Registered Accounts Database (accounts_ce.db)

Android | System Configuration | Device Extraction

Location

/data/system_ce/0/accounts_ce.db

Description

SQLite database maintained by the Android AccountManager service, storing all user accounts registered on the device. Each entry includes the account name (typically an email address or username), account type (Google, Samsung, Exchange, WhatsApp, etc.), and associated authentication tokens. The database is credential-encrypted (CE) and requires the device to be unlocked for access.

Forensic Value

The accounts database provides a definitive list of all service accounts configured on the device, establishing the user identity across Google, email, social media, messaging, and enterprise services. Account names reveal email addresses, phone numbers, and usernames associated with the device user across multiple platforms. The account type field identifies which services the user actively uses. Authentication token entries can confirm active sessions. The presence of unexpected accounts may indicate device compromise or unauthorized access by a third party.
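
The review described above can be scripted against a working copy of the database. The following Python example is added here and is not part of the original page or of any tool it lists. It assumes the AOSP table layout (accounts and authtokens, with the columns shown in the comment), which the page does not state and which OEM builds may change. The account names, types and token in build_sample_db are constructed sample values, and expected_types is a hypothetical allow-list supplied by the examiner.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# Assumed AOSP layout (not stated on the page; OEM builds may differ):
#   accounts(_id, name, type, password), authtokens(_id, accounts_id, type, authtoken)
QUERY = """
SELECT a.name, a.type, COUNT(t._id)
FROM accounts AS a LEFT JOIN authtokens AS t ON t.accounts_id = a._id
GROUP BY a._id ORDER BY a._id
"""

def sha256_of(path):
    """Hash the working copy so findings can be tied to one exact file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def summarize_accounts(db_path, expected_types=()):
    """List registered accounts with token counts; token values are never read."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
        missing = {"accounts", "authtokens"} - tables
        if missing:  # OEM or version difference: stop rather than guess
            raise ValueError(f"schema differs from assumed layout, missing: {sorted(missing)}")
        return [{"name": n, "type": t, "tokens": c,
                 "unexpected": bool(expected_types) and t not in expected_types}
                for n, t, c in con.execute(QUERY)]
    finally:
        con.close()

def build_sample_db(path):
    """Create a small CONSTRUCTED database in the assumed layout (not real evidence)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE accounts (_id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT);
        CREATE TABLE authtokens (_id INTEGER PRIMARY KEY, accounts_id INTEGER, type TEXT, authtoken TEXT);
        INSERT INTO accounts VALUES (1, 'user@example.com', 'com.google', NULL),
            (2, '+15550100', 'com.whatsapp', NULL), (3, 'other@example.org', 'com.example.unknown', NULL);
        INSERT INTO authtokens VALUES (1, 1, 'constructed-scope', 'CONSTRUCTED-TOKEN');
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "accounts_ce.db"
        build_sample_db(db)
        print("sha256:", sha256_of(db))
        print(*summarize_accounts(db, {"com.google", "com.whatsapp"}), sep="\n")
```

The database is opened read-only and hashed first, so the summary can be reproduced against the same copy.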

Tools Required

  • Cellebrite UFED
  • ALEAPP
  • Magnet AXIOM
  • Oxygen Forensic Detective
  • DB Browser for SQLite

Collection Commands

adb

adb pull /data/system_ce/0/accounts_ce.db /forensics/output/

adb

adb shell dumpsys account > accounts_dump.txt

ALEAPP

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

Collection Constraints

  • Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1078, T1634.001, T1426, T1636