Android Forensics References
Last update: September 6th 2022
USERDATA Partition
"/log" folder
- /log/wifi/iwc/iwc_dump.txt
- /log/netstats
- /log/batterystats
- Cellebrite CTF 2021 - Heisenberg's Android
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- Artefacts of Android device power off due to depleted battery
https://instatronic.com/artefacts-of-android-device-power-off-due-to-depleted-battery
- /log/recovery
- /log/sdp_log
- /log/thermal_log
- /log/power_off_reset_reason.txt
- Cellebrite CTF 2021 - Heisenberg's Android
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
- Artefacts of Android device power off due to depleted battery
https://instatronic.com/artefacts-of-android-device-power-off-due-to-depleted-battery
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/powerOffReset.py
"/misc" and "/misc_de" folder
- /misc/adb/adb_keys
- /misc/bluedroiddump/mainBuffer.log
- /misc/bluedroiddump/subBuffer.log
- /misc/bluedroid/bt_config.conf
- How Android Bluetooth Connections Can Determine If The Hands of a Driver Were On The Wheel During An Accident
https://cellebrite.com/en/how-android-bluetooth-connections-can-determine-if-the-hands-of-a-driver-were-on-the-wheel-during-an-accident/
https://dfir.pubpub.org/pub/6ysxvhvc/release/1
- Android Bluetooth Connection Configuration
https://www.stark4n6.com/2021/06/android-bluetooth-connection.html
- Collaborative Testing Services - Mobile Digital Evidence - 2015
https://cts-forensics.com/reports/35550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2021 - Heisenberg's Android
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
- Cellebrite CTF 2022 - Heisenberg's Android
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-heisenbergs-android.html
- aLEAPP plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/bluetoothConnections.py
- /misc/bootstat/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/last_boot_time.py
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/factory_reset.py
- /misc/wifi/qtables.json
- /misc/wifi/wpa_supplicant.conf
/misc/wifi/WifiConfigStore.xml
/misc/apexdata/com.android.wifi/WifiConfigStore.xml
- Collaborative Testing Services - Mobile Digital Evidence - 2015
https://cts-forensics.com/reports/35550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- Cellebrite Fall 2020 CTF - Part 1 - Tony Mederos
https://starwarsfan2099.github.io/2020/11/02/cellebirte-ctf-tony.html
- Clockin’ In with Google’s Wear OS
https://thebinaryhick.blog/2021/01/13/clockin-in-with-googles-wear-os/
- Learning Android Forensics - Second Edition
https://www.packtpub.com/product/learning-android-forensics-second-edition/9781789131017
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/wifiConfigstore.py
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/wifiProfiles.py
- /misc/wifi/softap.conf
/misc/apexdata/com.android.wifi/WifiConfigStoreSoftAp.xml
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/wifiHotspot.py
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Let's solve challenges - Cellebrite 2022 CTF Writeup
https://www.dfirblog.com/cellebrite-2022-ctf-writeup/
- Cellebrite CTF 2022 - Heisenberg's Android
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-heisenbergs-android.html
https://www.dfirblog.com/cellebrite-2022-ctf-writeup/
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- /misc_de/0/apexdata/com.android.permission/runtime-permissions.xml
- Android’s “Dangerous” Permissions
https://thebinaryhick.blog/2021/01/26/androids-dangerous-permissions/
- Examining A Malware-Infected Android Phone. This Android Is Not Alright.
https://thebinaryhick.blog/2022/04/09/examining-a-malware-infected-android-phone-this-android-is-not-alright/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/runtimePerms.py
- /misc_de/0/apexdata/com.android.permission/roles.xml
- Android - Roles and Permissions (Android 10/11)
https://blog.d204n6.com/2021/01/android-roles-and-permissions-android.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/roles.py
"/property" folder
- /property/persistent_properties
"/system", "/system_ce" and "/system_de" folders
- /system/appops/
- Snooping on Android 12’s Privacy Dashboard
https://thebinaryhick.blog/2022/01/22/snooping-on-android-12s-privacy-dashboard/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/discreteNative.py
- /system/batteryusagestats/
- /system/job/jobs.xml
- /system/netstats/
- Burn After Reading: Expunging Execution Footprints of Android Apps
https://lijuanru.com/publications/nss18.pdf
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- /system/procstats/
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- /system/sync/accounts.xml
- Who is the owner of the mobile device?
