FOR585: Advanced Smartphone Forensics
MOST RELEVANT EVIDENCE PER GIGABYTE!
http://for585.com/poster
http://for585.com/course
@sansforensics sansforensics dfir.to/gplus-sansforensics dfir.to/MAIL-LIST dfir.to/DFIRCast
OPERATING SYSTEM & DEVICE IN-DEPTH
INCIDENT RESPONSE & THREAT HUNTING
FOR500 Windows Forensics GCFE
FOR518 Mac and iOS Forensic Analysis and Incident Response
FOR526 Advanced Memory Forensics & Threat Detection
FOR585 Advanced Smartphone Forensics GASF
FOR508 Advanced Incident Response and Threat Hunting GCFA
FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response GNFA
FOR578 Cyber Threat Intelligence GCTI
FOR610 REM: Malware Analysis GREM
SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling GCIH
ADB Commands
Requires USB Debugging be enabled
adb devices
adb shell pm list packages
adb shell service list
adb shell dumpsys <service of choice> (Example: wifi, usagestats, user, etc.)
adb backup -all
libimobiledevice
Should work on locked iOS devices, but may require a trust relationship
ideviceinfo: provides device information including encrypted state, activation status, TimeZone, Phone Number, iOS version and more
idevicepair pair: can be used to pair via CLI
idevice_id.exe -l: provides the 40 digit GUID for the device
idevicename: provides the name of the device
idevicecrashreport -e <path for output>: contains traces of application usage
Mobile Malware and Spyware
Common Signs and Symptoms
• Android devices are most at risk for mobile malware infection
• Poor battery life
• Dropped calls and call disruptions
• Unusually large phone bills
• Data plan spikes
• Device performance problems
• Unexpected device behaviors
  - Unplanned reboots
  - Apps that close or open on their own
  - Unexplained settings changes
• Unexplained application errors
• High-risk user behavior
  - Risky downloads, browsing or link-clicking
• Spyware: Device was out of owner’s control
  - Spyware installation requires possession of the device
Unpacking and Decompiling an Application File (.apk)
Prep:
• INSTALL most recent version of Dex2Jar on your desktop: http://code.google.com/p/dex2jar/downloads/list
• INSTALL most recent version of JD-GUI on your desktop: http://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/JD-GUI.shtml
• INSTALL most recent Java Development Kit: http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Step 1:
• RENAME the application (.apk) file, appending a .zip extension to the end of the file name. EXAMPLE: zombie_highway.apk becomes zombie_highway.apk.zip
Step 2:
• DOUBLE CLICK on the newly named .zip file to open it and see the contents of the file.
• LOCATE the classes.dex file within the unzipped file.
• COPY the classes.dex file.
Step 3:
• PASTE the classes.dex file into the dex2jar directory created during prep stage.
• OPEN a command prompt and navigate to the dex2jar directory on the desktop.
• EXECUTE the batch file “d2j-dex2jar.bat classes.dex”
• This command will create a file named classes_dex2jar.jar in the dex2jar directory.
Step 4:
• OPEN the jd-gui Java Decompiler and navigate to the classes_dex2jar.jar created in the previous step.
• OPEN the classes_dex2jar.jar file to view and NAVIGATE the contents of the programming to reveal what the .apk file is doing.
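Steps 1 and 2 can be done without renaming or double-clicking the sample, since an .apk is already a ZIP archive. The script below is an added example, not part of the original poster: it lists every top-level classes*.dex entry (it goes beyond the single classes.dex named above to cover multi-dex apps), checks the DEX header's size and Adler-32 fields, and records a SHA-256 before the file is handed to dex2jar. The sample APK is constructed in memory and the function names are hypothetical.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70


def check_dex_header(data: bytes) -> dict:
    """Validate the fixed header fields of a DEX file and hash it."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n" or data[7] != 0:
        return {"valid": False, "reason": "bad magic or truncated header"}
    stored_adler = struct.unpack_from("<I", data, 8)[0]    # checksum field
    declared_size = struct.unpack_from("<I", data, 32)[0]  # file_size field
    return {
        # The Adler-32 covers everything after the magic and checksum fields.
        "valid": declared_size == len(data)
        and stored_adler == zlib.adler32(data[12:]),
        "version": data[4:7].decode("ascii", "replace"),
        "declared_size": declared_size,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def list_dex_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: header report} for classes.dex, classes2.dex, ..."""
    reports = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in sorted(apk.namelist()):
            if re.fullmatch(r"classes\d*\.dex", name):
                reports[name] = check_dex_header(apk.read(name))
    return reports


def build_sample_dex() -> bytes:
    """Constructed stand-in: a header-only DEX with consistent size/checksum."""
    body = bytearray(b"dex\n035\x00" + b"\x00" * (DEX_HEADER_SIZE - 8))
    struct.pack_into("<I", body, 32, len(body))        # file_size
    struct.pack_into("<I", body, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])))
    return bytes(body)


def build_sample_apk() -> bytes:
    """Constructed APK: one intact dex and one with a flipped trailing byte."""
    good = build_sample_dex()
    damaged = good[:-1] + b"\xff"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"constructed placeholder")
        apk.writestr("classes.dex", good)
        apk.writestr("classes2.dex", damaged)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, report in list_dex_entries(build_sample_apk()).items():
        print(entry, report)
```

A dex that fails the header check was altered or truncated after it was built, which is worth noting before trusting the decompiled output.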
Unzipped iOS – .ipa file
Detection
• Finding malware
ijcset.com/docs/IJCSET13-04-04-094.pdf
MOBILE MALWARE DETECTION
• SIGNATURE BASED
• SPECIFICATION BASED
• BEHAVIORAL BASED
• DATA MINING
• CLOUD BASED
Online Mobile Malware Sandboxes
• Upload suspicious .apk files to the Internet for online sandbox analysis:*
  - http://www.apk-analyzer.net
  - http://mobilesandbox.org
  - https://anubis.iseclab.org
  - https://code.google.com/p/droidbox
* Depending upon your location in the world, these sites may or may not be blocked.
Local Static Malware Analysis
• Tools installed on local machine for mobile malware analysis:
  - Android SDK
  - Dex2Jar
  - Dexter
  - JD-GUI
• Virtual machine environments for mobile malware analysis:
  - Santoku
Mobile Malware Prevention
• Installation of mobile malware antivirus apps can assist users in preventing and detecting infection. Some mobile malware antivirus providers include:
  - Avast
  - AVG
  - BitDefender
  - Kaspersky
  - Lookout
  - Sophos
  - TrendMicro
  - Symantec (Norton)
  - TrustGo
Smartphone Acquisition Tips
A Device On & Unlocked
• Logical/Backup Acquisition
• File System/Adv. Logical Acquisition
• Physical Acquisition, if supported
• Acquire SD and SIM card separately
B Device Locked (On or Off)
Only power on when directed by the tool
Bypassing a lock does not bypass encryption
• Physical Acquisition, if supported
• File system/Adv. Logical, Logical/Backup Acquisition
• Crack the lock, if possible
• Perform Advanced Acquisition
  - Chip-off
  - ISP/JTAG
  - Vendor Service (CAIS, GreyShift)
  - EDL/Bootloaders, root, jailbreaks
C Device Inaccessible
• Pull Cloud Data
  - Google, iCloud, Cloud Sync, etc.
• Search for smartphone backups
• Consider continuity and sync artifacts
Basic Analysis Query Structure
Get everything from a single table: SELECT * FROM A_TABLE;
Get two columns from a single table: SELECT COLUMN_A, COLUMN_B FROM A_TABLE;
Timestamp Conversion
Timestamps are stored in the databases as one of several numerical representations. (Timestamps are assumed to be stored in UTC; you may need to verify this.)
UNIX Epoch (10 digit number - number of seconds since 01/01/1970 00:00:00):
• SELECT datetime(TS_COLUMN,'unixepoch');
Or in local time as suggested by the device settings (this can be done for all the following timestamps):
• SELECT datetime(TS_COLUMN,'unixepoch','localtime');
UNIX Epoch MILLISECONDS (13 digit number - number of milliseconds since 01/01/1970 00:00:00):
• SELECT datetime(TS_COLUMN/1000,'unixepoch');
Mac Absolute time, number of seconds since 01/01/2001 00:00:00. To convert this timestamp correctly, first add the number of seconds between the UNIX epoch and the Mac Absolute Time epoch (978307200), then convert.
• SELECT datetime(TS_COLUMN + 978307200,'unixepoch');
Chrome time is accurate to the MICROSECOND, which requires dividing the number by 1,000,000:
• SELECT datetime(TS_COLUMN/1000000 + (strftime('%s','1601-01-01')),'unixepoch');
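The four conversions above can be checked against each other by encoding one instant in every format and confirming that SQLite returns the same UTC string. This is an added example, not part of the original poster: the digit-count heuristic in guess_kind is an assumption for triage only, the function names are hypothetical, and the sample values are constructed.

```python
import sqlite3
from contextlib import closing

# SQL that turns each stored format into UNIX seconds, using the expressions
# from the list above. {v} is replaced by a bound parameter.
TO_UNIX_SECONDS = {
    "unix_seconds": "{v}",
    "unix_millis": "{v} / 1000",
    "mac_absolute": "{v} + 978307200",
    "chrome_micros": "{v} / 1000000 + strftime('%s', '1601-01-01')",
}

# Constructed samples: 2018-12-18 00:00:00 UTC stored four different ways.
SAMPLES = [1545091200, 1545091200000, 566784000, 13189564800000000]


def guess_kind(ts) -> str:
    """Heuristic (assumption): infer the storage format from the digit count."""
    digits = len(str(abs(int(ts))))
    if digits >= 16:
        return "chrome_micros"
    if digits >= 12:
        return "unix_millis"
    if digits == 10:
        return "unix_seconds"
    if digits <= 9:
        return "mac_absolute"
    raise ValueError(f"cannot classify an {digits}-digit timestamp")


def convert(ts, kind=None, localtime=False):
    """Return (format used, converted string) for one raw timestamp."""
    kind = kind or guess_kind(ts)
    # 'localtime' uses the time zone of the machine running SQLite, so the
    # default here stays in UTC for reproducible output.
    modifiers = "'unixepoch', 'localtime'" if localtime else "'unixepoch'"
    expr = TO_UNIX_SECONDS[kind].format(v="?")
    sql = f"SELECT datetime({expr}, {modifiers})"
    with closing(sqlite3.connect(":memory:")) as conn:
        return kind, conn.execute(sql, (int(ts),)).fetchone()[0]


if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, *convert(raw))
```

Pass kind explicitly when the column's format is known from the schema or the application; the guess is only a starting point for an unfamiliar database.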
Table Joins
Taking data from two (or more!) tables that have a column in common and joining them into one table. Identify tables of interest that contain unique values.
LEFT JOIN – Resulting rows are returned from the LEFT table even if there are no matches in the right. Using the LEFT JOIN produced all the text messages including those with and without attachments.
SELECT ZVIBERMESSAGE.ZTEXT AS "Message Text",
ZATTACHMENT.ZNAME AS "Attachment Filename",
datetime(ZVIBERMESSAGE.ZDATE+978307200,'unixepoch','localtime') AS "Message Date",
ZVIBERMESSAGE.ZSTATE AS "Message Direction/State"
FROM ZVIBERMESSAGE
LEFT JOIN ZATTACHMENT ON ZATTACHMENT.Z_PK=ZVIBERMESSAGE.ZATTACHMENT;
INNER JOIN – Resulting rows are returned when both items are a match. Using the INNER JOIN (also achieved by typing “JOIN” in the query) returned just the messages that included attachments.
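The difference between the two joins matters most when a message points at an attachment row that no longer exists: INNER JOIN drops that message without any indication. This is an added example, not part of the original poster; it runs the query above against a constructed in-memory database whose column types, ZSTATE values and rows are assumptions, with 'localtime' removed so the output is the same on any machine.

```python
import sqlite3

QUERY = """
SELECT ZVIBERMESSAGE.ZTEXT AS "Message Text",
       ZATTACHMENT.ZNAME AS "Attachment Filename",
       datetime(ZVIBERMESSAGE.ZDATE + 978307200, 'unixepoch') AS "Message Date",
       ZVIBERMESSAGE.ZSTATE AS "Message Direction/State"
FROM ZVIBERMESSAGE
{join} ZATTACHMENT ON ZATTACHMENT.Z_PK = ZVIBERMESSAGE.ZATTACHMENT
ORDER BY ZVIBERMESSAGE.ZDATE
"""

DANGLING = """
SELECT ZVIBERMESSAGE.ZTEXT
FROM ZVIBERMESSAGE
LEFT JOIN ZATTACHMENT ON ZATTACHMENT.Z_PK = ZVIBERMESSAGE.ZATTACHMENT
WHERE ZVIBERMESSAGE.ZATTACHMENT IS NOT NULL AND ZATTACHMENT.Z_PK IS NULL
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: message 3 references attachment 99, which has no row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZATTACHMENT (Z_PK INTEGER PRIMARY KEY, ZNAME TEXT);
        CREATE TABLE ZVIBERMESSAGE (Z_PK INTEGER PRIMARY KEY, ZTEXT TEXT,
            ZDATE REAL, ZSTATE TEXT, ZATTACHMENT INTEGER);
        INSERT INTO ZATTACHMENT VALUES (1, 'IMG_0001.jpg');
        INSERT INTO ZVIBERMESSAGE VALUES
            (1, 'Meet at 5?',     566784000, 'sent',     NULL),
            (2, 'Photo attached', 566784060, 'received', 1),
            (3, 'See the file',   566784120, 'received', 99);
    """)
    return conn


def run_join(conn, join):
    """Run the message query with the given join keyword and return all rows."""
    if join not in ("LEFT JOIN", "INNER JOIN", "JOIN"):
        raise ValueError("unsupported join type")
    return conn.execute(QUERY.format(join=join)).fetchall()


def dangling_attachment_refs(conn):
    """Messages that name an attachment whose row is missing."""
    return [row[0] for row in conn.execute(DANGLING)]


if __name__ == "__main__":
    db = build_sample_db()
    for kind in ("LEFT JOIN", "INNER JOIN"):
        print(kind, run_join(db, kind))
    print("dangling:", dangling_attachment_refs(db))
```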
Useful Stuff
Column Renaming: A_TABLE.ZAWKWARDCOLUMNNAME AS "Chat Messages"
Counting: SELECT COUNT(*) FROM A_TABLE;
Aggregating with GROUP BY and COUNT (Count chat messages per contact): SELECT CONTACT, COUNT(*) FROM CHAT GROUP BY CONTACT;
Sorting with ORDER BY: SELECT * FROM CHAT ORDER BY A_TIMESTAMP ASC;
ASC = Ascending, DESC = Descending
Searching with WHERE and LIKE: SELECT CONTACT, MESSAGE FROM CHAT WHERE CONTACT LIKE '%Hank%'
SQLite
SQLite Database Basics
A SQLite database is a self-contained database stored as a file system file (but it may have a few supporting files that will also be needed for analysis!). Files have the magic number “SQLite format 3.” SQLite files correspond to a database that contains tables. Tables contain rows of data with corresponding columns that describe the data in the row.
Some temporary files may also be created, including Journal files and Write Ahead Logs. Journal files store original data before a transaction change so the database can be restored to a known state if an error occurs. They are created by default. Write Ahead Logs (WAL) contain new data changes, leaving the original database untouched. After a set number of page changes, the WAL is used to update the actual database. Write ahead logs are optional.
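Before opening an evidence database with any SQLite tool, the magic number and the supporting files described above can be checked by reading raw bytes only. This is an added example, not part of the original poster: it reads the 100-byte header (page size at offset 16, journal-mode version bytes at offsets 18 and 19) and reports any -wal, -shm or -journal file sitting beside the database. The function names and the sample database are constructed for the demonstration.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
COMPANION_SUFFIXES = ("-wal", "-shm", "-journal")
MODES = {1: "rollback journal", 2: "WAL"}


def inspect_sqlite(path: str) -> dict:
    """Read the header as plain bytes; SQLite itself never opens the file."""
    with open(path, "rb") as fh:
        header = fh.read(100)
    if len(header) < 100 or header[:16] != SQLITE_MAGIC:
        return {"is_sqlite": False}
    page_size = struct.unpack_from(">H", header, 16)[0]
    write_version = header[18]  # 1 = rollback journal, 2 = WAL
    companions = {
        suffix: os.path.getsize(path + suffix)
        for suffix in COMPANION_SUFFIXES
        if os.path.exists(path + suffix)
    }
    return {
        "is_sqlite": True,
        "page_size": 65536 if page_size == 1 else page_size,
        "journal_mode": MODES.get(write_version, "unknown"),
        "companions": companions,  # sizes in bytes; collect these files too
    }


def build_sample_db(directory: str):
    """Constructed stand-in for evidence: WAL mode, one row not yet checkpointed."""
    path = os.path.join(directory, "sample.db")
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("CREATE TABLE chat (contact TEXT, message TEXT)")
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("INSERT INTO chat VALUES ('Hank', 'constructed sample row')")
    # The connection is returned open: closing the last connection
    # checkpoints the WAL into the main file and removes it.
    return path, conn


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        db_path, connection = build_sample_db(workdir)
        print(inspect_sqlite(db_path))
        connection.close()
```

A non-empty -wal entry means the newest rows are not in the main file yet, so the database and its companions should be copied together and examined on the copy.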
Pay attention to the device
– requires interaction
$25.00 Poster_FOR585_v2.5_12-18
Poster Created by Heather Mahalik, Domenica “Lee” Crognale, and Cindy Murphy with support of the SANS DFIR Faculty
©2018 Heather Mahalik, Domenica “Lee” Crognale, and Cindy Murphy. All Rights Reserved.
SANS FOR585: ADVANCED SMARTPHONE FORENSICS Course Authors
Heather Mahalik hmahalik@gmail.com @heathermahalik
Domenica Crognale domenica.crognale@gmail.com @domenicacrognal
Cindy Murphy cindymurphy2412@gmail.com @cindymurph
twitter.com/sansforensics
FOR585: Advanced Smartphone Forensics
A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!
SMARTPHONE DATA CAN’T HIDE FOREVER – IT’S TIME TO OUTSMART THE MOBILE DEVICE!
Common Smartphone Evidence Locations
Some of the artifacts listed for the iPhone and Android may be recoverable from all dumps or just physical access depending on the device.
iOS Devices

Database
Library/CallHistory/call_history.db
Library/CallHistoryDB/CallHistory.storedata
Library/AddressBook/AddressBook.sqlitedb
Library/AddressBook/AddressBookImages.sqlitedb
Library/SMS/sms.db
Library/SMS/Attachments/*
Library/Calendar/Calendar.sqlitedb
Library/Notes/notes.sqlite
Library/Safari/*
Library/Accounts/Accounts3.sqlite
Library/BulletinBoard/ClearedSections.plist
Media/PhotoData/Photos.sqlite
Library/TCC/TCC.db
Library/Databases/DataUsage.sqlite
Library/ADDataStore.sqlite
Library/CoreDuet/coreduetd.db

Description
Call logs
Call record (iOS 8 – iOS 10)
Contacts
Contact images
SMS messages
MMS file
Calendar
Notes
Safari activity
Account information
Logs of cleared notifications
Metadata about multimedia files
Application permissions
Application information and usage details
iOS unlock data repository (Refer to mac4n6.com)
unlock data repository (Refer to mac4n6.com)

plist
com.apple.commcenter.plist
com.apple.accountsettings.plist
com.apple.Maps.plist
Library/Maps/Bookmarks.plist
com.apple.Maps/Maps
com.apple.Maps/Maps
SystemConfiguration/com.apple.wifi.plist
SystemConfiguration/preferences.plist
Library/Preferences/com.apple.mobilenotes.plist
Library/SpringBoard/IconState.plist
Library/ConfigurationProfiles/UserSettings.plist
Library/Preferences/com.apple.springboard.plist
Library/Preferences/com.apple.WebFoundation.plist
Library/Preferences/com.apple.MobileSMS.plist
Library/Preferences/com.apple.madrid.plist
Library/DataAccess/AccountInformation.plist
Library/DataAccess/iCloud-‘iCloud email account name’/.mboxCache.plist
Library/DataAccess/iCloud-‘iCloud email account name’/.OfflineCache/‘number’

Description
Device phone number, network carrier, ICCIDs, and IMSIs
accounts pushed to device
Last latitude and longitude, map search history
Maps bookmarks
History.mapsdata (iOS 7)
GeoHistory.mapsdata (iOS 8 – iOS 10)
WiFi
WiFi and more
Notes
Home screen icon layout
User-created restrictions
User-created restrictions
Safari activity
SMS, iMessage and FaceTime
SMS, iMessage and FaceTime sync data
iCloud email account information
iCloud offline cache
Jailbroken iOS Devices

Database
/Library/CoreDuet/*
/Library/AggregateDictionary/ADDataStore.sqlitedb
/Library/BatteryLife/CurrentPowerLog.PLSQL
/private/var/networkd/netusage.sqlite
/Library/Health/healthdb.sqlite
/Library/Health/healthdb_secure.sqlite
/Library/Caches/com.apple.routined/cache_encrypted*.db
/Library/Caches/com.apple.routined/StateModel*.archive
/Library/Caches/cache_encrypted*.db
/Library/Caches/lockCache_encrypted*.db
/Applications/*
/Library/BulletinBoard/ClearedSections.plist
/Library/Keyboard/UserDictionary.sqlite
/Library/Accounts/Accounts3.sqlite
/Library/Databases/CellularUsage.db
/Library/TCC/TCC.db
/Library/Databases/DataUsage.sqlite
/Library/com.apple.itunesstored/itunesstored2.sqlitedb

Description
Device lock state (1=Locked, 0=Unlocked)
Dictionary
Battery life tracker, Application traces
Network artifacts
Activity, Personal information, more
Frequent Locations (https://github.com/mac4n6/iOS-Frequent-Locations-Dumper)
Cell and WiFi locations
Examine relevant app directories to obtain additional data
Logs of cleared notifications
User created auto-correct
Accounts, user information, etc.
SIMs used in device, including most recent
Applications permissions
Application traces
Application traces

plist Files of Interest
/Lockdown/device_values.plist
/Preferences/com.apple.homesharing.plist
/Preferences/com.apple.assistant.backedup.plist
/Preferences/com.apple.coreduetd.plist
com.apple.commcenter.plist
com.apple.identityservices.idstatuscache.plist
com.apple.accountsettings.plist
com.apple.Maps.plist
/Library/Maps/Bookmarks.plist
com.apple.Maps/Maps
com.apple.Maps/Maps
com.apple.MobileBluetooth.devices.plist
CloudConfigurationDetails.plist
/SystemConfiguration/com.apple.wifi.plist
/SystemConfiguration/preferences.plist
/Library/DataAccess/AccountInformation.plist
/Library/DataAccess/iCloud-[iCloud email account name]/*
/Library/Preferences/*
/Library/DataAccess
/var/mobile/Library/Keyboard
dynamic-text.dat

Description
Activated state, BT address and more
iCloud account information
Cloud sync settings
sync devices
Device phone number, Network carrier, ICCIDs and IMSIs
iCloud sync, Email, FaceTime, , more
accounts pushed to device
Last latitude and longitude, map search history
Maps bookmarks
History.mapsdata (iOS 7)
GeoHistory.mapsdata (iOS 8 - iOS 11) * Pull cloud if possible
Synced devices
Cloud configurations
WiFi
WiFi and more
sync data
iCloud Email account information and offline cache
Examine plists for more information
Account information used to set up apps (Email, #, etc)
Rooted Android Devices

Partition
Data

File
/system/accounts*.db
/com.google.android.gm/databases/<mail-name>.db
/com.android.email/databases/EmailProvider.db
/com.google.android.gms/databases/herrevad
/system/locksettings.db and locksettings.db-WAL
/com.android.providers.media/external*.db and external*.db-WAL
/com.android.vending/databases/localappstate.db
/com.google.android.locations/files/cache.cell
/com.google.android.locations/files/cache.wifi
/com.samsung.android.providers.context.databases.ContextLog_0.db (OS 7)
/com.google.android.gms/databases/NetworkUsage.db
/com.google.android.gms/databases/ns.db
/com.google.android.gms/databases/reminders.db
/system/packages.xml
/system/packages.list
/system/netpolicy.xml
/system/usagestats/0/<various directories>/*.xml
/system/batterystats.bin
/system/batterystats-daily.xml
/system/batterystats-checkin.bin
/com.sec.android.app.launcher/databases/launcher.db
/com.android.providers.downloads/databases/downloads.db
/system/dmappmgr.db
/com.android.providers.settings/*
/data/*
/system/recent_images/*.png

Description
User account information
Gmail snippets
artifacts
Wireless and MAC addresses
Lock settings information
Traces to SD card
Application traces
Cellular and WiFi
Application traces for Samsung devices
Application, User and Location traces
Application permissions
Application Usage
Application Usage (may be difficult to parse)
Application artifacts (even after deleted)
Application Usage
Great place for username and passwords
Application directories include more data
Application snapshots may exist here
Android

Partition
Data

File
/com.android.providers.contacts/databases/contacts2.db
/com.android.providers.contacts/databases/calllog.db
/com.sec.android.provider.logsprovider/databases/Logs.db
/system/accounts*.db
/com.android.providers.contacts/databases/contacts2.db
/com.android.providers.contacts/databases/contacts3.db
/com.android.providers.telephony/databases/mmssms.db
/com.google.android.apps.maps/*
/com.sec.android.daemonapp/db/weatherClock
/com.google.android.gm/databases/<mail-name>.db
/com.google.android.gms/databases/herrevad
/system/locksettings.db and locksettings.db-WAL
/com.android.providers.settings/databases/settings.db and settings.db-WAL
/com.android.providers.media/external*.db and external*.db-WAL
/com.android.vending/databases/localappstate.db
/com.samsung.android.providers.context.databases.ContextLog_0.db (OS 7)
/com.google.android.gms/databases/NetworkUsage.db
/com.google.android.gms/databases/ns.db
/com.google.android.gms/databases/reminders.db
/com.android.providers.settings/*
/system/*.key
/system/device_policies.xml
/system.SimCard.dat

Description
Call logs
Call logs (OS 7)
Call logs and more!
User account information
Contacts
Contacts (OS 7)
SMS/MMS
Maps
Location artifacts
Gmail snippets
Wireless and MAC addresses
Lock settings information
Lock settings information
Traces to SD card used in the device.
Application traces
Application traces for Samsung devices
Application, User and Location traces
Great place for username and passwords
Files needed for password cracking
Password requirements and policies.
Sim card and phone number information