To see what applications are on the device, an examiner could navigate to
/data/data and run the
ls command. However, this doesn't provide well-formatted data that will look good in a forensic report. We suggest that you pull the
/data/system/packages.list file. This file lists the package name for every app on the device and path to its data (if this file does not exist on the device, the
adb shell pm list packages -f command is a good alternative). For example, here is an entry for Google Chrome (the full file on our test device contained 120 entries):
This is the first method of data storage: plain text. Often, we will see apps store data in plain text, including data you wouldn't expect (such as passwords).
Perhaps of greater interest is the
/data/system/package-usage.list file, which shows the last time a package (or application) was used. It's not perfect; the times shown in the file did not correlate exactly with the last time we used the app...