AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Android

See below for a list of Android Tools.

ToolDescription
ALEAPPALEAPP - Android Logs Events And Protobuf Parser - ALEAPP - Android Logs Events And Protobuf Parser

See below for a list of Android Artifacts.

Artifact or ProcessResource
7bit PDU7bit PDU (GSM-7)
ABX file formatAndroid ABX - Binary XML
AndroidAndroid version without the build.props file
AndroidIdentifying the Android Operating System Version thru UsageStats
AndroidCorroboration. That Is All.
Android - AccountsInvestigating Android Accounts
Android - BluetoothHow Android Bluetooth Connections Can Determine If The Hands of a Driver Were On The Wheel During An Accident
Android - BluetoothTurbo Strikes Again - Tracking Bluetooth Device Battery
Android - BluetoothAndroid Bluetooth Connection Configuration
Android - cast.db An Android Casting (Device) Story: "cast.db"
Android - ContactsInvestigating Android Contacts
Android - Deleted Samsung AppsAndroid - Samsung Traces of Deleted Apps
Android - Device Health Services Turbo Pt. 3 - Device Health Services Application Usage
Android - Device MigrationAndroid - Tracking Device Migration
Android - Device Personalization ServicesWalking the Android (time)line Part 2 – Using Android’s Device Personalization Services to timeline user activity
Android - Digital WellbeingWalking the Android (time)line. Using Android’s Digital Wellbeing to timeline Android activity.
Android - Digital WellbeingInvestigating Android Digital Wellbeing
Android - DownloadsInvestigating Android Downloads
Android - external.dbAndroid’s external.db – Everything Old Is New Again
Android - Factory ResetsWipeout! Detecting Android Factory Resets
Android - Gallery ImgcacheA Timestamp Seeking Monkey Dives Into Android Gallery Imgcache
Android - IMOInvestigating Android IMO
Android - Installed ApplicationsInvestigating Android Installed Applications
Android - Mobile TelephonyGeodata & Mobile Telephony Artifacts in 3rd-Party Android Apps: Recreating User Travel Patterns
Android - Nearby ShareNearby Share – AirDrop for Android (Return of the Unsolicited Richard Photograph)
Android - Now Playing HistoryGoogle Pixel Now Playing History
Android - PermissionsAndroid - Roles and Permissions (Android 10/11)
Android - PermissionsAndroid’s “Dangerous” Permissions
Android - PlaystoreInvestigating Android Playstore Search History
Android - Recent TasksAndroid Recent Tasks XML Parser
Android - Samsung Predictive TextAndroid - Predictive text exclusions in Samsung devices
Android - SMSInvestigating Android SMS
Android - Turbo.db Charging Battery with Turbo DB
Android - Unsupported ArtifactsMobile Forensics: Discovering the Undiscovered
Android - Usagestats XMLAndroid Usagestats XML Parser
Android - Video ThumbnailsVideo Thumbnails ".lvl" Found on Android Devices
Android 10Android 10 Image - The Binary Hick/DigitalCorpora
Android 10 - UsagestatsUsagestats on Android 10 (Q)
Android 11Android 11 Image with Documentation - The Binary Hick
Android 12Android 12 Image Now Available! - The Binary Hick
Android 13 ImageAndroid 13 Image Now Available - Binary Hick
Android 7, 8, and 9Public Android Images - The Binary Hick
Android AcquisitionData Extraction Cheatsheet
Android AcquisitionThe Investigator’s Guide to Android Acquisition Methods. Part I: Device
Android AcquisitionHow to Acquire Digital Evidence with Android Screen Capturer in Belkasoft X
Android AcquisitionMobile Forensic Images and Acquisition Priorities
Android Forensic MethodologyAndroid Analysis Quickstart - Vishal Thakur
Android Health DataThe State of Android Health Data (Part 1) – Garmin - Binary Hick and Part 2 - Google Fit
Android MalwareExamining A Malware-Infected Android Phone. This Android Is Not Alright. - The Binary Hick
Android ResetWipeout! Detecting Android Factory Resets - Joshua Hickman
Android UnlockingAndroid: Unlock and Rooting
Android Versions/FlavorsDifferent Android Flavors and Forensic Processing - Paraben Corporation
APK DowngradeManually APK Downgrade for split APKs - Pieces0310 and The impact of Android 12
Application ExecutionHas the user ever used the XYZ application? aka traces of application execution on mobile devices
