DocumentsUI Recents & Persisted URI Grants

Location

Common Names

Description

Recent-document metadata and persisted URI permission state created by Android’s Storage Access Framework and DocumentsUI component when the user browses cloud or local documents and grants apps continued access to selected content.

Forensic Value

These artifacts can show that a user browsed or granted an application access to a particular document tree, cloud provider, or file path even when the app did not copy the content locally. In exfiltration and insider-threat cases, persisted URI grants may explain how a third-party app retained access to sensitive files after the chooser dialog closed. Recents state also helps identify which document providers and files were surfaced to the user through the system picker.

Tools Required

Collection Commands

adb shell dumpsys package packages > package_grants_dump.txt

adb shell dumpsys activity provider com.android.documentsui > documentsui_provider_dump.txt 2>/dev/null

adb bugreport /forensics/bugreport.zip

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.
• •DocumentsUI storage is highly version-dependent and OEM customization is common. Persisted URI grants are often easier to validate from bugreport or dumpsys package output than from a single on-disk database.

MITRE ATT&CK Techniques

References