The ‘Recent Apps’ feature allows users to conveniently browse and relaunch recently used apps, and it has been available since Android 5.0 and later versions. Starting with Android 8.0, a new internal infrastructure called ‘task snapshots’ was introduced to store app screen captures and metadata displayed in the ‘Recent Apps’.

This article aims to introduce the ‘’Recent Apps’’ feature available on Android devices, and explain the concept of task snapshots, which save its traces. The findings are based on data extracted from the device with Android 11 using MD-NEXT v2.2.8, and analyzed with MD-RED v4.0.5

Table of Contents

• Recent Apps
  • Task Snapshot
• Available Information
  • Last Screen of the Recent App
  • Timestamp of Background Transition
  • Others
  • Summary of Available Information
• Summary

1.Recent Apps

Tap at the bottom-left of the home screen to access the ‘Recent Apps’. Swipe left or right to browse through the apps running in the background. You can reopen a specific app or swipe it upward to remove it from the ‘Recent Apps’. Up to 50 apps can be open in the background, and when the limit is exceeded, the oldest apps will be removed from the ‘Recent Apps’.

Learn more

1.1 Take Snapshot

A task snapshot is an internal Android infrastructure used to store the screen displayed in the ‘Recent Apps’ feature. It refers to the app screen when it is switched to the background. The app screen is saved in both high-resolution and low-resolution.

Learn more

2.Available Information

Under /system_ce/{User ID}/snapshots/, Android stores a set of three files for each screen displayed in the ‘Recent Apps’ list. If a user swipes an app away from the ‘Recent Apps’, the corresponding files are also deleted.

• {Task ID}. jpg

• {Task ID}_reduced.jpg

• {Task ID}.proto

The name of each file is assigned a unique numerical Task ID, and this ID increases sequentially according to the order in which apps transition to the background. Even if an app already shown in ‘Recent Apps’ is launched again and then switched back to the background, its previously assigned Task ID does not change.

2.1 Last Screen of the Recent App

You can identify the last screen displayed in a recent app from the two snapshot image files: {Task ID}.jpg and {Task ID}_reduced.jpg. The {Task ID}_reduced.jpg file is a lower-resolution version and has a smaller file size compared to {Task ID}.jpg

2.2 Timestamp of Background Transition

You can identify the timestamp of an app’s transition to the background in the {Task ID}.proto file, which stores the snapshot’s metadata. The modified, accessed, and changed timestamps (MAC Times) of the {Task ID}.proto file also reflect the moment when the app was switched to the background.

The modified and changed timestamp of {Task ID}.jpg and {Task ID}_reduced.jpg represent the timestamp when the app transitioned to the background. These timestamps are updated each time the app is switched to the background. The accessed timestamp of these files indicates the first time the app was transitioned to the background.

2.3 Others

The /system_ce/{User ID}/snapshots/ directory may also contain screens, such as alarm screens, Galaxy default app searches, network list screens, and others.

Meanwhile, the {Task ID}.xml files stored under /system_ce/{User ID}/recent_tasks/ provide a record of app usage history that complements the snapshot artifacts.

2.4 Summary of Available Information

3.Summary

1. Android devices provide a ‘Recent Apps’ feature that allows users to view recently used apps and relaunch them easily.

2. Task snapshots serve as Android’s internal infrastructure for storing the screens and metadata of recently used apps.

3. For each screen shown in the ‘Recent Apps’, a set of three files, {task ID}.jpg, {task ID}_reduced.jpg, and {task ID}.proto, is stored under /system_ce/{User ID}/snapshots/.

4. The {task ID}.jpg and {task ID}_reduced.jpg files contain the last displayed screen of the app. The modified and changed timestamps indicate the moment the app transitioned to the background, while the accessed time reflects the first time the app transitioned to the background.

5. The {Task ID}.proto file records metadata, including the timestamp of the background transition. Its modified, accessed, and changed timestamps also correspond to the time the app was transitioned to the background.

6. In addition to recent app screens, this directory may also contain images such as alarm screens or other system-generated snapshots. App usage history can be found in the {Task ID}.xml file stored under /system_ce/{User ID}/recent_tasks/.

