Эта тема продолжение темы Android, Ищем интересности в которой в сообщениях пользователей то же очень много полезной информации
DEVICE INFORMATION
Файл вложения "poster.pdf" это for585.com/poster SANS The Most Relevant Evidence per Gigabyte
и не только ;-)
Дополнительный ресурс с материалами и примерами Android Forensics References -> USERDATA Partition (Last update: September 6th 2022)
DEVICE INFORMATION
Partition | Path | Table | Description |
| System | /build.prop | N/A | Device information (version, patches, etc.) |
| Userdata | /data/com.android.providers.calendar/databases/calendar.db | * | Calendar Items and Timezone information |
| Userdata | /data/com.android.providers.settings/databases/settings.db | * | Lock settings information |
| Userdata | /data/com.android.providers.settings/databases/settings.db-WAL | * | Lock settings information |
| Userdata | /data/com.android.providers.settings/databases/locksettings.db | * | Lock settings information |
| Userdata | /data/com.android.providers.settings/databases/locksettings.db-WAL | * | Lock settings information |
| Userdata | /data/com.google.android.gms/shared_prefs/Checkin.xml | N/A | Activity on device related to installed SIM (ICCID and Google Account included) |
| Userdata | /data/com.google.android.gsf/databases/gservices.db | * | Fitness settings, network settings, other settings |
| Userdata | /misc/ | N/A | Bluetooth, VPN, Wi-Fi and more |
| Userdata | /Property/persist.sys.timezone | N/A | Timezone (Up to Android 8) |
| Userdata | /Property/persistent_properties | N/A | Timezone (From Android 9) |
| Userdata | /system/*.key | N/A | Files needed for password cracking |
| Userdata | /system/device_policies.xml | N/A | Passcode requirements and policies. Syncing info may exist |
| Userdata | /system/locksettings.db | * | Lock settings information |
| Userdata | /system/locksettings.db-WAL | * | Lock settings information |
| Userdata | /system/netpolicy.xml | N/A | Timezone |
| Userdata | /system/SimCard.dat | N/A | Sim card and phone number information |
| Userdata | /system/users/0/settings_global.xml | N/A | Global settings |
| Userdata | /system/users/0/settings_secure.xml | N/A | Secure settings |
| Userdata | /system/users/0/settings_system.xml | N/A | System settings |
PASSWORDS AND ACCOUNT INFORMATION
Partition | Path | Table | Description |
| Userdata | /data/com.android.email/databases/EmailProvider.db | Account, Email AddressCache, Mailbox* | Email accounts, 3rd party app data, and messages associated with Email notifications, Email accounts, 3rd party app data, and messages associated with Email notifications |
| Userdata | /data/com.android.providers.contacts/databases/contacts2.db | accounts | Login info |
| Userdata | /data/com.android.providers.settings/* | N/A | Username and passwords |
| Userdata | /data/com.android.vending/shared_prefs/lastaccount.xml | N/A | Last account used on Google PlayStore (Android 9 and above) |
| Userdata | /data/com.google.android.gms/shared_prefs/BackupAccount.xml | N/A | Backup account email address |
| Userdata | /data/com.google.android.googlequicksearchbox/databases/app_icons.db | * | Google Account Information |
| Userdata | /data/com.google.android.googlequicksearchbox/databases/launcher.db | * | Google Account Information |
| Userdata | /data/com.google.android.googlequicksearchbox/databases/opa_history | * | Google Account Information |
| Userdata | /data/com.google.android.gsf/databases/gservices.db | * | Fitness settings, network settings, other settings |
| Userdata | /system_ce/0/accounts_ce.db | * | Additional accounts (could also be system_de or accounts_de) |
| Userdata | /system_de/0/accounts_de.db | * | Additional accounts (could also be system_de or accounts_de) |
| Userdata | /misc/wifi/softap.conf | N/A | Hotspot Passwords |
