Book Image

Learning Android Forensics

By : Rohit Tamma, Donnie Tindall
Book Image

Learning Android Forensics

By: Rohit Tamma, Donnie Tindall

Overview of this book

Table of Contents (15 chapters)
Learning Android Forensics
About the Authors
About the Reviewers

Determining what apps are installed

To see what applications are on the device, an examiner could navigate to /data/data and run the ls command. However, this doesn't provide well-formatted data that will look good in a forensic report. We suggest that you pull the /data/system/packages.list file. This file lists the package name for every app on the device and path to its data (if this file does not exist on the device, the adb shell pm list packages -f command is a good alternative). For example, here is an entry for Google Chrome (the full file on our test device contained 120 entries):


This is the first method of data storage: plain text. Often, we will see apps store data in plain text, including data you wouldn't expect (such as passwords).

Perhaps of greater interest is the /data/system/package-usage.list file, which shows the last time a package (or application) was used. It's not perfect; the times shown in the file did not correlate exactly with the last time we used the app...