Media Store & Thumbnails
Location
/data/media/0/DCIM/, /data/media/0/.thumbnails/, and /data/data/com.android.providers.media/databases/external.dbDescription
The Android MediaStore content provider database (external.db) indexes all media files on the device including photos, videos, and audio recordings. DCIM contains camera-captured images and videos. The .thumbnails directory stores automatically generated preview images for gallery display. The database records file paths, EXIF metadata, dimensions, duration, date taken, date added, and bucket (folder) associations.
Forensic Value
The MediaStore database retains metadata entries for media files even after the original files have been deleted, providing evidence of photographs and videos that once existed on the device. Thumbnails in the .thumbnails directory are generated independently and often survive deletion of the source image, preserving visual evidence. EXIF metadata embedded in photos includes GPS coordinates, camera settings, and timestamps that establish when and where images were captured. The date_added versus datetaken discrepancy can reveal files received from external sources versus captured on the device.
Tools Required
Collection Commands
adb
adb pull /data/media/0/DCIM/ /forensics/dcim/
adb
adb pull /data/data/com.android.providers.media/databases/external.db /forensics/output/
ALEAPP
python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/
Collection Constraints
- •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
- •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.