Registered Accounts Database (accounts_ce.db)

androidSystem ConfigurationDevice Extraction

Location

/data/system_ce/0/accounts_ce.db

Description

SQLite database maintained by the Android AccountManager service, storing all user accounts registered on the device. Each entry includes the account name (typically an email address or username), account type (Google, Samsung, Exchange, WhatsApp, etc.), and associated authentication tokens. The database is credential-encrypted (CE) and requires the device to be unlocked for access.

Forensic Value

The accounts database provides a definitive list of all service accounts configured on the device, establishing the user identity across Google, email, social media, messaging, and enterprise services. Account names reveal email addresses, phone numbers, and usernames associated with the device user across multiple platforms. The account type field identifies which services the user actively uses. Authentication token entries can confirm active sessions. The presence of unexpected accounts may indicate device compromise or unauthorized access by a third party.

Tools Required

Cellebrite UFEDALEAPPMagnet AXIOMOxygen Forensic DetectiveDB Browser for SQLite

Acquisition Methods

Chip-Off Physical Extraction

android — physical

JTAG Physical Extraction

android — physical

ISP (In-System Programming) Extraction

android — physical

ADB Logical Extraction

android — logical

Root Filesystem Extraction

android — logical