Device Attestation Data (frosting.db)

androidSystem ConfigurationDevice Extraction

Location

/data/data/com.google.android.gms/databases/frosting.db

Description

SQLite database within Google Play Services that stores device integrity attestation records and SafetyNet/Play Integrity API response data. Contains cached attestation results including device model, build fingerprint, CTS profile match status, basic integrity verdict, and timestamps of attestation checks performed by applications.

Forensic Value

The frosting database provides evidence of the device security posture and integrity state, including whether the bootloader was unlocked, the device was rooted, or a custom ROM was installed at the time attestation checks were performed. Failed integrity checks suggest the device was modified in ways that could affect evidence reliability. The timestamps of attestation events correlate with application activity, as apps that perform SafetyNet checks typically do so at launch. This artifact helps establish whether the device operating environment was trustworthy during the investigation period.

Tools Required

ALEAPPMagnet AXIOMCellebrite UFEDDB Browser for SQLite

Acquisition Methods

Chip-Off Physical Extraction

android — physical

JTAG Physical Extraction

android — physical

ISP (In-System Programming) Extraction

android — physical

ADB Logical Extraction

android — logical

Root Filesystem Extraction

android — logical