Determining which apps are installed

To see what applications are on the device, an examiner could navigate to /data/data and run the ls command. But that doesn't provide well-formatted data that will look good in a forensic report. We suggest pulling the /data/system/packages.list file; this file lists the package name for every app on the device and the path to its data. If this file does not exist on the device, the adb shell pm list packages -f command is a good alternative. For example, here is an entry for Google Chrome (the full file on our test device contained 120 entries):

This is data storage method 1: plaintext. Often we will see apps store data in plaintext, even including data you wouldn't expect (such as passwords).

Perhaps of greater interest is the /data/system/package-usage.list file, which shows the last time that package (or application) was used. It's not perfect; the times shown in the file did not correlate exactly with the last time we used the app. It appears that the app updating or receiving notifications (even if the user does not view them) may affect the time. However, it is good for a general indication of the last apps the user accessed:

If you're wondering where to find the time in that line, it's in a format known as Unix epoch time.
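The following sketch is an added example, not code from the book: it converts the epoch values from a pulled package-usage.list into UTC timestamps and sorts them most recent first for a report. It assumes each line is "package name, whitespace, epoch value" and that values of 10^11 or more are milliseconds; the sample lines are constructed, and parse_usage and epoch_to_utc are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample lines (not from a real device).
# Assumed layout: "<package name> <last-used time as Unix epoch>".
SAMPLE = """\
com.android.chrome 1422206858089
com.example.notes 1422100000000
com.example.neverused 0
malformed-line-without-timestamp
"""

def epoch_to_utc(value):
    """Convert an integer epoch value to an aware UTC datetime.
    Assumption: values >= 10**11 are milliseconds, smaller ones seconds."""
    millis = value if value >= 10**11 else value * 1000
    # Integer timedelta arithmetic avoids float rounding of the sub-second part.
    return EPOCH + timedelta(milliseconds=millis)

def parse_usage(text):
    """Return (rows, skipped).
    rows: (package, datetime or None) tuples, most recently used first;
          None means the file recorded 0, i.e. no usage time.
    skipped: lines that did not match the assumed layout, kept verbatim
             so the examiner can review them rather than lose them."""
    rows, skipped = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 2 or not parts[-1].isdigit():
            skipped.append(line)
            continue
        raw = int(parts[-1])
        rows.append((parts[0], epoch_to_utc(raw) if raw > 0 else None))
    # Entries without a time sort last.
    rows.sort(key=lambda r: r[1] or EPOCH, reverse=True)
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = parse_usage(SAMPLE)
    for package, when in rows:
        stamp = when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else "never"
        print(f"{package:<28} {stamp}")
    for line in skipped:
        print(f"unparsed: {line}")
```

Report the converted times as UTC and state any time-zone conversion explicitly, since the epoch value itself carries no zone.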