ARTEMISARTEMIS - Android support for APOLLO
AVG Photo Vault Decrypting the 'AVG' Photo Vault - The Incidental Chew Toy
BadooFinding Badoo chats in Android using SQL queries and the MAGNET App Simulator
BumbleThe Bots are Buzzing - Bumble on Android - Stark4N6
Calculator Photo VaultApp Review of Calculator Photo Vault
Calculator Vault AppsDecrypting the ‘Calculator’ App(s) and Decrypting ‘LOCKED Secret Calculator Vault’
CCleanerQuick DFIR review - CCleaner for Android
Chess.com Decoding Chess.com - Kibaffo33
CitymapperForensic Analysis of Citymapper for Android - Andy Smith
Device Health ServicesTurbo Speed: Parsing Device Health Services from Google - Kevin Pagano
DiscordDiscord Android App Review - DFIR
DiscordDiscord Forensics
DJI Fly Android - DJI Fly & The Pesky Problem of Preferences
Dual SIM PhonesMo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs - Binary Hick
Facebook MessengerInvestigating Android Facebook Messenger
Files By Google Files By Google: More Mobile Explorer Artifacts
Firefox FocusLocal Storage - Firefox Focus Privacy Browser Artifacts in Android
Flud Torrent DownloaderTorrent Applications in Android - Flud Torrent Downloader
Forensic ReferencesAndroid Forensics References - Mattia Epifani
GarminThe State of Android Health Data (Part 1) – Garmin
Garmin ConnectGabbing about Garmin Connect for Android - Stark4n6
Gboard & ClipboardGboard and Clipboard History - Stark4N6
Gboard Session DataOMGboard - Kibaffo
GmailInvestigating Android Gmail
Google AssistantGoogle Assistant Butt Dials (aka Accidental & Canceled Invocations)
Google AssistantGoogle Search & Personal Assistant data on Android
Google Call Screen May I Ask Who's Calling - Google Call Screen
Google Docs Google Docs - Cello & DocList DBs
Google Duo Google Duo - Android & iOS Forensic Analysis
Google FitThe State of Android Health Data (Part 2) – Google Fit - Binary Hick
Google KeepGoogle Keep - Notes and Lists: Mobile Artifacts
Google MapsFinding Phones With Google Maps Part 1 (Android)
Google Maps - Android 12At the roundabout, take the second exit…
Google Photos Dumpster Diving in Google Photos Android App: "local_trash.db"
Google Tasks Google Tasks - Android Forensics analysis
Google Voice Search (via Google Takeout)Parsing Google Voice Search - Campaign Cybersecurity
GroupMeInvestigating Android GroupMe - Forensafe
HealthMate App HealthMate on Android Part 1 - Users, Messages, Devices
HealthMate App HealthMate on Android Part 2 - Activities
HealthMate App HealthMate on Android Part 3 - Heart Rate, GPS, Steps
Huawei - ExtractionPractical Guide to Huawei Device Extraction in UFED
InstagramInvestigating Android Instagram
JamiForensic Analysis of Jami for Android, a Peer-to-Peer Messaging Application - DFLim
Kik MessengerMobile Forensics on Kik Messenger - Leahy Center for Digital Forensics and Cybersecurity
LA FitnessQuick DFIR review - LA Fitness Android app
Last SIMInvestigating Android Last SIM
Launcher.dbRecreate Android apps, folders, and widget screen positions from a forensic extraction
LG - MPTMPT – LG’s incognito version of KnowledgeC
Life360Analyzing Life360 on Android
MastodonThawing the Ice Age - Mastodon on Android - Stark4N6
Mega's megapreferencesDecrypting Mega’s megaprefences Sqlite Database - AskClees
Microsoft RDPAndroid Remote Desktop Apps - Microsoft RDP
Microsoft Surface DuoRooting Microsoft Surface Duo - CyberSocialHub
Microsoft TranslatorMicrosoft Translator - Android DFIR App Review
Mozilla Firefox Web History, Visits, Bookmarks & Search Terms, Downloads, Top Sites & Recently Closed Tabs, and Cookies, Permissions & Form History - Stark4n6
Nanbox MessengerApp Nandbox Messenger on Android
Nike RunAndroid Nike Run app - Geolocation, SQLite views & self joins
Privacy Dashboard - Android 12Snooping on Android 12’s Privacy Dashboard - The Binary Hick
PrivateSpaceNot so private: extracting data from PrivateSpace
ProtobufsParsing unknown protobufs with python
ProtonMailProtonMail
Qualcomm - EDL ModeMastering EDL Mode
Qualcomm - EDL Test PointsMastering EDL Test Points
QuickPicQuickPic for Android - Don't forget external/emulated storage!
