When trying to determine if the device was in use as part of our investigation, we can simply look at overall datetime stamps, look for application usage, or think outside the box. Here, that is what we are doing. We are trying to see that the SIM card was leveraged and, even better, which number was in use at that time. Additionally, we can track times associated to SIM card check-ins, which essentially ensures the SIM is still active and usable.   If the phone is rebooted and the SIM is not in the device, you will notice the occurrence in check.xml. If you cannot location simcard.dat on the device, make sure to look for the following:

/data/data/com.google.android.gms/databases/MdpSimBasedDatabase
/data/data/com.google.android.gms/databases/constellation.db

Both files contain SIM card information, verified on Android 10. These files are likely to be found on Android 11 and 12.

In Android 11 and 12 replaces the file USERDATA/misc/wifi/softap.conf  seen in Android 10 and below with /USERDATA/apexdata/com.android.wifi/. This file is regular XML (non-ABX) and contains BSSID and password for phone tethering capabilities.

The databases stored in the com.google.android.gms/databases directory are used to track network activity to include cellular and Wi-Fi. It’s impressive what we can uncover if we are willing to dig!

USERDATA/data/com.google.android.gms/databases/

  •  NetworkUsage.db > Table of Interest: network_raw_entry

  •  ns.db > Table of Interest: pending_ops

  •  Herrevad > Tables of Interest: local_reports and lru_table