https://www.digitalforensics.com/blog/articles/who-is-the-owner-of-the-mobile-device/
- Clockin’ In with Google’s Wear OS
https://thebinaryhick.blog/2021/01/13/clockin-in-with-googles-wear-os/
- Super Sunday Funday Forensic Challenge - Update 4
https://www.hecfblog.com/2014/09/super-sunday-funday-forensic-challenge_15.html
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- /system/shutdown-checkpoints/
- Shutdown Checkpoints in Android 12
https://www.stark4n6.com/2022/01/shutdown-checkpoints-in-android-12.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/shutdown_checkpoints.py
- /system/users/0.xml
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- Forensic analysis of IoT ecosystem
https://hal.archives-ouvertes.fr/hal-03369836/document
- /system/users/0/app_idle_stats.xml
- /system/users/0/settings_global.xml
- /system/users/0/settings_secure.xml
- Cellebrite CTF 2021 - Heisenberg's Android
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- Examining A Malware-Infected Android Phone. This Android Is Not Alright.
https://thebinaryhick.blog/2022/04/09/examining-a-malware-infected-android-phone-this-android-is-not-alright/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/settingsSecure.py
- /system/users/0/settings_ssaid.xml
- Forensic analysis of instant messengers: Decrypt Signal, Wickr, and Threema
https://www.sciencedirect.com/science/article/pii/S2666281722000166
- /system/users/0/settings_system.xml
- Android - Roles and Permissions (Android 10/11)
https://blog.d204n6.com/2021/01/android-roles-and-permissions-android.html
- /system/appops.xml
- Snooping on Android 12’s Privacy Dashboard
https://thebinaryhick.blog/2022/01/22/snooping-on-android-12s-privacy-dashboard/
- Wipeout! Detecting Android Factory Resets
https://thebinaryhick.blog/2021/08/19/wipeout-detecting-android-factory-resets/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/appopSetupWiz.py
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/appops.py
- Digital Forensic Practices and Methodologies for AI Speaker Ecosystems
https://www.sciencedirect.com/science/article/pii/S1742287619301628
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- /system/batterystats.bin
- Video Aficionado: We Know What You Are Watching
https://par.nsf.gov/servlets/purl/10215810
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- /system/batterystats-checkin.bin
- /system/batterystats-daily.xml
- Every Step You Take: Application and Network Usage in Android
https://docplayer.net/90183420-Every-step-you-take-application-and-network-usage-in-android.html
- /system/deviceidle.xml
- /system/locksettings.db
- /system/netpolicy.xml
- Cellebrite CTF 2021 - Heisenberg's Android
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- /system/notification_policy.xml
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- /system/PkgPredictions.db
- /system/SemWifiApContentProvider
- Part 2: CTF 2022 Write Up – Heisenberg’s Android
https://cellebrite.com/en/part-2-ctf-2022-write-up-heisenbergs-android/
- /system/SimCard.dat
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- /system/WifiConfigStore.db
- /system/WifiHistory.db
- /system/wifigeofence.db
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- /system/packages.xml
- Android - Roles and Permissions (Android 10/11)
https://blog.d204n6.com/2021/01/android-roles-and-permissions-android.html
- Mobile Forensics: Discovering the Undiscovered
https://www.magnetforensics.com/blog/mobile-forensics-discovering-the-undiscovered/
- Some artifacts in the /data/system/ directory
http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/packageInfo.py
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/permissions.py
- /system/packages.list
- Android - Roles and Permissions (Android 10/11)
https://blog.d204n6.com/2021/01/android-roles-and-permissions-android.html
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- Learning Android Forensics - Second Edition
https://www.packtpub.com/product/learning-android-forensics-second-edition/9781789131017
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- Learning Android Forensics - Second Edition
https://www.packtpub.com/product/learning-android-forensics-second-edition/9781789131017
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/packageGplinks.py
- /system_ce/0/accounts_ce.db
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- Android - Tracking Device Migration