| Userdata | /misc/wifi/wpa_supplicant.conf | N/A | Wi-Fi Network Password |
| Userdata | /system/accounts*.db | * | User account information |
| Userdata | /system/sync/accounts.xml | N/A | User account information |
| Userdata | /system/users/0/0.xml | N/A | User information |
SYSTEM SETTINGS
Partition | Path | Table | Description |
| Userdata | /data/com.google.android.gms/shared_prefs/* | N/A | Preference files |
| Userdata | /data/com.google.android.gsf/databases/gservices.db | * | Fitness settings, network settings, other settings |
| Userdata | /system/recent_images/*.png | N/A | Application snapshots |
| Userdata | /system_ce/recent_images/*.png | Application snapshots | |
| Userdata | /system/users/0/settings_global.xml | N/A | Global settings |
| Userdata | /system/users/0/settings_secure.xml | N/A | Secure Settings |
| Userdata | /system/users/0/settings_system.xml | N/A | System Settings |
USER SETTINGS
Partition | Path | Table | Description |
| Userdata | /data/com.android.providers.calendar/databases/calendar.db | * | Calendar Items and Timezone information |
| Userdata | /data/com.android.providers.userdictionary/databases/user_dict.db | * | Dictionary Files (Keylogging) |
| Userdata | /data/com.google.android.gms/databases/NetworkUsage.db | * | Application, User and Location traces |
| Userdata | /data/com.google.android.gms/databases/ns.db | * | Application, User and Location traces |
| Userdata | /data/com.google.android.gms/databases/reminders.db | * | Application, User and Location traces |
| Userdata | /data/com.google.android.gsf/databases/googlesettings.db | * | Google preferences – location, maps, wallet, etc --1=true |
| Userdata | /data/com.google.android.gsf/databases/gservices.db | * | Fitness settings, network settings, other settings |
| Userdata | /data/com.sec.android.inputmethod/Swiftkey/user/dynamic.lm | N/A | Dictionary Files (Keylogging) SwiftKey folder name may vary |
COMMUNICATIONS - SMS, CALLS, EMAILS
Partition | Path | Table | Description |
| Cache | * | * | Gmail attachments, Downloads and Browser data |
| Userdata | /data/com.android.providers.contacts/databases/calllog.db | calls | Call logs (From Android 7) |
| Userdata | /data/com.android.providers.contacts/databases/contacts2.db | calls | Call logs (Up to Android 6) |
| Userdata | /data/com.android.providers.telephony/databases/mmssms.db | sms and part | SMS/MMS |
| Userdata | /data/com.google.android.apps.messaging/databases/bugle_db | * | RCS/Android Messages (refer to notebook for query) |
| Userdata | /data/com.google.android.dialer/databases/dialer.db | * | Call logs |
| Userdata | /data/com.google.android.gm/databases/<mail-name>.db | conversations and messages | Gmail snippets |
| Userdata | /data/com.google.android.gm/databases/bigTopDataDB.<user-id> | Email information | |
| Userdata | /data/com.google.android.gm/databases/EmailProvider.db | Email information | |
| Userdata | /data/com.google.android.gms/databases/icing_mmssms.db | * | SMS/MMS |
| Userdata | /data/com.google.android.gms/databases/ipa_mmssms.db | * | SMS/MMS |
| Userdata | /data/com.sec.android.provider.logsprovider/databases/logs.db | logs | Call logs |
MULTIMEDIA
Partition | Path | Table | Description |
| Userdata | /data/com.android.providers.media/databases/external*.db | * | Traces to SD card used in the device. This is stored on the phone. |
| Userdata | /data/com.android.providers.media/databases/external*.db-WAL | * | Traces to SD card used in the device. This is stored on the phone. |
| Userdata | /data/com.google.android.apps.photos/databases/gphotos0.db | local_media | Camera Photos information |
| Userdata | /data/com.samsung.cmh/databases/cmh.db | files | Camera Photo - Samsung Devices |
