Android Keystore Metadata
Location
/data/misc/keystore/ and /data/misc/keystore/user_0/Description
Directory containing metadata and blob files for the Android Keystore system, which provides hardware-backed (TEE or Strongbox) cryptographic key storage. Key entries include application-specific encryption keys, authentication-bound keys, biometric-bound keys, and VPN credential storage. Each key blob is associated with a UID identifying the owning application.
Forensic Value
Keystore metadata reveals which applications have stored cryptographic keys on the device, indicating use of encrypted communications, secure authentication, or DRM-protected content. The key characteristics (authentication-required, biometric-bound) indicate the security level of the keys. The presence of VPN keys establishes that VPN connections were configured. While the key material itself is protected by hardware and generally not extractable, the metadata files, key aliases, and associated UIDs identify which applications rely on secure key storage and the nature of their cryptographic operations.