https://blog.d204n6.com/2021/06/android-tracking-device-migration.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/accounts_ce.py
- /system_ce/recent_images/
- Mobile Forensics: Discovering the Undiscovered
https://www.magnetforensics.com/blog/mobile-forensics-discovering-the-undiscovered/
- Android Recent Tasks XML Parser
https://abrignoni.blogspot.com/2019/02/android-recent-tasks-xml-parser.html
- Every Step You Take: Application and Network Usage in Android
https://docplayer.net/90183420-Every-step-you-take-application-and-network-usage-in-android.html
- Digital Forensic Practices and Methodologies for AI Speaker Ecosystems
https://www.sciencedirect.com/science/article/pii/S1742287619301628
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/recentactivity.py
- /system_ce/recent_tasks/
- Mobile Forensics: Discovering the Undiscovered
https://www.magnetforensics.com/blog/mobile-forensics-discovering-the-undiscovered/
- Android Recent Tasks XML Parser
https://abrignoni.blogspot.com/2019/02/android-recent-tasks-xml-parser.html
- Digital Forensic Practices and Methodologies for AI Speaker Ecosystems
https://www.sciencedirect.com/science/article/pii/S1742287619301628
- Corroboration. That Is All.
https://thebinaryhick.blog/2021/06/17/corroboration-that-is-all/
- Every Step You Take: Application and Network Usage in Android
https://docplayer.net/90183420-Every-step-you-take-application-and-network-usage-in-android.html
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/recentactivity.py
- Write-up Magnet Weekly CTF
https://www.cloud-response.com/2020/10/write-up-magnet-weekly-ctf.html
- /system_ce/shortcuts/
- /system_ce/snapshots/
- /system_ce/usagestats/
- Android Usagestats XML Parser
https://abrignoni.blogspot.com/2019/02/android-usagestats-xml-parser.html
- Identifying the Android Operating System Version thru UsageStats
https://www.sans.org/white-papers/40265/
- Usagestats on Android 10 (Q)
http://www.swiftforensics.com/2020/01/usagestats-on-android-10-q.html
- Mobile Forensics: Discovering the Undiscovered
https://www.magnetforensics.com/blog/mobile-forensics-discovering-the-undiscovered/
- Some artifacts in the /data/system/ directory
http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html
- Android Dumpsys Analysis to Indicate Driver Distraction
https://ccdcoe.org/uploads/2021/03/Android-Dumpsys-Analysis-to-Indicate-Driver-Distraction.pdf
- Every Step You Take: Application and Network Usage in Android
https://docplayer.net/90183420-Every-step-you-take-application-and-network-usage-in-android.html
- Tracking traces of deleted applications
https://www.youtube.com/watch?v=4LcQm4ErXpA
https://docplayer.net/148670626-Tracking-traces-of-deleted-applications-christopher-vance-alexis-brignoni.html
- Android version without the build.props file
https://abrignoni.blogspot.com/2021/04/android-version-without-buildprops-file.html
- Android Internals
http://newandroidbook.com/Book/2-Excerpt-Data.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/usagestats.py
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/usagestatsVersion.py
- /system_de/0/accounts_de.db
- Android - Tracking Device Migration
https://blog.d204n6.com/2021/06/android-tracking-device-migration.html
- Clockin’ In with Google’s Wear OS
https://thebinaryhick.blog/2021/01/13/clockin-in-with-googles-wear-os/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/accounts_de.py
"/user_de" folder
- /user_de/0/com.android.bluetooth/bonddevice.db
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- /user_de/0/com.android.providers.telephony/databases/telephony.db
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Cellebrite CTF 2021 - Heisenberg's Android
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-heisenbergs-android.html
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
https://cellebrite.com/en/hex-diving-the-easy-way-to-uncover-hidden-forensic-artifacts/
- Android Mobile Artifacts: A Treasure Trove of Digital Evidence in Crime Investigation
https://www.irjet.net/archives/V8/i8/IRJET-V8I885.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- /user_de/0/com.android.settings/databases/applist.db
- /user_de/0/com.samsung.accessibility/shared_prefs/accessibility_prefs.xml
- /user_de/0/com.sec.imsservice/shared_prefs/capdiscovery_0.xml
"/data" folder
Digital Wellbeing (com.google.android.apps.wellbeing)
- /data/com.google.android.apps.wellbeing/databases/app_usage
- Walking the Android (time)line. Using Android’s Digital Wellbeing to timeline Android activity.
