Recent Tasks & App Snapshots
Location
/data/system_ce/0/recent_tasks/ and /data/system_ce/0/snapshots/Description
XML task description files and JPEG screenshot snapshots stored by the Android ActivityManager for the recent apps switcher. Each task file contains the package name, root activity component, creation timestamp, last active timestamp, and user ID. Associated snapshot images capture the visual state of the application at the time it was backgrounded.
Forensic Value
Recent tasks provide evidence of application usage with timestamps for both task creation and last active time, even for applications that do not maintain their own history. The snapshot images are particularly valuable because they capture the actual screen content of each application at the moment it was switched away from, potentially preserving message content, map views, document text, or other transient information that is no longer accessible within the app itself. Snapshots may survive after the originating app data is deleted or the app is uninstalled.