Applications can be installed on a device and then never used. Proving use is sometimes the hardest part of a smartphone investigation. The timestamps in each application directory should reflect when the application was installed and used. Application usage traces may also exist in the following files:
• USERDATA/system/usagestats/0/<various directories>/*.xml (multiple files exist)
• USERDATA/data/com.sec.android.app.launcher/databases/launcher.db
• USERDATA/data/com.samsung.android.providers.context/databases/ContextLog_0.db
• USERDATA/system/users/0/app_idle_stats.xml
• USERDATA/data/com.android.vending/databases/frosting.db
• USERDATA/system/notification_log.db
• USERDATA/data/com.google.android.apps.wellbeing/databases/app_usage
• /USERDATA/data/com.google.android.gms/databases/cast.db - Contains info about discovered Cast devices
    • Table = DeviceInfo
        • Friendly name
        • Model
        • LAN IP address
Although the data in these folders is not limited to application information, remnants found there may support your other findings. One database of interest is downloads.db, located at USERDATA/data/com.android.providers.downloads/databases. The table of interest is “downloads,” which will contain the name of the .jar, the method used for downloading, “hints” on what the application was, where the download was stored, and more. Some items in this table may be encrypted.
Another database, which retains information about applications that have been removed from the device, is launcher.db, located at USERDATA/data/com.sec.android.app.launcher/databases. The tables “appOrder” and “favorites” contain application information even after the application was deleted from the device. The last four files shown in the paths above will be discussed in the upcoming slides.
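An added example, not part of the original material: this Python script locates launcher.db and downloads.db by file name anywhere in an extraction and searches the tables named above for a package name in any column, so that leftover rows for a removed application can be tied to a table and column. The column names, package names and sample database are constructed for the demonstration, and the assumption is that real schemas differ between devices and versions, which is why no column names are hard-coded.

```python
import sqlite3, tempfile
from pathlib import Path

# Database file name -> tables, as named in the text above.
TABLES = {"launcher.db": ("appOrder", "favorites"), "downloads.db": ("downloads",)}

def find_databases(root):
    """Match on file name anywhere in the extraction, not on a fixed path."""
    return sorted(p for p in Path(root).rglob("*.db") if p.name in TABLES)

def search_db(db_path, needle):
    """Return (table, column, row) for each cell that contains needle."""
    hits = []
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only open of a working copy
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    try:
        present = {r[0].lower() for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        for table in TABLES[Path(db_path).name]:
            if table.lower() not in present:
                continue  # table absent in this build of the database
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col in row.keys():
                    val = row[col]
                    if isinstance(val, bytes):  # blobs may still hold readable text
                        val = val.decode("utf-8", "replace")
                    if isinstance(val, str) and needle.lower() in val.lower():
                        hits.append((table, col, dict(row)))
    finally:
        con.close()
    return hits

def build_sample(root):
    """Constructed launcher.db; the column names here are hypothetical."""
    db = Path(root, "data", "com.sec.android.app.launcher", "databases", "launcher.db")
    db.parent.mkdir(parents=True)
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE favorites (title TEXT, intent TEXT)")
    con.execute("CREATE TABLE appOrder (componentName TEXT)")
    con.execute("INSERT INTO favorites VALUES ('Chat', 'component=com.example.chat/.Main')")
    con.execute("INSERT INTO appOrder VALUES ('com.example.notes/.Main')")
    con.commit(); con.close()
    return db

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print([search_db(db, "com.example.chat") for db in find_databases(tmp)])
```

A hit only shows that a row mentioning the package survives; correlate it with the directory timestamps and the usage files listed above before concluding the application was used.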
Another file of interest is app_idle_stats.xml, located at USERDATA/system/users/0. We recommend searching for the file name to ensure the file isn’t overlooked on devices that have Secure Boot or multiple users. If this file is available, it provides information on application usage and tracks how long the application has been idle. The time format shown above is the Android chronometer time format, which essentially works like a stopwatch tracking time. [1]
Reference:
[1] https://for585.com/chronometer