Analysis of Android settings during a forensic investigation

By -

During the forensic examination of a smartphone, we sometimes need to understand some basic settings of the device. Some simple examples are:

  • What is the name of the device?
  • Is the "Set time automatically" option on or off?
  • Is the "Set time zone automatically" option on or off?
  • Is mobile data switched on or off?
  • Is mobile data roaming switched on or off?
On Android devices, most of these settings are managed centrally by the Android settings provider. 

This topic is covered in a blog post by Yoghes Khatri who explores a way to extract and analyze Android settings using an Android Backup created with the "keyvalue" option.

In this blog post, I'd like to expand the discussion a bit, by exploring:
  1. How can these settings be extracted?
  2. What information is potentially more relevant for a forensic investigation?

Android Settings extraction

There are basically 3 ways to extract the Android settings, depending on your case:
  1. Extracting the settings live from the device via ADB commands
  2. Creating an Andorid backup with the "keyvalue" option
  3. Performing a full file system with one of the available tools
Above all, if you are managing a "live" device that you have access to, you should always consider triaging some data off the device before turning it off. I discussed the relevance of "Order of Volatility in Modern Smartphone Forensics" at the SANS DFIR Summit 2021.

Even if you have a powered-off device that you have access to ("known passcode") and can enable ADB, it might be advisable to first extract some data using non-invasive techniques before trying to exploit the device to get a full file system dump. I have written a tool called "Android Triage" for this purpose, but there are other free tools that provide similar results (e.g. Avilla Forensics).

Extracting settings live from the device via ADB commands is quite easy:
  • Download adb tools for your platform (Windows, Mac, Linux)
  • Connect the device to your computer and pair it
  • Execute the following commands:
    • adb shell settings list global > global_settings.txt
    • adb shell settings list system > system_settings.txt
    • adb shell settings list secure > secure_settings.txt
  • Open the 3 txt files and analyze the content
If you receive a Full File System dump, the settings are saved in three XML files stored under "\data\system\users\0\":
  • settings_global.xml
  • settings_system.xml
  • settings_secure.xml
With newer Android versions (over 12), these files are stored in ABX format (Android Binary XML). They can be converted into simple XML using an open-source script from CCL Forensics. For older Android versions, these files are in simple XML format.

It is important to note that the settings are user-based: This means that in the case where you have more than one Android user, you may find different settings. In practice, this is rather rare for smartphones, but more common for tablets or other Android-based devices.

Android Settings analysis

The settings are divided into three main categories: Global, System, and Secure.

The global settings are the most interesting from a forensic point of view, as they contain settings such as date and time, time zone, device name, data roaming, and so on.

The system settings contain information about volume and brightness, while the secure settings contain settings about screen saver, accessibility, button behavior, and so on.

I have tried identifying some of the most important and frequently analyzed settings in a forensic investigation.

For each relevant setting, I have identified:
  • the source (Global, System, Secure)
  • the description (taken from the comments in the Android source code)
  • the type (boolean, integer, string)
  • the "path" a user must follow to find the specific setting.  This "path" is based on a Google Pixel 7A running Android 14: each individual manufacturer can customize where the setting is located in the GUI (but not where the setting information is located)
There are some values whose content is not determined by a setting changed by the user. For example:
  • "boot_count" in the Global Settings, is an integer value that counts the number of times the device has booted since the last reset;
  • "time_remaining_estimate_millis" in the Global Settings, is a long value that indicates how long the system battery is estimated to last in millis;
  • "android_id" in the Secure Settings stores the Android ID of the device;
  • "bluetooth_address" in the Secure Settings stores the Bluetooth Mac Address of the device;
  • "bluetooth_name" in the Secure Settings stores the Bluetooth Name of the device
Here is a list of the most important settings that can be customized by the user.

device_name

Source: Global
Type: String
Description: The name of the device
Path: Settings --> About Phone --> Device Name

airplane_mode_on

Source: Global
Type: Boolean
Description: Whether Airplane Mode is on. (1 = on, 0 = off)
Path: Settings --> Network & Internet --> Airplane Mode

wifi_on

Source: Global
Type: Boolean
Description: Whether the Wi-Fi should be on. Only the Wi-Fi service should touch this. (1 = on, 0 = off)
Path: Settings --> Network & Internet --> Internet --> Wi-Fi

bluetooth_on

Source: Global
Type: Boolean
Description: Whether Bluetooth is enabled/disabled 0=disabled. 1=enabled.
Path: Settings --> Connected Devices --> Connection preferences --> Bluetooth --> Use Bluetooth

multi_sim_data_call
multi_sim_sms
multi_sim_voice_call

Source: Global
Type: Boolean
Description: Subscription Id to be used for data call, SMS and voice call on a multi sim device.
Path: Settings --> Network & Internet --> Internet --> <SIM operator> --> Settings --> Use SIM

mobile_data
mobile_data1

Source: Global
Type: Boolean
Description: Whether mobile data connections are allowed by the user.
Path: Settings --> Network & Internet --> Internet --> <SIM Operator> --> Settings --> Mobile Data

data_roaming
data_roaming1

Source: Global
Type: Boolean
Description: Whether or not data roaming is enabled. (0 = false, 1 = true).
Path: Settings --> Network & Internet --> Internet --> <SIM Operator> --> Settings --> Roaming

wifi_networks_available_notification_on

Source: Global
Type: Boolean
Description: Whether to notify the user of open networks. (0 = false, 1 = true).
Path: Settings --> Network & Internet --> Internet --> Network Preferences --> Notify for public networks

wifi_wakeup_enabled

Source: Global
Type: Boolean
Description: Value to specify if Wi-Fi Wakeup feature is enabled. (0 = false, 1 = true).
Path: Settings --> Network & Internet --> Internet --> Network Preferences --> Turn on Wi-Fi automatically

auto_time

Source: Global
Type: Boolean
Description: Value to specify if the device's UTC system clock should be set automatically, e.g. using telephony signals like NITZ, or other sources like GNSS or NTP. (0 = false, 1 = true).
Path: Settings --> System --> Date & Time --> Set time automatically

auto_time_zone

Source: Global
Type: Boolean
Description: Value to specify if the device's time zone system property should be set automatically, e.g. using telephony signals like MCC and NITZ, or other mechanisms like the location. (0 = false, 1 = true).
Path: Settings --> System --> Date & Time --> Timezone --> Set Automatically

ble_scan_always_enabled

Source: Global
Type: Boolean
Description: Settings to allow BLE scans to be enabled even when Bluetooth is turned off for connectivity. (0 = false, 1 = true).
Path: Settings --> Location --> Location Services --> Bluetooth Scanning

wifi_scan_always_enabled

Source: Global
Type: Boolean
Description: Setting to allow scans to be enabled even wifi is turned off for connectivity. (0 = false, 1 = true).
Path: Settings --> Location --> Location Services --> Wi-Fi Scanning

assisted_gps_enabled

Source: Global
Type: Boolean
Description: Whether assisted GPS should be enabled or not.
Path: Settings --> Location --> Location Services --> Google Location Accuracy

development_settings_enabled

Source: Global
Type: Boolean
Description: Whether user has enabled development settings.
Path: Settings --> System --> Developer options --> Use developer options

adb_enabled

Source: Global
Type: Boolean
Description: Whether user has enabled development settings.
Path: Settings --> System --> Developer options --> USB debugging

stay_on_while_plugged_in

Source: Global
Type: Boolean
Description: Whether we keep the device on while the device is plugged in.
Path: Settings --> System --> Developer Options --> Stay awake

ota_disable_automatic_update

Source: Global
Type: Boolean
Description: Whether to disable the automatic scheduling of system updates.
        * 1 = system updates won't be automatically scheduled (will always present notification instead).
        * 0 = system updates will be automatically scheduled. (default)
Path: Settings --> System --> Developer Options --> Automatic system update

verifier_verify_adb_installs

Source: Global
Type: Boolean
Description: Run package verification on apps installed through ADB/ADT/USB
        * 1 = perform package verification on ADB installs (default)
        * 0 = bypass package verification on ADB installs
Path: Settings --> System --> Developer Options --> Verify apps over USB

user_switcher_enabled

Source: Global
Type: Boolean
Description: Whether or not switching/creating users is enabled by user.
Path: Settings --> System --> Multiple users --> Allow multiple users


I am sure other relevant values could be helpful in a forensic investigation. I'll keep this list updated!

Comments

Post a Comment

Popular posts from this blog

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information

By -
Image
As explained in the first blog post, I would like to start discussing the acquisition and processing details. The acquisition was done by Josh Hickman using the Cellebrite Premium tool and the result is a Full File System capture in the traditional file format created by UFED. If you open the file EXTRACTION _FFS.zip ZIP you will see that UFED organizes the extracted full file system into 5 subfolders; filesystem1 : extraction of system partition, without the mount point “/private/var/mobile/” (“user data") filesystem2: extraction of the mount point for user data (“/private/var/mobile”) metadata1: metadata for files stored in “filesystem1” metadata1: metadata for files stored in “filesystem2” extra: iOS Keychain As always, when an acquisition is made with UFED, the ZIP file is accompanied by a UFD file that contains all the details of the acquisition process. UFED PA can load an acquisition created with UFED 4PC/Premium by simply loading the UFD file into PA GUI. The user has just
Keep reading

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading