Investigating Android Devices: Forensic Analysis with Andriller

You can download Andriller from the following link: https://pypi.org/project/andriller/

Andriller provides several options to conduct investigations on Android devices, such as USB connection, TAR (image) files, and ADB files. In our case, we have a TAR file that I found online, for example from DigitalCorpora. In addition, Andriller includes other miscellaneous utilities accessible from the menu bar, such as a decoder, which we will mostly rely on.

The Decoder feature provides access to the following data types:

Accounts (System) — accounts.db
Android Calendar — calendar.db
Android Call Logs — calllog.db
Android Browser History — browser2.db
Google Chrome History — History
Google Chrome Passwords — Login Data
Download History — downloads.db
Facebook Messenger — threads_db2
Facebook Messenger Lite — core.db
Contacts and Call Logs — contacts2.db
Google Photos — gphotos0.db
Kik Messages — kikDatabase.db
SMS Messages — mmssms.db
Samsung Call Logs — logs.db
Samsung SMS Snippets — logs.db
Skype Calls — .db
Skype Messages — .db
Skype Messages (Legacy) — main.db
Viber Calls — viber_data
Viber Contacts — viber_data
Viber Messages — viber_messages
WebView Browser Passwords — webview.db
WhatsApp Calls — msgstore.db
WhatsApp Contacts — wa.db
WhatsApp Messages — msgstore.db
Wi-Fi Passwords — wpa_supplicant.conf

If you have a TAR file of the Android device, you can click the TAR button in Andriller, then select an output folder to save the results. After that, click to select the TAR file, and Andriller will start parsing and retrieving the data.

From the screenshot below, you can see that after Andriller parses and retrieves the data, you can explore the entire file system of the Android device to look for evidence. However, before starting this exploration, it is important to know where to look for specific types of data:

Device Information

System /build.prop – Device information (version, patches, etc.)
/data/com.android.providers.calendar/databases/calendar.db – Calendar items and timezone information
/data/com.android.providers.settings/databases/settings.db – Lock settings information
/data/com.google.android.gms/shared_prefs/Checkin.xml – Activity on the device related to installed SIM (ICCID and Google Account included)
/data/com.google.android.gsf/databases/gservices.db – Fitness settings, network settings, and other configurations
/misc/ – Bluetooth, VPN, Wi-Fi, and more
/system/*.key – Files needed for password cracking
/system/device_policies.xml – Passcode requirements and policies
/system/locksettings.db & /system/locksettings.db-WAL – Lock settings information
/system/netpolicy.xml – Network policy and timezone
/system/SimCard.dat – SIM card and phone number information
/system/users/0/settings_global.xml – Global settings
/system/users/0/settings_secure.xml – Secure settings
/system/users/0/settings_system.xml – System settings

Passwords and Account Information

/data/com.android.email/databases/EmailProvider.db – Email accounts, third-party app data, and messages
/data/com.android.providers.contacts/databases/contacts2.db – Login information and accounts
/data/com.android.vending/shared_prefs/lastaccount.xml – Last Google Play Store account used (Android 9+)
/data/com.google.android.gms/shared_prefs/BackupAccount.xml – Backup account email address
/data/com.google.android.googlequicksearchbox/databases/app_icons.db, launcher.db, opa_history – Google Account information
/system/accounts.db* – User account information
/system/sync/accounts.xml – User account information

System Settings

/data/com.google.android.gms/shared_prefs/ – Preference files
/system/recent_images/*.png – Application snapshots
/system/users/0/settings_global.xml, settings_secure.xml, settings_system.xml – Global, secure, and system settings

User Settings

/data/com.android.providers.userdictionary/databases/user_dict.db – Dictionary files (keylogging)
/data/com.google.android.gms/databases/NetworkUsage.db, ns.db, reminders.db – Application, user, and location traces
/data/com.google.android.gsf/databases/googlesettings.db – Google preferences: location, maps, wallet, etc.
/data/com.sec.android.inputmethod/Swiftkey/user/dynamic.lm – Dictionary files for SwiftKey

Communications – SMS, Calls, Emails

/data/com.android.providers.contacts/databases/calllog.db – Call logs (Android 7+)
/data/com.android.providers.telephony/databases/mmssms.db – SMS/MMS
/data/com.google.android.apps.messaging/databases/bugle_db – RCS/Android Messages
/data/com.google.android.gm/databases/ – Gmail conversations and email information
/data/com.google.android.gms/databases/icing_mmssms.db, ipa_mmssms.db – SMS/MMS
/data/com.sec.android.provider.logsprovider/databases/logs.db – Call logs

Multimedia

/data/com.android.providers.media/databases/external.db & external.db-WAL** – Traces of SD card usage
/data/com.google.android.apps.photos/databases/gphotos0.db – Camera photo information
/media/0/DCIM/Camera – Photos with EXIF data and location info

Browser Activity

/data/com.android.browser/databases/ – Internet history
/data/com.android.email/webviewCache.db – Email and browser data

Network Connections

/data/com.android.connectivity.metrics/databases/events.db – USB, Bluetooth, NFC, and other connections
/data/com.google.android.locations/files/cache.cell & cache.wifi – Cellular and Wi-Fi information

Syncing Artifacts

/data/com.google.android.apps.docs/ – Google Docs sync activity
/data/com.google.android.gms/databases/peoplelog.db – Contacts sync activity
/system/sync/accounts.xml – Synced accounts

Location Artifacts

/data/com.google.android.apps.maps/databases/da_destination_history – Destination history
/Media/0/DCIM/Camera – EXIF location data

Application Usage

/app/ – APK files for installed applications
/dalvik-cache – .dex/.oat/.art files
/data/com.android.vending/databases/ – App usage, notifications, install requests, and other traces
/system/appops.xml – Application permissions
/system/usagestats/0/ – Application usage stats
/log/sdp_log – Valid and invalid lockscreen code attempts

Native Applications

/data/com.android.providers.calendar/databases/calendar.db – Calendar items
/data/com.android.providers.contacts/databases/contacts2.db – Contacts & call logs
/data/com.android.providers.downloads/databases/downloads.db – Download history
/data/com.google.android.gms/databases/ – Contacts, MMS/SMS, wallet, and Google+ contacts

Let’s take an example where we want to locate SMS messages. The SMS database is stored in the following path:

\data\data\data\com.android.providers.telephony\databases\mmssms.db

You can copy the mmssms.db file and paste it into another folder. After that, return to the Andriller tool and, from the menu bar, select Decoder, then choose SMS Decoding (mmssms.db). Select the file, and Andriller will display the results as shown below.

Let’s look for the download history on the device. This can help us determine whether the user downloaded a malicious application from an app store. You can find the download history database at:

/data/data/com.android.providers.downloads/databases/downloads.db

Once again, in Andriller, go to Decoder and select downloads.db.
After selecting the file, you will see the result as shown below.

I believe this overview provides a solid foundation for understanding how to investigate an Android device that has been seized or legally targeted for examination. From file system exploration to database analysis, each artifact helps build a clearer picture of device activity.

As you continue working with these tools, take time to explore their capabilities across different Android versions and device types. Each environment may reveal additional details or unique data structures.

I hope this article has helped you gain useful insights into Android forensic analysis and that it encourages you to deepen your understanding through further practice and exploration.

Reverse The Malware