https://thebinaryhick.blog/2020/02/22/walking-the-android-timeline-using-androids-digital-wellbeing-to-timeline-android-activity/
Google Docs (com.google.android.apps.docs)
- /data/com.google.android.apps.docs/databases/DocList.db
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/DocList.py
- Google Docs - Cello & DocList DBs
https://www.stark4n6.com/2020/12/google-docs-cello-doclist-dbs.html
- Digital Forensic Investigation of Cloud Storage Services
https://arxiv.org/ftp/arxiv/papers/1709/1709.10395.pdf
- Android Cloud Forensics - Final Findings
http://obrienforensics.blogspot.com/2014/04/final-findings.html
- Digital Evidence Identification on Google Drive in Android Device Using NIST Mobile Forensic Method
https://pdfs.semanticscholar.org/b699/e47687819041e2cbf69fa6d6afbd0c6a3fc2.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Proposed Method for Mobile Forensics Investigation Analysis of Remnant Data on Google Drive Client
https://jit.ndhu.edu.tw/article/download/1795/1801
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
Files by Google (com.google.android.apps.nbu.files)
- /data/com.google.android.apps.nbu.files/databases/files_master_database
- Files By Google: More Mobile Explorer Artifacts
https://www.stark4n6.com/2021/01/files-by-google-more-mobile-explorer.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/FilesByGoogle_FilesMaster.py
- /data/com.google.android.apps.nbu.files/databases/search_history_database
- Files By Google: More Mobile Explorer Artifacts
https://www.stark4n6.com/2021/01/files-by-google-more-mobile-explorer.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/FilesByGoogle_SearchHistory.py
Device Health Services (com.google.android.apps.turbo)
- /data/com.google.android.apps.turbo/databases/turbo.db
- Charging Battery with Turbo DB
https://www.stark4n6.com/2020/12/charging-battery-with-turbo-db.html
- Part 2: CTF 2022 Write Up – Heisenberg’s Android
https://cellebrite.com/en/part-2-ctf-2022-write-up-heisenbergs-android/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/Turbo_Battery.py
- /data/com.google.android.apps.turbo/databases/bluetooth.db
- Turbo Strikes Again - Tracking Bluetooth Device Battery
https://www.stark4n6.com/2021/06/turbo-strikes-again-tracking-bluetooth.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/Turbo_Battery.py
- /data/com.google.android.apps.turbo/shared_prefs/app_usage_stats.xml
- Turbo Pt. 3 - Device Health Services Application Usage
https://www.stark4n6.com/2021/06/turbo-application-usage.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/Turbo_AppUsage.py
Settings Services (com.google.android.settings.intelligence)
- /data/com.google.android.settings.intelligence/databases/battery-usage-db-v4
- Application Battery Usage via Settings Services
https://www.stark4n6.com/2021/12/application-battery-usage-via-settings.html
- Examining A Malware-Infected Android Phone. This Android Is Not Alright.
