Saturday, July 07, 2018

Update - HERREVAD Databases Geo Location Artefacts

Back in February 2017 I wrote an article on "HERREVAD Databases Geo Location Artefacts" (http://trewmte.blogspot.com/2017/02/herrevad-databases-geo-location.html), and I regularly search for updates or supporting information that may be of use. The items below are what has turned up since.

-----

I see that in May 2018 SANS DFIR published "Advanced Smartphone Forensics Poster - SANS Forensics", a poster identifying the "Most Relevant Evidence Per Gigabyte", and that it includes the 'Herrevad' database (https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf).

-----

dmoreno1994's GeoAndroid .py script (https://github.com/NoSuitsSecurity/GeoAndroid) positions an Android phone without GPS by utilising the Herrevad database. The project's own description reads: "Herrevad: This database contains the WiFi connections history of preinstalled Google apps in Android OS devices. It can be WIFI connections of Google Play, Google Maps, YouTube, etc.

/data/com.google.android.gms/databases/herrevad"

-----

A report posted yesterday, 06/07/2018, on the Hybrid Analysis incident response and malware analysis website (https://www.hybrid-analysis.com/sample/338a08badc67f40697db278e20390cf6dc2247e79e4b1845ea25e6c033c2572f?environmentId=200) lists the following Receiver and Intent pairs involving Herrevad in the analysed Android sample:

Receiver
com.google.android.gms.herrevad.receivers.CaptivePortalReceiver 
Intent
android.net.conn.NETWORK_CONDITIONS_MEASURED

Receiver
com.google.android.gms.herrevad.receivers.GservicesReceiver
Intent
com.google.gservices.intent.action.GSERVICES_CHANGED
 
-----

An earlier instance of these Receiver and Intent entries is recorded in a Joe Sandbox Cloud analysis (https://www.joesandbox.com/analysis/39495/0/pdf) published 12 August 2017.

----- 

Herrevad is also of interest to Security Stack Exchange users wanting to understand how the database can reveal SSID / Cell ID geolocation information: "How do you get Geolocation information from the CellID field in the herrevad database from Google Mobile Services?" (https://security.stackexchange.com/questions/180971/how-do-you-get-geolocation-information-from-the-cellid-field-in-the-herrevad-dat)
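As an added worked example of the idea behind both the GeoAndroid script and the Stack Exchange question (this is example code written for this post, not code from GeoAndroid, SANS, or any of the tools above): the script below discovers the tables in a SQLite file, pulls records that carry a Wi-Fi identifier, a cell identifier and a timestamp, and resolves the cell identifier against an OpenCelliD-style CSV to obtain a position and radius. The table and column names in the constructed sample database, the "MCC:MNC:LAC:CID" encoding of the cell field, and the OpenCelliD rows are all assumptions for illustration and are not the real herrevad schema; run the discovery step against a real extraction and adjust the column "needles" and the cell-field parser to what you actually find.

```python
import csv
import datetime as dt
import io
import re
import sqlite3

# Constructed sample rows in the OpenCelliD CSV column order
# (radio,mcc,net,area,cell,unit,lon,lat,range,samples,changeable,created,updated,averageSignal).
# Coordinates and counts are made up for the example; use a real export for casework.
OPENCELLID_SAMPLE = """\
radio,mcc,net,area,cell,unit,lon,lat,range,samples,changeable,created,updated,averageSignal
GSM,234,15,1234,56789,0,-0.1278,51.5074,1000,12,1,1500000000,1530000000,0
LTE,310,260,4321,98765,0,-73.9857,40.7484,500,30,1,1500000000,1530000000,0
"""

# ASSUMPTION: the cell field is encoded as MCC:MNC:LAC:CID. Verify against your extraction.
CELL_ID_RE = re.compile(r"^(\d{3}):(\d{2,3}):(\d+):(\d+)$")


def parse_cell_id(value):
    """Split an assumed 'MCC:MNC:LAC:CID' string into its components, or None if malformed."""
    m = CELL_ID_RE.match(value or "")
    if not m:
        return None
    mcc, mnc, lac, cid = (int(x) for x in m.groups())
    return {"mcc": mcc, "mnc": mnc, "lac": lac, "cid": cid}


def load_cell_table(csv_text):
    """Index an OpenCelliD-style CSV by (mcc, mnc, lac, cid) -> (lat, lon, range_m)."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (int(row["mcc"]), int(row["net"]), int(row["area"]), int(row["cell"]))
        table[key] = (float(row["lat"]), float(row["lon"]), int(row["range"]))
    return table


def build_sample_db():
    """Constructed in-memory SQLite database standing in for a herrevad extraction.
    The table and column names are an ASSUMPTION for this example only."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wifi_history (
            bssid TEXT, ssid TEXT, cell_id TEXT, timestamp_ms INTEGER);
        INSERT INTO wifi_history VALUES
            ('00:11:22:33:44:55', 'CoffeeShop', '234:15:1234:56789', 1530864000000),
            ('66:77:88:99:aa:bb', 'HotelGuest', '310:260:4321:98765', 1530867600000),
            ('cc:dd:ee:ff:00:11', 'HomeNet',    'malformed',          1530871200000);
    """)
    return con


def discover_schema(con):
    """List every user table and its columns from sqlite_master, so extraction
    does not depend on guessing the schema of a particular GMS version."""
    schema = {}
    for (name,) in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"):
        schema[name] = [r[1] for r in con.execute(f'PRAGMA table_info("{name}")')]
    return schema


def find_column(cols, *needles):
    """Pick the first column whose name equals a needle, else the first that merely contains one
    (exact match first so 'ssid' is not satisfied by 'bssid')."""
    lower = {c.lower(): c for c in cols}
    for n in needles:
        if n in lower:
            return lower[n]
    for c in cols:
        if any(n in c.lower() for n in needles):
            return c
    return None


def ms_to_utc(ms):
    """Render a millisecond epoch timestamp as an ISO 8601 UTC string."""
    return dt.datetime.fromtimestamp(ms / 1000, tz=dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def locate_networks(con, cell_table):
    """Join each Wi-Fi record to a cell-tower position via its cell identifier."""
    results = []
    for table, cols in discover_schema(con).items():
        cell_col = find_column(cols, "cell")
        ssid_col = find_column(cols, "ssid")
        bssid_col = find_column(cols, "bssid")
        time_col = find_column(cols, "time")
        if None in (cell_col, ssid_col, bssid_col, time_col):
            continue  # not a table we know how to interpret; list it for manual review instead
        query = (f'SELECT "{ssid_col}", "{bssid_col}", "{cell_col}", "{time_col}" '
                 f'FROM "{table}" ORDER BY "{time_col}"')
        for ssid, bssid, cell_raw, ts in con.execute(query):
            cell = parse_cell_id(cell_raw)
            fix = cell_table.get((cell["mcc"], cell["mnc"], cell["lac"], cell["cid"])) if cell else None
            results.append({
                "table": table, "ssid": ssid, "bssid": bssid, "seen_utc": ms_to_utc(ts),
                "cell": cell,
                "lat": fix[0] if fix else None,
                "lon": fix[1] if fix else None,
                "range_m": fix[2] if fix else None,
            })
    return results


if __name__ == "__main__":
    for r in locate_networks(build_sample_db(), load_cell_table(OPENCELLID_SAMPLE)):
        where = (f"{r['lat']}, {r['lon']} (+/- {r['range_m']} m)"
                 if r["lat"] is not None else "no cell fix (unparsed or unknown cell)")
        print(f"{r['seen_utc']}  {r['ssid']:<12} {r['bssid']}  {where}")
```

The position this yields is the tower's recorded location and coverage radius, not the handset's; a further refinement, as GeoAndroid's README suggests for Wi-Fi, is to look the BSSID up in a wardriving database as well and intersect the two areas. Note the third record: a cell value that does not match the assumed encoding is reported rather than silently dropped, which matters when you are deciding whether the parser or the data is wrong.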

-----