Learning Android Forensics

By : Rohit Tamma, Donnie Tindall
Overview of this book

Learning Android Forensics
Google Keep analysis

Keep is a note-taking application provided by Google. It can also be used to set reminders, either at a certain date/time or when the user is at a specified location.

Package name:

Version: Default version with Android 5.0.1 (not listed within app)

Files of interest:

  • /databases/keep.db

  • /files/1/image/original

The files/1/image/original directory contains photos taken using the app. Notes and reminders can both be associated with an image.

The keep.db contains all of the information about notes and reminders. There are, once again, several tables of interest:




This contains information about location-based reminders. The reminder_id column can be correlated with entries in the reminder table. The reminder_detail table contains the latitude and longitude set for the reminder. The scheduled_time column is the date/time the reminder was set, in the Linux epoch time.


This contains metadata about images in the /files...