
# \[1.2] Review files in the app data directory

In the early stages of our reversing workflow, we can look through the filesystem of this app to see if there are any leads. This could include things like shared preferences, databases, or basically anywhere within the app's sandbox.

### Shared Preferences (SharedPrefs)

If you're using the lab kit, a complete copy of the data directory has been provided under 'app\_data\_directory'. If you wanted to pull it off the device, it's located at: `/data/data/com.enchantedcloud.photovault`

A couple of artifacts are of interest. The first is the shared preferences XML (`com.enchantedcloud.photovault_preferences.xml`), whose content is shown here:

![](/files/-M4UKwe4NU76g_Zabg6m)

Of interest are the `pin`, `passcode_type`, and `enc_keys_pin` entries. Let's make a note of them and continue.

There's also a file called `crypto.xml`, which touches on a subject we're interested in! So let's take a look:

![](/files/-M6VNs9aKOEj5GcHUQj7)

{% hint style="info" %}
It may be helpful to start a text file in Notepad++ where you mark down interesting or potentially significant data. As you go along, you can use this as a sort of index for testing values you might retrieve during dynamic binary instrumentation (DBI).

<img src="/files/-M6VOwzXPADYA_sDry28" alt="" data-size="original">
{% endhint %}

### Database

You might also notice `simplenosql.db`, which is stored in the `databases` folder. If you open it, there are only two tables.

![](/files/-M6VMKCwW9hzusj3RsZT)

Inside the table simplenosql, there are a couple of rows:

![](/files/-M6VMQHtkP1pJiu0PWkS)

Each row appears to pertain to a 'bucket', which in our case is either albums or albums\_decoy. Inside the data column is quite a bit of JSON data:

![](/files/-M6VMh_tocHm4yvRDCuW)

It appears that this may provide some intelligence as to where our encrypted media could be stored. Let's see if we can find these files in the `files/media/orig/` directory as indicated.

### Encrypted Media

As expected, we have a number of jpg files with timestamps as names. If we view them using a hex editor, we can see they appear to be high-entropy crypto containers.

![](/files/-M4UMOT4GiwX_7wgH6XI)

If we continue to look through the other encrypted media, the only obvious similarity between them is that they all begin with the bytes `01 01`.
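To check both observations (high entropy, shared leading bytes) across every file instead of by eye in a hex editor, here is an added example that is not part of the original lab material. It computes Shannon entropy per file and the longest prefix common to all files; the function names are hypothetical, and when no path is given it runs on constructed stand-in files.

```python
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def common_prefix(blobs) -> bytes:
    """Longest byte prefix shared by every blob (a candidate header or version marker)."""
    blobs = list(blobs)
    if not blobs:
        return b""
    shortest = min(blobs, key=len)
    for i, byte in enumerate(shortest):
        if any(b[i] != byte for b in blobs):
            return shortest[:i]
    return shortest

def triage(directory, head=64):
    """Return (name, size, entropy) rows and the prefix common to the first `head` bytes."""
    rows, heads = [], []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            data = path.read_bytes()
            rows.append((path.name, len(data), round(shannon_entropy(data), 3)))
            heads.append(data[:head])
    return rows, common_prefix(heads)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. the lab kit's copy of files/media/orig
        target = sys.argv[1]
    else:                   # constructed stand-in files, not the app's real media
        target = tempfile.mkdtemp()
        for i in range(3):
            Path(target, f"sample_{i}.jpg").write_bytes(b"\x01\x01" + os.urandom(4096))
    rows, prefix = triage(target)
    for name, size, entropy in rows:
        print(f"{name:<32} {size:>10} bytes  {entropy:.3f} bits/byte")
    print("common prefix:", prefix.hex(" ") or "(none)")
```

A short common prefix on otherwise high-entropy files is worth recording in your notes as a possible container header or version marker.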

