Maybe my mistake, but I don't remember you saying logs in your initial post, and I did re-read it after your earlier reply.
SkyWalker,
(DISCLOSURE: I own Sanderson Forensics' SQLite Forensic Toolkit software, but have neither direct nor indirect financial interest whatsoever in Sanderson Forensics.)
I think Paul's suggestion of analyzing SQLite databases is a sound one as it should allow you to distinguish between human "User" generated activity versus non-human "System" generated activity.
Here are some SQLite databases (one could call them "Logs") of potential interest on Android phones (the below list is from a Verizon LG G3, Android OS 5.0.1):
1) "accounts.db" stores "com.Android.exchange" company email user name and password plus all other user accounts on the phone located at image.raw\userdata (EFI 44)\system\users\0\
2) "mmssms.db" contains text messages (senders, recipients, dates, times, etc.) and is located here image.raw\userdata (EFI 44)\data\com.android.providers.telephony\databases\
3) "mailstore.username@gmail.com.db" contains Gmail content (senders, recipients, body of email, dates, etc.) located at image.raw\userdata (EFI 44)\data\com.google.android.gm\databases\
4) "EMAIL.db" contains Microsoft Exchange email content and can be found at image.raw\userdata (EFI 44)\data\com.lge.email\data\
5) EML email files in the following folder path image.raw\userdata (EFI 44)\data\com.lge.email\data\Messaging\EML\
6) "calendar.db", contains calendar entries found in file path image.raw\userdata (EFI 44)\data\com.android.providers.calendar\databases\
7) "contacts2.db" contains Call Logs and Contacts. Includes entry for "deleted" contacts as well as normal contacts. Found in file path image.raw\userdata (EFI 44)\data\com.android.providers.calendar\databases\
8) "profile.db" contains Google ID email addresses located at image.raw\userdata (EFI 44)\data\com.android.providers.contacts\databases\
9) "babel1.db" contains Google Hangout session information and can be located at \data\com.google.android.talk\databases\
10) Location-based evidence: use your forensic tool to extract longitude and latitude information from photos, videos and Facebook messages. Also, create a full-text searchable index of the extracted evidence and search for terms such as "Wi-Fi", which may identify webpages showing the phone connecting to an organization's or place of business's Wi-Fi network on specific dates and times.
If your analysis is not turning up the evidence one expects to see, then it may be appropriate to use a tool such as Sanderson Forensics' SQLite Forensic Toolkit to carve SQLite databases to attempt to recover deleted records that are not normally recoverable.
On a completely unrelated topic, my oldest daughter is looking at colleges in Spain to spend her junior year abroad. Which are the top universities in Spain that you would recommend?
Regards,
Larry
Thank you Larry!! This is very, very useful information.
Answering your unrelated topic, I can recommend the University of Salamanca (the oldest in Europe to be recognized as a university as such by the Pope, in the XIII century), the University of Granada (a city very well known for the Alhambra, built by the Muslims; it's absolutely amazing), or the University of Santiago de Compostela (known for the Road to Santiago). All three cities are UNESCO Human Heritage and they have the most famous universities in Spain in which you can live as a university student. I think you can better experience being a student in these three cities than in the others.
She can also come to Madrid or Barcelona, but it won't be the same at all.
You can ask me whatever you need!
Regards!!!
There is no single log you should focus on. Android does not log access times in a single log.
But, by examining everything and excluding the dates of your examination, you should be able to deduce when the device was last powered on. I agree with many here in saying the databases will hold the best information.
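The following is an added example, not code from either poster, showing how Larry's database list and the "exclude your own examination dates" advice above combine into a user-activity timeline: it opens the two user-activity databases from the list read-only (after checking the SQLite header, so carved or truncated files are not trusted blindly), drops rows dated on or after the examination start, and reports the newest surviving event. It assumes only the minimal `sms`/`calls` schemas it creates in a constructed sample extraction (the real AOSP tables use these column names plus many more); `build_sample_userdata`, `user_events` and `last_user_activity` are names chosen here.

```python
import os, sqlite3, tempfile
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header every SQLite 3 file starts with
# Relative paths from the post, with the table and "peer" column carrying user-generated events
# (assumed minimal schemas; every row also has a `date` column in ms since the Unix epoch).
USER_SOURCES = {
    "data/com.android.providers.telephony/databases/mmssms.db": ("sms", "address"),
    "data/com.android.providers.contacts/databases/contacts2.db": ("calls", "number"),
}

def is_sqlite(path):
    """Check the header so carved, truncated or renamed files are not opened blindly."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def user_events(userdata_root, exam_start_ms):
    """(date_ms, table, peer) tuples newest first; rows on/after the exam start are dropped."""
    events = []
    for rel, (table, peer_col) in USER_SOURCES.items():
        path = os.path.join(userdata_root, rel)
        if not (os.path.exists(path) and is_sqlite(path)):
            continue
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never write to evidence
        rows = con.execute(f"SELECT date, {peer_col} FROM {table}").fetchall()
        con.close()
        events += [(d, table, p) for d, p in rows if d is not None and d < exam_start_ms]
    return sorted(events, reverse=True)

def last_user_activity(userdata_root, exam_start_ms):
    """Newest pre-examination user event as an aware UTC datetime, or None if nothing survives."""
    ev = user_events(userdata_root, exam_start_ms)
    return datetime.fromtimestamp(ev[0][0] / 1000, tz=timezone.utc) if ev else None

def _make_db(path, table, peer_col, rows):
    """Write one tiny database with the minimal assumed schema (constructed sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    con = sqlite3.connect(path)
    with con:
        con.execute(f"CREATE TABLE {table}(_id INTEGER PRIMARY KEY, {peer_col} TEXT, date INTEGER)")
        con.executemany(f"INSERT INTO {table}({peer_col}, date) VALUES (?, ?)", rows)
    con.close()

def build_sample_userdata():
    """Constructed two-database extraction so the example runs offline."""
    root = tempfile.mkdtemp()
    _make_db(os.path.join(root, "data/com.android.providers.telephony/databases/mmssms.db"),
             "sms", "address", [("+15550001", 1420070400000), ("+15550002", 1425000000000)])
    _make_db(os.path.join(root, "data/com.android.providers.contacts/databases/contacts2.db"),
             "calls", "number", [("+15550003", 1426000000000), ("+15550004", 1430000000000)])
    return root
```

With an examination start of 1427000000000 ms (22 March 2015), the April call is excluded and the newest surviving user event is the 10 March 2015 call.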