Call History (calllog.db)

Android, Communication, Device Extraction

Location

/data/data/com.android.providers.contacts/databases/calllog.db

Description

SQLite database recording all incoming, outgoing, and missed phone calls. Each record includes the phone number, contact name (if matched), call type (incoming/outgoing/missed/rejected/blocked), duration in seconds, date in epoch milliseconds, and the phone account used for the call.

Forensic Value

Call log records establish communication timelines and contact frequency between parties. The duration field distinguishes between connected calls and unanswered attempts, while the call type identifies whether the device user initiated or received each call. Blocked and rejected calls reveal awareness and avoidance of specific contacts. Timestamps correlate with other device activity artifacts to build a comprehensive behavioral timeline. Deleted entries can often be recovered from SQLite free pages and WAL files.

Tools Required

  • Cellebrite UFED
  • ALEAPP
  • Magnet AXIOM
  • Autopsy
  • DB Browser for SQLite

Collection Commands

adb

adb pull /data/data/com.android.providers.contacts/databases/calllog.db /forensics/output/

ALEAPP

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

adb

adb shell content query --uri content://call_log/calls > call_log_dump.txt
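
Once the database is collected, the fields listed under Description can be decoded into a timeline. The following is an added example, not part of the original page or of any listed tool: it assumes the AOSP layout (a `calls` table with the `number`, `name`, `type`, `duration`, `date` and `subscription_id` columns and the `CallLog.Calls` type constants), which OEM builds may change, and it runs against a constructed in-memory database with invented rows.

```python
import sqlite3
from datetime import datetime, timezone

# android.provider.CallLog.Calls type constants (AOSP; assumed unchanged by OEM)
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed", 4: "voicemail",
              5: "rejected", 6: "blocked", 7: "answered_externally"}


def build_sample_db():
    """Constructed stand-in for calllog.db (reduced schema, invented rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
                "name TEXT, type INTEGER, duration INTEGER, date INTEGER, "
                "subscription_id TEXT)")
    rows = [
        ("+15550100", "Alice", 2, 125, 1700000000000, "sim1"),
        ("+15550100", "Alice", 1, 42, 1700000600000, "sim1"),
        ("+15550199", None, 3, 0, 1700003600000, "sim1"),
        ("+15550199", None, 6, 0, 1700007200000, "sim2"),
    ]
    con.executemany("INSERT INTO calls (number, name, type, duration, date, "
                    "subscription_id) VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con


def call_timeline(con):
    """Return call records in time order with decoded type and UTC timestamp."""
    cur = con.execute("SELECT number, name, type, duration, date, "
                      "subscription_id FROM calls ORDER BY date")
    timeline = []
    for number, name, ctype, duration, date_ms, account in cur:
        ts = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc)
        timeline.append({
            "utc": ts.isoformat(),
            "number": number,
            "name": name,  # None when no contact matched
            "type": CALL_TYPES.get(ctype, f"unknown({ctype})"),
            "duration_s": duration,
            # duration > 0: call connected; 0: unanswered attempt
            "connected": duration > 0,
            "account": account,
        })
    return timeline


if __name__ == "__main__":
    for entry in call_timeline(build_sample_db()):
        print(entry)
```

For a pulled database, pass `sqlite3.connect("file:calllog.db?mode=ro", uri=True)` on a working copy instead of `build_sample_db()`.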

Collection Constraints

  • Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

  • T1636.003
  • T1636.004
  • T1417
  • T1636