Wi-Fi-Based Location Records

androidLocation DataDevice Extraction

Location

/data/data/com.google.android.gms/databases/ and /data/misc/wifi/ (various system databases)

Description

Location data derived from Wi-Fi network connections and scans, distributed across multiple system databases. Includes records of Wi-Fi networks detected during location scans, connection timestamps associated with specific access points, and Wi-Fi RTT (Round-Trip Time) ranging data on supported devices for precise indoor positioning.

Forensic Value

Wi-Fi-based location records place the device at specific physical locations based on the unique BSSIDs of detected access points. Even without connecting to a network, Wi-Fi scan results record the presence of nearby access points that can be geolocated through wardriving databases (WiGLE) or vendor records. Connection logs with timestamps establish when the device was within range of specific networks, which is valuable for establishing presence at locations with known Wi-Fi infrastructure such as businesses, residences, and public venues. These records supplement GPS data and may be available when GPS was disabled.

Tools Required

Cellebrite UFEDALEAPPMagnet AXIOMOxygen Forensic DetectiveDB Browser for SQLite

Acquisition Methods

Chip-Off Physical Extraction

android — physical

JTAG Physical Extraction

android — physical

ISP (In-System Programming) Extraction

android — physical

ADB Logical Extraction

android — logical

Root Filesystem Extraction

android — logical