Files By Google: More Mobile Explorer Artifacts

Files By Google is the default file organizer built into Google Pixel phones but can also be installed as an app through the Google Play Store (found here). Josh Hickman did a good amount of research on its connections to the External.db database found on Android phones but didn't go into detail on the database files found directly in the app's own data directory. My analysis here will provide even further details in correlation with Josh's already fantastic research.

The Files By Google app folder can be found at the following path:

data\data\com.google.android.apps.nbu.files

We want to look at the "databases" subfolder which will give us two different database files to analyze:
  • files_master_database - contains information about files found in the Files application
  • search_history_database - only created after a search has been done in the Files application
  • app_usage_database - contains some application usage on the phone

Files_master_database

The "files_master_database" has 16 total tables shown below:

Figure 3: files_master_database Database Tables

The main table of interest is the "files_master_data" table. This includes a lot of similar information that the External.db contains. We get file paths, file names, size, date modified (in Unix Epoch milliseconds), media type and more.

Figure 4: files_master_data Table in files_master_database

This data is useful in matching it up with other file artifacts to see what may reside on the phone storage. The media_type column groups files into the following categories:

0 = App/Data
1 = Images
2 = Audio
3 = Videos
6 = Text

I haven't been able to figure out what file types correlate to media types 4 and 5 at this point.

Another table of interest is the "files_metadata_table". It has media metadata for files found in the Files by Google application.

Figure 5: files_metadata_table structure

The table was sparsely populated but did have some resolution and camera information found on DCIM images taken with the device.

Search_history_database

The search_history_database file was only created after doing a file search in the Files by Google application. It was not present before doing so. The database doesn't have much information inside but does provide a date and timestamp alongside the keyword that was searched.

Figure 6: Search history from the Files by Google app

As you can see above, I searched for two terms. Below is the snapshot from the database. We get the term and the timestamp (in Unix Epoch milliseconds) from the "search_history_content" table.

Figure 7: search_history_content table from search_history_database

App_usage_database

As seen from the screenshot below there are only 3 tables in this database with the "app_usage_stats_table" table being the most relevant.

Figure 1: app_usage_database Database Tables

Four columns are present in the table, which include the app package name, the last used timestamp of said application, the app size, and the timestamp of the time when the app was last updated.

Figure 2: app_usage_stats_table Table

last_used_ms_timestamp and app_last_updated_ms_timestamp are both stored as Unix Epoch offsets in milliseconds. The other two are pretty self-explanatory. From what I can tell, all of the applications displayed are the built-in applications from Google/Android such as YouTube or Google Docs, not any third-party ones such as Facebook or Instagram. The only exceptions I found on my own test device were entries for Magisk, Solid Explorer and FX Explorer, which all have root access on the phone.

More research needs to be completed on the timestamps for application usage here from this database as they didn't seem to match properly. My guess is it could be when the application touches a file from the Files By Google app itself.
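The following is an added example, not a script from the post or from the ALEAPP project: it pulls the files_master_data and app_usage_stats_table rows described above, decodes media_type with the post's mapping (flagging any value the post does not document, such as 4 or 5) and converts the millisecond epoch timestamps to UTC. The post only names media_type, last_used_ms_timestamp and app_last_updated_ms_timestamp; every other column name and the in-memory sample database are assumptions constructed here so it runs offline.

```python
import sqlite3
from datetime import datetime, timezone

# media_type values the post documents; 4 and 5 are still unidentified
MEDIA_TYPES = {0: "App/Data", 1: "Images", 2: "Audio", 3: "Videos", 6: "Text"}

def ms_to_utc(ms):
    """Convert a Unix epoch millisecond value to an ISO 8601 UTC string (None stays None)."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def parse_files_master(conn):
    """files_master_data rows with media_type decoded and the modified time converted.
    Only media_type is named in the post; the other column names here are assumptions."""
    sql = "SELECT file_path, file_name, size, date_modified_ms, media_type FROM files_master_data"
    return [{"path": p, "name": n, "size": s, "modified_utc": ms_to_utc(d),
             "media_type": MEDIA_TYPES.get(m, f"Unknown ({m})")}
            for p, n, s, d, m in conn.execute(sql)]

def parse_app_usage(conn):
    """app_usage_stats_table rows; the two *_ms_timestamp columns are named in the post,
    package_name and app_size are assumed names."""
    sql = ("SELECT package_name, last_used_ms_timestamp, app_size, app_last_updated_ms_timestamp "
           "FROM app_usage_stats_table")
    return [{"package": pkg, "last_used_utc": ms_to_utc(lu), "size": sz,
             "last_updated_utc": ms_to_utc(upd)}
            for pkg, lu, sz, upd in conn.execute(sql)]

def build_sample_db():
    """Constructed in-memory stand-in for the two databases so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files_master_data(file_path TEXT, file_name TEXT, size INTEGER,
                                       date_modified_ms INTEGER, media_type INTEGER);
        CREATE TABLE app_usage_stats_table(package_name TEXT, last_used_ms_timestamp INTEGER,
                                           app_size INTEGER, app_last_updated_ms_timestamp INTEGER);
        INSERT INTO files_master_data VALUES
          ('/storage/emulated/0/DCIM/Camera/IMG_0001.jpg', 'IMG_0001.jpg', 2048000, 1609459200000, 1),
          ('/storage/emulated/0/Download/notes.txt', 'notes.txt', 512, 1609462800000, 6),
          ('/storage/emulated/0/Download/odd.bin', 'odd.bin', 99, 1609462800000, 4);
        INSERT INTO app_usage_stats_table VALUES
          ('com.google.android.youtube', 1609466400000, 150000000, 1609000000000);
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for row in parse_files_master(db) + parse_app_usage(db):
        print(row)
```

Against a real extraction, replace build_sample_db() with sqlite3.connect() on the pulled files_master_database and app_usage_database files and adjust the assumed column names to match the schema you observe.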

ALEAPP parsers have been added for the File Master and the Search History tables while I continue to look at the App Usage table. Custom artifacts have also been submitted to the Magnet Artifact Exchange pending approval.