| Userdata | /data/com.samsung.storyservice/databases/dme.db | info | Camera Photo - Samsung Devices |
| Userdata | /data/com.samsung.visionprovider/databases/visionprovider.db | files | Camera Photo - Samsung Devices |
| Userdata | /media/ | N/A | Acts like SD card |
BROWSER ACTIVITY
Partition | Path | Table | Description |
| Cache | * | N/A | Gmail attachments, Downloads and Browser data |
| Userdata | /data/com.android.browser/app_databases/* | * | Internet History |
| Userdata | /data/com.android.browser/app_geolocation/GeolocationPermissions.db | * | Internet History |
| Userdata | /data/com.android.browser/databases/Browser.db | ||
| Userdata | /data/com.android.browser/databases/browser2.db | * | Internet History |
| Userdata | /data/com.android.browser/databases/webview.db | * | Internet History |
| Userdata | /data/com.android.browser/databases/webviewCache.db | * | Internet History |
| Userdata | /data/com.android.email/webviewCache.db | * | Internet History |
NETWORK CONNECTIONS
Partition | Path | Table | Description |
| Userdata | /data/com.android.connectivity.metrics/databases/events.db | completed_events_requests | USB, Bluetooth, NFC and other connects - Acquisition connection tracked here |
| Userdata | /data/com.google.android.gms/databases/herrevad | * | Wireless network and MAC addresses |
| Userdata | /data/com.google.android.locations/files/cache.cell | * | Cellular and WiFi |
| Userdata | /data/com.google.android.locations/files/cache.wifi | * | Cellular and WiFi |
| Userdata | /misc/wifi/WifiConfigStore.xml | N/A | Wireless network |
SYNCING ARTIFACTS
Partition | Path | Table | Description |
| Userdata | /data/com.google.android.apps.docs.editors.docs/databases/* | * | Google Docs |
| Userdata | /data/com.google.android.apps.docs.editors.sheets/databases/* | * | Google Docs |
| Userdata | /data/com.google.android.apps.docs.editors.slides/databases/* | * | Google Docs |
| Userdata | /data/com.google.android.apps.docs/databases/* | * | Google Docs |
| Userdata | /data/com.google.android.apps.genie.geniewidget/databases/newsweather.db | * | Sync activity |
| Userdata | /data/com.google.android.gms/databases/peoplelog.db | * | Sync activity - contacts |
| Userdata | /data/com.google.android.gms/shared_prefs/com.google.android.gms.auth.authzen.cryptauth.SyncManager.proximity_features.xml | N/A | Sync Activity |
| Userdata | /system/sync/accounts.xml | Synced Accounts |
LOCATION ARTIFACTS
Partition | Path | Table | Description |
| Userdata | /data/com.google.android.apps.maps/databases/da_destination_history | destination history | Maps |
| Userdata | /data/com.google.android.apps.maps/databases/gmm_storage.db | * | Search history Maps |
| Userdata | /data/com.google.android.apps.maps/databases/search_history.db | history and suggestions | Maps |
| Userdata | /data/com.google.android.apps.maps/databases/gmm_sync.db | * | Syncing |
| Userdata | /data/com.sec.android.daemonapp/db/weatherClock | * | Location artifacts |
| Userdata | /Media/0/DCIM/Camera | * | EXIF data with location info |
APPLICATION USAGE
Partition | Path | Table | Description |
| Userdata | /app/* | N/A | APK files for installed applications |
| Userdata | /dalvik-cache | N/A | .dex/.oat/.art files for installed applications |
| Userdata | /data/"Application Folder" | N/A | Application Data Files* |
| Userdata | /data/com.android.vending/databases/data_usage.db | app_data_usage | Application traces |
| Userdata | /data/com.android.vending/databases/frosting.db | frosting | Application traces |
| Userdata | /data/com.android.vending/databases/install_queue.db | install_requests | Application traces |
| Userdata | /data/com.android.vending/databases/library.db | ownership | Application traces |
| Userdata | /data/com.android.vending/databases/localappstate.db | appstate | Application traces |
