Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

By -
I spent the last couple of weeks investigating iOS 13 acquisitions "Before First Unlock".

I want to start this blog post with an important point: USB Restricted Mode.

Since iOS 11.4.1, Apple introduced a new security measure called "USB Restricted Mode" that, basically, disables USB data connection under certain conditions.

The effects of USB Restricted Mode on an iOS device and possible ways to overcome it in a non-jailbroken device were intensively discussed on various blogs.

Some references on this topic are:
One of the cases in which USB Restricted Mode is activated is after a reboot: just after a reboot the USB port can be used only for charging and the passcode must be inserted to allow data transfer. 

This is true in a normal iOS boot.

With the checkm8 exploit it seems reasonable to think that the "USB Restricted Mode" limitation can be bypassed/disabled. As I wrote on Twitter, I am not an exploitation expert but I can share the results of different tests I did.

I tested Checkra1n version 0.95 on three different devices, specifically:
  • An iPhone 5s with iOS 12.4.3
  • An iPhone X with iOS 13.1.3
  • An iPhone 7 with iOS 13.2.2
In all of these cases I was able to have a successful access to the device BFU.

On a different iPhone 7, upgraded to iOS 13.2.3, I had to use checkra1n 0.96, as version 0.95 doesn't support the specific iOS version. In this case USB restricted mode was in place and I was not able to bypass it.

I am confident that someone in the forensics world will come up soon with a stable solution to allow the "exploit" of an iOS device by allowing USB data transfer also before first unlock.

In the meanwhile, it is in any case interesting to go on investigating which information can be extracted from an iOS device Before First Unlock, so basically which files are in the "NSFileProtectionNone" data protection class.

iOS 13 File System Layout

Before going into a detailed view of available files in BFU mode, it is useful to provide an overview on the file system layout in iOS 13.

Once connected to the device through SSH, by simply running the mount command you can get the partitions layout.


Unless your are doing a malware analysis on the device, all the relevant data from a forensic perspective is stored in /private/var folder.

By running df -ah you can easily examine the amount of data stored in each partition.


As a reminder: because of the complex and strong encryption method used by Apple to store files on the internal memory, at the moment there is no available/known technique that can be used to recover deleted files on an iOS device. We should then base our analysis on what can be found at the file system level.

With ls -la /private/var/ you can list the subfolders. 
Here is where you will find all the operating system configuration and user data. 

Extracting file information

By running commands like find /private/var -type f -name "*.ext" you can easily get the list of files with a specific extension. 

You can search, for example, for PDF, XLS, DOC and you will most probably find hints in the Mail folder related to an email attachment. You can find hits also in Third Party Applications like WhatsApp, Telegram or Signal.


Other useful find commands you can run are:
  • find /private/var -type d -name "*@g.us*", to extract WhatsApp groups folders name
  • find /private/var -type d -name "*@s.whatsapp.net*", to extract WhatsApp contacts list
  • find /private/var -type d -name "*IMAP-*", to extract email address configured in the native Mail app
  • find /private/var -type d -name "*Skype4LifeSlimCore*", to extract the path where the Skype username is included
  • find /private/var -type d -name "*com.twitter.TwitterSignalProtocol*", to extract the path where the Twitter username is included

Files available Before First Unlock

In this section we analyse which files are available in a "Before First Unlock" acquisition.

We can categorise these data in three types:
  • Operating system configuration
  • Operating system and applications usage log files
  • User data files
    • Native applications
    • Third party applications

Operating system configuration and preferences

In this section we include all the files storing operating system configuration and preferences.
The most relevant folders are:
  • /private/var/db/
  • /private/var/preferences/SystemConfiguration
  • /private/var/mobile/Library/Preferences/
  • /private/var/root/Library/Preferences
  • /private/var/wireless/Library/Preferences/
In /private/var/db you can find various subfolders


The dhcp_leases file contains IP addresses assigned to connected devices, when the Personal Hotspot was in use on the device.


In the dhcpclient/leases folder you will find a plist file, named as the Wi-Fi Mac Address of the device, containing the last IP configuration and the connected SSID.


The analyticsd folder contains files named like Analytics-Journal-YYYY-MM-DD-HHMMSS.ips


Every single file contains a timestamp and the iOS version that was installed on the device at the specific timestamp.

In the timezone subfolder, localtime is an "alias", pointing to the timezone actually set on the device.


In the systemstats subfolder the last_build file contains the actually installed build number (iOS version).


In the spindump subfolder the UUIDToBinaryLocations is a plist file containing the build number and the mapping between UDID and Binary location for System binary files.


In /private/var/preferences/SystemConfiguration you can find:

com.apple.accounts.exists.plist
Information about configured accounts on the device, grouped by type (for example, Apple, Google, Facebook, E-mail, and so on)


NetworkInterfaces.plist
Information about network interfaces of the device.
This file can be parsed with Sysdiagnose Network Interfaces script.


com.apple.wifi.plist
Information about Wi-Fi networks configured on the device.
This file can be parsed with Sysdiagnose WiFi Plist script.


preferences.plist
Hostname and network preferences
This file can be parsed with Sysdiagnose Network Preferences script.


com.apple.radios.plist
Airplane mode on or off


In /private/var/mobile/Library/Preferences/ you can find:

com.apple.madrid.plist
It contains iMessage configuration


com.apple.MobileSMS.plist
It contains SMS configuration and can contain phone numbers


com.apple.identityservices.idstatuscache.plist
It contains contact information.
A good reference about this file is available on Cellebrite website


com.apple.purplebuddy.plist
It contains language and country code


com.apple.assistant.backedup.plist
It contains iCloud sync settings


com.apple.cmfsyncagent.plist
It contains a list of blocked contacts


com.apple.locationd.plist
It contains the "Location Services" setting (Enabled = 1; Disabled = 0).


com.apple.mobile.ldbackup.plist
It contains the last iTunes and last iCloud backup date and timezone.

com.apple.Preferences.plist
It contains information about disk usage (available storage, number of installed application, number of pictures in the Camera Roll, and so on). Similar content is available in the com.apple.atc.plist file


com.apple.sharingd.plist
It contains the device AirDrop ID


com.apple.timed.plist
It contains Auto Time and Auto Time Zone settings.


com.apple.preferences.datetime.plist
It contains the timezone set on the device


com.apple.cloud.quota.plist
It contains iCloud quota information (total space, total available and total used)


In /private/var/root/Library/preferences/ you can find:

com.apple.MobileBackup.plist
It contains Information about the last device reset. In particular, it contains the backup version of iOS, the iOS version installed on the device at the time of recovery, the recovery date, and whether the backup was restored from iCloud.
This file can be parsed with Sysdiagnose Mobile Backup script.

In /private/var/wireless/Library/preferences/ you can find:

com.apple.commcenter.plist
It contains information about the carrier in use, the SIM card ICCID and the associated phone 
number.


com.apple.commcenter.counts.plist
It contains statistics on the use of data and cellular network (for example, bytes received/sent, SMS received/sent, and so on).


com.apple.callservices.plist
It contains the last known iCloud account.

com.apple.commcenter.device_specific_nobackup.plist
It contains the device IMEI.

Operating system and applications usage log files

Information about operating system and applications usage can be found in different places among the device file system. 

/private/var/installd/Library/


The most interesting files here are /Logs/MobileInstallation/mobile_installation.log.N
In our experiments only mobile_installation.log.0 is available BFU, while the other(s) become available once the device is unlocked.

These files were extensively investigated and analysed by Alexis Brignoni and a peer reviewed article is available on DFRWS DFIR Review website.
Alexis also developed a parser for these logs, available on his GitHub account.

The LastBuildInfo.plist file contains the operating system version.


/private/var/log

No useful information was found in this folder during our tests, a part the corecaptured.log file that contains timestamps and can be useful when building a timeline.


/private/var/logs

Various timestamped logs are available in this folder: in particular keybagd.log* and lockdownd.log* can be useful to determine device usage. During our tests in BFU mode we were able to extract the keybagd.log.0 file and both the lockdownd logs.


/private/var/root/Library/

This folder contains various subfolders with application usage logs.


The /Logs/MobileContainerManager contains Mobile Container Manager logs, named containermanagerd.log.
These logs can be parsed with Sysdiagnose Mobile Container Manager script.


The MobileContainerManager folder contains the contaniners3.sqlite database, where you can find information about installed applications.


The Lockdown folder contains the pair_records and the the escrow_records subfolder where pairing plist files are stored. Here the data_ark.plist is also stored, containing various information about the device like the device name, the language, the timezone, the iOS version and the computer type and name where the last backup was executed.


The /Caches/locationd/cache.plist file contains the device UDID


Additional files are available only AFU like, for example:
  • /Caches/locationd/cache_encryptedB.db
  • /Caches/locationd/cache_encryptedC.db
  • /Caches/locationd/gyroCal.db
  • /Caches/com.apple.wifid/ThreeBars.sqlite
/private/var/wireless/

This folder contains various subfolders. 


The most interesting files are Library/Databases/CellularUsage.db and Library/Databases/DataUsage.sqlite.


The CellularUsage.db contains the list of SIM card ICCID’s which have been present in the device iPhone. This file is covered in a article on BlackBag website and on the Salt4n6.com blog.

The DataUsage.sqlite contains information about application usage and its content was analysed by Sarah Edwards on her blog. The APOLLO tool can be used to parse this file.

Two queries to extract information from this database are available in the APOLLO opensource tool.

Native and third party application data

The most important folder containing user information is the /private/var/mobile: it contains  data for native and third party applications and a lot of configuration and log files.


The most interesting folder during an analysis are: Containers, Library and Media.

/private/var/mobile/Library/ folder

The Library folder contains data and logs for native applications.


Most of the data in this folder is encrypted with the passcode, and so is available only After First Unlock, but a lot of information is not encrypted with the passcode and so is available also Before First Unlock.

The Accounts folder contains a database named Accounts3.sqlite: it stores details of the accounts configured on the device (for example, username and type of stored credentials such as password, OAuth, and so on). 


A simple SQL query that can be used to parse this file is

SELECT
ZACCOUNTTYPEDESCRIPTION,
ZUSERNAME,
DATETIME(ZDATE+978307200,'UNIXEPOCH','UTC' ) AS 'ZDATE TIMESTAMP',
ZACCOUNTDESCRIPTION,
ZACCOUNT.ZIDENTIFIER,
ZACCOUNT.ZOWNINGBUNDLEID
FROM ZACCOUNT
JOIN ZACCOUNTTYPE ON ZACCOUNTTYPE.Z_PK=ZACCOUNT.ZACCOUNTTYPE
ORDER BY ZACCOUNTTYPEDESCRIPTION


The AggregatedDictionary contains the ADDataStore.sqlitedb
This file was covered by Sarah Edwards in a blog post.


Two queries to extract information from this database are available in the APOLLO opensource tool.


The AppConduit folder contains two plist files. 


AvailableCompanionApps.plist contains a list of installed Apps


AvailableApps.plist seems containing the list of installed apps on the synced Apple Watch.


The ApplicationSync folder contains a single plist file. 


AssetSortOrder.plist
This file contains the application order on the SpringBoard. In my test this file was not recently updated, so it is possibly a remanence from previous iOS versions.


The Calendar folder contains various file, but not all of them are available BFU.
In particular the Calendar.sqlitedb, containing user calendar entries, is not available BFU.


Notifications.Calendar.Protected is a plist file that can contain references to calendar entries.


The CallHistoryDB folder contains Call History databases. In a BFU acquisition you can typically find this folder layout


The CallHistory.storedata file contains the real call history, and is not available BFU. The CallHistoryTemp.storedata file contains all the calls received on the device after the last successfull first unlock. This file is available, as expected, BFU.