https://thebinaryhick.blog/2022/04/09/examining-a-malware-infected-android-phone-this-android-is-not-alright/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/battery_usage_v4.py
Google Play Service (com.google.android.gms)
- /data/com.google.android.gms/databases/cast.db
- An Android Casting (Device) Story: "cast.db"
https://deagler4n6blog.blogspot.com/2021/01/a-casting-story-castdb.html
- /data/com.google.android.gms/databases/constellation.db
- Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
https://cellebrite.com/en/hex-diving-the-easy-way-to-uncover-hidden-forensic-artifacts/
- /data/com.google.android.gms/databases/gass.db
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/installedappsGass.py
- /data/com.google.android.gms/databases/gms.notifications.db
- /data/com.google.android.gms/databases/google_account_history.db
- /data/com.google.android.gms/databases/google_app_measurement.db
- Forensics on Android Applications
https://dione.lib.unipi.gr/xmlui/bitstream/handle/unipi/11306/Kitsaki_mte1618.pdf?isAllowed=y&sequence=1
- Forensic Analysis of the Bumble Dating App for Android
https://www.mdpi.com/2673-6756/2/1/16/htm
- /data/com.google.android.gms/databases/herrevad
- HERREVAD Databases Geo Location Artefacts
http://trewmte.blogspot.com/2017/02/herrevad-databases-geo-location.html
- Update - HERREVAD Databases Geo Location Artefacts
http://trewmte.blogspot.com/2018/07/update-herrevad-databases-geo-location.html
- Update2 - HERREVAD Databases Geo Location Artefacts
http://trewmte.blogspot.com/2019/05/update2-herrevad-databases-geo-location.html
- Update3 - HERREVAD Databases Geo Location Artefacts
http://trewmte.blogspot.com/2019/12/update3-herrevad-databases-geo-location.html
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- /data/com.google.android.gms/databases/icing_contacts.db
- Recovering data from broken screen Android phone - alternative
https://hackcorrelation.blogspot.com/2016/10/recovering-data-from-broken-screen.html
- /data/com.google.android.gms/databases/icing_mmssms.db
- Cellebrite-icing_mmssms.db-Parser
https://github.com/python-for-mobile-forensics/Cellebrite-icing_mmssms.db-Parser/blob/master/README.md
- Android Messaging Forensics – SMS/MMS and Beyond
https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/
- /data/data/com.google.android.gms/databases/MdpSimBasedDatabase
- Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
https://cellebrite.com/en/hex-diving-the-easy-way-to-uncover-hidden-forensic-artifacts/
- /data/com.google.android.gms/databases/NetworkUsage.db
- Providing Context to the Clues: Recovery and Reliability of Location Data from Android Devices
https://stars.library.ucf.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=2353&context=etd
- /data/com.google.android.gms/databases/ns.db
- /data/com.google.android.gms/databases/reminders.db
- Smart Speakers Forensics
https://core.ac.uk/download/pdf/230544843.pdf
- /data/com.google.android.gms/shared_prefs/batterystats.xml
- Every Step You Take: Application and Network Usage in Android
https://docplayer.net/90183420-Every-step-you-take-application-and-network-usage-in-android.html
- /data/com.google.android.gms/shared_prefs/adid_settings.xml
- /data/com.google.android.gms/shared_prefs/BackupAccount.xml
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- /data/com.google.android.gms/shared_prefs/Checkin.xml
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
https://cellebrite.com/en/hex-diving-the-easy-way-to-uncover-hidden-forensic-artifacts/
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2022 - Heisenberg's Android
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-heisenbergs-android.html
- /data/com.google.android.gms/shared_prefs/nearbysharing:service:state.xml
- Nearby Share – AirDrop for Android (Return of the Unsolicited Richard Photograph)
https://thebinaryhick.blog/2020/08/22/nearby-share-airdrop-for-android-return-of-the-unsolicited-richard-photograph/
Google Play Store (com.android.vending)
- /data/com.android.vending/databases/data_usage.db
- Forensic investigation of Cisco WebEx desktop client, web, and Android smartphone applications
https://link.springer.com/article/10.1007/s12243-022-00919-6
- /data/com.android.vending/databases/frosting.db
- Analysis of application installation logs on Android systems
https://dl.acm.org/doi/10.1145/3297280.3297489
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/frosting.py
- /data/com.android.vending/databases/install_queue.db
- Forensic investigation of Cisco WebEx desktop client, web, and Android smartphone applications
https://link.springer.com/article/10.1007/s12243-022-00919-6