| Userdata | /data/com.android.vending/databases/notification_cache | notifications | Application traces |
| Userdata | /data/com.android.vending/databases/package_verification.db | verification_cache | Application traces |
| Userdata | /data/com.android.vending/databases/suggestions.db | suggestions | Application traces |
| Userdata | /data/com.android.vending/databases/verify_apps.db | * | Application traces |
| Userdata | /data/com.google.android.gms/databases/config.db | main | Application traces |
| Userdata | /data/com.google.android.gms/databases/gass.db | app_info | Application traces |
| Userdata | /data/com.google.android.gms/databases/gcm_registrar.db | packages | Application traces |
| Userdata | /data/com.google.android.gms/databases/google_app_measurement.db | * | Application traces |
| Userdata | /data/com.google.android.gms/shared_prefs/batterystats.xml | N/A | Battery Usage Stats - Contains Application Usage information |
| Userdata | /data/com.google.android.googlequicksearchbox/* | N/A | Google App searches, installed applications and more |
| Userdata | /data/com.samsung.android.providers.context.databases.ContextLog_0.db | * | Application traces (Samsung devices) |
| Userdata | /data/com.sec.android.app.launcher/databases/launcher.db | N/A | Application artifacts (even after deleted) |
| Userdata | /data/data/com.google.android.gms/files/batterystatsdumpsystask.gz | N/A | Battery Usage Stats - Contains Application Usage information |
| Userdata | /system/appops.xml | N/A | Application permissions |
| Userdata | /system/batterystats.bin | N/A | Battery Usage Stats - Contains Application Usage information |
| Userdata | /system/batterystats-checkin.bin | N/A | Battery Usage Stats - Contains Application Usage information |
| Userdata | /system/batterystats-daily.xml | N/A | Battery Usage Stats - Contains Application Usage information |
| Userdata | /system/dmappmgr.db | N/A | Application Usage |
| Userdata | /system/job/jobs.xml | N/A | Application Usage |
| Userdata | /system/notification_log.db | N/A | Application notifications |
| Userdata | /system/packages.list | N/A | Application permissions and metadata |
| Userdata | /system/packages.xml | N/A | Application permissions |
| Userdata | /system/usagestats/0/* | N/A | Application Usage Stats |
| Userdata | /system/users/0/app_idle_stats.xml | N/A | Application Usage |
| Userdata | /system_ce/0/recent_images/*.png | N/A | Application snapshots |
| Userdata | /system_ce/0/recent_tasks/*.xml | N/A | Recent Tasks |
NATIVE APPLICATIONS
Partition | Path | Table | Description |
| Userdata | /data/com.android.providers.calendar/databases/calendar.db | * | Calendar Items |
| Userdata | /data/com.android.providers.contacts/databases/contacts2.db | contacts and raw contacts | Contacts |
| Userdata | /data/com.android.providers.contacts/databases/contacts2.db | calls | Call Logs |
| Userdata | /data/com.android.providers.contacts/databases/calllog.db | calls | Call Logs |
| Userdata | /data/com.android.providers.downloads/databases/downloads.db | * | Downloads |
| Userdata | /data/com.google.android.gms/databases/icing_contacts.db | * | Contacts |
| Userdata | /data/com.google.android.gms/databases/icing_mmssms.db | MMS/SMS | |
| Userdata | /data/com.google.android.gms/databases/ipa_mmssms.db | * | MMS/SMS |
| Userdata | /data/com.google.android.gms/databases/android_pay | wallet | Android Pay |
| Userdata | /data/com.google.android.gms/databases/pluscontacts.db | * | Google+ Contacts |
Файл вложения "poster.pdf" это for585.com/poster SANS The Most Relevant Evidence per Gigabyte
и не только ;-)
Дополнительный ресурс с материалами и примерами Android Forensics References -> USERDATA Partition (Last update: September 6th 2022)
Последнее редактирование:
