Table

Description

accounts

Shows accounts on the device that have access to the contacts list. At least one of the accounts will show the user's Google account email address. This list may include third-party apps installed that have permission to access the contacts list (we will see this in the Tango, Viber, and WhatsApp sections).

contacts

Contains partial information for contacts (more data can be found in the raw_contacts table). The name_raw_contact_id value corresponds to the _id value in the raw_contacts table. The photo_file_id value corresponds to the filename found in the /files/photos directory. times_contacted and last_time_contacted show the number of times that contact was called from or made a call to the device, and the time of the last call in Unix epoch format.

data

This table contains all of the information for each contact, such as email address and phone numbers. The raw_contact_id column is a unique value for each contact that can be correlated with the _id value in the raw_contact_id to identify the contact. Note that each contact may have several rows, as seen by the identical raw_contact_id values. There are 15 data columns (data1-data15) that contains some information about the contact, but there are no discernible patterns. The same column may contain the contact name, an email address, a Google+ profile, and so on. The value in the data14 column correlates to the file names of the images in the files/profiles path. The data15 column contains a thumbnail of the contact's profile photo.

deleted_contacts

Contains a contact_id value and deleted_contact_timestamp in Unix epoch format. However, this cannot be correlated back to any other tables to identify the name of the contact that was deleted. It may be possible to use the deleted data-recovery techniques in Chapter 6, Recovering Deleted Data from an Android Device, to recover the contact names, though. The contact_id value corresponds to the contact_id column in the raw_contacts table.

groups

Shows groups in the contact list, either automatically generated or created by the user. The title of the group is the name of the group. There does not appear to be a way to identify users in each group.

raw_contacts

Contains all information for every contact in the contact list. The display_name shows the contact's name, if it is available. To determine the contact's phone number, email address, or other information, the _id column value must be matched back to the raw_contact_id value in the data table. The sync3 column shows a timestamp, but based on our testing, this cannot be assumed to be when the contact was added; we had contacts several years old that were synced this month. The times_contacted and last_time_contacted columns only apply for phone calls; sending an email or SMS to a contact did not increment these values.

We were unable to identify any means to determine whether a contact was added through the phone interface, added as a friend on Google+, or added through other methods.

Table

Description

calls

Contains information regarding all calls to and from the device. The number column shows the remote user's phone number and whether the call was sent or received. The date column is the date/time of the call, stored in Unix epoch format. The duration column is the length of the call in seconds. The type column indicates the type of call:

• Incoming
• Outgoing
• Missed

The name column shows the remote user's name, if the number was stored in the contact list. geocoded_location shows the location of the phone number, based on the area code (for US numbers) or country code.