Download Manager Database (downloads.db)

Location

Description

SQLite database maintained by the Android DownloadManager system service, recording all file downloads initiated through the system download framework. Each record contains the source URL, destination file path, MIME type, file size, download status, last modification timestamp, requesting application package name, and any notification metadata.

Forensic Value

The downloads database provides a record of files downloaded to the device with full source URLs and timestamps, establishing what content was obtained and from where. The uri column preserves the complete download URL including query parameters that may contain session tokens or content identifiers. The notificationpackage field identifies which application initiated each download, linking downloads to specific app activity. Entries persist in the database after downloaded files are deleted, providing evidence of files that were obtained and subsequently removed.

Tools Required

Collection Commands

adb pull /data/data/com.android.providers.downloads/databases/downloads.db /forensics/output/

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

adb shell content query --uri content://downloads/all_downloads > downloads_dump.txt

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References