Cell Tower & Wi-Fi Location Cache

Location

Description

Binary cache files maintained by the Google Location Services provider containing recent cell tower and Wi-Fi access point observations used for network-based location determination. The cache.cell file stores cell tower IDs (MCC, MNC, LAC, CID) with associated GPS coordinates and timestamps. The cache.wifi file stores Wi-Fi BSSIDs (MAC addresses) with their estimated geographic positions.

Forensic Value

Cell tower and Wi-Fi location caches provide a record of the physical locations where the device was present, independent of GPS or user-initiated location queries. Cell tower records are particularly valuable because they are generated passively during normal cellular operation and cannot be disabled by the user without enabling airplane mode. Wi-Fi cache entries record access points detected by the device even without connecting, placing the device in proximity to specific buildings or locations. These caches are lower precision than GPS but provide broader temporal coverage.

Tools Required

Collection Commands

adb pull /data/data/com.google.android.location/files/ /forensics/location_cache/

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

adb shell dumpsys location > location_service_dump.txt

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References