Installed Packages Registry (packages.xml)
Location
/data/system/packages.xml
Common Names
Description
XML file maintained by the Android PackageManager that serves as the authoritative registry of all installed applications. Each package entry contains the application name, version code, version name, installation timestamp (ft and lt attributes in hex epoch), installer package name, requested permissions, granted permissions, signing certificate hash, shared user ID, and data directory path.
Forensic Value
packages.xml provides a complete inventory of every application installed on the device, including those that have been hidden from the launcher or disabled. The firstInstallTime and lastUpdateTime timestamps establish when each application was originally installed and most recently updated, which is critical for determining if a malicious app was installed during the investigation timeframe. The installer field reveals whether an app was installed from the Play Store, sideloaded via ADB, or installed by another app. Permission grants identify applications with sensitive capabilities such as camera, microphone, location, and SMS access.
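The timeline and installer checks described above, as an added example (not part of the original page and not ALEAPP code). It assumes the file is in text-XML form (Android 12 and later write it as Android Binary XML, which must be converted first) and that the AOSP attribute names `it` (first install), `ut` (last update) and `installer` are present. The sample data, package names and source labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in text-XML layout; package names and values are made up.
SAMPLE = """<packages>
  <package name="com.example.notes" it="18cf0ab3000" ut="18cf0ab3000"
           installer="com.android.vending" />
  <package name="com.example.flashlight" it="18e0e7c2200" ut="18e13a27e00" />
  <package name="com.example.helper" it="18e13a27e00" ut="18e13a27e00"
           installer="com.example.flashlight" />
  <package name="com.example.broken" it="zz" />
</packages>"""

def hex_ms(value):
    """Hex milliseconds-since-epoch attribute -> UTC datetime; None if absent or malformed."""
    try:
        return datetime.fromtimestamp(int(value, 16) / 1000, tz=timezone.utc)
    except (TypeError, ValueError, OverflowError, OSError):
        return None

def installer_class(installer):
    if installer is None:
        return "none-recorded"  # assumption: adb/sideload or preloaded app
    return "play-store" if installer == "com.android.vending" else "other-app"

def parse_packages(xml_text):
    """One row per <package>; 'it'/'ut' are the assumed first-install/last-update attributes."""
    return [{
        "name": p.get("name"),
        "first_install": hex_ms(p.get("it")),
        "last_update": hex_ms(p.get("ut")),
        "installer": p.get("installer"),
        "source": installer_class(p.get("installer")),
    } for p in ET.fromstring(xml_text).iter("package")]

def in_window(rows, start, end):
    """Rows first installed or last updated inside [start, end], oldest first."""
    hits = [r for r in rows if any(
        t and start <= t <= end for t in (r["first_install"], r["last_update"]))]
    return sorted(hits, key=lambda r: r["first_install"] or r["last_update"])

if __name__ == "__main__":
    march = (datetime(2024, 3, 1, tzinfo=timezone.utc),
             datetime(2024, 3, 31, tzinfo=timezone.utc))
    for r in in_window(parse_packages(SAMPLE), *march):
        print(r["name"], r["first_install"], r["last_update"], r["source"], r["installer"])
```

Entries whose timestamps fail to decode are kept in the inventory with `None` values rather than dropped, so a malformed record remains visible to the examiner.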
Tools Required
Collection Commands
adb
adb pull /data/system/packages.xml /forensics/output/
adb
adb shell pm list packages -f > installed_packages.txt
ALEAPP
python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/
Collection Constraints
- Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
- Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.