- /data/com.android.vending/databases/library.db
- Mobile Forensics: Discovering the Undiscovered
https://www.magnetforensics.com/blog/mobile-forensics-discovering-the-undiscovered/
- Analysis of application installation logs on Android systems
https://dl.acm.org/doi/10.1145/3297280.3297489
- CTF Cellebrite CTF 2020: Rene Gade
https://ciofecaforensics.com/2020/10/31/cellebrite-ctf-rene/
- Tracking traces of deleted applications
https://www.youtube.com/watch?v=4LcQm4ErXpA
https://docplayer.net/148670626-Tracking-traces-of-deleted-applications-christopher-vance-alexis-brignoni.html
- Every Step You Take: Application and Network Usage in Android
https://docplayer.net/90183420-Every-step-you-take-application-and-network-usage-in-android.html
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/installedappsLibrary.py
- /data/com.android.vending/databases/localappstate.db
- Analysis of application installation logs on Android systems
https://dl.acm.org/doi/10.1145/3297280.3297489
- Tracking traces of deleted applications
https://www.youtube.com/watch?v=4LcQm4ErXpA
https://docplayer.net/148670626-Tracking-traces-of-deleted-applications-christopher-vance-alexis-brignoni.html
- Part 2: CTF 2022 Write Up – Heisenberg’s Android
https://cellebrite.com/en/part-2-ctf-2022-write-up-heisenbergs-android/
- Collaborative Testing Services - Mobile Digital Evidence - 2015
https://cts-forensics.com/reports/35550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/installedappsVending.py
- /data/com.android.vending/databases/package_verification.db
- Tracking traces of deleted applications
https://www.youtube.com/watch?v=4LcQm4ErXpA
https://docplayer.net/148670626-Tracking-traces-of-deleted-applications-christopher-vance-alexis-brignoni.html
- /data/com.android.vending/databases/suggestions.db
- Collaborative Testing Services - Mobile Digital Evidence - 2015
https://cts-forensics.com/reports/35550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- /data/com.android.vending/databases/verify_apps.db
- Forensic investigation of Cisco WebEx desktop client, web, and Android smartphone applications
https://link.springer.com/article/10.1007/s12243-022-00919-6
Google Quick Search (com.google.android.googlequicksearchbox)
- Google Search & Personal Assistant data on android
http://www.swiftforensics.com/2020/03/google-search-personal-assistant-data.html
- Google Search Bar & Search Term History – Are You Finding Everything?
https://thebinaryhick.blog/2019/03/20/google-search-bar-search-term-history-are-you-finding-everything/
- Forensic Investigation of Google Assistant
https://link.springer.com/article/10.1007/s42979-020-00285-x
- How Android Bluetooth Connections Can Determine if a Driver had Their Hands on the Wheel During an Accident
https://dfir.pubpub.org/pub/6ysxvhvc/release/1
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- DroidForensics: Accurate Reconstruction of Android Attacks via Multi-layer Forensic Logging
https://kyuhlee.github.io/publications/asiaccs17.pdf
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/googleQuickSearchbox.py
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/googleQuickSearchboxRecent.py
Google Services Framework (com.google.android.gsf)
- /data/com.google.android.gsf/databases/gservices.db
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- /data/com.google.android.gsf/databases/googlesettings.db
- Forensic Analysis of Wireless Networking Evidence of Android Smartphones
https://www.fortoo.eu/m/page-media/4/Andriotis-2012-1-wifs.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/pSettings.py
Messages (com.google.android.apps.messaging)
- /data/com.google.android.apps.messaging/databases/bugle_db
- Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
https://cellebrite.com/en/hex-diving-the-easy-way-to-uncover-hidden-forensic-artifacts/
- Android Messaging Forensics – SMS/MMS and Beyond
https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- /data/com.google.android.apps.messaging/shared_prefs/sim_state_tracker.xml
Samsung One UI Home (com.sec.android.app.launcher)
- Recreate Android apps, folders, and widget screen positions from a forensic extraction
https://abrignoni.blogspot.com/2019/10/recreate-android-apps-folders-and.html
Android Contacts Storage (com.android.providers.contacts)
- /data/com.android.providers.contacts/databases/calllog.db
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
https://cellebrite.com/en/hex-diving-the-easy-way-to-uncover-hidden-forensic-artifacts/
- Calllog.db and SMS data on Android 7.0 Nougat
https://forensenellanebbia.blogspot.com/2018/10/calllogdb-and-sms-data-on-android-70.html
