The following Android application artifacts were presented as part of the Traces of Deleted Apps presentation by Christopher Vance and Alexis Brignoni at the SANS DFIR Summit 2019 in Austin, Texas on July 26, 2019. Presentation slides will be available at sans.org/summit-archives.
- Samsung Members - Keeps a list of each app's display name, package name, whether it is a system app, and last used time in the following location, database, and -> table:
data/com.samsung.oh/databases/com_pocketgeek_sdk_app_inventory.db -> android_app
The app also keeps information on the following events: type (network, install, power, alerts), type values, and creation time. These are kept in the following location, database, and -> table:
data/com.samsung.oh/databases/com_pocketgeek_sdk.db -> device_events
- Samsung Smart Manager - Keeps a list of apps that have crashed during use. These are kept in the following location, database, and -> table:
data/com.samsung.android.sm/databases/sm.db -> crash_info, excluded_app
The app also keeps a list of app usage times to include package name, class name, start time and end time. These are kept in the following location, database, and -> table:
data/com.samsung.android.sm/databases/lowpowercontext-system-db -> usage_log
- Samsung Context Log - Keeps a list of app usage to include timestamp, time offset, app id, app sub id, start and stop time, and duration in milliseconds between start and stop times. These are kept in the following location, database, and -> table:
data/com.samsung.android.providers.context/databases/ContextLog.db -> use_app
These artifacts keep the previously described data even after an app is deleted from the device.
Slight addition to the short version
The artifacts described above are tied to factory-installed apps on Samsung Android devices. They can be used for pattern-of-life analysis, app usage timelining, and as indicators that an app was present on a device after it has been deleted.
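As an added example (not code from the presentation or from the DFIR SQL Query Repo), the script below builds an in-memory SQLite copy of the Smart Manager usage_log and Context Log use_app tables from constructed rows, merges them into one chronological app usage timeline, and lists packages that appear in the artifacts but not in the device's current package list. Column names, epoch-millisecond timestamps and the installed-package set are assumptions for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows. Column names are assumed, not the real Samsung schema.
USAGE_LOG_ROWS = [  # lowpowercontext-system-db -> usage_log: package, class, start, end
    ("com.example.chat", "com.example.chat.MainActivity", 1561500000000, 1561500600000),
    ("com.android.settings", "com.android.settings.Settings", 1561501000000, 1561501200000),
]
USE_APP_ROWS = [  # ContextLog.db -> use_app: timestamp, offset, app id, sub id, start, stop, duration ms
    (1561502000000, "-05:00", "com.example.chat", "", 1561502000000, 1561502300000, 300000),
]
INSTALLED = {"com.android.settings"}  # constructed "currently installed" package set


def build_sample_db():
    """Create the two tables in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usage_log (package_name TEXT, class_name TEXT, "
                "start_time INTEGER, end_time INTEGER)")
    con.execute("CREATE TABLE use_app (timestamp INTEGER, time_offset TEXT, app_id TEXT, "
                "app_sub_id TEXT, start_time INTEGER, stop_time INTEGER, duration INTEGER)")
    con.executemany("INSERT INTO usage_log VALUES (?,?,?,?)", USAGE_LOG_ROWS)
    con.executemany("INSERT INTO use_app VALUES (?,?,?,?,?,?,?)", USE_APP_ROWS)
    return con


def ms_to_utc(ms):
    """Render an assumed epoch-millisecond value as a UTC timestamp string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def app_timeline(con):
    """Merge both usage artifacts into one list of (utc_start, source, package, seconds)."""
    rows = con.execute("""
        SELECT start_time, 'usage_log' AS src, package_name AS pkg,
               (end_time - start_time) / 1000.0 AS dur
          FROM usage_log
        UNION ALL
        SELECT start_time, 'use_app', app_id, duration / 1000.0 FROM use_app
        ORDER BY start_time""").fetchall()
    return [(ms_to_utc(s), src, pkg, dur) for s, src, pkg, dur in rows]


def deleted_app_traces(con, installed):
    """Packages recorded in the artifacts that are absent from the installed set."""
    seen = {r[0] for r in con.execute(
        "SELECT package_name FROM usage_log UNION SELECT app_id FROM use_app")}
    return sorted(seen - set(installed))
```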
The SQL queries used to extract the data can be located at the following URL:
https://github.com/abrignoni/DFIR-SQL-Query-Repo
Within the DFIR SQL Query Repo go to the following locations:
- Samsung Members
https://github.com/abrignoni/DFIR-SQL-Query-Repo/tree/master/Android/SAMSUNG-SAMSUNG_MEMBERS
- Samsung Smart Manager
https://github.com/abrignoni/DFIR-SQL-Query-Repo/tree/master/Android/SAMSUNG-SMART_MANAGER
- Samsung Context Log
https://github.com/abrignoni/DFIR-SQL-Query-Repo/tree/master/Android/SAMSUNG-CONTEXT-LOG
These will be available in Magnet Forensics Custom Artifact Exchange after final approval.
Longer addition to the slight addition to the short version
The following screenshots are examples of the type of data contained in these artifacts:
- Samsung Members
com_pocketgeek_sdk_app_inventory.db -> android_app
Screenshot: App Inventory
com_pocketgeek_sdk.db -> device_events
Screenshot: Events. Notice the Package Installed event.
- Samsung Smart Manager
sm.db -> crash_info
Screenshot: Crashed apps and time of crash
lowpowercontext-system-db -> usage_log
- Samsung Context Log
ContextLog.db -> use_app
Notice how the data types being stored are almost the same as the ones kept by usage stats.
As always I can be reached on Twitter @AlexisBrignoni and email 4n6[at]abrignoni[dot]com.