Beyond the Known: A Call to Forensic Research on Samsung Android Artifacts

I spend a lot of time analyzing Android devices and can process data using a variety of tools, both commercial and open source. As is well known, only by using multiple tools can one minimize errors, validate results across tools, and cover a greater number of artifacts, since each tool processes different files with different methods.

During these analyses, I noticed that many SQLite databases present on Samsung Android devices are not currently parsed by most tools, even though they may contain potentially relevant information for a forensic investigation. Some databases are already supported by some applications. However, many others deserve attention.

DISCLAIMER!
  1. The test was conducted on different Samsung devices, but the goal of this post is not to provide detailed test results, but rather to encourage research and development of new plugins or parsing modules.
  2. These databases were not found on Google Pixel, Xiaomi, Oppo, or other Android devices; they appear to be unique to Samsung.
  3. There may be errors that need validation!

"/data/system" folder

pkgPredictions.db

This database is used by the system to predict app usage patterns. It includes the table tbl_Sample with columns:
  • running_pkg: the name of the package in execution.
  • launch_time: the time the app was launched.
  • activity_name: the name of the activity in execution.
  • screen_orientation: the orientation of the screen at launch time.

Useful for reconstructing user habits and app interaction trends.

WifiConfigStore.db

This database contains saved Wi-Fi configurations. The table configs includes:
  • CONFIG_KEY: a string that includes the SSID and encryption type.
  • Creation Time: useful for determining when the device first connected to a specific network.

wifigeofence.db

This database stores geolocation data associated with Wi-Fi networks. It includes:
  • config_key: similar to WifiConfigStore.db, identifies the network.
  • latitude_major and longitude_major: the geolocation associated with the network.
  • time_major: the connection timestamp.

"com.sec.android.sdhms" package

Samsung Device Health Manager Service is a system package found on Samsung devices. It includes several databases that may contain valuable forensic information:

  • thermal_log: contains Network Statistics and CPU Data. In my tests, CPU data was retained for approximately 30 days, while network statistics were available for only 5–7 days.
  • sec_batterystats, sec_batterystats_history, and sec_batterystats_ext: these databases store battery usage information. However, retention was very short — typically 1–2 days.
  • anomaly.db: includes a table called config_history that logs various system events, including BOOT_COMPLETED with corresponding timestamps.

Other packages and databases

"com.samsung.android.fast" package

This package is associated with Samsung Secure Wi-Fi Service.

The secure_wifi.db database contains a table named eventlog, which logs various system-level broadcast events. Key columns include:
  • time_stamp: the time the event occurred.
  • extra: contains Android Intent Actions such as:
    • android.net.wifi.STATE_CHANGE
    • android.net.conn.TETHER_STATE_CHANGED
    • android.intent.action.LOCKED_BOOT_COMPLETED 
    • android.intent.action.TIME_SET
These entries can be useful for reconstructing device activity, such as network usage, boot events, and time manipulation.
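The tbl_Sample (pkgPredictions.db) and eventlog (secure_wifi.db) tables described above can be merged into a single device timeline. The following is an added example, not code from the original post; it uses the column names given here, but the rows are constructed and the timestamp encoding (Unix epoch in milliseconds) is an assumption that must be validated against a real extraction.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed rows standing in for pkgPredictions.db/tbl_Sample and
# secure_wifi.db/eventlog. Column names come from the post; the epoch
# encoding (milliseconds) is an ASSUMPTION to be checked on real data.
SAMPLE_LAUNCHES = [
    ("com.android.chrome", 1700000000000, "org.chromium.chrome.browser.ChromeTabbedActivity", 1),
    ("com.samsung.android.messaging", 1700000600000, "com.samsung.android.messaging.ui.view.main.WithActivity", 1),
]
SAMPLE_EVENTS = [
    (1700000300000, "android.net.wifi.STATE_CHANGE"),
    (1700000900000, "android.intent.action.TIME_SET"),
]

def to_utc(ts):
    """Normalise an epoch value: values >= 1e11 are treated as milliseconds, otherwise seconds."""
    secs = ts / 1000 if ts >= 1e11 else ts
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def build_sample_dbs():
    """Create two in-memory databases mimicking the real files (normally two separate SQLite files)."""
    launches = sqlite3.connect(":memory:")
    launches.execute("CREATE TABLE tbl_Sample (running_pkg TEXT, launch_time INTEGER, activity_name TEXT, screen_orientation INTEGER)")
    launches.executemany("INSERT INTO tbl_Sample VALUES (?,?,?,?)", SAMPLE_LAUNCHES)
    events = sqlite3.connect(":memory:")
    events.execute("CREATE TABLE eventlog (time_stamp INTEGER, extra TEXT)")
    events.executemany("INSERT INTO eventlog VALUES (?,?)", SAMPLE_EVENTS)
    return launches, events

def build_timeline(launch_con, event_con):
    """Merge app launches and broadcast events into one time-ordered list of tuples."""
    rows = []
    for pkg, ts, act, orient in launch_con.execute(
            "SELECT running_pkg, launch_time, activity_name, screen_orientation FROM tbl_Sample"):
        rows.append((ts, "APP_LAUNCH", pkg, f"{act} orientation={orient}"))
    for ts, extra in event_con.execute("SELECT time_stamp, extra FROM eventlog"):
        rows.append((ts, "BROADCAST", extra, ""))
    rows.sort(key=lambda r: r[0])  # raw epoch order, before converting to text
    return [(to_utc(ts), kind, subject, detail) for ts, kind, subject, detail in rows]

if __name__ == "__main__":
    for entry in build_timeline(*build_sample_dbs()):
        print(*entry)
```

For a real case, replace the in-memory connections with sqlite3.connect() on the extracted database files; a TIME_SET broadcast sitting between launches is a hint that surrounding timestamps may need extra scrutiny.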

"com.samsung.android.mcfds" package

This package is associated with Samsung Continuity Service, which supports cross-device functionality. It includes several databases of potential forensic interest:
  • context_engine_database: contains a table named ActivityMoveDataEntity with a column TYPE that includes values such as STATIONARY, WALKING, and VEHICLE. Other potentially relevant tables include GPSDataEntity and ScanEntity.
  • SleepDetection.db: includes a table called screen_data with columns such as:
    • ScreenState: a boolean (0 or 1) likely indicating whether the screen is on or off.
    • useKeyGuard: a boolean (0 or 1) likely referring to device lock/unlock status.
    • userPresent: a boolean (0 or 1) possibly indicating user presence or interaction.
These databases may help reconstruct user activity, movement patterns, and device usage states.

"com.samsung.android.smartsuggestions" package

This package is part of Samsung's Smart Suggestions system, which provides context-aware recommendations to users. It includes the database ContextDatabase.db, which contains a table named ContextHistoryEntity. Key columns include:
  • lifeContextID: with values such as launch_app and charging, indicating the type of context event.
  • lifeContext: for rows where lifeContextID is launch_app, this column contains the package name of the app that was launched.
This database may be useful for identifying app usage patterns and device charging events, contributing to timeline reconstruction and user behavior analysis.

"com.samsung.android.privacydashboard" package

This package is related to Samsung Privacy Dashboard. It includes the database permission_db, which contains a table named permissionAccessInformations. This table logs:
  • The package name that accessed a permission
  • The specific permission used
  • The timestamp of access
In tested cases, the retention period was approximately 7 days. Notably, this database appears to contain additional permission events not present in the standard Privacy Dashboard logs located in /system/appops/discrete/, making it a valuable source for forensic analysis of app behavior and permission usage.

"com.sec.android.provider.badge" package

This package corresponds to Samsung's BadgeProvider, which manages notification badges on app icons. It includes the database badge.db, which tracks:
  • The package name of the app.
  • The activity class associated with the badge.
  • The badge count (number of unread notifications).
This database can be useful for reconstructing notification states and understanding user interaction with apps.