There is suspicion that the subject participated in criminal activity through a hotspot connection. Is it possible to verify the device’s hotspot connection activity through mobile forensic analysis?

Hotspot connections represent more than simple network activity. They can serve as evidence that two devices were in close physical proximity.

iOS hotspot feature requires manual authentication for the initial connection, but automatically reconnects when the same device comes within range thereafter. This means the presence of automatic connection records indicates that the user previously entered the password manually, and suggests the possibility that both devices were used together in the same location at the time of an incident.

This article aims to explain how to connect to a personal hotspot on iOS devices and provide key information available to identify the connection history. The findings are based on the data extracted from iOS 16.7 device using MD-NEXT v2.2.8 and analyzed via MD-RED v4.0.4.

Table of Contents

• How to Set Up a Personal Hotspot
  • Hotspot Providing Device
  • Hotspot Receiving Device
• Hotspot Connection History on Receiving Device (A)
  • Case 1: Device A connects to Device B’s hotspot (1st session)
  • Case 2: Device A disconnects from the hotspot (1st session)
  • Case 3: Device A reconnects to Device B’s hotspot (2nd session)
  • Case 4: Device A disconnects from the hotspot (2nd session)
  • Case 5: Device A connects and disconnects from the hotspot (multiple times)
• Summary of Available Information
• Appendix: Information Available on Providing Device (B)
• Summary

1.How to Set Up a Personal Hotspot

When a Wi-Fi network is unavailable, you can share your iPhone’s cellular data connection by enabling a Personal Hotspot. To enable a hotspot, configure devices as follows.

Learn more

1.1 Hotspot Providing Device

Go to ‘Settings’ > ‘Personal Hotspot’ or ‘Settings’ > ‘Cellular’ > ‘Personal Hotspot’ and enable ‘Allow Others to Join’ option. To use this hotspot, other users must enter the password set in the providing device.

1.2 Hotspot Receiving Device

Go to ‘Settings’ > ‘Wi-Fi’ and select a personal hotspot of Device B. A personal hotspot is displayed with the icon next to it. If a personal hotspot is successfully connected, the icon is displayed on the top-right corner of the device screen.

2.Hotspot Connection History on Receiving Device (A)

The hotspot connection history on the receiving device is stored in the following source files:

• /private/var/preferences/com.apple.wifi.known-networks.plist

• /private/var/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist

• /var/mobile/Library/Preferences/com.apple.networkserviceproxy.plist

The following information is available in the fils : 

• Start timestamp of initial connection

• Start timestamp of automatic an manual hotspot connection

• Start timestamp of the nth connection

• Start/end timestamp of the last connection

The following sections describe typical scenarios in which this information can be identified and analyzed. Device A refers to the device that received the hotspot connection, and Device B refers to the device that provided it.

2.1 Case 1 : Device A Connects to Device B’s hotspot (1st session)

This scenario is when Device A connects to Device B’s personal hotspot. If it is the initial connection, the password set on the providing Device B is required to enable the connection.

The following information is available :

• The AddedAt key in the com.apple.wifi.known-networks.plist file and the AddedAt key in the com.apple.wifi-private-mac-networks.plist file record the timestamp when the hotspot was initially connected.

• The NSPServiceStatusMAnagerInfo key in the com.apple.networkserviceproxy.plist file contains blob-processed Plist data with detailed hotspot connection information. In each NS.time key, under PrivacyProxyNetworkStatusTimeNetworkStartTime andPrivacyProxyNetworkStatusTimeNetworkEndTime keys, you cna find the timestamp the hotspot was connected and disconnected. The timestamp is recorded in CFAbsoluteTime format.

The following table summarizes the information above.

2.2 Case 2 : Device A Connects from the hotspot (1st session)

In this case, Device A loses its connection to Device B’s hotpot. Hotspot connections can be lost when :

• The user manually disconnects from the hotspot.

• The device switches to a different Wi-Fi network.

• The device moves too far from the hotspot providing device.

• The hotspot provider changes the hotspot password.

