Mobile forensics is one of the fastest growing digital forensics disciplines. This is due to the rapid growth in mobile phone usage. One of the most significant breakthroughs in the development of the mobile phone industry is the emergence of Android smartphones.
Android phones and other smartphones are bundled with a complete operating system that lets users interact with many services, covering both data and voice. The interesting area of Android forensics involves the acquisition of data from smartphones and its subsequent analysis. Throughout the investigation process it is important to have a broad knowledge of the platform in use and of the SQLite files used to store data.
A thorough understanding of Android SQLite database forensics will assist a forensic investigator through the successful investigation and analysis of an Android device.
Main locations of digital evidence on an Android device
Some of the important locations where evidence can be collected are described below, with the file names and the corresponding paths where each resides.
Contacts Details:
The user's contact details can be acquired for analysis from any Android device. This helps the investigator identify the persons the suspect has been in contact with. The location of this file is
/data/data/com.android.providers.contacts/databases/contacts.db
Text Messages:
Information about the messaging apps, including text message data and shared media, can be analyzed from the directory file. The location of the directory file is
/data/data/com.android.providers.telephony/databases/directory
Call History:
The call history of the suspect's phone provides major evidence supporting the investigation process. Call history and related information are recorded in the system SQLite files. These details can be acquired from
/data/data/com.android.providers.contacts/databases/contacts.db
WhatsApp Contents:
WhatsApp is the most common instant messenger supported on all Android smartphones, which makes it especially valuable to an investigator. The database files from WhatsApp messenger reside in the Documents folder. The two SQLite files of value for artifact collection from WhatsApp are msgstore.db and wa.db. The former contains details of chat conversations between the user and their contact list; the latter stores information from the user's contacts. These SQLite files can be located at
/data/data/com.whatsapp/databases/msgstore.db
/data/data/com.whatsapp/databases/wa.db
The msgstore.db contains two tables: messages and chat_list. The messages table contains a list of all messages that a user has sent to or received from his/her contacts. WhatsApp stores contact phone numbers, messages, timestamps, and other details, including attachment and multimedia details, in these files. Recovering this information from the SQLite database assists the investigator in the digital investigation.
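The following is an added example, not part of the original post, showing how an examiner would pull messages with readable UTC timestamps out of a working copy of msgstore.db while proving the copy was not altered. The table names (messages, chat_list) come from the post; the column layout is an assumption constructed for this example and differs between real WhatsApp versions, so the database it reads is built inline.

```python
import datetime, hashlib, os, sqlite3, tempfile

# Constructed stand-in for msgstore.db: table names from the article,
# column layout assumed for this example (real schemas vary by version).
SAMPLE_SCHEMA = """
CREATE TABLE chat_list (_id INTEGER PRIMARY KEY, key_remote_jid TEXT);
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY,
    key_remote_jid TEXT,   -- contact the chat is with
    key_from_me INTEGER,   -- 1 = sent by device owner, 0 = received
    data TEXT,             -- message body (NULL for pure media messages)
    timestamp INTEGER,     -- milliseconds since the Unix epoch
    media_name TEXT);      -- attachment file name, if any
INSERT INTO chat_list VALUES (1, '15551230001@s.whatsapp.net');
INSERT INTO messages VALUES
  (1, '15551230001@s.whatsapp.net', 0, 'meet at 9', 1420070400000, NULL),
  (2, '15551230001@s.whatsapp.net', 1, 'ok',        1420070460000, NULL),
  (3, '15551230001@s.whatsapp.net', 0, NULL,        1420070520000, 'IMG-0001.jpg');
"""

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def extract_messages(path):
    # Open the evidence copy read-only so the examination cannot alter it.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = con.execute("""
        SELECT m.key_remote_jid, m.key_from_me, m.data, m.timestamp, m.media_name
        FROM messages m JOIN chat_list c ON c.key_remote_jid = m.key_remote_jid
        ORDER BY m.timestamp""").fetchall()
    con.close()
    result = []
    for jid, from_me, body, ts_ms, media in rows:
        # WhatsApp-style millisecond epoch -> human-readable UTC time
        when = datetime.datetime.fromtimestamp(ts_ms / 1000, datetime.timezone.utc)
        result.append({"contact": jid.split("@")[0],
                       "direction": "sent" if from_me else "received",
                       "body": body if body is not None else f"<attachment {media}>",
                       "time_utc": when.strftime("%Y-%m-%d %H:%M:%S")})
    return result

def examine_sample():
    # Build the constructed database, hash it, extract, then re-hash to
    # confirm the read-only examination left the file byte-for-byte intact.
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "msgstore.db")
        con = sqlite3.connect(db)
        con.executescript(SAMPLE_SCHEMA)
        con.close()
        before = sha256_of(db)
        msgs = extract_messages(db)
        return msgs, before == sha256_of(db)
```

Calling examine_sample() returns the message list in chronological order together with a flag confirming the file hash was unchanged by the examination.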
Viber Messages:
Viber is also an instant messenger commonly used around the globe, so analysis of Viber likewise yields major evidence in Android forensics. The two main SQLite files where Viber artifacts reside are viber_data and viber_messages. These include major evidence regarding images and videos sent or received through Viber, sent or received messages, stickers, contacts and other activities carried out through Viber. The location of these files is
/data/data/com.viber.voip/databases/
Browsing History:
The SQLite file browser.db can be analyzed for Android browsing details. It holds all details including search history, usernames, web history, URLs, passwords etc. The location of this file is
/data/data/com.android.browser/databases/browser.db
Google App Details:
The file accounts.db holds details of all the Google app accounts, including account credentials in encrypted format. Usernames and passwords can be recovered from this file. The location of this file is
/data/data/com.google.android.googleapps/databases/accounts.db
GPS Location:
geolocation.db is another file relevant to digital investigators. It holds the last known location travelled to by the suspect, which sometimes helps in tracing the location of a crime. The SQLite file resides in
/data/data/com.android.browser/gears/geolocation.db
Google Maps:
The Google Maps database stores all search history and other details, including the keywords searched, in its SQLite files. This helps the digital investigator trace the locations through which the suspect travelled and thereby collect evidence. The location of the search history file is
/data/data/com.google.android.apps.maps/databases/search_history.db
Observations
Android SQLite database forensics is gaining importance in this fast growing mobile world. Most individuals own an Android phone, and it becomes part of their day to day activities, knowingly or unknowingly. Analyzing the Android SQLite files therefore reveals much of the evidence needed for a digital forensic investigation.