App data forensics focuses on analyzing the information stored by mobile applications on Android and iOS devices. Modern apps—especially messaging, social media, browsing, banking, and productivity apps—store vast amounts of user-generated content, cached information, databases, logs, and media files. These artifacts often contain the most valuable evidence in mobile investigations.
This chapter explains how app data is stored, what types of artifacts are available, where forensic evidence lives on Android and iOS, and how investigators extract and analyze app-level data.
Why App Data Forensics Matters
Most user activity today happens inside apps rather than in SMS or native phone functions.
App data reveals:
- Messages and chat histories
- Call logs (VoIP apps)
- Images, videos, voice notes
- Location history
- Login tokens
- File transfers
- Contacts sync
- Session data
- Browser history inside WebViews
Even when apps use encryption (Signal, WhatsApp E2EE), metadata or cached data may still reveal important information.
Where App Data Lives
App data is stored differently on Android and iOS, but both platforms use sandbox directories with similar structures.
App Data on Android
Android stores app data primarily in:
/data/data/<package_name>/
This directory contains:
1. Databases
SQLite files such as:
- messages.db
- chat.db
- history.db
- downloads.db
These are critical for reconstructing conversations and actions.
2. Shared Preferences
XML configuration files under:
shared_prefs/
Contain:
- Session tokens
- App settings
- User IDs
- Flags about activity
3. Cache Files
Located in:
cache/
Contain:
- Images
- Thumbnails
- Temporary downloads
- WebView caches
4. Files Directory
Raw files such as:
- Documents
- Audio recordings
- Attachments
- Offline maps
- Logs
5. External Storage
Some apps store public media here:
/sdcard/<AppName>/
/storage/emulated/0/<AppName>/
Useful for:
- WhatsApp media
- Telegram downloads
- Instagram cache
- Browser downloads
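The sandbox layout above is what an examiner triages first. The following is an added example (not code from this chapter or from any forensic tool): it builds a constructed sandbox in a temporary directory, identifies SQLite stores by their 16-byte magic header rather than by file extension (cache files are often renamed databases), notes -wal/-journal/-shm sidecars that may hold rows not yet in the main file, and walks Android shared_prefs XML and iOS Library/Preferences plists to flag keys that look like session credentials. Flagged values are reported as a SHA-256 fingerprint, not copied into the report. The package name com.example.chat, the UUID-PLACEHOLDER container name, the key names and the regular expression are all assumptions for the demonstration.

```python
"""Triage of an extracted app sandbox (added example; every path, file and key
below is constructed, not taken from a real device image)."""
import hashlib
import os
import plistlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
# assumption: key-name heuristic for credential-like preferences; tune per app
TOKEN_KEY_RE = re.compile(r"token|session|auth|cookie|secret|password", re.I)


def fingerprint(value: str) -> str:
    """SHA-256 prefix so a report can reference a credential without copying it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def _rel(path: str, root: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_sqlite_files(root: str) -> list:
    """Detect SQLite stores by magic bytes (extensions are unreliable) and note
    -wal/-journal/-shm sidecars, which can hold rows absent from the main file."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(16) != SQLITE_MAGIC:
                    continue
            sidecars = [s for s in ("-wal", "-journal", "-shm") if os.path.exists(path + s)]
            found.append({"path": _rel(path, root), "sidecars": sidecars})
    return sorted(found, key=lambda d: d["path"])


def flag_credential_keys(root: str) -> list:
    """Walk Android shared_prefs XML and iOS Preferences plists; report keys whose
    name suggests a session credential, with a fingerprint instead of the value."""
    flags = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith(".xml") and os.path.basename(dirpath) == "shared_prefs":
                for el in ET.parse(path).getroot():  # children of the <map> root
                    key = el.get("name", "")
                    if TOKEN_KEY_RE.search(key):
                        flags.append((_rel(path, root), key,
                                      fingerprint(el.text or el.get("value", ""))))
            elif name.endswith(".plist"):
                with open(path, "rb") as fh:
                    for key, value in plistlib.load(fh).items():
                        if TOKEN_KEY_RE.search(key):
                            flags.append((_rel(path, root), key, fingerprint(str(value))))
    return sorted(flags)


def triage(root: str) -> dict:
    return {"sqlite": find_sqlite_files(root), "flags": flag_credential_keys(root)}


def build_sample_sandbox() -> str:
    """Constructed sandbox mimicking /data/data/<pkg>/ plus an iOS container."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    pkg = os.path.join(root, "data", "data", "com.example.chat")
    for sub in ("databases", "shared_prefs", "cache"):
        os.makedirs(os.path.join(pkg, sub))
    db = os.path.join(pkg, "databases", "messages.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE msg(id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO msg(body) VALUES ('hi')")
    con.commit()
    con.close()
    open(db + "-wal", "wb").close()  # simulates an un-checkpointed WAL found in an image
    con = sqlite3.connect(os.path.join(pkg, "cache", "thumb.bin"))  # renamed SQLite file
    con.execute("CREATE TABLE t(x)")
    con.commit()
    con.close()
    with open(os.path.join(pkg, "cache", "img.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG header: must not match
    with open(os.path.join(pkg, "shared_prefs", "session.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="auth_token">constructed-token-value</string>\n'
                 '  <string name="theme">dark</string>\n'
                 '  <boolean name="logged_in" value="true" />\n</map>\n')
    ios = os.path.join(root, "Containers", "Data", "Application",
                       "UUID-PLACEHOLDER", "Library", "Preferences")
    os.makedirs(ios)
    with open(os.path.join(ios, "com.example.chat.plist"), "wb") as fh:
        plistlib.dump({"SessionCookie": "constructed-cookie", "Version": 3}, fh,
                      fmt=plistlib.FMT_BINARY)
    return root


if __name__ == "__main__":
    for section, entries in triage(build_sample_sandbox()).items():
        print(section, entries)
```

Run it directly to see the inventory; in practice point `triage()` at the root of a file-system extraction. A sidecar listed next to a database is a reminder to copy the -wal/-journal file along with the main file before opening it, otherwise the viewer shows an older state than the device held.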
App Data on iOS
iOS stores app data inside containers:
/private/var/mobile/Containers/Data/Application/<UUID>/
Key subdirectories:
1. Documents
User-generated content such as exported files, recordings, backups.
2. Library
Contains:
- Databases
- Preferences
- Caches
- Application state
- Cookies
- WebKit data
3. tmp
Temporary app files:
- Cached media
- In-progress downloads
- Deleted-but-not-overwritten files
Forensic Artifacts in App Data
1. Messaging Apps (WhatsApp, Telegram, Signal, Messenger)
Stored in:
- Android: /data/data/com.whatsapp/
- iOS: App container
Artifacts:
- Chat databases (msgstore.db)
- Media (WhatsApp/Media/)
- Contacts
- Status updates cache
- Group info
- Timestamps & message metadata
Telegram
Stores:
- Cached images/videos
- Session tokens
- Message headers
- Location data
(Telegram stores many messages server-side rather than locally.)
Signal
Most data is encrypted. Still accessible:
- Metadata
- Timestamps
- Attachment placeholders
- Contact info
- Key files (if device unlocked)
Facebook Messenger / Instagram
Evidence:
- Message caches
- Images
- DM metadata
- Story thumbnails
- Session tokens
- Voice message files
2. Social Media Apps
Includes:
- Facebook
- Instagram
- TikTok
- Twitter/X
- Snapchat
Artifacts:
- Cached profile pictures
- Chat logs (partial or full)
- Search history
- Location tagging
- Saved posts
- Browsing history inside WebView
- Deleted-but-cached media
Snapchat stores:
- Temporary snaps (sometimes recoverable)
- Metadata about viewed snaps
- Story cache
- Chat history in SQLite files
3. Browsers (Chrome, Safari, In-App WebViews)
Artifacts:
- History
- Cookies
- Cache
- Login tokens
- Download history
- Autofill data
- IndexedDB and WebSQL storage
Android Chrome:
/data/data/com.android.chrome/app_chrome/
iOS Safari:
Library/Safari/
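The messaging artifacts above and the browser artifacts in this section record the same kind of evidence (who did what, when) but store time in different epochs: Android apps commonly use Unix milliseconds, iOS Core Data stores use seconds since 2001-01-01 (Mac absolute time / NSDate), and Chrome's History and Cookies databases use microseconds since 1601-01-01 (WebKit time). Applying the wrong epoch silently shifts events by decades, so normalizing everything to UTC before building a timeline is a standard step. The following is an added example, not the chapter's or any vendor's code: it creates three constructed tables in an in-memory SQLite database (the column names, including the Core Data style Z-prefixed ones, are assumptions and not a real app schema), converts each epoch, merges the rows into one UTC-ordered timeline, and marks entries whose year falls outside an analyst-chosen plausibility window.

```python
"""Merge chat and browser rows with different epochs into one UTC timeline
(added example; the tables, rows and column names are constructed)."""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # NSDate / Core Data
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # Chrome History, Cookies
PLAUSIBLE_YEARS = (2007, 2040)  # assumption: tune to the case; flags epoch mix-ups


def from_unix_ms(value: int) -> datetime:
    return UNIX_EPOCH + timedelta(milliseconds=value)


def from_mac_absolute(value: float) -> datetime:
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=value)


def from_webkit_us(value: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_db() -> sqlite3.Connection:
    """Constructed tables: Android chat (unix ms), iOS chat (Mac absolute
    seconds, Core Data style names), Chrome history (WebKit microseconds)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE android_messages(id INTEGER PRIMARY KEY, remote TEXT,
                                      from_me INTEGER, ts_ms INTEGER, body TEXT);
        CREATE TABLE ios_messages(Z_PK INTEGER PRIMARY KEY, ZREMOTE TEXT,
                                  ZFROMME INTEGER, ZDATE REAL, ZTEXT TEXT);
        CREATE TABLE chrome_urls(id INTEGER PRIMARY KEY, url TEXT,
                                 last_visit_time INTEGER);
        INSERT INTO android_messages VALUES (1, 'contact-a', 0, 1700000000000, 'meet at 9?');
        INSERT INTO ios_messages VALUES (1, 'contact-b', 1, 721692900.0, 'on my way');
        INSERT INTO chrome_urls VALUES (1, 'https://example.com/map', 13344473640000000);
    """)
    return con


def build_timeline(con: sqlite3.Connection) -> list:
    """Normalize every row to UTC and return them ordered by time."""
    events = []
    for remote, from_me, ts, body in con.execute(
            "SELECT remote, from_me, ts_ms, body FROM android_messages"):
        events.append((from_unix_ms(ts), "android-chat",
                       f"{'to' if from_me else 'from'} {remote}: {body}"))
    for remote, from_me, ts, body in con.execute(
            "SELECT ZREMOTE, ZFROMME, ZDATE, ZTEXT FROM ios_messages"):
        events.append((from_mac_absolute(ts), "ios-chat",
                       f"{'to' if from_me else 'from'} {remote}: {body}"))
    for url, ts in con.execute("SELECT url, last_visit_time FROM chrome_urls"):
        events.append((from_webkit_us(ts), "chrome-history", url))
    events.sort(key=lambda e: e[0])
    return [{
        "utc": dt.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "detail": detail,
        "plausible": PLAUSIBLE_YEARS[0] <= dt.year <= PLAUSIBLE_YEARS[1],
    } for dt, source, detail in events]


if __name__ == "__main__":
    for event in build_timeline(build_sample_db()):
        print(event["utc"], event["source"], event["detail"],
              "" if event["plausible"] else "[check epoch]")
```

The `plausible` flag is a cheap cross-check: feeding the iOS value 721692900 into the Unix converter yields a date in 1992, which no smartphone artifact should carry, and the flag makes that mistake visible in the report instead of quietly reordering the timeline.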
4. Banking / Payment Apps
While tightly secured, they still contain:
- Logs
- Device binding data
- Session metadata
- Notification content (sometimes)
- Cached statements
- App preferences
Examiners must take care not to modify or trigger the app's security features.
5. Navigation & Maps Apps
Google Maps / Apple Maps artifacts include:
- Search history
- Timeline/location history
- Saved places
- Real-time movement caches
- Route suggestions
Stored in SQLite and plist/XML files.
6. Cloud Storage Apps (Drive, iCloud, Dropbox)
Artifacts:
- Offline files
- File metadata
- Previews
- Download history
- Access logs
- Sync logs
These apps may reveal deleted or shared files.
7. VoIP & Communication Apps
Call logs from apps like WhatsApp, Skype, Zoom, Teams, and Telegram contain:
- VoIP call history
- Call duration
- Timestamps
- Participants
- Session data
- Meeting logs (Zoom/Teams)
How Investigators Extract App Data
Android Extraction Paths
- Full File System via root or forensic tools
- ADB extraction (limited)
- EDL mode for Qualcomm devices
- Chip-off for hardware access
- Cloud backups (Google Drive)
iOS Extraction Paths
- iTunes backup (logical)
- Full File System via checkm8/jailbreak/forensic tools
- iCloud extraction
- Pairing record exploitation
Parsing App Artifacts
Tools for analysis:
- Magnet AXIOM
- Cellebrite Physical Analyzer
- Oxygen Forensic Detective
- SQLite Browser
- plist editors
- Android Studio tools
- Manual decoding for LevelDB/JSON caches
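Opening a database in a viewer shows only live rows, which is why the "deleted-but-cached" and "deleted-but-not-overwritten" artifacts listed earlier need a byte-level look at the file. The following is an added example, not the chapter's or any tool's code: it builds a constructed chat table in a temporary SQLite file, deletes one message, and shows that a SQL query no longer returns it while a raw scan of the file (and a general printable-string carver) still finds its text. SQLite leaves freed cell bytes in place unless `secure_delete` is on, so the same function is run with `PRAGMA secure_delete` set OFF and ON to show both outcomes. The table name, the message bodies and the `deleted-marker` string are constructed; the 12-byte minimum run length in the carver is an assumption.

```python
"""Deleted rows leave residue in SQLite free space until overwritten or
securely deleted; a raw scan finds them when a query no longer does
(added example; the table, rows and database file are constructed)."""
import os
import re
import sqlite3
import tempfile

NEEDLE = b"deleted-marker: payment confirmation 4711"  # constructed message body
ROWS = [
    ("alice", "see you at the cafe tomorrow"),
    ("bob", NEEDLE.decode()),
    ("alice", "ok"),
]


def live_rows(path: str) -> list:
    """What a normal SQL query (or a GUI viewer) shows after the delete."""
    con = sqlite3.connect(path)
    rows = [body for (body,) in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def raw_contains(path: str, needle: bytes) -> bool:
    """Byte-level scan of the whole file, ignoring SQLite's page structure."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def carve_ascii_runs(path: str, min_len: int = 12) -> list:
    """General form of the scan: carve every printable run of >= min_len bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]


def residue_after_delete(secure_delete: bool) -> dict:
    """Create a chat table, delete one row, compare live rows with raw residue."""
    path = os.path.join(tempfile.mkdtemp(prefix="sqlite_residue_"), "msgstore.db")
    con = sqlite3.connect(path)
    # OFF is SQLite's compile-time default; ON makes SQLite zero freed cells
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", ROWS)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    # the rollback journal is removed on commit; a -journal or -wal file left
    # behind in a device image is a further place where old rows survive
    con.close()
    return {
        "live": live_rows(path),
        "raw_hit": raw_contains(path, NEEDLE),
        "carved_hit": any(NEEDLE.decode() in run for run in carve_ascii_runs(path)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete =", mode, residue_after_delete(mode))
```

The same carver applied to a whole database file from an extraction is the quick first pass before dedicated SQLite record-recovery tooling; the caveat is that residue is overwritten by later inserts, a VACUUM, or an app that turns `secure_delete` on, so absence of residue proves nothing.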
Common Forensic Challenges
- End-to-end encrypted apps (Signal, WhatsApp)
- File-based encryption (Android/iOS)
- Scoped storage restrictions
- Cloud-synced data not stored locally
- Ephemeral messaging (Snapchat, Telegram secret chat)
- App obfuscation & proprietary storage formats
Intel Dump
- App data forensics analyzes SQLite databases, shared_prefs XML, caches, media files, WebView data, session tokens, and logs stored in app containers.
- Android stores app data under /data/data/ and external storage; iOS uses Containers/Data/Application/<UUID>/.
- Messaging, social media, browser, navigation, financial, and cloud apps hold critical evidence like chat logs, media, locations, tokens, and histories.
- Extraction relies on logical, file system, full file system, cloud, or hardware-based methods depending on device state and encryption.
- Tools like Cellebrite, AXIOM, and Oxygen parse app databases and artifacts for investigation.