When a connection is terminated, the end timestamp can be found in the com.apple.networkserviceproxy.plist file.

2.3 Case 3 : Device A Connects to Device B’s hotspot (2nd session)

In this case, Device A temporarily loses connection and then reconnects to Device B’s hotspot. There are two possible reconnection scenarios.

• Automatic connection: The device automatically reconnects when it comes within range of the hotspot. For this condition, the providing device must not have changed the password, and the ‘Allow Others to Join’ option must be enabled.

• Manual connection: The user actively selects and reconnects to the hotspot. Since the password was saved during the first connection, re-authentication is not required.

The JoinedBySystemAt key within the com.apple.wifi.known-networks.plist file records the start timestamp of the automatic connection. Upon manual reconnection, the JoinedByUserAt key is updated with the corresponding start timestmap of connection.

The lastJoined key in the com.apple.wifi-private-mac-networks.plist file records the start timestamp of the last connection, updating with each session (2nd, 3rd, nth session).

The table below summarizes the information above.

2.4 Case 4 : Device A disconnects from the hotspot (2nd session)

In this case, the device disconnects from the hotspot after having successfully reconnected. To determine when the hotspot connection was terminated, refer to UpdatedAt key in com.apple.wifi.known-networks.plist file and lastUpdated key in com.apple.sifi-private-mac-networks.plist file.

2.5 Case 5 : Device A disconnects from the hotspot (multiple times)

In this case, the device repeatedly connects to and disconnects from the hotspot. In each session, the same information described in Case 3: Device A reconnects to Device B’s hotspot (2nd session) can be found.

When hotspot connections and disconnections occur two or more times, the start and end timestamps for all sessions except the last one are recorded in the NS.timekey under the
PrivacyProxyNetworkStatusTimeNetworkStartTime and PrivacyProxyNetworkStatusTimeNetworkEndTime keys in the com.apple.networkserviceproxy.plist file.

For example, if four sessions occurred, the start and end timestmaps for sessions 1 through 3 can be identified in the source file. While the las (4th) session’s connection start and end timestmaps cannot be verified, you can refer to the recording of previous connection and disconnection timestamps to trace hotspot connection history.

The table below summarized the information above.

3. Summary of Available Information

4.Appendix: Information Available on Providing Device (B)

The device that provided the hotspot also stores records of hotspot connection activity.If deleted records are present in the ZTIMESTMAP key of the ZPROCESS table in the /private/var/wireless/Library/Databases/DataUsage.sqlite file, it suggest that the hotspot provider enabled the ‘Allow Others to Join’ option.

5.Summary

• • Hotspot connection records suggest the physical proximity of the providing and receiving devices.

• • Connecting to a hotspot requires entering the hotspot password on the initial connection. If a device automatically connects to a specific hotspot, it suggests a prior connection between the two devices.

• • On the receiving device, hotspot connection records are found in the following source files

  •   ◦ com.apple.wifi.known-networks.plist

  •   ◦ com.apple.wifi-private-mac-networks.plist

  •   ◦ com.apple.networkserviceproxy.plist

• • On the providing device, if deleted records of the ZTIMESTMAP key in the ZPROCESS table of the DataUsage.sqlite file exist, it indicates that a hotspot connection occurred.

AI features, such as translation and photo editing, are rapidly expanding across mobile devices. In particular, AI-driven photo editing features, such as object removal and natural background generation, are now commonly available in default gallery apps, no longer requiring third-party applications.

At the same time, this advancement has also posed new challenges in digital investigations. Photos edited with AI can be difficult to distinguish from the original, potentially causing confusion when verifying the authenticity of digital evidence. For this reason, identifying whether a photo has been altered and securing traces of such edits are becoming important in forensic analysis.

This article explains the AI photo editing features available on major smartphone manufacturers, Samsung Galaxy and Apple iPhone. The findings are based on the data extracted from an Android 15 device running One UI 7.0 and an iOS 18.5 device, extracted using MD-NEXT v2.2.5 and analyzed with MD-RED4 v4.0.1.

