- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of Android third-party app containers β WhatsApp, Signal, Telegram, Snapchat, Instagram, TikTok, Discord β extracting messages, media, and behavioral evidence from per-app SQLite, SQLCipher, and Realm databases under /data/data/.
Quick Answer. Every Android app runs under a dedicated Linux UID with a private data directory at /data/data/<package>/ (or /data/user/0/<package>/ and /data/user_de/0/<package>/ for File-Based Encryption). Inside each container live databases/ (SQLite / SQLCipher stores), shared_prefs/ (XML preferences), files/ (app-managed files), and cache/. Android application forensics maps packages to UIDs via packages.xml, parses each app’s SQLite/Realm databases, and correlates with UsageStats to prove active use.
| Path | Contents |
|---|---|
| /data/app/~~ | Signed APK (read-only) |
| /data/data/ | SQLite / SQLCipher stores |
| /data/data/ | Preferences, account IDs, tokens |
| /data/data/ | App-managed files, cached media, chat exports |
| /data/data/ | HTTP caches, thumbnails, transient data |
| /data/user_de/0/ | Device-encrypted (pre-unlock) container |
| /data/system/packages.xml | Package β UID, permissions, install source, install time |
| /data/system/packages_backup.xml | Prior packages.xml β often reveals removed apps |
| App | Primary store | Encryption |
|---|---|---|
| msgstore.db (messages, message_media, chat), wa.db (contacts) | Local plaintext; /sdcard backups encrypted crypt14/15 | |
| Signal | signal.db (SQLCipher) | SQLCipher key stored via Android Keystore |
| Telegram | cache4.db (custom binary), user_configs | None; Secret Chats are key-protected |
| Snapchat | core.db, arroyo.db (chats) | Row-level encryption; keys in Keystore |
| direct.db, insta.db | None on-device | |
| TikTok | db_im_xx.db, awemeIM.db | None on-device |
| Discord | IndexedDB (Chromium) + shared_prefs | None on-device |
| Facebook Messenger | threads_db2 | None on-device |
Almost every app leaks identifiers into shared_prefs/*.xml: account email, user ID, last-login timestamp, device tokens, Firebase Cloud Messaging IDs, and feature flags. These files are XML in cleartext and survive database wipes because uninstall does not necessarily clear them (Android 12+ preserves some via DataRestore). We enumerate every shared_prefs in a case to place accounts and devices in time.
Installation is not use. Android provides three parallel usage sources:
/data/system/usagestats/<user>/ with per-package foreground time.ACTIVITY_RESUMED, ACTIVITY_PAUSED, NOTIFICATION_SEEN events per second./data/system/batterystats.bin records per-app CPU/network/wake activity.These sources converge to defensible statements like “the user opened WhatsApp at 14:03:22 local and used it for 4 minutes 12 seconds.” Full detail on Android System Logs & UsageStats Forensics.
When a user uninstalls an app, Android removes /data/data/<pkg>/ but leaves substantial residue: prior packages_backup.xml entries, install-time and last-update timestamps, UsageStats events, notification history, Google Play install log (com.android.vending shared_prefs), and β most importantly β any Google One or vendor backup made before uninstall. If a pre-uninstall backup exists we restore the container and analyze it.
Elite Digital Forensics is an independent, defense-aligned Android forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Android Forensics hub for the full analytical framework we bring to every matter.
With physical access, root, and the Android Keystore-protected passphrase: yes β the SQLCipher key can be retrieved and signal.db unlocked. Without those: no.
The local msgstore.db is plaintext SQLite. The /sdcard backup (msgstore.db.crypt14/15) is AES-GCM encrypted with a per-account key; end-to-end-encrypted backups (opt-in) use a user-generated 64-digit key or password.
Only via cloud (Google One, vendor backups) and shared /sdcard artifacts. On-device deleted-container recovery generally requires root or a physical acquisition.
By requiring UsageStats ACTIVITY_RESUMED (foreground) events, not just NOTIFICATION_SEEN. A notification alone does not prove use; only a resumed foreground session does.
Tell us about the device, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant