
How to Uncover Application Artifacts for Mobile Device Investigations

Application artifacts are an important data source in mobile device investigations. Identifying what applications are installed on the device and have been in use can be another investigative goal. This can help during the initial stages of an investigation when you may try to triage available data sources and determine which are of primary interest. Determining that a specific application is installed, like Snapchat, may help to corroborate other information case investigators have.

A screenshot of the Artifacts View in Magnet AXIOM showing "Installed Applications".

You may have encountered users who compartmentalize certain activity within specific applications. Many grooming or luring cases, for example, start on a social media platform, and the offender then moves the victim to something perceived to be a more private messaging application. In addition to the installed-application artifacts, reviewing the device analytics artifacts (such as battery statistics, usage statistics or application permissions) can show not only that a particular application was installed, but that it was in use during a specific period of time.

Application Artifacts in Investigations

Applications are the backbone of our mobile devices, providing a plethora of functionality and entertainment options. When it comes to uncovering crucial evidence in a mobile device investigation, applications give investigators insight into the activities and interests of a suspect, and they often hold the key to connecting the dots.

Top Application Artifacts for Android and iOS

Magnet Forensics has curated the following list of top application artifacts and where they can be found on a given device. Magnet AXIOM and AXIOM Cyber will surface these artifacts for you quickly and easily, and Magnet GRAYKEY and VERAKEY provide same-day access to the latest iOS and Android devices, but it is still important to know where to look:

Android Application Artifacts

Installed Applications:
/data/system/packages.list
/data/system/packages.xml
/data/data/com.android.vending/databases/library.db
Application Permissions:
/data/system/packages.xml
Battery Stats:
/data/data/com.google.android.gms/shared_prefs/Batterystats.xml
BatterystatsDumpsysTask:
/data/data/com.google.android.gms/files/BatterystatsDumpsysTask.gz
Usage Stats:
/data/system/usagestats/0
Recent Images:
/data/system_ce/0/recent_images
Recent Tasks:
/data/system_ce/0/recent_tasks
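As an added worked example (not code from the original article or from Magnet Forensics), the following Python script parses the text form of packages.xml and packages.list, converts the hexadecimal "it" (first install) and "ut" (last update) millisecond timestamps to UTC, lists the permissions recorded as granted for each package, and cross-checks the two files against each other: a package present in one file but not the other, or carrying different UIDs in each, is something an examiner should be able to explain. The sample file contents are constructed. Two caveats a practitioner will want: Android 12 and later write packages.xml in the ABX binary XML format, so run it through the platform's abx2xml tool before parsing; and on Android 6 and later, runtime permission grants (camera, location and so on) are recorded per user in runtime-permissions.xml rather than in the <perms> block that this script reads, which holds the install-time grants.

```python
"""Parse Android packages.xml / packages.list (text form) to list installed
packages with install/update times and permissions, and cross-check the two."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the layout of /data/system/packages.xml (text form).
# userId is the app's Linux UID; it/ut are first-install / last-update times
# as hexadecimal milliseconds since the Unix epoch. Android 12+ stores this
# file as ABX binary XML: convert it with abx2xml before parsing.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.snapchat.android" codePath="/data/app/~~Ab1==/com.snapchat.android-Cd2==" it="18b16e22000" ut="18b212ed800" version="2004" userId="10123">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.CAMERA" granted="true" flags="0" />
      <item name="android.permission.READ_LOGS" granted="false" flags="0" />
    </perms>
  </package>
  <package name="com.android.vending" codePath="/product/priv-app/Phonesky" it="17e12ef9c00" ut="17e12ef9c00" version="3400" userId="10045">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
    </perms>
  </package>
</packages>
"""

# Constructed sample of /data/system/packages.list, one package per line:
# name, UID, debuggable flag, data directory, SELinux seinfo, supplementary GIDs.
SAMPLE_PACKAGES_LIST = """\
com.snapchat.android 10123 0 /data/user/0/com.snapchat.android default:targetSdkVersion=33 3003,3002
com.android.vending 10045 0 /data/user/0/com.android.vending platform:privapp:targetSdkVersion=33 3003,3002,1007
com.example.sideloaded 10200 1 /data/user/0/com.example.sideloaded default:targetSdkVersion=30 3003
"""


def hex_ms_to_utc(hex_ms):
    """Convert a hex millisecond timestamp (packages.xml it/ut) to a UTC datetime."""
    return datetime.fromtimestamp(int(hex_ms, 16) / 1000, tz=timezone.utc)


def parse_packages_xml(xml_text):
    """Return {package name: details} from the text form of packages.xml."""
    packages = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        # Packages in a shared UID carry sharedUserId instead of userId.
        uid = pkg.get("userId") or pkg.get("sharedUserId") or "0"
        packages[pkg.get("name")] = {
            "uid": int(uid),
            "code_path": pkg.get("codePath"),
            "first_install": hex_ms_to_utc(pkg.get("it", "0")),
            "last_update": hex_ms_to_utc(pkg.get("ut", "0")),
            "granted_perms": sorted(
                item.get("name")
                for item in pkg.iterfind("perms/item")
                if item.get("granted") == "true"
            ),
        }
    return packages


def parse_packages_list(text):
    """Return {package name: uid/debuggable/data_dir} from packages.list."""
    packages = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        packages[fields[0]] = {
            "uid": int(fields[1]),
            "debuggable": fields[2] == "1",
            "data_dir": fields[3],
        }
    return packages


def cross_check(xml_pkgs, list_pkgs):
    """Flag packages present in only one file, or with differing UIDs."""
    findings = []
    for name in sorted(set(xml_pkgs) | set(list_pkgs)):
        if name not in list_pkgs:
            findings.append(f"{name}: in packages.xml but not packages.list")
        elif name not in xml_pkgs:
            findings.append(f"{name}: in packages.list but not packages.xml")
        elif xml_pkgs[name]["uid"] != list_pkgs[name]["uid"]:
            findings.append(f"{name}: uid {xml_pkgs[name]['uid']} in packages.xml "
                            f"but {list_pkgs[name]['uid']} in packages.list")
    return findings


if __name__ == "__main__":
    xml_pkgs = parse_packages_xml(SAMPLE_PACKAGES_XML)
    list_pkgs = parse_packages_list(SAMPLE_PACKAGES_LIST)
    for name, info in xml_pkgs.items():
        updated = ""
        if info["last_update"] > info["first_install"]:
            updated = f" (updated {info['last_update'].isoformat()})"
        print(f"{name} uid={info['uid']} installed {info['first_install'].isoformat()}{updated}")
        print("  granted:", ", ".join(info["granted_perms"]))
    for finding in cross_check(xml_pkgs, list_pkgs):
        print("CHECK:", finding)
```

Run against files pulled from a full file system extraction, the cross-check is the useful part: packages.list is regenerated from packages.xml by the system, so a disagreement between them usually means the two files were captured at different times or one of them was edited.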

iOS Application Artifacts

Installed Applications:
HomeDomain-Library/FrontBoard/applicationState.db
Info.plist (root of an iTunes/Finder backup)
Manifest.plist (root of an iTunes/Finder backup)
/private/var/mobile/Library/FrontBoard/applicationState.db
Application Permissions:
HomeDomain-Library/TCC/TCC.db
/private/var/mobile/Library/TCC/TCC.db
Power Log:
/private/var/containers/Shared/SystemGroup/[APPGUID]/Library/BatteryLife/CurrentPowerlog.PLSQL
/private/var/containers/Shared/SystemGroup/[APPGUID]/Library/BatteryLife/Archives/powerlog_DATE_ID.PLSQL.gz
KnowledgeC:
/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
Biome:
/private/var/db/biome/streams/restricted
/private/var/mobile/Library/Biome/streams/public
/private/var/mobile/Library/Biome/streams/restricted
Screentime:
/private/var/mobile/Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite
Snapshots:
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/SplashBoard/Snapshots
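The following Python script is an added example (not code from the original article or from Magnet Forensics) of what the KnowledgeC entry above, and the earlier point about proving an application was actually in use rather than merely installed, look like in practice. It queries the /app/inFocus stream of knowledgeC.db, where each row's ZVALUESTRING is a bundle identifier and ZSTARTDATE/ZENDDATE are seconds since the Cocoa epoch (2001-01-01 UTC), builds per-session and per-app foreground totals, and then compares the bundle identifiers seen in focus against the installed list in applicationState.db's application_identifier_tab, so an app that was used and later removed stands out. The table and column names are those of the real databases; the schemas are reduced to the columns used and the rows are constructed. On real evidence you would open knowledgeC.db and ATTACH applicationState.db; here both sets of tables live in one in-memory database. Keep in mind that knowledgeC.db only retains a few weeks of history, and that on recent iOS versions much of the same activity is written to the Biome streams listed above.

```python
"""Reconstruct foreground app usage from iOS knowledgeC.db (/app/inFocus) and
cross-check it against the installed-app list in applicationState.db."""
import sqlite3

COCOA_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (UTC)

# Constructed sample rows: (bundle id, Cocoa start, Cocoa end) in seconds.
SAMPLE_INFOCUS_ROWS = [
    ("com.toyopagroup.picaboo", 718639200.0, 718639500.0),  # 2023-10-10 14:00 UTC, 5 min
    ("com.apple.MobileSMS",     718639530.0, 718639650.0),  # 2023-10-10 14:05:30 UTC, 2 min
    ("com.toyopagroup.picaboo", 718707600.0, 718707660.0),  # 2023-10-11 09:00 UTC, 1 min
]
# Constructed installed-app list as it would appear in applicationState.db.
SAMPLE_INSTALLED = ["com.apple.MobileSMS", "com.apple.mobilesafari"]


def build_sample_db():
    """Create an in-memory database with reduced copies of both tables.

    Real ZOBJECT rows carry many more columns; only those queried are modelled.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,
                              ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL);
        CREATE TABLE application_identifier_tab (id INTEGER PRIMARY KEY,
                              application_identifier TEXT);
    """)
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) "
        "VALUES ('/app/inFocus', ?, ?, ?)", SAMPLE_INFOCUS_ROWS)
    # A row from another stream, to show that the stream filter matters.
    conn.execute(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) "
        "VALUES ('/display/isBacklit', NULL, 718639100.0, 718639900.0)")
    conn.executemany(
        "INSERT INTO application_identifier_tab (application_identifier) VALUES (?)",
        [(b,) for b in SAMPLE_INSTALLED])
    conn.commit()
    return conn


# Cocoa timestamps are shifted to the Unix epoch before SQLite formats them.
FOCUS_QUERY = """
SELECT ZVALUESTRING AS bundle_id,
       datetime(ZSTARTDATE + ?, 'unixepoch') AS start_utc,
       datetime(ZENDDATE + ?, 'unixepoch') AS end_utc,
       CAST(ZENDDATE - ZSTARTDATE AS INTEGER) AS seconds
FROM ZOBJECT
WHERE ZSTREAMNAME = '/app/inFocus'
ORDER BY ZSTARTDATE
"""


def app_focus_sessions(conn, bundle_id=None):
    """Return (bundle, start_utc, end_utc, seconds) tuples, oldest first."""
    rows = conn.execute(FOCUS_QUERY, (COCOA_EPOCH_OFFSET, COCOA_EPOCH_OFFSET)).fetchall()
    if bundle_id is not None:
        rows = [r for r in rows if r[0] == bundle_id]
    return rows


def focus_totals(conn):
    """Total foreground seconds per bundle identifier."""
    totals = {}
    for bundle, _start, _end, seconds in app_focus_sessions(conn):
        totals[bundle] = totals.get(bundle, 0) + seconds
    return totals


def used_but_not_installed(conn):
    """Bundles with /app/inFocus history that are no longer in applicationState.db."""
    installed = {r[0] for r in conn.execute(
        "SELECT application_identifier FROM application_identifier_tab")}
    used = {r[0] for r in app_focus_sessions(conn)}
    return sorted(used - installed)


if __name__ == "__main__":
    conn = build_sample_db()
    for bundle, start, end, secs in app_focus_sessions(conn):
        print(f"{start} -> {end}  {bundle}  ({secs}s in foreground)")
    for bundle, total in focus_totals(conn).items():
        print(f"total {bundle}: {total}s")
    for bundle in used_but_not_installed(conn):
        print(f"CHECK: {bundle} has /app/inFocus records but is absent from applicationState.db")
```

The last check is the one that matters for the scenario described earlier: a messaging app that was installed, used for a few sessions and then deleted leaves no trace in applicationState.db, but its focus sessions remain in knowledgeC.db for as long as that database retains them.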

Mobile device applications reflect an individual’s life. In an investigation, they are an important source of data and insight into everything from a suspect’s preferences and hobbies to health and fitness habits, financial transactions, and work-related activities.

Leveraging Application Artifacts

While many examiners spend the bulk of their time using the artifact explorer in AXIOM Examine, other features like Timeline and Connections can help surface items of interest. The volume of artifacts from a modern mobile device examination can make it easy for potential application artifacts of interest to blend into the noise, almost hiding in plain sight.

Using the Timeline explorer can help to profile when a particular activity occurred on a device or provide context as to what a user was doing on their device at a certain time. The use of absolute and relative time filters can also help examiners find key details around points of interest in the timeline of a specific investigation.

The Timeline view in Magnet AXIOM Showing Application Artifacts

The Connections explorer provides a visual representation of how the various artifacts in your case are related. Using the distinct properties of each artifact, called artifact attributes, you can start from an artifact of your choosing, such as a screen name or phone number, and see how it relates to other application artifacts in your case.

The Connections view in Magnet AXIOM

These days, mobile devices often have greater storage capacity, even rivaling traditional computers. Still, the always-on, always-connected nature of mobile devices means that cloud stored data cannot be overlooked. The Potential Cloud Evidence Leads dashboard is a great resource for identifying other sources of data which may be relevant to your investigation – particularly when mobile devices are involved.

A screenshot showing the Potential Cloud Evidence Leads in Magnet AXIOM.

Applications on a device may not always store data locally or there may be additional logs, usage, and analytics data available directly from the connected cloud account. The potential cloud evidence leads dashboard helps examiners by surfacing potential sources of cloud-stored data and accounts from the installed applications and accounts recovered on a device. This can help to provide an efficient method for directing further investigative efforts in a case.

If you haven’t tried Magnet AXIOM or AXIOM Cyber, request a free trial today.
