AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Android

Android Artifacts

Artifact or Process | Resource
7bit PDU | 7bit PDU (GSM-7)
ABX file format | Android ABX - Binary XML
Android | Android version without the build.props file
Android | Identifying the Android Operating System Version thru UsageStats
Android | Corroboration. That Is All.
Android - Bluetooth | How Android Bluetooth Connections Can Determine If The Hands of a Driver Were On The Wheel During An Accident
Android - Bluetooth | Turbo Strikes Again - Tracking Bluetooth Device Battery
Android - Bluetooth | Android Bluetooth Connection Configuration
Android - cast.db | An Android Casting (Device) Story: "cast.db"
Android - Deleted Samsung Apps | Android - Samsung Traces of Deleted Apps
Android - Device Health Services | Turbo Pt. 3 - Device Health Services Application Usage
Android - Device Migration | Android - Tracking Device Migration
Android - Device Personalization Services | Walking the Android (time)line Part 2 – Using Android’s Device Personalization Services to timeline user activity
Android - Digital Wellbeing | How to Find User Activity Using the Digital Wellbeing Native App
Android - Digital Wellbeing | Walking the Android (time)line. Using Android’s Digital Wellbeing to timeline Android activity.
Android - external.db | Android’s external.db – Everything Old Is New Again
Android - Factory Resets | Wipeout! Detecting Android Factory Resets
Android - Gallery Imgcache | A Timestamp Seeking Monkey Dives Into Android Gallery Imgcache
Android - Mobile Telephony | Geodata & Mobile Telephony Artifacts in 3rd-Party Android Apps: Recreating User Travel Patterns
Android - Nearby Share | Nearby Share – AirDrop for Android (Return of the Unsolicited Richard Photograph)
Android - Now Playing History | Google Pixel Now Playing History
Android - Permissions | Android - Roles and Permissions (Android 10/11)
Android - Permissions | Android’s “Dangerous” Permissions
Android - Recent Tasks | Android Recent Tasks XML Parser
Android - Samsung Predictive Text | Android - Predictive text exclusions in Samsung devices
Android - Turbo.db | Charging Battery with Turbo DB
Android - Unsupported Artifacts | Mobile Forensics: Discovering the Undiscovered
Android - Usagestats XML | Android Usagestats XML Parser
Android - Video Thumbnails | Video Thumbnails ".lvl" Found on Android Devices
Android 10 | Android 10 Image - The Binary Hick/DigitalCorpora
Android 10 - Usagestats | Usagestats on Android 10 (Q)
Android 11 | Android 11 Image with Documentation - The Binary Hick
Android 12 | Android 12 Image Now Available! - The Binary Hick
Android 7, 8, and 9 | Public Android Images - The Binary Hick
Android Health Data | The State of Android Health Data (Part 1) – Garmin - Binary Hick and Part 2 - Google Fit
Android Malware | Examining A Malware-Infected Android Phone. This Android Is Not Alright. - The Binary Hick
APK Downgrade | Manually APK Downgrade for split APKs - Pieces0310 and The impact of Android 12
ARTEMIS | ARTEMIS - Android support for APOLLO
AVG Photo Vault | Decrypting the 'AVG' Photo Vault - The Incidental Chew Toy
Badoo | Finding Badoo chats in Android using SQL queries and the MAGNET App Simulator
Calculator Photo Vault | App Review of Calculator Photo Vault
Calculator Vault Apps | Decrypting the ‘Calculator’ App(s) and Decrypting ‘LOCKED Secret Calculator Vault’
CamScanner | Deep Dive into CamScanner — Android
CCleaner | Quick DFIR review - CCleaner for Android
Chess.com | Decoding Chess.com - Kibaffo33
Citymapper | Forensic Analysis of Citymapper for Android - Andy Smith
Discord | Discord Android App Review - DFIR
Discord | Discord Forensics
DJI Fly | Android - DJI Fly & The Pesky Problem of Preferences
Files By Google | Files By Google: More Mobile Explorer Artifacts
Firefox Focus | Local Storage - Firefox Focus Privacy Browser Artifacts in Android
Flud Torrent Downloader | Torrent Applications in Android - Flud Torrent Downloader
Garmin | The State of Android Health Data (Part 1) – Garmin
Gboard Session Data | OMGboard - Kibaffo
Google Assistant | Google Assistant Butt Dials (aka Accidental & Canceled Invocations)
Google Assistant | Google Search & Personal Assistant data on Android
Google Call Screen | May I Ask Who's Calling - Google Call Screen
Google Docs | Google Docs - Cello & DocList DBs
Google Duo | Google Duo - Android & iOS Forensic Analysis
Google Fit | The State of Android Health Data (Part 2) – Google Fit - Binary Hick
Google Keep | Google Keep - Notes and Lists: Mobile Artifacts
Google Maps - Android 12 | At the roundabout, take the second exit…
Google Photos | Dumpster Diving in Google Photos Android App: "local_trash.db"
Google Tasks | Google Tasks - Android Forensics analysis
Google Voice Search (via Google Takeout) | Parsing Google Voice Search - Campaign Cybersecurity
HealthMate App | HealthMate on Android Part 1 - Users, Messages, Devices
HealthMate App | HealthMate on Android Part 2 - Activities
HealthMate App | HealthMate on Android Part 3 - Heart Rate, GPS, Steps
Huawei - Extraction | Practical Guide to Huawei Device Extraction in UFED
LA Fitness | Quick DFIR review - LA Fitness Android app
Launcher.db | Recreate Android apps, folders, and widget screen positions from a forensic extraction
LG - MPT | MPT – LG’s incognito version of KnowledgeC
Mega's megapreferences | Decrypting Mega’s megaprefences Sqlite Database - AskClees
Microsoft RDP | Android Remote Desktop Apps - Microsoft RDP
Microsoft Surface Duo | Rooting Microsoft Surface Duo - CyberSocialHub
Microsoft Translator | Microsoft Translator - Android DFIR App Review
Mozilla Firefox | Web History, Visits, Bookmarks & Search Terms, Downloads, Top Sites & Recently Closed Tabs, and Cookies, Permissions & Form History - Stark4n6
Nanbox Messenger | App Nandbox Messenger on Android
Nike Run | Android Nike Run app - Geolocation, SQLite views & self joins
Privacy Dashboard - Android 12 | Snooping on Android 12’s Privacy Dashboard - The Binary Hick
PrivateSpace | Not so private: extracting data from PrivateSpace
Protobufs | Parsing unknown protobufs with python
ProtonMail | ProtonMail
Qualcomm - EDL Mode | Mastering EDL Mode
Qualcomm - EDL Mode | It’s as easy as EDL
Qualcomm - EDL Test Points | Mastering EDL Test Points
QuickPic | QuickPic for Android - Don't forget external/emulated storage!
Samsung Galaxy Smart Watch4 | Exploring The Samsung Galaxy Watch4 Smartwatch - Cyberspaghetti
Samsung Gallery3d Trash | Mike & the Monkey Dumpster Dive Into Samsung Gallery3d App Trash
Samsung My Files | Android - Samsung My Files App
Samsung Power Off Reset Logs | Samsung Power Off Reset Logs
Samsung Smart Switch | Android - Samsung Smart Switch // iOS Transfer Artifacts
Secret Calculator Photo Vault | Decrypting 'Secret Calculator Photo Vault' - The Incidental Chew Toy
Shutdown Checkpoints | Shutdown Checkpoints in Android 12
Signal | Obtain a logical dump of Signal data on Android with signal-back
Signal | Decrypting Signal DB for Android
Signal | Investigating Signal with ArtiFast Signal
SKOUT | App SKOUT on Android
Skype | Skype on Android - Images in Web Cache
Slack | Finding Slack app messages in Android and using json_extract to do it.
SnapChat | Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone
SnapChat | Gone in 10 Seconds Snapchat Forensics
SnapChat | Two Snaps and a Twist – An In-Depth (and Updated) Look at Snapchat on Android
Snapseed | Mobile Forensics — Analyzing Snapseed on Android - Veeraj Modi
SystemPanel2 | Android SystemPanel2 - App usage tracking
TeamViewer Remote Control | Android Remote Desktop Apps - TeamViewer Remote Control
TIA Portal | Investigating an engineering workstation - Part 1 - NVISO Labs and Part 2
TikTok | Finding TikTok messages in Android
Tile | Android - Locating Location Data: The Tile App
Tor Thumbnails | Android Tor Browser Thumbnails. What?
Tox | Analysis of Antox - Android Tox App
Vaulty | Decoding Vaulty - Kibaffo33
Venmo | Venmo. The App for Virtual Ballers.
Video Player Apps (VLC, MX Player, Archos, Plex, LocalCast) | Was the video played? - Android video player apps
Wear OS | Clockin’ In with Google’s Wear OS - BinaryHick
WhatsApp | WhatsApp - Images and Messages - An overview - BeBinary4n6
WhatsApp | WhatsApp messages in Non-Rooted Android Devices - gforce4n6
WhatsApp | New msgstore – Who ‘Dis? A Look At An Updated WhatsApp On Android - The Binary Hick
Wickr | Wickr. Alright. We’ll Call It A Draw. - The Binary Hick

Android Tools

Coming soon….