Device Attestation Data (frosting.db)

Android | System Configuration | Device Extraction

Location

/data/data/com.google.android.gms/databases/frosting.db

Description

SQLite database within Google Play Services that stores device integrity attestation records and SafetyNet/Play Integrity API response data. Contains cached attestation results including device model, build fingerprint, CTS profile match status, basic integrity verdict, and timestamps of attestation checks performed by applications.

Forensic Value

The frosting database provides evidence of the device security posture and integrity state, including whether the bootloader was unlocked, the device was rooted, or a custom ROM was installed at the time attestation checks were performed. Failed integrity checks suggest the device was modified in ways that could affect evidence reliability. The timestamps of attestation events correlate with application activity, as apps that perform SafetyNet checks typically do so at launch. This artifact helps establish whether the device operating environment was trustworthy during the investigation period.

Tools Required

ALEAPP, Magnet AXIOM, Cellebrite UFED, DB Browser for SQLite

Collection Commands

adb

adb pull /data/data/com.google.android.gms/databases/frosting.db /forensics/output/

ALEAPP

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

adb

adb shell getprop > device_properties.txt
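
The getprop capture above records the device's current boot and build state, which can be set beside the cached attestation results when assessing security posture. The following Python script is an added example, not code from this page or from any tool it lists: it parses device_properties.txt-style output and reports integrity-relevant properties that differ from the values expected on an unmodified production build. The property names are standard Android system properties that the page itself does not list, OEM builds may omit some of them, and the sample output is constructed.

```python
import re

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.fingerprint]: [examplevendor/example/example:13/TQ1A.000000.001/0000001:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.debuggable]: [0]
"""

# Integrity-relevant properties and the value expected on an unmodified
# production build. Assumption: OEM builds may omit or rename some of these.
EXPECTED = {
    "ro.boot.verifiedbootstate": "green",
    "ro.boot.flash.locked": "1",
    "ro.build.tags": "release-keys",
    "ro.debuggable": "0",
}

# getprop prints one `[key]: [value]` pair per line.
LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict; skip lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def posture_findings(props):
    """Return (property, observed, expected) for each deviation.

    observed is None when the property was not reported at all; that is a
    collection gap to validate, not by itself evidence of modification.
    """
    findings = []
    for key, expected in EXPECTED.items():
        observed = props.get(key)
        if observed != expected:
            findings.append((key, observed, expected))
    return findings


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print("fingerprint:", props.get("ro.build.fingerprint"))
    for key, observed, expected in posture_findings(props):
        print(f"{key}: observed={observed!r} expected={expected!r}")
```

getprop reflects the device state at collection time only, so a difference from an older cached attestation result may indicate a change in device state between the two points.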

Collection Constraints

  • Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1426, T1404, T1398, T1406