One of the first things you should verify in regard to location information is if the user has location services enabled on their device. These settings are saved in the googlesettings.db in USERDATA/data/com.google.android.gsf/databases/. Here, if you see the value of 1 for “use_location_for_services,” then you can state that the user has location information enabled on their device.

Once we have established that, the floodgates have opened. Everything we discussed in earlier sections can be applied, but what if you still aren’t finding what you need. What if the user cleared their location history? Other files may help you. Files like cache.cell and cache.wifi may aid if you have a rooted device or full access to the device via physical acquisition.

Browser data may include location information that the user doesn’t realize. Here we see that the user has a last name of Mahalik and is staying in room 226. This was autosaved by Chrome but could exist in any browser installed on the Android. Chances are this is the user logging into the hotel’s Wi-Fi, so I would examine the timestamps and attempt to associate that to a Wi-Fi connection to cement the user being in that location at a specific date and time.

The database found in /data/system/wifigeofence.db is only on Samsung devices and keeps a record of BSSID's, last connection times, and lat/long.