The com.apple.itunesstored contains various SQLite databases related to activities on the iTunes store. 


The kvs.sqlitedb, for example, contains references to installed applications. In particular it contains an embedded plist file containing the list of downloaded apps.


The itunesstored2.sqlitedb also contains references to installed applications, with timestamps


The DataAccess folder contains a subfolder for each email account set in the native Mail app. In my tests the modified timestamp of the various subfolders where quite old, so probably this folder is not used anymore in recent iOS versions. 


The DeviceRegistry and the DeviceRegistry.state folders contain information synced from the paired AppleWatch.



Various interesting files are available in these folders. I suggest you to read my blog post on Elcomsoft website on Apple Watch Forensics Analysis.
As an example, the NanoMail/Registry.sqlite contains the list of synced email accounts.


The NanoAppRegistry folder contains a subfolder for each installed application. Every single folder contains a plist file detailing the version of the application, and other useful information.


The Frontboard folder contains a database named applicationState.db.


This database was covered by Alexis Brignoni in a blog post titled "Identifying installed and uninstalled apps in iOS". A good query to parse this file is available on Alexis GitHub account.


The Logs folder contains various files and subfolders.


The most interesting folders available BFU are AppConduit, CrashReporter and mobileactivationd.

The AppConduit folder typically contains two log files named AppConduit.log.0 and AppConduit.log.1. In my tests, only the first one is available BFU.


An AppConduit log file can be processed with the Sysdiagnose AppConduit Script.

The mobileactivationd folder typically contains 5 log files named mobileactivationd.log.N where N is a between 0 and 4. In my tests, only the first one is available BFU.


A mobileactivationd log file can be processed with the Sysdiagnose MobileActivation Script.

The CrashReporter folder contains Crash Logs, WiFi Manager logs and, eventually, user created Sysdiagnose logs. I strongly suggest you to read the document I wrote with Heather Mahalik and Adrian Leong on Crash and Sysdiagnose Logs

The WiFi subfolder is the most interesting one as it contains WiFi Manager logs. 


These files can be processed with Sysdiagnose WiFi Net Script and with Sysdiagnose WiFi KML Script.

The SMS folder contains SMS databases. Most of the files are not available BFU, but you could find a file named sms-temp.db that contains all the SMS messages received on the device after the last successful first unlock. 


The SpringBoard folder contains various file related to the Springboard.


The IconState.plist file contains the icons layout on the SpringBoard


The LockBackgroundThumbnail.jpg contains the background picture used when the device is locked.


The TCC folder contains a SQLite database name TCC.db


The TCC.db database contains access privileges assigned to applications (for example permissions to access Camera, Photos, Address Book, Microphone and so on).


Additional information can be found in the Caches folder, where, for example, I was able to find references to Wallet Passes in /private/var/mobile/Library/Caches/com.apple.mobilesms.compose/com.apple.Passbook

/private/var/mobile/Media/ folder

The Media folder contains data related to images, videos and audios.


The DCIM folder, containing the list of images and videos stored in the Photo Roll, is not available BFU. You can run an ls command in this folder BFU to extract the list of pictures, with related filesystem timestamps.


The iTunesControl/iTunes/MediaLibrary.sqlitedb database contains the user iCloud account ID and the shopping database on the iTunes Store. 

Here follows a good query to parse this database.

select
ext.title AS "Title",
ext.media_kind AS "Media Type",
itep.format AS "File format",
ext.location AS "File",
ext.total_time_ms AS "Total time (ms)",
ext.file_size AS "File size",
ext.year AS "Year",
alb.album AS "Album Name",
alba.album_artist AS "Artist", 
com.composer AS "Composer", 
gen.genre AS "Genre",
art.artwork_token AS "Artwork",
itev.extended_content_rating AS "Content rating",
itev.movie_info AS "Movie information",
ext.description_long AS "Description",
ite.track_number AS "Track number",
sto.account_id AS "Account ID",
strftime('%d/%m/%Y %H:%M:%S', datetime(sto.date_purchased + 978397200,'unixepoch'))date_purchased,
sto.store_item_id AS "Item ID",
sto.purchase_history_id AS "Purchase History ID",
ext.copyright AS "Copyright"
from
item_extra ext
join item_store sto using (item_pid)
join item ite using (item_pid)
join item_stats ites using (item_pid)
join item_playback itep using (item_pid)
join item_video itev using (item_pid)
left join album alb on sto.item_pid=alb.representative_item_pid
left join album_artist alba on sto.item_pid=alba.representative_item_pid
left join composer com on sto.item_pid=com.representative_item_pid
left join genre gen on sto.item_pid=gen.representative_item_pid
left join item_artist itea on sto.item_pid=itea.representative_item_pid
left join artwork_token art on sto.item_pid=art.entity_pid 


The iTunesControl/iTunes/iTunesPrefs contains the list of computer where the device was connected to.

/private/var/mobile/Containers/ folder

The Containers folder contains data related to Native and Third Party Applications.
It contains two useful subfolders: Data and Shared


Here follows a list of files I was able to find in different extractions BFU for some of the most commonly used applications.

Mail

The native Mail application stores data in /private/var/Library/Mail, and email files are not available BFU. 

The app stores cached images in the /private/var/Containers/Application/<GUID>/Caches folder: these files are available also BFU and here you can typically find images sent or received by email.


The app also stores some emails in PDF format in the /private/var/Containers/Application/<GUID>/tmp/MFScreenshotsService folder.

WhatsApp

The WhatsApp app stores data both in Data and Shared subfolder.
Most of the Databases and plist configuration files are not available BFU, but log files are available.

In particular the folder /private/var/mobile/Containers/Application/<GUID>/Library/Logs contains various logs file about WhatsApp activities.


Viber

The Viber app stores data both in Data and Shared subfolder.
Most of the Databases and plist configuration files are not available BFU, but log files are available.

In particular the folder /private/var/mobile/Containers/Application/<GUID>/Documents contains a database named Settings.data containing user account information.

Conclusions

As you can see, although most of the user data is encrypted BFU, a lot of information can be extracted from an iOS device also when the passcode is not available.

Additional research is needed to find configuration and data files for both native and third party applications, but you can start your investigation by processing the following list of files and folders.

If you see any error or discrepancy, please let me know and I will be happy to integrate this list.

Operating System Configuration and Preferences

  • /private/var/db/analyticsd
  • /private/var/db/dhcp_leases
  • /private/var/db/dhcpclient/leases
  • /private/var/db/spindump
  • /private/var/db/systemstats
  • /private/var/db/timezone
  • /private/var/mobile/Library/Preferences/com.apple.madrid.plist
  • /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist
  • /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist
  • /private/var/mobile/Library/Preferences/com.apple.purplebuddy.plist
  • /private/var/mobile/Library/Preferences/com.apple.assistant.backedup.plist
  • /private/var/mobile/Library/Preferences/com.apple.cmfsyncagent.plist
  • /private/var/mobile/Library/Preferences/com.apple.locationd.plist
  • /private/var/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist
  • /private/var/mobile/Library/Preferences/com.apple.Preferences.plist
  • /private/var/mobile/Library/Preferences/com.apple.sharingd.plist
  • /private/var/mobile/Library/Preferences/com.apple.timed.plist
  • /private/var/mobile/Library/Preferences/com.apple.preferences.datetime.plist
  • /private/var/mobile/Library/Preferences/com.apple.atc.plist
  • /private/var/mobile/Library/Preferences/com.apple.cloud.quota.plist
  • /private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist
  • /private/var/preferences/SystemConfiguration/NetworkInterfaces.plist
  • /private/var/preferences/SystemConfiguration/com.apple.wifi.plist
  • /private/var/preferences/SystemConfiguration/preferences.plist
  • /private/var/preferences/SystemConfiguration/com.apple.radios.plist
  • /private/var/root/Library/preferences/com.apple.MobileBackup.plist
  • /private/var/root/Library/Caches/locationd/cache.plist
  • /private/var/wireless/Library/preferences/com.apple.commcenter.plist
  • /private/var/wireless/Library/preferences/com.apple.commcenter.device_specific_no_backup.plist
  • /private/var/wireless/Library/preferences/com.apple.commcenter.counts.plist
  • /private/var/wireless/Library/preferences/com.apple.callservices.plist

Operating system and applications usage log files

  • /private/var/installd/Library/Logs/MobileInstallation/
  • /private/var/installd/Library/MobileInstallation/LastBuildInfo.plist
  • /private/var/log
  • /private/var/logs
  • /private/var/root/Library/Logs/MobileContainerManager
  • /private/var/root/Library/MobileContainerManager/containers.sqlite3
  • /private/var/root/Library/Lockdown/data_ark.plist
  • /private/var/root/Library/Lockdown/pair_record
  • /private/var/root/Library/Lockdown/escrow_records
  • /private/var/wireless/Library/Databases/CellularUsage.db
  • /private/var/wireless/Library/Databases/DataUsage.db

Native and third party application data

  • /private/var/mobile/Library/Accounts/Accounts3.sqlite
  • /private/var/mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb
  • /private/var/mobile/Library/AppConduit/AvailableCompanionApps.plist
  • /private/var/mobile/Library/AppConduit/AvailableApps.plist
  • /private/var/mobile/Library/ApplicationSync/AssetSortOrder.plist
  • /private/var/mobile/Library/Calendar/Notifications.Calendar.Protected
  • /private/var/mobile/Library/CallHistoryDB/CallHistoryTemp.storedata
  • /private/var/mobile/Library/com.apple.itunesstored/kvs.sqlitedb
  • /private/var/mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb
  • /private/var/mobile/Library/DataAccess
  • /private/var/mobile/Library/DeviceRegistry
  • /private/var/mobile/Library/DeviceRegistry.state
  • /private/var/mobile/Library/Frontboard/applicationState.db
  • /private/var/mobile/Library/Logs/AppConduit
  • /private/var/mobile/Library/Logs/mobileactivationd
  • /private/var/mobile/Library/Logs/CrashReporter
  • /private/var/mobile/Library/SMS/sms-temp.db
  • /private/var/mobile/Library/SpringBoard/IconState.plist
  • /private/var/mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg
  • /private/var/mobile/Library/TCC/TCC.db
  • /private/var/mobile/Media/DCIM
  • /private/var/mobile/Media/iTunesControl/iTunes/MediaLibrary.sqlitedb
  • /private/var/mobile/Media/iTunesControl/iTunes/iTunesPrefs
  • /private/var/mobile/Containers/Application/<WHATSAPP-GUID>/Library/Logs/whatsapp-YYYY-MM-DD-HH-MM-SSS*.log
  • /private/var/mobile/Containers/Application/<MAILAPP-GUID>/Caches
  • /private/var/mobile/Containers/Application/<VIBER-GUID>/Documents/Settings.data

Comments

Post a Comment

Popular posts from this blog

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information

By -
Image
As explained in the first blog post, I would like to start discussing the acquisition and processing details. The acquisition was done by Josh Hickman using the Cellebrite Premium tool and the result is a Full File System capture in the traditional file format created by UFED. If you open the file EXTRACTION _FFS.zip ZIP you will see that UFED organizes the extracted full file system into 5 subfolders; filesystem1 : extraction of system partition, without the mount point “/private/var/mobile/” (“user data") filesystem2: extraction of the mount point for user data (“/private/var/mobile”) metadata1: metadata for files stored in “filesystem1” metadata1: metadata for files stored in “filesystem2” extra: iOS Keychain As always, when an acquisition is made with UFED, the ZIP file is accompanied by a UFD file that contains all the details of the acquisition process. UFED PA can load an acquisition created with UFED 4PC/Premium by simply loading the UFD file into PA GUI. The user has just
Keep reading

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading