Determining what apps are installed
To see what applications are on the device, an examiner could navigate to /data/data and run the ls command. However, this doesn't provide well-formatted data that will look good in a forensic report. We suggest that you pull the /data/system/packages.list file. This file lists the package name for every app on the device and the path to its data (if this file does not exist on the device, the adb shell pm list packages -f command is a good alternative). For example, here is an entry for Google Chrome (the full file on our test device contained 120 entries):
Note
This is the first method of data storage: plain text. Often, we will see apps store data in plain text, including data you wouldn't expect (such as passwords).
Perhaps of greater interest is the /data/system/package-usage.list file, which shows the last time a package (or application) was used. It's not perfect; the times shown in the file did not correlate exactly with the last time we used the app...
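To turn the two files above into report-ready rows, here is an added parser (not from the book or from Android itself) that joins packages.list with package-usage.list and converts the epoch-millisecond timestamps to UTC. The sample lines are constructed, and the column layout of packages.list (package, uid, debuggable flag, data directory, then version-dependent extras) and the PACKAGE_USAGE__VERSION header are assumptions based on common Android releases; only the package name and the field beginning with "/" are relied on.

```python
"""Parse Android's packages.list and package-usage.list into report rows."""
from datetime import datetime, timezone

# Constructed sample lines (not from the book's test device). Assumed field
# order: package, uid, debuggable, data dir, then extras that vary by release;
# the parser only relies on the package name and the field starting with "/".
PACKAGES_LIST = """\
com.android.chrome 10123 0 /data/data/com.android.chrome default 3003,3002
com.example.notes 10150 1 /data/data/com.example.notes default none
"""

# Constructed: package name and last-used time in epoch milliseconds.
# Newer releases prepend a PACKAGE_USAGE__VERSION_n header; it is skipped.
PACKAGE_USAGE_LIST = """\
PACKAGE_USAGE__VERSION_1
com.android.chrome 1417392000000
com.example.notes 0
"""

def parse_packages_list(text):
    """Return {package: data_dir}; lines without a /path field are skipped."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        path = next((f for f in fields[1:] if f.startswith("/")), None)
        if path is not None:
            result[fields[0]] = path
    return result

def parse_package_usage(text):
    """Return {package: UTC datetime or None}; a 0 timestamp means never used."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("PACKAGE_USAGE"):
            continue
        millis = int(fields[1])
        result[fields[0]] = (datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
                             if millis > 0 else None)
    return result

def build_report(packages_text, usage_text):
    """Join both files into sorted (package, data_dir, last_used_iso) rows."""
    usage = parse_package_usage(usage_text)
    rows = []
    for pkg, path in sorted(parse_packages_list(packages_text).items()):
        used = usage.get(pkg)
        rows.append((pkg, path, used.isoformat() if used else "never/unknown"))
    return rows

if __name__ == "__main__":
    for row in build_report(PACKAGES_LIST, PACKAGE_USAGE_LIST):
        print("\t".join(row))
```

Treat the last-used column as corroborating evidence only, for the reason the text gives: the recorded time need not match the last real interaction with the app.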