Table of Contents

• Galaxy AI Photo Editing Features
  • Sketch to Image
  • Generative Edit
  • Portrait Studio
• iPhone AI Photo Editing Features
  • Clean Up
• Available Editing Artifacts
  • Device Gallery/Photos App
  • Metadata
  • File Name and Save Path
  • Other Artifacts
  • Summary of Artifacts Left by AI Photo Editing Features
• Summary

1.Galaxy AI Photo Editing Features

Samsung first introduced the Galaxy AI, a collection of AI features integrated into its devices, with the launch of the Galaxy S24 series. Galaxy AI was later expanded to earlier models through the One UI 6.1 update. Among these features, ‘Photo Assist’ empowers photo editing with AI functionality. The key features of Photo Assist are outlined below. For more details, refer to Samsung’s official website.

Learn more

1.1 Sketch to Image

This feature allows you to transform simple sketches drawn over a photo into realistic objects.
To use this feature, open the Gallery app, select a photo > Tap the Photo Assist icon > Select the Sketch to Image icon and draw a sketch.

AI will automatically convert it to a realistic object that matches the context of the photo.

Generative Edit

This feature allows you to move, delete, or resize a person or object in a photo. When an object is removed or repositioned, AI automatically fills the empty area to seamlessly match the surrounding background.

To use this feature, open the Gallery app, select a photo > Tap the Photo Assist icon > Select or outline the target object to adjust its size or to remove it.

Portrait Studio

This feature allows you to apply various artistic effects, such as watercolor or sketch styles, to portrait photos. It is available only for photos recognized as portraits.

To use this feature, open the Gallery app, select a photo > Tap the Photo Assist icon > Choose the desired effect to apply to the photo. If there is more than one person, select the person you want to apply the effect to.

1.2 iPhone AI photo Editing Features

Apple rolled out ‘Apple Intelligence’ starting with iOS 18.1, compatible with devices featuring the A17 Pro chip or later. In the Photos app, Apple Intelligence includes the ‘Clean Up’ feature, which removes distracting objects from a photo.

Clean Up

To use the ‘Clean Up’ feature, open the Photos app and select a photo to edit > Tap the icon at the bottom of the screen > Select the Clean Up icon> Tap or brush over the area you want to remove, and the selected object will be erased from the photo. Once finished, tap [Done] in the upper-right corner to apply the effect.

Note that if you brush over the sensitive details, such as faces, tattoos, or ID numbers, they may be blurred with a pixelated effect. For more information, refer to Apple’s official website.

Learn more

1.3 Available Editing Artifacts

Device Gallery/Photo App

On Galaxy, edited photos are saved as separate copies in the Gallery. A watermark ‘AI-generated content’ appears at the bottom-left corner of the edited photo, indicating that an AI effect has been applied.

On iPhone, edits are applied directly to the original photo. Unlike on Galaxy, edited versions are not saved separately in the Photos app. As a result, it is difficult to visually distinguish edited photos within the Photos app.

Alternatively, you can check whether a photo has been edited by tapping the icon to enter edit mode. If the [Revert] button appears in the upper-right corner, it indicates that the photo has been edited using the Clean Up feature or other basic editing tools such as crop or filters.

On iPhone, edits are applied directly to the original photo. Unlike on Galaxy, edited versions are not saved separately in the Photos app. As a result, it is difficult to visually distinguish edited photos within the Photos app.

Alternatively, you can check whether a photo has been edited by tapping the icon to enter edit mode. If the [Revert] button appears in the upper-right corner, it indicates that the photo has been edited using the Clean Up feature or other basic editing tools such as crop or filters.

Metadata

On Galaxy, the edited photo’s Hex data contains metadata in JSON format (key:value format). Within this metadata, the value assigned to the genAIType key indicates which Photo Assist feature was used during editing.

On iPhone, the hex data of an edited photo contains the string ‘Apple Photos Clean Up.’ If this string is found in the hex data, it indicates the Clean Up feature has been applied to the photo.

File Name and Save Path

On Galaxy, edited photos are saved in the same path as the original. For photos taken directly with the device camera, both the original and edited files share the same naming format, YYYYMMDD_HHmmss.{extension}. Therefore, it is difficult to distinguish between the edited photo and the original based solely on the file name or save path.

• Save path of original: /var/mobile/Media/DCIM/{sezuence number]APPLE/[IMG_sequence number].{extension}

• Save path of edited photo: /var/mobile/Media/PhotoData/Mutations/DCIM/{sequence number}APPLE/[IMG_sequence number]/Adjustments/FullSizeRender.{extension}

Other Artifacts

On Galaxy, edited records are stored in the media.db file located at /data/com.samsung.android.providers.media/databases. When the Photo Assist feature is used, the files table in this database contains a key named sef_file_types.

On iPhone, the Adjustments.plist file is available in the save path where edited photos are stored (/var/mobile/Media/PhotoData/Mutations/DCIM/{sequence number}APPLE). In this Plist file, refer to adjustmentTimestamp, adjustmentRenderTypes, and adjustmentData keys to find the timestamp the photo was edited, whether the Clean Up feature was used, and the area of the photo where the AI effect was applied.

Summary of Artifacts Left by AI Photo Editing Features

O: Distinguishable / X: Not Distinguishable / △: Detectable, but similar traces may also appear when using non-AI editing features

1.4 Summary

1. The latest Galaxy and iPhone models support AI-powered photo editing features within their default Gallery (Photos) app.

2. On Galaxy, the traces of AI photo editing (Photo Assist) can be identified through the Gallery app, the metadata of the edited file, and the media.db file.

3. On iPhone, the traces of AI photo editing (Clean Up) can be identified through the Photos app, metadata, and the Adjustment.plist file.

Location information is a vital piece of digital evidence used to map a subject’s movements and validate alibis. Location spoofing apps compromise the integrity of data by hiding real travel routes or fabricating alibis. For instance, there have been cases where suspects used a spoofing app to simulate being away from a crime scene, while simultaneously taking multiple photos to support their false claim.

Such practices fall under anti-forensic techniques, specifically the category of data modification. By altering or fabricating data, location spoofing undermines the reliability of digital evidence and complicates forensic analysis.

This article aims to introduce the main features of three widely used location spoofing apps: Fake GPS Location, GPS Emulator, and Fly GPS. It also explains the types of forensic artifacts that can be recovered during analysis. The findings are based on devices with Android 12, using Fake GPS Location v90.0, GPS Emulator v3.02, and Fly GPS v7 (free versions).

Index

• Location Spoofing App
  • Fake GPS Location
  • GPS Emulator
  • Fly GPS
  • Summary of Key Features by App
• Available Information
  • Location Search
  • Location Spoofing History
  • Movement Route
  • Favorites
• Summary

1.Location Spoofing App

A location spoofing app works by feeding the system with fake coordinates generated by the app instead of real GPS signals. As a result, the device appears to be in a different location. This section explains the key features supported by three common spoofing apps: Fake GPS Location, GPS Emulator, and Fly GPS.

1.1 Fake GPS Location

Location Search

Use the search bar at the top of the screen to enter an address. Once entered, the icon moves to the corresponding location.

Virtual Location Setup

Run the app and swipe across the map to move to the desired location. Tap on the map, and the marker will shift to that point. Select [Start Fake GPS] to set the device’s coordinates to the desired location. Fake GPS Location only supports setting a fixed location.

Favorites

After setting a location, tap the icon at the bottom-right corner to save it as a favorite. You can view all saved favorites by tapping the icon. Selecting a favorite will reposition the map to that location. Fake GPS Location does not provide an option to delete saved favorites.

1.2 GPS Emulator

Location Search

Tap the icon at the top-right corner and enter an address in the search bar to move to that location.

Virtual Location Setup

GPS Emulator offers two options, one that allows users to set a fixed virtual location and the other to simulate travel routes.

•Fixed Location: Swipe the map to the desired point and tap the icon at the bottom of the screen. The marker will appear at that point, and the device will use it as the virtual location. Tap the icon to stop spoofing.

•Movement Path: Select the
icon at the top-left corner > New route to configure paths manually or automatically.

    ・Manual: Swipe the map to set a start and end point. You can connect the points with a straight line.

    ・ Auto: Generate a path that follows roads or sidewalks, simulating travel routes.

Favorites

Tap the icon at the bottom-right corner to save a fixed location as a favorite. Go to
icon at the top-left corner > Bookmarks > Locations & Routes to view the saved favorites.

Location Spoofing History

Go to icon at the top-left corner > Bookmarks > History to view the records of spoofed locations. Tap the icon to remove entries from the list.

1.3 Fly GPS

Location Search

Tap the icon at the top-right corner and enter an address in the search bar to move to that location.

Virtual Location Setup

Fly GPS offers two options: Fixed Location Mode for setting a static spot, and Move Location Mode for simulating movement routes as if a user is physically moving.

• Fixed Location Mode: Swipe the map and tap the desired location. A marker with a popup menu will appear. Select the popup menu > GPS Service Run > Fixed Location Mode to set the virtual coordinates.

• Move Location Mode: Begin by setting a start point the same way as in Fixed Location Mode. Select the popup menu > GPS Service Run > Move Location Mode. Once the start point is set, use the gray directional pad displayed in the bottom-right corner to simulate movement along a path.

Favorites

Select the popup menu > Add to favorites to save the location. Go to Favorites at the top-right of the screen to view the saved favorites. You can reuse the saved items and display them again on the map. Fly GPS support deletion in favorites.

Location Spoofing History

Go to at the top-left corner > History to view the timestamp and location details of spoofed positions. Fly GPS does not support deletion in history.

1.4 Summary of Key Features by App

The main features provided by each app can be summarized as follows:

• Fake GPS Location: In the free version, only location search and favorites are supported. It is limited to setting a single fixed location.

• GPS Emulator: Offers the most comprehensive feature set, including location search, favorites, fixed location, movement path, and location spoofing history. It supports both manual and automatic options (based on roads and sidewalks) for virtual location setup, allowing for more precise manipulation.

• Fly GPS: Supports location search, favorites, fixed location, movement path, and location spoofing history. One distinctive feature is that location spoofing history cannot be deleted, which can provide valuable forensic evidence.

The summary of key features by app can be summarized as follows:

2.Available Information

2.1 Location Search

Location search is a common feature in location spoofing apps. It stores location search history data, which can be used to verify user behavior, such as manually searching for a specific address to change device coordinates. However, location search data is only stored in specific location spoofing apps. Apps like Fake GPS Location and Fly GPS support this feature, but does not retain location search history.

The save paths and target files containing location search data for each app are summarized below.

2.2 Location Spoofing History

Location spoofing history records coordinates and related data. GPS Emulator and Fly GPS support this feature. In GPS Emulator, spoofing history can be deleted within the app, removing corresponding entries from the target file. Fly GPS does not support deleting spoofing history, making it valuable for forensic analysis.

The save paths and target files containing location spoofing history data for each app are summarized below.

2.3 Movement Route

Location spoofing apps allow users to simulate movements. GPS Emulator and Fly GPS offer this feature. In GPS Emulator, you can manually or automatically manipulate the movement route. In Fly GPS, you can navigate the arrow icons after setting a start point.

The save paths and target files containing movement route data for each app are summarized below.

2.4 Favorites

Favorites allow you to bookmark frequently used locations for quick access, eliminating the need to repeatedly enter addresses. This feature is supported by all three apps, enabling faster and more convenient spoofing of recurring locations.

The save paths and target files containing favorites data for each app are summarized below.

3. Summary

Location spoofing is an anti-forensic practice that disrupts investigations by concealing or altering digital evidence. It falls under the category of data modification, in which data is manipulated to hinder forensic analysis.

Typical features of location spoofing apps include location search, fixed location spoofing, movement path simulation, and favorites.

All three apps store data when the favorites feature is used.

Among them, GPS Emulator retains the most extensive data, including search records, location spoofing history, and movement paths. Fly GPS is particularly noteworthy because spoofing history cannot be deleted, making it especially useful for forensic analysis.