Friday, July 26, 2019

Android - Samsung Traces of Deleted Apps

Short version

The following Android application artifacts were presented as part of the Traces of Deleted Apps presentation by Christopher Vance and Alexis Brignoni at the SANS DFIR Summit 2019 in Austin, Texas on July 26, 2019. Presentation slides will be available at sans.org/summit-archives.
  • Samsung Members - Keeps a list of each app's display name, package name, whether it is a system app, and last used time in the following location, database, and -> table:
data/com.samsung.oh/databases/com_pocketgeek_sdk_app_inventory.db -> android_app
The app also keeps information on the following events: type (network, install, power, alerts), type values, and creation time. These are kept in the following location, database, and -> table:
data/com.samsung.oh/databases/com_pocketgeek_sdk.db -> device_events
  • Samsung Smart Manager - Keeps a list of apps that have crashed during use. These are kept in the following location, database, and -> tables:
data/com.samsung.android.sm/databases/sm.db -> crash_info, excluded_app
The app also keeps a list of app usage times, including package name, class name, start time, and end time. These are kept in the following location, database, and -> table:
data/com.samsung.android.sm/databases/lowpowercontext-system-db -> usage_log
  • Samsung Context Log - Keeps a list of app usage, including timestamp, time offset, app id, app sub id, start and stop time, and the duration in milliseconds between the start and stop times. These are kept in the following location, database, and -> table:
data/com.samsung.android.providers.context/databases/ContextLog.db -> use_app
These artifacts keep the previously described data even after an app is deleted from the device.
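As an added example (not code from the post or from the DFIR SQL Query Repo), the script below shows how an examiner could read the Samsung Members android_app table and flag inventory entries whose package is no longer on the device. The column names (display_name, package_name, is_system, last_used), the millisecond epoch format of last_used, the sample rows, and the "currently installed" package list are all assumptions constructed for the demo; check the real schema with `.schema android_app` in the sqlite3 shell before adapting the SELECT.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed column names modelled on the fields the post lists for
# com_pocketgeek_sdk_app_inventory.db -> android_app (display name, package
# name, system flag, last used time). The real schema may differ; adjust the
# SELECT in app_inventory() after inspecting the table with `.schema android_app`.
SCHEMA = """
CREATE TABLE android_app (
    display_name TEXT,
    package_name TEXT,
    is_system    INTEGER,
    last_used    INTEGER   -- assumed: milliseconds since the Unix epoch
);
"""

# Constructed sample rows; not taken from any real device.
SAMPLE_ROWS = [
    ("Messages", "com.samsung.android.messaging", 1, 1564100000000),
    ("Signal",   "org.thoughtcrime.securesms",    0, 1564050000000),
    ("Telegram", "org.telegram.messenger",        0, 1563900000000),
]

# Constructed stand-in for the packages currently installed on the device,
# e.g. gathered from an `adb shell pm list packages` listing during triage.
INSTALLED_NOW = {"com.samsung.android.messaging", "org.thoughtcrime.securesms"}


def open_readonly(path):
    """Open an extracted database read-only so the evidence copy is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory database with the assumed schema and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO android_app VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def ms_to_utc(ms):
    """Render a millisecond epoch value as a readable UTC timestamp."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def app_inventory(conn):
    """Every app the inventory table knows about, most recently used first."""
    rows = conn.execute(
        "SELECT display_name, package_name, is_system, last_used "
        "FROM android_app ORDER BY last_used DESC"
    )
    return [
        {"display_name": d, "package": p, "system": bool(s), "last_used": ms_to_utc(t)}
        for d, p, s, t in rows
    ]


def deleted_app_traces(conn, installed_packages):
    """Inventory entries whose package no longer appears in the installed list."""
    return [r for r in app_inventory(conn) if r["package"] not in installed_packages]


if __name__ == "__main__":
    conn = build_sample_db()   # swap for open_readonly("<path to extracted db>") on a real case
    for r in deleted_app_traces(conn, INSTALLED_NOW):
        print(f"{r['package']} ({r['display_name']}) last used {r['last_used']}; not installed now")
```

The comparison against a current package list is what turns the inventory table into evidence of a deleted app: the row survives in the Samsung Members database while the package itself is gone. Opening the database with mode=ro is a habit worth keeping so a query tool never touches a working copy of the evidence.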

Slight addition to the short version

The artifacts described previously are tied to factory-installed apps on Samsung Android devices. They can be used for pattern-of-life analysis and app usage timelining, as well as for indicators of an app's presence on a device after the app has been deleted.

The SQL queries used to extract the data can be located at the following URL:
https://github.com/abrignoni/DFIR-SQL-Query-Repo
Within the DFIR SQL Query Repo go to the following locations:
  • Samsung Members
https://github.com/abrignoni/DFIR-SQL-Query-Repo/tree/master/Android/SAMSUNG-SAMSUNG_MEMBERS
These will be available in Magnet Forensics Custom Artifact Exchange after final approval.

Longer addition to the slight addition to the short version

The following screenshots (captions reproduced below) are examples of the type of data contained in these artifacts:

  • Samsung Members

[Screenshot] com_pocketgeek_sdk_app_inventory.db -> android_app: App Inventory

[Screenshot] com_pocketgeek_sdk.db -> device_events: Events. Notice the Package Installed event.

  • Samsung Smart Manager

[Screenshot] sm.db -> crash_info: Crashed apps and time of crash

[Screenshot] lowpowercontext-system-db -> usage_log

  • Samsung Context Log

[Screenshot] ContextLog.db -> use_app

Notice how the data types being stored are almost the same as the ones kept by usage stats.

As always, I can be reached on Twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.