App Usage Statistics (UsageStats)
Location
/data/system/usagestats/0/ (XML files organized by daily/weekly/monthly/yearly)Description
XML-based usage statistics collected by the Android UsageStatsManager service, recording application usage events including foreground activity changes, configuration changes, and interactive state transitions. Data is organized into daily, weekly, monthly, and yearly rollup files, each containing package names with first and last timestamps and total time in foreground.
Forensic Value
UsageStats provides a comprehensive timeline of which applications were actively used and for how long, even when individual app databases have been cleared. The event log entries record precise timestamps for app foreground/background transitions, enabling reconstruction of the exact sequence of app usage throughout each day. This artifact is particularly valuable for establishing that a messaging app, camera, or other application was actively in use at a specific time. The data persists through app uninstallation and is maintained by the system service rather than individual apps.
Tools Required
Collection Commands
adb
adb pull /data/system/usagestats/0/ /forensics/usagestats/
ALEAPP
python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/
adb
adb shell dumpsys usagestats > usagestats_dump.txt
Collection Constraints
- •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
- •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.