Accessing the call logs of a phone is often required during an investigation to confirm certain events. The information about call logs is stored in the contacts2.db file located at /data/data/com.android.providers.contacts/databases/. As mentioned earlier, you can use SQLite Browser to see the data present in this file after extracting it to a local folder on the forensic workstation. Let's see how to extract call logs by following these steps:
- As shown in the following screenshot, using the adb pull command, the necessary .db files can be extracted to a folder on the forensic workstation:
The contacts2.db file copied to a local folder
- Note that applications used to make calls can store call log details in the respective application folder. All communication applications must be examined for call log details, as follows:
C:android-sdk-windowsplatform-tools>adb.exe pull /data/data/com.android.providers.contacts C:temp
This will give the following output:
- Now, open the contacts2.db file using SQLite Browser (by navigating to File | Open Database) and browse through the data present in different tables. The calls table present in the contacts2.db file provides information about the call history. The following screenshot highlights the call history along with the name, number, duration, and date:
On devices running Android 7.0 (Nougat), call log data has been moved out of the contacts2.db file. On these devices, call log data can be accessed at /data/com.android.providers.contacts/databases/calllog.db