Эта тема продолжение темы Android, Ищем интересности в которой в сообщениях пользователей то же очень много полезной информации
System/build.propN/ADevice information (version, patches, etc.)Userdata/data/com.android.providers.calendar/databases/calendar.db*Calendar Items and Timezone informationUserdata/data/com.android.providers.settings/databases/settings.db*Lock settings informationUserdata/data/com.android.providers.settings/databases/settings.db-WAL*Lock settings informationUserdata/data/com.android.providers.settings/databases/locksettings.db*Lock settings informationUserdata/data/com.android.providers.settings/databases/locksettings.db-WAL*Lock settings informationUserdata/data/com.google.android.gms/shared_prefs/Checkin.xmlN/AActivity on device related to installed SIM (ICCID and Google Account included)Userdata/data/com.google.android.gsf/databases/gservices.db*Fitness settings, network settings, other settingsUserdata/misc/N/ABluetooth, VPN, Wi-Fi and moreUserdata/Property/persist.sys.timezoneN/ATimezone (Up to Android 8)Userdata/Property/persistent_propertiesN/ATimezone (From Android 9)Userdata/system/*.keyN/AFiles needed for password crackingUserdata/system/device_policies.xmlN/APasscode requirements and policies. Syncing info may existUserdata/system/locksettings.db*Lock settings informationUserdata/system/locksettings.db-WAL*Lock settings informationUserdata/system/netpolicy.xmlN/ATimezoneUserdata/system/SimCard.datN/ASim card and phone number informationUserdata/system/users/0/settings_global.xmlN/AGlobal settingsUserdata/system/users/0/settings_secure.xmlN/ASecure settingsUserdata/system/users/0/settings_system.xmlN/ASystem settings

Userdata/data/com.android.email/databases/EmailProvider.dbAccount, Email AddressCache, Mailbox*Email accounts, 3rd party app data, and messages associated with Email notifications, Email accounts, 3rd party app data, and messages associated with Email notificationsUserdata/data/com.android.providers.contacts/databases/contacts2.dbaccountsLogin infoUserdata/data/com.android.providers.settings/*N/AUsername and passwordsUserdata/data/com.android.vending/shared_prefs/lastaccount.xmlN/ALast account used on Google PlayStore (Android 9 and above)Userdata/data/com.google.android.gms/shared_prefs/BackupAccount.xmlN/ABackup account email addressUserdata/data/com.google.android.googlequicksearchbox/databases/app_icons.db*Google Account InformationUserdata/data/com.google.android.googlequicksearchbox/databases/launcher.db*Google Account InformationUserdata/data/com.google.android.googlequicksearchbox/databases/opa_history*Google Account InformationUserdata/data/com.google.android.gsf/databases/gservices.db*Fitness settings, network settings, other settingsUserdata/system_ce/0/accounts_ce.db*Additional accounts (could also be system_de or accounts_de)Userdata/system_de/0/accounts_de.db*Additional accounts (could also be system_de or accounts_de)Userdata/misc/wifi/softap.confN/AHotspot PasswordsUserdata/misc/wifi/wpa_supplicant.confN/AWi-Fi Network PasswordUserdata/system/accounts*.db*User account informationUserdata/system/sync/accounts.xmlN/AUser account informationUserdata/system/users/0/0.xmlN/AUser information

Userdata/data/com.google.android.gms/shared_prefs/*N/APreference filesUserdata/data/com.google.android.gsf/databases/gservices.db*Fitness settings, network settings, other settingsUserdata/system/recent_images/*.pngN/AApplication snapshotsUserdata/system_ce/recent_images/*.pngApplication snapshotsUserdata/system/users/0/settings_global.xmlN/AGlobal settingsUserdata/system/users/0/settings_secure.xmlN/ASecure SettingsUserdata/system/users/0/settings_system.xmlN/ASystem Settings

Userdata/data/com.android.providers.calendar/databases/calendar.db*Calendar Items and Timezone informationUserdata/data/com.android.providers.userdictionary/databases/user_dict.db*Dictionary Files (Keylogging)Userdata/data/com.google.android.gms/databases/NetworkUsage.db*Application, User and Location tracesUserdata/data/com.google.android.gms/databases/ns.db*Application, User and Location tracesUserdata/data/com.google.android.gms/databases/reminders.db*Application, User and Location tracesUserdata/data/com.google.android.gsf/databases/googlesettings.db*Google preferences – location, maps, wallet, etc --1=trueUserdata/data/com.google.android.gsf/databases/gservices.db*Fitness settings, network settings, other settingsUserdata/data/com.sec.android.inputmethod/Swiftkey/user/dynamic.lmN/ADictionary Files (Keylogging) SwiftKey folder name may vary

Cache**Gmail attachments, Downloads and Browser dataUserdata/data/com.android.providers.contacts/databases/calllog.dbcallsCall logs (From Android 7)Userdata/data/com.android.providers.contacts/databases/contacts2.dbcallsCall logs (Up to Android 6)Userdata/data/com.android.providers.telephony/databases/mmssms.dbsms and partSMS/MMSUserdata/data/com.google.android.apps.messaging/databases/bugle_db*RCS/Android Messages (refer to notebook for query)Userdata/data/com.google.android.dialer/databases/dialer.db*Call logsUserdata/data/com.google.android.gm/databases/.dbconversations and messagesGmail snippetsUserdata/data/com.google.android.gm/databases/bigTopDataDB.Email informationUserdata/data/com.google.android.gm/databases/EmailProvider.dbEmail informationUserdata/data/com.google.android.gms/databases/icing_mmssms.db*SMS/MMSUserdata/data/com.google.android.gms/databases/ipa_mmssms.db*SMS/MMSUserdata/data/com.sec.android.provider.logsprovider/databases/logs.dblogsCall logs

Userdata/data/com.android.providers.media/databases/external*.db*Traces to SD card used in the device. This is stored on the phone.Userdata/data/com.android.providers.media/databases/external*.db-WAL*Traces to SD card used in the device. This is stored on the phone.Userdata/data/com.google.android.apps.photos/databases/gphotos0.dblocal_mediaCamera Photos informationUserdata/data/com.samsung.cmh/databases/cmh.dbfilesCamera Photo - Samsung DevicesUserdata/data/com.samsung.storyservice/databases/dme.dbinfoCamera Photo - Samsung DevicesUserdata/data/com.samsung.visionprovider/databases/visionprovider.dbfilesCamera Photo - Samsung DevicesUserdata/media/N/AActs like SD card

Cache*N/AGmail attachments, Downloads and Browser dataUserdata/data/com.android.browser/app_databases/**Internet HistoryUserdata/data/com.android.browser/app_geolocation/GeolocationPermissions.db*Internet HistoryUserdata/data/com.android.browser/databases/Browser.dbUserdata/data/com.android.browser/databases/browser2.db*Internet HistoryUserdata/data/com.android.browser/databases/webview.db*Internet HistoryUserdata/data/com.android.browser/databases/webviewCache.db*Internet HistoryUserdata/data/com.android.email/webviewCache.db*Internet History

Userdata/data/com.android.connectivity.metrics/databases/events.dbcompleted_events_requestsUSB, Bluetooth, NFC and other connects - Acquisition connection tracked hereUserdata/data/com.google.android.gms/databases/herrevad*Wireless network and MAC addressesUserdata/data/com.google.android.locations/files/cache.cell*Cellular and WiFiUserdata/data/com.google.android.locations/files/cache.wifi*Cellular and WiFiUserdata/misc/wifi/WifiConfigStore.xmlN/AWireless network

Userdata/data/com.google.android.apps.docs.editors.docs/databases/**Google DocsUserdata/data/com.google.android.apps.docs.editors.sheets/databases/**Google DocsUserdata/data/com.google.android.apps.docs.editors.slides/databases/**Google DocsUserdata/data/com.google.android.apps.docs/databases/**Google DocsUserdata/data/com.google.android.apps.genie.geniewidget/databases/newsweather.db*Sync activityUserdata/data/com.google.android.gms/databases/peoplelog.db*Sync activity - contactsUserdata/data/com.google.android.gms/shared_prefs/com.google.android.gms.auth.authzen.cryptauth.Sync Manager.proximity_features.xmlN/ASync ActivityUserdata/system/sync/accounts.xmlSynced Accounts

Userdata/data/com.google.android.apps.maps/databases/da_destination_historydestination historyMapsUserdata/data/com.google.android.apps.maps/databases/gmm_storage.db*Search history MapsUserdata/data/com.google.android.apps.maps/databases/search_history.dbhistory and suggestionsMapsUserdata/data/com.google.android.apps.maps/databases/gmm_sync.db*SyncingUserdata/data/com.sec.android.daemonapp/db/weatherClock*Location artifactsUserdata/Media/0/DCIM/Camera*EXIF data with location info

Userdata/app/*N/AAPK files for installed applicationsUserdata/dalvik-cacheN/A.dex/.oat/.art files for installed applicationsUserdata/data/"Application Folder"N/AApplication Data Files*Userdata/data/com.android.vending/databases/data_usage.dbapp_data_usageApplication tracesUserdata/data/com.android.vending/databases/frosting.dbfrostingApplication tracesUserdata/data/com.android.vending/databases/install_queue.dbinstall_requestsApplication tracesUserdata/data/com.android.vending/databases/library.dbownershipApplication tracesUserdata/data/com.android.vending/databases/localappstate.dbappstateApplication tracesUserdata/data/com.android.vending/databases/notification_cachenotificationsApplication tracesUserdata/data/com.android.vending/databases/package_verification.dbverification_cacheApplicati on tracesUserdata/data/com.android.vending/databases/suggestions.dbsuggestionsApplication tracesUserdata/data/com.android.vending/databases/verify_apps.db*Application tracesUserdata/data/com.google.android.gms/databases/config.dbmainApplication tracesUserdata/data/com.google.android.gms/databases/gass.dbapp_infoApplication tracesUserdata/data/com.google.android.gms/databases/gcm_registrar.dbpackagesApplication tracesUserdata/data/com.google.android.gms/databases/google_app_measurement.db*Application tracesUserdata/data/com.google.android.gms/shared_prefs/batterystats.xmlN/ABattery Usage Stats - Contains Application Usage informationUserdata/data/com.google.android.googlequicksearchbox/*N/AGoogle App searches, installed applications and moreUserdata/data/com.samsung.android.providers.context.databases.Co ntextLog_0.db*Application traces (Samsung devices)Userdata/data/com.sec.android.app.launcher/databases/launcher.dbN/AApplication artifacts (even after deleted)Userdata/data/data/com.google.android.gms/files/batterystatsdumpsystask.gzN/ABattery Usage Stats - Contains Application Usage informationUserdata/system/appops.xmlN/AApplication permissionsUserdata/system/batterystats.binN/ABattery Usage Stats - Contains Application Usage informationUserdata/system/batterystats-checkin.binN/ABattery Usage Stats - Contains Application Usage informationUserdata/system/batterystats-daily.xmlN/ABattery Usage Stats - Contains Application Usage informationUserdata/system/dmappmgr.dbN/AApplication UsageUserdata/system/job/jobs.xmlN/AApplication UsageUserdata/system/notification_log.dbN/AApplication notificationsUserdata/system/packages.listN/AApplication permissions and metadataUserdata/system/packages.xmlN/AApplication permissionsUserdata/system/usagestats/0/*N/AApplication Usage StatsUserdata/system/users/0/app_idle_stats.xmlN/AApplication UsageUserdata/system_ce/0/recent_images/*.pngN/AApplication snapshotsUserdata/system_ce/0/recent_tasks/*.xmlN/ARecent Tasks

Userdata/data/com.android.providers.calendar/databases/calendar.db*Calendar ItemsUserdata/data/com.android.providers.contacts/databases/contacts2.dbcontacts and raw contactsContactsUserdata/data/com.android.providers.contacts/databases/contacts2.dbcallsCall LogsUserdata/data/com.android.providers.contacts/databases/calllog.dbcallsCall LogsUserdata/data/com.android.providers.downloads/databases/downloads.db*DownloadsUserdata/data/com.google.android.gms/databases/icing_contacts.db*ContactsUserdata/data/com.google.android.gms/databases/icing_mmssms.dbMMS/SMSUserdata/data/com.google.android.gms/databases/ipa_mmssms.db*MMS/SMSUserdata/data/com.google.android.gms/databases/android_paywalletAndroid PayUserdata/data/com.google.android.gms/databases/pluscontacts.db*Google+ Contacts

Файл вложения "poster.pdf" это for585.com/poster SANS The Most Relevant Evidence per Gigabyte
и не только ;-)

Дополнительный ресурс с материалами и примерами Android Forensics References -> USERDATA Partition (Last update: September 6th 2022)