Android - Forensics Artifacts
Forensics Artifacts
Before we begin any investigation, we need to know which artifacts matter from a forensic point of view and where they are located on the Android device. Once we understand that, we can pick out the relevant artifacts, extract them, and pull out the information that bears on the case we are investigating. Let's explore some key artifacts on an Android device, their forensic value, and where they are located.
SMS/MMS & Call Logs
Explanation
Communications are important in any forensic case, and SMS and call logs can be crucial evidence. On an Android device, they are stored in SQLite databases belonging to the system content providers: one holds the content and metadata of messages sent and received through the device's messaging application, and another holds the call history.
Location
/data/data/com.android.providers.telephony/databases/mmssms.db (for SMS/MMS)

/data/data/com.android.providers.contacts/databases/calllog.db (for Call Logs)
Forensics Value
Recovers complete text message content
Provides sender/receiver numbers and timestamps
Supports conversation reconstruction and timeline validation
Useful for mapping user communication patterns
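As an added example (not part of the original page), the following Python builds constructed in-memory stand-ins for the sms table of mmssms.db and the calls table of calllog.db, using the stock column names (address/number, date in epoch milliseconds, type codes), and merges both into one UTC timeline so messages and calls can be read together in sequence. The sample rows are invented for illustration, not real evidence.

```python
import sqlite3
from datetime import datetime, timezone

# Type codes used by the stock Android sms and calls tables.
SMS_TYPE = {1: "received", 2: "sent"}
CALL_TYPE = {1: "incoming", 2: "outgoing", 3: "missed"}

def build_sample_dbs():
    """Constructed in-memory stand-ins for mmssms.db and calllog.db (invented rows, not evidence)."""
    sms = sqlite3.connect(":memory:")
    sms.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INT, address TEXT, date INT, type INT, body TEXT)")
    sms.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?)", [
        (1, 1, "+15550100", 1700000000000, 1, "Are you coming tonight?"),
        (2, 1, "+15550100", 1700000120000, 2, "Yes, leaving now"),
        (3, 2, "+15550199", 1700000300000, 1, "Your code is 4821"),
    ])
    calls = sqlite3.connect(":memory:")
    calls.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, date INT, duration INT, type INT)")
    calls.executemany("INSERT INTO calls VALUES (?,?,?,?,?)", [
        (1, "+15550100", 1700000060000, 45, 2),
        (2, "+15550177", 1700000500000, 0, 3),
    ])
    return sms, calls

def to_utc(ms):
    """Android stores these dates as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def unified_timeline(sms_db, calls_db):
    """Merge SMS and call-log rows into one chronologically ordered list of events."""
    events = []
    for address, date, typ, body in sms_db.execute("SELECT address, date, type, body FROM sms"):
        events.append((date, "sms", SMS_TYPE.get(typ, f"type{typ}"), address, body))
    for number, date, duration, typ in calls_db.execute("SELECT number, date, duration, type FROM calls"):
        events.append((date, "call", CALL_TYPE.get(typ, f"type{typ}"), number, f"{duration}s"))
    events.sort(key=lambda e: e[0])
    return [(to_utc(d), kind, direction, party, detail) for d, kind, direction, party, detail in events]

def contacts_by_interaction(timeline):
    """Count how often each number appears, to surface the user's communication pattern."""
    counts = {}
    for _, _, _, party, _ in timeline:
        counts[party] = counts.get(party, 0) + 1
    return counts
```

Against a real extraction, point the two sqlite3.connect calls at the copied mmssms.db and calllog.db files instead of the in-memory samples.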
Contacts & Address Book
Explanation
Contact details on an Android device can also be crucial evidence in any forensic case. This database contains all contacts saved on the device or synced through accounts.
Location
/data/data/com.android.providers.contacts/databases/contacts2.db

Forensics Value
Identifies social connections and associates
Provides potential leads through phone numbers and emails
Supports triangulation with call logs and messages
Browser History
Explanation
These databases record detailed web activity, including visited URLs, page titles, visit timestamps, and search terms the user enters. Depending on the browser, they may store cookies and autofill form data. This information helps identify the user's online interests and behavioral patterns.
Location
Chrome:
/data/data/com.android.chrome/app_chrome/Default/History

Forensics Value
Reveals internet usage habits and search interests
Can indicate planning or intent (e.g., searches about crimes or escape routes)
May expose accessed web services like cloud storage or forums
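Chrome's History database does not use the Unix epoch: its timestamps are microseconds since 1601-01-01 UTC (the WebKit epoch), so naive conversion puts visits centuries off. As an added example (not from the original page), the Python below builds a constructed stand-in for the urls, visits, and keyword_search_terms tables, converts the timestamps correctly, and recovers the typed search terms alongside the pages they led to.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the WebKit epoch (1601-01-01) and the Unix epoch (1970-01-01).
WEBKIT_TO_UNIX_SECONDS = 11644473600

def webkit_to_utc(webkit_us):
    """Convert a Chrome/WebKit timestamp (microseconds since 1601) to a UTC string."""
    unix_seconds = webkit_us / 1_000_000 - WEBKIT_TO_UNIX_SECONDS
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def build_sample_history():
    """Constructed in-memory stand-in for Chrome's History database (invented rows, not evidence)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INT, last_visit_time INT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INT, visit_time INT, from_visit INT);
        CREATE TABLE keyword_search_terms (keyword_id INT, url_id INT, term TEXT, normalized_term TEXT);
    """)
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.google.com/search?q=bus+timetable", "bus timetable - Google Search", 1, 13344473600000000),
        (2, "https://example.org/forum/thread/42", "Forum thread 42", 3, 13344473660000000),
    ])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, 13344473600000000, 0),
        (2, 2, 13344473660000000, 1),
    ])
    db.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)", (2, 1, "bus timetable", "bus timetable"))
    return db

def visit_timeline(db):
    """Each visit with its UTC time, URL and title, in chronological order (visits.url joins urls.id)."""
    rows = db.execute("""
        SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""")
    return [(webkit_to_utc(t), url, title) for t, url, title in rows]

def search_terms(db):
    """Search queries the user typed, resolved to the result page each one produced."""
    rows = db.execute("SELECT k.term, u.url FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id")
    return list(rows)
```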
Location Data
Explanation
Devices often record detailed GPS and network-based location data through Google Play Services. These databases track location visits, movements, place labels, and timestamps, often even when apps are not actively in use.
Location
/data/data/com.google.android.gms/databases/ (multiple files, e.g., location.db or networklocations.db; location data may also sit under the com.google.android.location package)
Forensics Value
Maps user movements and frequented places
Helps confirm or refute the presence at a crime scene
Crucial in reconstructing past activities and routes
Photos, Videos, & Metadata
Explanation
Photos and videos taken with the device often store metadata like timestamps, device model, and geolocation in EXIF headers. Additionally, media folder structures can indicate third-party sharing apps or camera sources.
Location
/sdcard/DCIM/
/sdcard/Pictures/
/sdcard/WhatsApp/Media/

Forensics Value
Provides visual timelines
Can include GPS stamps and timestamps
Thumbnail and preview caches can sometimes reveal images that have since been deleted
Instant Messaging Apps
Explanation
Third-party messaging apps store messages, media, call logs, and user metadata in private app directories, usually in SQLite databases or encrypted storage. The artifacts may include chat logs, group memberships, timestamps, and shared file references, which can persist even after deletion.
Location
/data/data/com.whatsapp/databases/msgstore.db
/sdcard/WhatsApp/Media/ (for images, voice notes, etc.)
Forensics Value
Direct evidence of conversations
Highly relevant in criminal or civil investigations
Media attachments often serve as direct proof
Exposes communication across encrypted and non-encrypted channels
Application Data
Explanation
Beyond preferences and databases, many apps create custom logs, usage traces, and artifact-rich directories containing JSON, XML, and plain-text files. These files often include crash logs, analytics pings, locally cached content, and background job histories.
Location
/data/data/[app.package.name]/
For example: /data/data/com.instagram.android/ or /data/data/com.snapchat.android/

Forensics Value
Can uncover app usage patterns
Exposes background activity not visible in UI
Hidden data like cached credentials, logs, or usage stats
Supports examination of a suspicious app
User Accounts & Google Services
Explanation
Android stores information about accounts synced with the device, including Google, social media, email, and app-specific logins. Account data includes login timestamps, service tokens, sync settings, and sometimes plaintext usernames or email addresses.
Location
/data/system/users/0/accounts.db
/data/data/com.google.android.gms/databases

Forensics Value
Identifies user identities and linked online services
Maps services used (e.g., Gmail, Dropbox, and Instagram)
Reveals syncing frequency and potential data exfiltration vectors
Supports correlation with web or cloud-based investigations
Installed Applications Information
Explanation
This artifact contains metadata about all applications installed on the device, including app names, package IDs, version numbers, install times, and permission settings. It includes system and user-installed apps, offering insight into the device's overall software environment.
Location
/data/system/packages.xml

Forensics Value
Shows which apps were present over time
Can support a timeline or behavioral pattern
Evidence of app installs/uninstalls
Lists dangerous permissions that could relate to surveillance or exploitation
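As an added example (not from the original page), the Python below parses a constructed fragment modelled on the plain-text packages.xml layout, where each package element carries its install and update times in the it and ut attributes as hexadecimal epoch milliseconds and lists granted permissions under perms. It orders apps by install time and flags those holding several dangerous permissions. Assumptions: the file has already been pulled as text (on Android 12 and later it is written in binary XML and must be converted to text first), and the sensitive-permission set is this example's own shortlist, not an Android constant.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample modelled on the plain-text packages.xml layout (invented apps, not evidence).
# 'it' / 'ut' are install / update times as hexadecimal epoch milliseconds.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.example.notes" version="42" it="18bcfe56800" ut="18bcfe56800" userId="10123">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.tracker" version="7" it="18bd01c5680" ut="18bd0534500" userId="10124">
    <perms>
      <item name="android.permission.RECORD_AUDIO" granted="true" flags="0" />
      <item name="android.permission.ACCESS_FINE_LOCATION" granted="true" flags="0" />
      <item name="android.permission.READ_SMS" granted="true" flags="0" />
    </perms>
  </package>
</packages>
"""

# This example's own shortlist of dangerous-level permissions relevant to surveillance questions.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
}

def hex_ms_to_utc(value):
    # The attribute is hex text, so parse with base 16 before treating it as epoch milliseconds.
    return datetime.fromtimestamp(int(value, 16) / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_packages(xml_text):
    """One record per <package>: name, version, install/update time, and granted sensitive permissions."""
    records = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        granted = {item.get("name") for item in pkg.iter("item") if item.get("granted") == "true"}
        records.append({
            "name": pkg.get("name"),
            "version": pkg.get("version"),
            "installed": hex_ms_to_utc(pkg.get("it")),
            "updated": hex_ms_to_utc(pkg.get("ut")),
            "sensitive": sorted(granted & SENSITIVE_PERMISSIONS),
        })
    return sorted(records, key=lambda r: r["installed"])

def flag_surveillance_candidates(records, threshold=2):
    """Names of apps holding at least `threshold` sensitive permissions, for follow-up review."""
    return [r["name"] for r in records if len(r["sensitive"]) >= threshold]
```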