- Android Mobile Artifacts: A Treasure Trove of Digital Evidence in Crime Investigation
https://www.irjet.net/archives/V8/i8/IRJET-V8I885.pdf
- Call Log query
https://github.com/kacos2000/Queries/blob/master/calllog_db.sql
- Learning Android Forensics - Second Edition
https://www.packtpub.com/product/learning-android-forensics-second-edition/9781789131017
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/calllog.py
- /data/com.android.providers.contacts/databases/contacts2.db
- Open Source Mobile Device Forensics
https://smarterforensics.com/wp-content/uploads/2014/06/OpenSourceMobileForensics.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- Android Mobile Artifacts: A Treasure Trove of Digital Evidence in Crime Investigation
https://www.irjet.net/archives/V8/i8/IRJET-V8I885.pdf
- Contacts query
https://github.com/kacos2000/Queries/blob/master/contacts2.sql
- Contacts calls query
https://github.com/kacos2000/Queries/blob/master/contacts2calls.sql
- Learning Android Forensics - Second Edition
https://www.packtpub.com/product/learning-android-forensics-second-edition/9781789131017
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/contacts.py
- /data/com.android.providers.contacts/files/photos/
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
Android Messaging Storage (com.android.providers.telephony)
- /data/user_de/0/com.android.providers.telephony/databases/mmssms.db
/data/com.android.providers.telephony/databases/mmssms.db
- Android Messaging Forensics – SMS/MMS and Beyond
https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/
- Android mmssms.db each table introduction
https://blog.katastros.com/a?ID=00250-640c0b9b-4c94-4928-9250-7406735e59a2
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
https://cellebrite.com/en/part-1-walk-through-of-answers-to-the-2021-ctf-investigating-heisenbergs-android-device/
- Cellebrite CTF 2022 - Heisenberg's Android
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-heisenbergs-android.html
- Learning Android Forensics - Second Edition
https://www.packtpub.com/product/learning-android-forensics-second-edition/9781789131017
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/smsmms.py
- /data/com.android.providers.telephony/databases/app_parts/
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
Android Calendar Storage (com.android.providers.calendar)
- /data/com.android.providers.calendar/databases/calendar.db
- Collaborative Testing Services - Mobile Digital Evidence - 2016
https://cts-forensics.com/reports/36550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2017
https://cts-forensics.com/reports/37550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2019
https://cts-forensics.com/reports/19-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2020
https://cts-forensics.com/reports/20-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2021
https://cts-forensics.com/reports/21-5550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
- /data/data/com.google.android.calendar/databases/cal_v2a
- Collaborative Testing Services - Mobile Digital Evidence - 2022
https://cts-forensics.com/reports/22-5550_Web.pdf
Android Media Storage
- /data/com.google.android.providers.media.module/databases/external.db
- Android’s external.db – Everything Old Is New Again
https://thebinaryhick.blog/2020/10/19/androids-external-db-everything-old-is-new-again/
- Mobile Forensic Investigations A Guide to Evidence Collection, Analysis, and Presentation - Second Edition
https://www.oreilly.com/library/view/mobile-forensic-investigations/9781260135107/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/emulatedSmeta.py
Android Logs Provider (com.sec.android.provider.logsprovider)
- /data/com.sec.android.provider.logsprovider/databases/logs.db
- Android Messaging Forensics – SMS/MMS and Beyond
https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/
- Logs provider query
https://github.com/kacos2000/Queries/blob/master/logs_db.sql
- Collaborative Testing Services - Mobile Digital Evidence - 2015
https://cts-forensics.com/reports/35550_Web.pdf
- Collaborative Testing Services - Mobile Digital Evidence - 2018
https://cts-forensics.com/reports/38550_Web.pdf
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/calllogs.py
Android Location (com.google.android.location)
- /data/com.google.android.location/files/cache.cell/cache.wifi
/data/com.google.android.location/files/cache.cell/cache.cell
- Decoding cache.cell and cache.wifi files
https://forensics.spreitzenbarth.de/2011/10/28/decoding-cache-cell-and-cache-wifi-files/
- aLEAPP Plugin
https://github.com/abrignoni/ALEAPP/blob/master/scripts/artifacts/cachelocation.py