Samsung Bluetooth Call RoutesRoad Trippin’ – Exploring Bluetooth Call Routes on Samsung Phones
Samsung Galaxy Smart Watch4Exploring The Samsung Galaxy Watch4 Smartwatch - Cyberspaghetti
Samsung Gallery3d TrashMike & the Monkey Dumpster Dive Into Samsung Gallery3d App Trash
Samsung My FilesAndroid - Samsung My Files App
Samsung Power EventsDeRR.p. Investigating Power Events on Samsung Devices
Samsung Power Off Reset LogsSamsung Power Off Reset Logs
Samsung Smart Switch Android - Samsung Smart Switch // iOS Transfer Artifacts
Secret Calculator Photo VaultDecrypting 'Secret Calculator Photo Vault' - The Incidental Chew Toy
Session Session On Android – An App Wrapped in Signal - The Binary Hick
SetupWizardWipeout! Part Deux – Determining How an Android Was Setup - The Binary Hick
Shutdown CheckpointsShutdown Checkpoints in Android 12
SignalObtain a logical dump of Signal data on Android with signal-back
SignalDecrypting Signal DB for Android
SignalInvestigating Signal with ArtiFast Signal
SKOUTApp SKOUT on Android
SkypeAndroid Call Logs
SkypeSkype on Android - Images in Web Cache
SlackFinding Slack app messages in Android and using json_extract to do it.
SnapchatSnapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone
SnapchatTwo Snaps and a Twist – An In-Depth (and Updated) Look at Snapchat on Android
SnapchatInvestigating Android Snapchat App
SnapseedMobile Forensics — Analyzing Snapseed on Android - Veeraj Modi
SygicInvestigating Android Sygic - Forensafe
SystemPanel2Android SystemPanel2 - App usage tracking
TeamViewer Remote ControlAndroid Remote Desktop Apps - TeamViewer Remote Control
TelegramTelegram Forensics: Getting Started
TIA Portal Investigating an engineering workstation - Part 1 - NVISO Labs and Part 2
TikTokFinding TikTok messages in Android
TikTokInvestigating Android TikTok - Forensafe
TileAndroid - Locating Location Data: The Tile App
Tor ThumbnailsAndroid Tor Browser Thumbnails. What?
ToxAnalysis of Antox - Android Tox App
Tusky (Mastodon Client)Thawing the Ice Age Pt. 2 - Tusky on Android - Stark4N6
uTorrentInvestigating Android uTorrent Application - Forensafe
VaultyDecoding Vaulty - Kibaffo33
VenmoVenmo. The App for Virtual Ballers.
ViberInvestigating Android Viber
Video Player Apps (VLC, MX Player, Archos, Plex, LocalCast)Was the video played? - Android video player apps
Wear OSClockin’ In with Google’s Wear OS - The Binary Hick
WhatsAppWhatsApp - Images and Messages - An overview - BeBinary4n6
WhatsAppWhatsApp messages in Non-Rooted Android Devices - gforce4n6
WhatsAppNew msgstore – Who ‘Dis? A Look At An Updated WhatsApp On Android - The Binary Hick
WhatsAppForensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android
WhatsAppInvestigating Android WhatsApp
WhatsAppAndroid WhatsApp Forensics. Part I: Acquisition
WhatsAppAndroid WhatsApp Forensics. Part II: Analysis
WickrWickr. Alright. We’ll Call It A Draw. - The Binary Hick
Wi-Fi Investigating Android Wi-Fi Information - Forensafe
Yandex MailInvestigating Android Yandex Mail - Forensafe