Analysis of Android settings during a forensic investigation

During the forensic examination of a smartphone, we sometimes need to understand some basic settings of the device. Some simple examples are:

  • What is the name of the device?
  • Is the "Set time automatically" option on or off?
  • Is the "Set time zone automatically" option on or off?
  • Is mobile data switched on or off?
  • Is mobile data roaming switched on or off?
On Android devices, most of these settings are managed centrally by the Android settings provider. 

This topic is covered in a blog post by Yoghes Khatri who explores a way to extract and analyze Android settings using an Android Backup created with the "keyvalue" option.

In this blog post, I'd like to expand the discussion a bit, by exploring:
  1. How can these settings be extracted?
  2. What information is potentially more relevant for a forensic investigation?

Android Settings extraction

There are basically 3 ways to extract the Android settings, depending on your case:
  1. Extracting the settings live from the device via ADB commands
  2. Creating an Andorid backup with the "keyvalue" option
  3. Performing a full file system with one of the available tools
Above all, if you are managing a "live" device that you have access to, you should always consider triaging some data off the device before turning it off. I discussed the relevance of "Order of Volatility in Modern Smartphone Forensics" at the SANS DFIR Summit 2021.

Even if you have a powered-off device that you have access to ("known passcode") and can enable ADB, it might be advisable to first extract some data using non-invasive techniques before trying to exploit the device to get a full file system dump. I have written a tool called "Android Triage" for this purpose, but there are other free tools that provide similar results (e.g. Avilla Forensics).

Extracting settings live from the device via ADB commands is quite easy:
  • Download adb tools for your platform (Windows, Mac, Linux)
  • Connect the device to your computer and pair it
  • Execute the following commands:
    • adb shell settings list global > global_settings.txt
    • adb shell settings list system > system_settings.txt
    • adb shell settings list secure > secure_settings.txt
  • Open the 3 txt files and analyze the content
If you receive a Full File System dump, the settings are saved in three XML files stored under "\data\system\users\0\":
  • settings_global.xml
  • settings_system.xml
  • settings_secure.xml
With newer Android versions (over 12), these files are stored in ABX format (Android Binary XML). They can be converted into simple XML using an open-source script from CCL Forensics. For older Android versions, these files are in simple XML format.

It is important to note that the settings are user-based: This means that in the case where you have more than one Android user, you may find different settings. In practice, this is rather rare for smartphones, but more common for tablets or other Android-based devices.

Android Settings analysis

The settings are divided into three main categories: Global, System, and Secure.

The global settings are the most interesting from a forensic point of view, as they contain settings such as date and time, time zone, device name, data roaming, and so on.

The system settings contain information about volume and brightness, while the secure settings contain settings about screen saver, accessibility, button behavior, and so on.

I have tried identifying some of the most important and frequently analyzed settings in a forensic investigation.

For each relevant setting, I have identified:
  • the source (Global, System, Secure)
  • the description (taken from the comments in the Android source code)
  • the type (boolean, integer, string)
  • the "path" a user must follow to find the specific setting.  This "path" is based on a Google Pixel 7A running Android 14: each individual manufacturer can customize where the setting is located in the GUI (but not where the setting information is located)
There are some values whose content is not determined by a setting changed by the user. For example:
  • "boot_count" in the Global Settings, is an integer value that counts the number of times the device has booted since the last reset;
  • "time_remaining_estimate_millis" in the Global Settings, is a long value that indicates how long the system battery is estimated to last in millis;
  • "android_id" in the Secure Settings stores the Android ID of the device;
  • "bluetooth_address" in the Secure Settings stores the Bluetooth Mac Address of the device;
  • "bluetooth_name" in the Secure Settings stores the Bluetooth Name of the device
Here is a list of the most important settings that can be customized by the user.

device_name

Source: Global
Type: String
Description: The name of the device
Path: Settings --> About Phone --> Device Name

airplane_mode_on

Source: Global
Type: Boolean
Description: Whether Airplane Mode is on. (1 = on, 0 = off)
Path: Settings --> Network & Internet --> Airplane Mode

wifi_on

Source: Global
Type: Boolean
Description: Whether the Wi-Fi should be on. Only the Wi-Fi service should touch this. (1 = on, 0 = off)
Path: Settings --> Network & Internet --> Internet --> Wi-Fi

bluetooth_on

Source: Global
Type: Boolean
Description: Whether Bluetooth is enabled/disabled 0=disabled. 1=enabled.
Path: Settings --> Connected Devices --> Connection preferences --> Bluetooth --> Use Bluetooth

multi_sim_data_call
multi_sim_sms
multi_sim_voice_call

Source: Global
Type: Boolean
Description: Subscription Id to be used for data call, SMS and voice call on a multi sim device.
Path: Settings --> Network & Internet --> Internet --> <SIM operator> --> Settings --> Use SIM

mobile_data
mobile_data1

Source: Global
Type: Boolean
Description: Whether mobile data connections are allowed by the user.
Path: Settings --> Network & Internet --> Internet --> <SIM Operator> --> Settings --> Mobile Data

data_roaming
data_roaming1

Source: Global
Type: Boolean
Description: Whether or not data roaming is enabled. (0 = false, 1 = true).
Path: Settings --> Network & Internet --> Internet --> <SIM Operator> --> Settings --> Roaming

wifi_networks_available_notification_on

Source: Global
Type: Boolean
Description: Whether to notify the user of open networks. (0 = false, 1 = true).
Path: Settings --> Network & Internet --> Internet --> Network Preferences --> Notify for public networks

wifi_wakeup_enabled

Source: Global
Type: Boolean
Description: Value to specify if Wi-Fi Wakeup feature is enabled. (0 = false, 1 = true).
Path: Settings --> Network & Internet --> Internet --> Network Preferences --> Turn on Wi-Fi automatically

auto_time

Source: Global
Type: Boolean
Description: Value to specify if the device's UTC system clock should be set automatically, e.g. using telephony signals like NITZ, or other sources like GNSS or NTP. (0 = false, 1 = true).
Path: Settings --> System --> Date & Time --> Set time automatically

auto_time_zone

Source: Global
Type: Boolean
Description: Value to specify if the device's time zone system property should be set automatically, e.g. using telephony signals like MCC and NITZ, or other mechanisms like the location. (0 = false, 1 = true).
Path: Settings --> System --> Date & Time --> Timezone --> Set Automatically

ble_scan_always_enabled

Source: Global
Type: Boolean
Description: Settings to allow BLE scans to be enabled even when Bluetooth is turned off for connectivity. (0 = false, 1 = true).
Path: Settings --> Location --> Location Services --> Bluetooth Scanning

wifi_scan_always_enabled

Source: Global
Type: Boolean
Description: Setting to allow scans to be enabled even wifi is turned off for connectivity. (0 = false, 1 = true).
Path: Settings --> Location --> Location Services --> Wi-Fi Scanning

assisted_gps_enabled

Source: Global
Type: Boolean
Description: Whether assisted GPS should be enabled or not.
Path: Settings --> Location --> Location Services --> Google Location Accuracy

development_settings_enabled

Source: Global
Type: Boolean
Description: Whether user has enabled development settings.
Path: Settings --> System --> Developer options --> Use developer options

adb_enabled

Source: Global
Type: Boolean
Description: Whether user has enabled development settings.
Path: Settings --> System --> Developer options --> USB debugging

stay_on_while_plugged_in

Source: Global
Type: Boolean
Description: Whether we keep the device on while the device is plugged in.
Path: Settings --> System --> Developer Options --> Stay awake

ota_disable_automatic_update

Source: Global
Type: Boolean
Description: Whether to disable the automatic scheduling of system updates.
        * 1 = system updates won't be automatically scheduled (will always present notification instead).
        * 0 = system updates will be automatically scheduled. (default)
Path: Settings --> System --> Developer Options --> Automatic system update

verifier_verify_adb_installs

Source: Global
Type: Boolean
Description: Run package verification on apps installed through ADB/ADT/USB
        * 1 = perform package verification on ADB installs (default)
        * 0 = bypass package verification on ADB installs
Path: Settings --> System --> Developer Options --> Verify apps over USB

user_switcher_enabled

Source: Global
Type: Boolean
Description: Whether or not switching/creating users is enabled by user.
Path: Settings --> System --> Multiple users --> Allow multiple users


I am sure other relevant values could be helpful in a forensic investigation. I'll keep this list updated!

Comments

Popular posts from this blog

A first look at Android 14 forensics

Huawei backup decryptor

Dissecting the Android WiFiConfigStore.xml for forensic analysis