Wi-Fi-Based Location Records

Android, Location Data, Device Extraction

Location

/data/data/com.google.android.gms/databases/ and /data/misc/wifi/ (various system databases)

Description

Location data derived from Wi-Fi network connections and scans, distributed across multiple system databases. Includes records of Wi-Fi networks detected during location scans, connection timestamps associated with specific access points, and Wi-Fi RTT (Round-Trip Time) ranging data on supported devices for precise indoor positioning.

Forensic Value

Wi-Fi-based location records place the device at specific physical locations based on the unique BSSIDs of detected access points. Even without connecting to a network, Wi-Fi scan results record the presence of nearby access points that can be geolocated through wardriving databases (WiGLE) or vendor records. Connection logs with timestamps establish when the device was within range of specific networks, which is valuable for establishing presence at locations with known Wi-Fi infrastructure such as businesses, residences, and public venues. These records supplement GPS data and may be available when GPS was disabled.

Tools Required

Cellebrite UFED, ALEAPP, Magnet AXIOM, Oxygen Forensic Detective, DB Browser for SQLite

Collection Commands

adb

adb pull /data/misc/wifi/ /forensics/wifi_data/

ALEAPP

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

adb

adb shell dumpsys wifi > wifi_service_dump.txt
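
As an added example (not part of the original page or of any tool named on it), the script below pulls MAC-shaped strings out of the `wifi_service_dump.txt` produced above, counts them, and separates globally unique addresses (candidates for a WiGLE or vendor lookup) from locally administered, multicast, and placeholder addresses. The sample lines and function names are constructed for illustration; the `dumpsys wifi` layout varies by Android version and OEM, so the code matches address patterns rather than a fixed format.

```python
import re
import sys

# Six colon-separated hex octets, not embedded in a longer hex/colon run (e.g. IPv6).
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
# All-zero address and the 02:00:00:00:00:00 default Android reports when no real MAC is exposed.
PLACEHOLDERS = {"00:00:00:00:00:00", "02:00:00:00:00:00"}

# Constructed sample lines (assumption: not a real dumpsys layout).
SAMPLE = """\
scan result: bssid=3c:84:6a:11:22:33 ssid="CafeGuest" rssi=-61
scan result: bssid=3C:84:6A:11:22:33 ssid="CafeGuest" rssi=-70
connected: bssid=a0:b1:c2:d3:e4:f5 ssid="HomeNet"
device mac=da:a1:19:00:11:22 (randomized)
last bssid=02:00:00:00:00:00
broadcast ff:ff:ff:ff:ff:ff
addr fe80::1a2b:3c4d:5e6f:7a8b
"""

def classify(mac):
    first_octet = int(mac[:2], 16)
    if mac in PLACEHOLDERS:
        return "placeholder"
    if first_octet & 0x01:
        return "multicast"             # group address, never an AP BSSID
    if first_octet & 0x02:
        return "locally-administered"  # randomized client MAC or virtual BSSID
    return "globally-unique"           # vendor-assigned

def extract_bssid_candidates(text):
    """Map each normalized MAC to its hit count, kind, and first line seen."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for raw in MAC_RE.findall(line):
            mac = raw.lower()
            entry = found.setdefault(
                mac, {"count": 0, "kind": classify(mac), "first_line": lineno})
            entry["count"] += 1
    return found

def lookup_list(found):
    """Globally unique MACs, most frequently seen first, for geolocation lookup."""
    keep = [m for m, e in found.items() if e["kind"] == "globally-unique"]
    return sorted(keep, key=lambda m: (-found[m]["count"], m))

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    hits = extract_bssid_candidates(text)
    for mac in sorted(hits, key=lambda m: hits[m]["first_line"]):
        print(mac, hits[mac])
    print("lookup candidates:", lookup_list(hits))
```

Locally administered addresses are kept in the result rather than discarded, since they need manual review before being ruled out as access points.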

Collection Constraints

  • Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1422, T1421, T1430, T1636