Android App Containers Β· /data/data

Android Application Data Forensics: App Container and Third-Party App Analysis

Independent forensic analysis of Android third-party app containers β€” WhatsApp, Signal, Telegram, Snapchat, Instagram, TikTok, Discord β€” extracting messages, media, and behavioral evidence from per-app SQLite, SQLCipher, and Realm databases under /data/data/.

Quick Answer. Every Android app runs under a dedicated Linux UID with a private data directory at /data/data/<package>/ (or /data/user/0/<package>/ and /data/user_de/0/<package>/ for File-Based Encryption). Inside each container live databases/ (SQLite / SQLCipher stores), shared_prefs/ (XML preferences), files/ (app-managed files), and cache/. Android application forensics maps packages to UIDs via packages.xml, parses each app’s SQLite/Realm databases, and correlates with UsageStats to prove active use.

Android app storage layout

PathContents
/data/app/~~//base.apkSigned APK (read-only)
/data/data//databases/SQLite / SQLCipher stores
/data/data//shared_prefs/*.xmlPreferences, account IDs, tokens
/data/data//files/App-managed files, cached media, chat exports
/data/data//cache/HTTP caches, thumbnails, transient data
/data/user_de/0//Device-encrypted (pre-unlock) container
/data/system/packages.xmlPackage β†’ UID, permissions, install source, install time
/data/system/packages_backup.xmlPrior packages.xml β€” often reveals removed apps

High-value app databases we routinely parse

AppPrimary storeEncryption
WhatsAppmsgstore.db (messages, message_media, chat), wa.db (contacts)Local plaintext; /sdcard backups encrypted crypt14/15
Signalsignal.db (SQLCipher)SQLCipher key stored via Android Keystore
Telegramcache4.db (custom binary), user_configsNone; Secret Chats are key-protected
Snapchatcore.db, arroyo.db (chats)Row-level encryption; keys in Keystore
Instagramdirect.db, insta.dbNone on-device
TikTokdb_im_xx.db, awemeIM.dbNone on-device
DiscordIndexedDB (Chromium) + shared_prefsNone on-device
Facebook Messengerthreads_db2None on-device

shared_prefs β€” the underrated evidence source

Almost every app leaks identifiers into shared_prefs/*.xml: account email, user ID, last-login timestamp, device tokens, Firebase Cloud Messaging IDs, and feature flags. These files are XML in cleartext and survive database wipes because uninstall does not necessarily clear them (Android 12+ preserves some via DataRestore). We enumerate every shared_prefs in a case to place accounts and devices in time.

Proving app use β€” not just presence

Installation is not use. Android provides three parallel usage sources:

  • UsageStatsService β€” daily/weekly/monthly rollup files under /data/system/usagestats/<user>/ with per-package foreground time.
  • Event log β€” ACTIVITY_RESUMED, ACTIVITY_PAUSED, NOTIFICATION_SEEN events per second.
  • Battery stats β€” /data/system/batterystats.bin records per-app CPU/network/wake activity.

These sources converge to defensible statements like “the user opened WhatsApp at 14:03:22 local and used it for 4 minutes 12 seconds.” Full detail on Android System Logs & UsageStats Forensics.

Deleted-app residue

When a user uninstalls an app, Android removes /data/data/<pkg>/ but leaves substantial residue: prior packages_backup.xml entries, install-time and last-update timestamps, UsageStats events, notification history, Google Play install log (com.android.vending shared_prefs), and β€” most importantly β€” any Google One or vendor backup made before uninstall. If a pre-uninstall backup exists we restore the container and analyze it.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Android forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Android Forensics hub for the full analytical framework we bring to every matter.

Related Android forensics pages

Frequently asked questions

Can Signal on Android be decrypted?

With physical access, root, and the Android Keystore-protected passphrase: yes β€” the SQLCipher key can be retrieved and signal.db unlocked. Without those: no.

Does WhatsApp on Android encrypt messages on device?

The local msgstore.db is plaintext SQLite. The /sdcard backup (msgstore.db.crypt14/15) is AES-GCM encrypted with a per-account key; end-to-end-encrypted backups (opt-in) use a user-generated 64-digit key or password.

Can deleted app data be recovered without root?

Only via cloud (Google One, vendor backups) and shared /sdcard artifacts. On-device deleted-container recovery generally requires root or a physical acquisition.

How do you distinguish personal use from background notifications?

By requiring UsageStats ACTIVITY_RESUMED (foreground) events, not just NOTIFICATION_SEEN. A notification alone does not prove use; only a resumed foreground session does.

Ready to move on your android application data matter?

Tell us about the device, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. AOSP β€” App Data and Storage. developer.android.com
  2. AOSP β€” UsageStatsManager. developer.android.com
  3. NIST SP 800-101 Rev.1 β€” Guidelines on Mobile Device Forensics. csrc.nist.gov
  4. Federal Rule of Evidence 702. www.rulesofevidence.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#AndroidForensics #MobileForensics #DFIR #EliteDigitalForensics #AppForensics #WhatsApp #Signal

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder