Hello everybody, the question is the following
How can I know (which logs I might check, mainly) if an Andoid has been used between timestamp A and timestamp B (A<B)?
Thanks!
I would be looking at SQLite databases )
I would be looking at SQLite databases )
Why? I think that information might be stored in logs, not in SQLite databases 😯
I would be looking at SQLite databases )
Why? I think that information might be stored in logs, not in SQLite databases 😯
"If the only tool you have is a hammer, all things around start to seem like nails" )
I would be looking at SQLite databases )
Why? I think that information might be stored in logs, not in SQLite databases 😯
Do you think that SQLite databases might have dates and times in them and if a user makes use of an app or the device then a date might be changed. Android devices can have hundreds of such databases used for both system logging and user applications.
I would be looking at SQLite databases )
Why? I think that information might be stored in logs, not in SQLite databases 😯
Do you think that SQLite databases might have dates and times in them and if a user makes use of an app or the device then a date might be changed. Android devices can have hundreds of such databases used for both system logging and user applications.
Ok, I understand what you say, but my question was focused to if it exists a log in which is written when a mobile phone is accessed, for example when you type the PIN number or draw the pattern with your finger. I mean, the way you are exploring involves the exam of the whole set of SQLite databases in the phone.
Hmm I was answering the question you asked, not the question you thought you asked )
I mean, the way you are exploring involves the exam of the whole set of SQLite databases in the phone.
That's forensics for you.
As to iDevices, you could know Last Factory Restore/Upgrade date/time by using XRY or UFED. As to Android, usually every Android phone needs a google account, so you could find Suspect's google account, and use it as a keyword to search. Look at the search hits and try to do Timeline forensics.
Skywalker - it's not considered polite to change your orginal post - it makes my answer re sqlite look odd and will discourage me answering your questions in future!
Skywalker - it's not considered polite to change your orginal post - it makes my answer re sqlite look odd and will discourage me answering your questions in future!
Sorry Paul, but I don't understand what you mean. I haven't changed my original post.
Thank you.