Blog >> Android Scoped Storage

Investigating Android Scoped Storage

27/09/2024 Friday

Android Scoped Storage is a feature introduced in Android 10 and enforced for app developers starting with Android 11. By using this feature, each app is given its own isolated storage space, preventing it from freely accessing files belonging to other apps or the user’s sensitive data. Apps can still access shared media files, like photos and videos, but must request specific permissions or use designated APIs.

Digital Forensics Value of Android Scoped Storage

Scoped Storage leaves behind artifacts containing information about the files stored on an Android device, as well as which apps accessed these files at specific times. This data can assist digital forensic investigators in tracing user activity and establishing a timeline of events involving particular apps. It also enables them to collect metadata associated with media files, which helps in creating a comprehensive picture of the device user's actions and connections.

Location of Android Scoped Storage Artifacts

Android Scoped Storage artifacts can be found at the following locations:
*/com.google.android.providers.media.module/databases/external.db
*/com.android.providers.media/databases/external.db

Analyzing Android Scoped Storage Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Android Scoped Storage artifact from Android device files and what kind of digital forensics insights we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Scoped Storage artifact parsers:

Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Scoped Storage artifact in ArtiFast.

Android Scoped Storage Images

• File Path: The location of the file in the android device.
• File Size: The file size in bytes.
• Parent Folder: The parent folder of this file.
• Created Date/Time: The date/time when this file has been created.
• Last Modified Date/Time: The date/time when this file has been modified.
• MIME Type: The type of the data stored in this file.
• File Name: The name of the file.
• Display Name: The display name of this file.
• Package Name: The bundle name of the application that caused this file to be created.
• Is Trashed: Indicates whether this file has been deleted from the user device or not.
• Expiration Date/Time: The date and time when this trashed file will be deleted permanently.
• Taken Date/Time: The date/time when this file has been taken.
• Latitude: Latitude.
• Longitude: Longitude.
• Resolution: The resolution of this file.
• Orientation: The orientation of the device when opening this device.
• Is Downloaded: Indicates whether this file has been downloaded or not.
• Is Favorited: Indicates whether this file has been marked as Favorited or not.

Android Scoped Storage Videos

• File Path: The location of the file in the android device.
• File Size: The file size in bytes.
• Parent Folder: The parent folder of this file.
• Created Date/Time: The date/time when this file has been created.
• Last Modified Date/Time: The date/time when this file has been modified.
• MIME Type: The type of the data stored in this file.
• File Name: The name of the file.
• Display Name: The display name of this file.
• Package Name: The bundle name of the application that caused this file to be created.
• Is Trashed: Indicates whether this file has been deleted from the user device or not.
• Expiration Date/Time: The date and time when this trashed file will be deleted permanently.
• Taken Date/Time: The date/time when this file has been taken.
• Latitude: Latitude.
• Longitude: Longitude.
• Resolution: The resolution of this file.
• Orientation: The orientation of the device when opening this device.
• Is Downloaded: Indicates whether this file has been downloaded or not.
• Is Favorited: Indicates whether this file has been marked as Favorited or not.

Android Scoped Storage Audios

• File Path: The location of the file in the android device.
• File Size: The file size in bytes.
• Parent Folder: The parent folder of this file.
• Created Date/Time: The date/time when this file has been created.
• Last Modified Date/Time: The date/time when this file has been modified.
• MIME Type: The type of the data stored in this file.
• File Name: The name of the file.
• Display Name: The display name of this file.
• Package Name: The bundle name of the application that caused this file to be created.
• Is Trashed: Indicates whether this file has been deleted from the user device or not.
• Expiration Date/Time: The date and time when this trashed file will be deleted permanently.
• Taken Date/Time: The date/time when this file has been taken.
• Latitude: Latitude.
• Longitude: Longitude.
• Resolution: The resolution of this file.
• Orientation: The orientation of the device when opening this device.
• Is Downloaded: Indicates whether this file has been downloaded or not.
• Is Favorited: Indicates whether this file has been marked as favorited or not.

Android Scoped Storage Folders

• File Path: The location of the file in the android device.
• File Size: The file size in bytes.
• Parent Folder: The parent folder of this file.
• Created Date/Time: The date/time when this file has been created.
• Last Modified Date/Time: The date/time when this file has been modified.
• File Name: The name of the file.
• Display Name: The display name of this file.
• Package Name: The bundle name of the application that caused this file to be created.
• Is Trashed: Indicates whether this file has been deleted from the user device or not.
• Expiration Date/Time: The date and time when this trashed file will be deleted permanently.
• Taken Date/Time: The date/time when this file has been taken.
• Latitude: Latitude.
• Longitude: Longitude.
• Resolution: The resolution of this file.
• Orientation: The orientation of the device when opening this device.
• Is Downloaded: Indicates whether this file has been downloaded or not.
• Is Favorited: Indicates whether this file has been marked as favorited or not.

Android Scoped Storage Other Files

• File Path: The location of the file in the android device.
• File Size: The file size in bytes.
• Parent Folder: The parent folder of this file.
• Created Date/Time: The date/time when this file has been created.
• Last Modified Date/Time: The date/time when this file has been modified.
• MIME Type: The type of the data stored in this file.
• File Name: The name of the file.
• Display Name: The display name of this file.
• Package Name: The bundle name of the application that caused this file to be created.
• Is Trashed: Indicates whether this file has been deleted from the user device or not.
• Expiration Date/Time: The date and time when this trashed file will be deleted permanently.
• Taken Date/Time: The date/time when this file was taken.
• Latitude: Latitude.
• Longitude: Longitude.
• Resolution: The resolution of this file.
• Orientation: The orientation of the device when opening this device.
• Is Downloaded: Indicates whether this file has been downloaded or not.
• Is Favorited: Indicates whether this file has been marked as favorited or not.

For more information or suggestions please contact: kalthoum.karkazan@forensafe.com