
AndroidQF output file dictionary

This document is part of a technical documentation repository whose main objective is to establish a baseline of proven, flexible and accessible knowledge to boost consensual forensic analysis in support of civil society across the globe. To organize the contents, we use the technical documentation framework Diátaxis.

This particular resource fits within the reference category in Diátaxis, and contains information about the files generated by the tool androidqf when conducting a forensic extraction of an Android device. The objective is to facilitate the understanding of the resulting files, so that an analyst knows what files are generated, what information they include, how to use them, where to look for specific information, in what format to find it, and why it could be helpful from a forensic standpoint. Additionally, the equivalent ADB commands for each module are included to show the queries that AndroidQF performs internally and how they can be replicated manually. In cases where the output of the ADB command differs from the file generated by AndroidQF, an example of the actual output of the command is also added to show these differences and facilitate their interpretation.

This resource was last updated on November 26, 2025 and the commit e6bbc564bf9d1edfb18886f4b58c05dcf5b23c9c was used as the basis for compiling the information. This resource was originally developed in Spanish, and translated with the support of Marianne Parrott.

Androidqf is a forensic extraction tool, part of the Mobile Verification Toolkit (MVT) project. It is maintained by Amnesty International Security Lab.

The name of the tool comes from Android Quick Forensics. It is a portable tool, which means it can be executed on Windows, GNU/Linux and macOS with a precompiled binary, without requiring an installation. This simplifies the acquisition of key forensic information from Android devices, especially in remote scenarios.

The information generated by androidqf can be grouped into 5 main categories:

  • Acquisition and extraction
  • Device information and configuration
  • System logs and events
  • Processes and applications
  • Information backed up from the device

Acquisition and extraction

acquisition.json

The information in this file is generated by the acquisition.go module.

What is included in this file?

This file is in JSON format and records information related to the data acquisition process of the device. It contains the following details:

  • UUID of the extraction, which is also used as the name of the folder where the information is stored.
  • Version of androidqf.
  • Location where the extraction is stored.
  • Date and time of start and end of the acquisition.
  • Information of the collector binary used.
  • Information of the ADB binary used.
  • Location of the SD card storage.
  • CPU architecture of the device.

Why is this important?

This file provides general information about the extraction and the device, including unique identifiers that can be helpful to ensure the chain of custody of the forensic evidence.

Example:

{
 "uuid": "0f615832-ed22-411e-9317-b429d28ecf9a",
 "androidqf_version": "v1.7.0-1-gf7642bf",
 "storage_path": "/home/user/0f615832-ed22-411e-9317-b429d28ecf9a",
 "started": "2025-01-01T18:36:37.443498116Z",
 "completed": "2025-01-01T18:50:04.947856405Z",
 "collector": {
  "ExePath": "/data/local/tmp/collector",
  "Installed": false,
  "Adb": {
   "ExePath": "/usr/bin/adb"
  },
  "Architecture": "arm64-v8a"
 },
 "tmp_dir": "/data/local/tmp/",
 "sdcard": "/sdcard/",
 "cpu": "arm64-v8a"
}

command.log

The information in this file is generated by the logger.go module, which records detailed logs of the acquisition process of the device.

What is included in this file?

This file is in plain text with a .log extension and contains a record of the commands executed during data acquisition. It documents each command used (DEBUG) and its output on screen (INFO), warning messages (WARNING) and error messages (ERROR) during execution. It uses the following structure:

  • Date and time of the command or message
  • Type of message
  • Content of the message

Why is this important?

This file presents a log of the actions performed by the app during the data acquisition process. This allows the analyst to verify the completeness of the extraction, to ensure all steps were performed. In case of errors, it also provides information to debug and fix potential issues.

Example:

2025-01-01T14:22:39-06:00 [INFO] Started new acquisition in /home/user/1c3c6742-f225-479f-a836-4a6a86a056b7
2025-01-01T14:22:39-06:00 [INFO] Would you like to take a backup of the device?
2025-01-01T14:22:41-06:00 [INFO] Generating a backup with argument com.android.providers.telephony. Please check the device to authorize the backup...
2025-01-01T14:22:52-06:00 [INFO] Backup completed!
2025-01-01T14:22:52-06:00 [INFO] Collecting information on installed apps. This might take a while...
2025-01-01T14:22:52-06:00 [INFO] Collecting device properties...
2025-01-01T14:22:52-06:00 [INFO] Collecting device diagnostic information. This might take a while...
2025-01-01T14:24:11-06:00 [INFO] Collecting list of running processes...
2025-01-01T14:24:11-06:00 [DEBUG] Deploying collector binary 'collector_arm64' for architecture 'arm64-v8a'.
2025-01-01T14:24:11-06:00 [INFO] Collecting list of services...
2025-01-01T14:24:12-06:00 [INFO] Generating a bugreport for the device...
2025-01-01T14:26:22-06:00 [DEBUG] Bugreport completed!
2025-01-01T14:26:22-06:00 [INFO] Collecting list of files... This might take a while...
2025-01-01T14:26:22-06:00 [DEBUG] Using collector to collect list of files
2025-01-01T14:39:20-06:00 [INFO] Collecting device settings...
2025-01-01T14:39:20-06:00 [INFO] Collecting SELinux status...

hashes.csv

The information in this file is generated by the HashFiles function of the acquisition.go module.

What is included in this file?

This file is in CSV format and stores the SHA-256 hashes for each file generated during extraction or extracted from the device. It uses the following format:

  • File name and location
  • Hash value using SHA-256

Why is this important?

The hashes help to guarantee the integrity of the information and ensure that it has not been modified after acquisition, facilitating independent verification and chain of custody.

Example:

2ab44150-35d3-4b40-a820-c9152fe93a13\apks\gov.dhs.cbp.cbpone_gov.dhs.cbp.cbpone-NYwrqdamzef6AVKRRGXzgA.apk,2d553aada9039d4def18a09b84c317a70d9fdde87524a043db5f0eeb1862e89a
2ab44150-35d3-4b40-a820-c9152fe93a13\backup.ab,48202a8cb422d7eeb12ff8ad13fac3a67b37600c63eae8089d9674465da32990
2ab44150-35d3-4b40-a820-c9152fe93a13\bugreport.zip,ec82812dba70891b78d7130dc16e3474918e4a0e02bb15ec00e1015679f720ee
2ab44150-35d3-4b40-a820-c9152fe93a13\command.log,c0ae883bebee7503b0ca94a54cdbb43628602046c68b770c760f730a55d6dc8c
2ab44150-35d3-4b40-a820-c9152fe93a13\dumpsys.txt,e54a613502ca362584766c0f75e17ca366d7ecdc4aa6869c50424dff83acbc15
2ab44150-35d3-4b40-a820-c9152fe93a13\env.txt,387301687084cca0e124a9c365e930b4e5e6303b3e6f9dc64e2146f168b79c1a
2ab44150-35d3-4b40-a820-c9152fe93a13\files.json,832f8121a69f131c9f434e1ca68d7b1e2deda40de72ff8396ea386a6a8cf69d3
2ab44150-35d3-4b40-a820-c9152fe93a13\getprop.txt,b8dbad7e900aeeb3c60e48dd988c44905741a7e5b124055a09c2c417aa1556b3
2ab44150-35d3-4b40-a820-c9152fe93a13\hashes.csv,cea94f56c720436d217b44ee746e2a6d69ddd226325a94bf3a3adeb32be4658a
2ab44150-35d3-4b40-a820-c9152fe93a13\logcat.txt,6c080ba0357c6e82818e5a89135ff06aa9386f811daf898fc1797e1b9e6299d3
2ab44150-35d3-4b40-a820-c9152fe93a13\logs\data\anr\anr_2024-12-20-00-11-38-831,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2ab44150-35d3-4b40-a820-c9152fe93a13\logs\sdcard\log\thermal_log-shm,e9eed4a2f55edd11e022b7b089d69a5de929d2bd484041a64e957861a5ab055b
2ab44150-35d3-4b40-a820-c9152fe93a13\packages.json,69d560bfbbb75e074a49d107811c350461badac885b3925ed816d716f1f1144a
2ab44150-35d3-4b40-a820-c9152fe93a13\processes.txt,9e933447e79e4743722691af88e9a4bdcc11029a92b84b0ebd9d54e0bfcf2694
2ab44150-35d3-4b40-a820-c9152fe93a13\root_binaries.json,4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
2ab44150-35d3-4b40-a820-c9152fe93a13\selinux.txt,1ca5672ae970bdc4f5b584898245b3d884e11deb6867e9563bdfbc8b82e8f62e
2ab44150-35d3-4b40-a820-c9152fe93a13\services.txt,b3ae6ad626b3a5ba8fc3b68771d42baf9795e03cc7b4b1ccbe361d9625e0f1fe
2ab44150-35d3-4b40-a820-c9152fe93a13\settings_global.txt,410f788450907331183ee36979e93fc7dc0b1805e574d1ac1d5fbc9869897c53
2ab44150-35d3-4b40-a820-c9152fe93a13\settings_secure.txt,be67f431c457edfb88d733594aba662310dbe3863c62da21cbf7dad5bcc0f136
2ab44150-35d3-4b40-a820-c9152fe93a13\settings_system.txt,b0e7452110867ca3f5c15ea52b9b9a198433a836f97d6fd8b95fcd39fd30c714
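
An added example, not part of androidqf or of the original page: a Python check that recomputes the SHA-256 of every file listed in hashes.csv and reports mismatched, missing, empty and unlisted files. It assumes the folder-prefixed, Windows-style paths shown in the sample above and skips the hashes.csv self-entry on the assumption that it cannot describe the finished file; the folder created by build_constructed_acquisition() is constructed test data.

```python
import csv
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# SHA-256 of zero bytes: an entry carrying this digest is an empty file.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large artifacts (backup.ab, bugreport.zip) are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def relative_entry(raw_path, acquisition_name):
    """Map a hashes.csv path to a POSIX path relative to the acquisition folder.

    PureWindowsPath splits on both separators, so entries written on Windows
    and on Unix are handled alike. Entries containing '..' are rejected.
    """
    pure = PureWindowsPath(raw_path)
    parts = [p for p in pure.parts if p != pure.anchor]
    if acquisition_name in parts:
        parts = parts[parts.index(acquisition_name) + 1:]
    if not parts or ".." in parts:
        return None
    return "/".join(parts)


def verify_acquisition(acquisition_dir):
    root = Path(acquisition_dir)
    names = ("ok", "mismatch", "missing", "empty", "unlisted", "invalid")
    report = {name: [] for name in names}
    listed = {"hashes.csv"}
    with open(root / "hashes.csv", newline="", encoding="utf-8") as fh:
        for row in csv.reader(fh):
            if not row:
                continue
            rel = relative_entry(row[0], root.name) if len(row) == 2 else None
            if rel is None:
                report["invalid"].append(",".join(row))
                continue
            listed.add(rel)
            if rel == "hashes.csv":
                continue  # assumption: the self-entry cannot match the finished file
            target = root / rel
            expected = row[1].strip().lower()
            if not target.is_file():
                report["missing"].append(rel)
                continue
            if expected == EMPTY_SHA256:
                report["empty"].append(rel)
            bucket = "ok" if sha256_file(target) == expected else "mismatch"
            report[bucket].append(rel)
    # Files on disk that the manifest never mentioned were added after hashing.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in listed:
            report["unlisted"].append(rel)
    return {name: sorted(items) for name, items in report.items()}


def build_constructed_acquisition(parent):
    """Create a small constructed acquisition folder (not real device data)."""
    name = "00000000-0000-4000-8000-000000000000"  # constructed UUID
    root = Path(parent) / name
    (root / "logs" / "data" / "anr").mkdir(parents=True)
    files = {
        "command.log": b"2025-01-01T14:22:39-06:00 [INFO] Started new acquisition\n",
        "getprop.txt": b"[ro.build.selinux]: [1]\n",
        "selinux.txt": b"Enforcing\n",
        "logs/data/anr/anr_sample": b"",
    }
    rows = []
    for rel, data in files.items():
        (root / rel).write_bytes(data)
        win_path = name + "\\" + rel.replace("/", "\\")
        rows.append(win_path + "," + hashlib.sha256(data).hexdigest())
    (root / "hashes.csv").write_text("\n".join(rows) + "\n", encoding="utf-8")
    # Simulate changes made after the acquisition was hashed.
    (root / "getprop.txt").write_bytes(b"[ro.build.selinux]: [0]\n")
    (root / "selinux.txt").unlink()
    (root / "notes.bin").write_bytes(b"added later")
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return verify_acquisition(build_constructed_acquisition(tmp))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```
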

Device information and configuration

getprop.txt

The information in this file is generated by the getprop.go module.

What is included in this file?

This file is in TXT format and contains the output of the adb shell getprop command, which details the system properties of the device, such as Android version, build number, serial number, network settings, manufacturer, USB debugging status, and software and hardware related values.

System properties are key-value pairs of strings that are stored in the global build.prop dictionary or in .sysprop files, and provide a convenient way to share information, usually settings, throughout the system.

The information can be found in the following format:

[{prefix}.]{group}[.{subgroup}]*.{name}[.{type}]

The prefix ro is used for read-only configurations, or settings that have been set after the last reboot. The prefix persist is used for configurations that persist after a reboot. Properties may also have no prefix, meaning they begin directly with the group they belong to.

The most common groups are:

  • bluetooth, Bluetooth related
  • boot, sysprops from kernel cmdline
  • build, sysprops that identify a build
  • telephony, telephony related
  • audio, audio related
  • graphics, graphics related
  • vold, vold related

For more details, see the list of properties already defined in the Android source code.

The equivalent ADB command in this module is as follows:

adb shell getprop

Why is this important?

The properties provide important information about the device's hardware and software, which can be altered by malicious software to hide its presence or to inadvertently modify the device's behaviour.

Example:

Example of content returned by running AndroidQF:

[property_name]: [value]
[aaudio.hw_burst_min_usec]: [2000]
[aaudio.mmap_exclusive_policy]: [2]
[aaudio.mmap_policy]: [2]
[apex.all.ready]: [true]
[bluetooth.device.class_of_device]: [90,2,12]
[ro.boot.product.model]: [SM-A715F]
[ro.boot.serialno]: [R58N84XXXXX]
[ro.bootimage.build.date]: [Thu Feb 29 13:55:21 +07 2024]
[ro.bootimage.build.date.utc]: [1709189721]
[ro.bootimage.build.fingerprint]: [samsung/a71naxx/a71:11/RP1A.200720.012/A715FXXSBDXB1:user/release-keys]
[ro.build.selinux]: [1]
[ro.build.selinux.enforce]: [1]
[ro.build.version.security_patch]: [2024-02-01]
[ro.gfx.driver.1]: [com.qualcomm.qti.gpudrivers.sm6150.api30]
[ro.hardware]: [qcom]
[ro.hardware.chipname]: [SM7150]
[ro.product.system.model]: [SM-A715F]
[ro.vendor.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist64]: [arm64-v8a]

Example of content returned by ADB command execution:

[DEVICE_PROVISIONED]: [1]
[apex.all.ready]: [true]
[bluetooth.device.class_of_device]: [90,2,12]
[bluetooth.device.default_name]: [moto g(7) power]
[bluetooth.hardware.power.operating_voltage_mv]: [3300]
[bluetooth.profile.a2dp.source.enabled]: [true]
[bluetooth.profile.asha.central.enabled]: [true]
[bluetooth.profile.avrcp.target.enabled]: [true]
[bluetooth.profile.bas.client.enabled]: [true]
[bluetooth.profile.gatt.enabled]: [true]
[bluetooth.profile.hfp.ag.enabled]: [true]
[bluetooth.profile.hid.device.enabled]: [true]
[bluetooth.profile.hid.host.enabled]: [true]
[bluetooth.profile.map.server.enabled]: [true]
[bluetooth.profile.opp.enabled]: [true]
[bluetooth.profile.pan.nap.enabled]: [true]
[bluetooth.profile.pan.panu.enabled]: [true]
[bluetooth.profile.pbap.server.enabled]: [true]
[bluetooth.profile.sap.server.enabled]: [true]
[bootreceiver.enable]: [0]
[build.version.extensions.ad_services]: [11]
[build.version.extensions.r]: [11]
[build.version.extensions.s]: [11]
[build.version.extensions.t]: [11]
[build.version.extensions.u]: [11]
[cache_key.bluetooth.bluetooth_adapter_get_connection_state]: [2184677357365305812]


selinux.txt

The information in this file is generated by the selinux.go module.

What is included in this file?

This file is in txt format and contains information about the SELinux security policy applied on the device, indicating the mode it is in (enforcing, permissive, or disabled).

The ADB equivalent command of this module is as follows:

adb shell getenforce

Why is this important?

SELinux is a key security layer in Android. Changes to its configuration can be an indication of compromises to the security of the device.

Example:

Example of content returned by running AndroidQF and ADB command:

Enforcing


settings_global.txt

The information in this file is generated by the settings.go module.

What is included in this file?

This file is in txt format and contains information about the preferences that apply identically to all defined users (well-defined user). Applications can read them, but cannot write them; these are preferences that the user must explicitly modify through the system user interface or specialized APIs for these values.

These settings include development settings, boot count, and Bluetooth, Wi-Fi and telephony connection status. For the complete list of global preferences, please refer to the relevant Android documentation.

The ADB equivalent command for this module is as follows:

adb shell cmd settings list global

Why is this important?

It allows the identification of anomalous settings that could compromise the security, privacy or functionality of the device. Unusual default settings may signal intentional or accidental attempts to modify system behaviour.

Example:

Example of content returned by running AndroidQF and ADB command:

Phenotype_boot_count=68
adb_enabled=1
airplane_mode_on=0
bluetooth_on=1
boot_count=71
bug_report=0
default_device_name=Galaxy A14 5G
package_verifier_user_consent=1
phone_play_store_availability=0
require_password_to_decrypt=1
spam_call_enable=1
subscription_mode=0
turnOff_5g_network_mode_set=0
wifi_networks_available_notification_on=0
wifi_on=1
wifi_scan_always_enabled=1
zram_enabled=1


settings_secure.txt

The information in this file is generated by the settings.go module.

What is included in this file?

This file is in txt format and contains information about system security preferences that applications can read but not write. These are preferences that the user must explicitly modify through the user interface of a system application. Normal applications cannot modify the security settings database.

These settings include development settings, accessibility, location, data entry, screen lock, parental controls, text-to-speech, and Bluetooth, Wi-Fi and telephony connection.

For the complete list of security preferences, please refer to the relevant Android documentation.

The ADB equivalent command for this module is as follows:

adb shell cmd settings list secure

Why is this important?

It allows the identification of anomalous settings that could compromise the security, privacy or functionality of the device. Unusual default settings may signal intentional or accidental attempts to modify system behaviour.

Example:

Example of content returned by running AndroidQF and ADB command:

accessibility_allow_diagonal_scrolling=1
accessibility_button_mode=1
accessibility_button_target_component=com.android.settings/com.samsung.android.settings.accessibility.shortcut.AmplifyShortcut
accessibility_display_magnification_enabled=0
accessibility_enabled=0
android_id=af4de9XXXXXXXXXX
autofill_service=null
assistant=com.google.android.googlequicksearchbox/com.google.android.voiceinteraction.GsaVoiceInteractionService
aware_enabled=0
backup_auto_restore=1
backup_encryption_opt_in_displayed=1
bluetooth_settings_foreground=0
clipboard_show_access_notifications=0
default_input_method=com.samsung.android.honeyboard/.service.HoneyBoardService
fingerprint_screen_lock=1
location_mode=3
location_time_zone_detection_enabled=1
lockscreen.disabled=0
wifi_saved_state=0


settings_system.txt

The information in this file is generated by the settings.go module.

What is included in this file?

This file is in TXT format and contains information about various general device preferences. These preferences affect the user experience and basic functionality of the device.

These settings include sensor options such as accelerometer or gyroscope, time zone, display, alarms, sound, vibration, updates, and Bluetooth, Wi-Fi and telephony connection.

For the complete list of system preferences, please refer to the relevant Android documentation.

The ADB equivalent command for this module is as follows:

adb shell cmd settings list system

Why is this important?

It allows the identification of anomalous settings that could compromise the security, privacy or functionality of the device. Unusual default settings may signal intentional or accidental attempts to modify system behaviour.

Example:

Example of content returned by running AndroidQF and ADB command:

FOTA_CLIENT_POLLING_TIME=1710699386219
FOTA_CLIENT_REGISTRATION=1
FOTA_CLIENT_TEST=0
SEM_VIBRATION_FORCE_TOUCH_INTENSITY=4
SEM_VIBRATION_NOTIFICATION_INTENSITY=5
SOFTWARE_UPDATE_LAST_CHECKED_DATE=1728477705778
SOFTWARE_UPDATE_WIFI_ONLY2=1
alarm_alert_set=1
anykey_mode=0
aod_mode=0
automatic_unlock=1
block_unwanted_call=1
block_unwanted_call_type=1
lockscreen_sounds_enabled=1
lockscreen_wallpaper=1
login_state=0
mic_mode_enable=0
mic_mode_wificall=0
samsung_errorlog_agree=1
tty_mode=0
unknown_mode=0
volume_alarm=11
volume_alarm_ble_headset=11
volume_alarm_earpiece=11
volume_alarm_speaker=11
volume_assistant=7
wifi_call_enable1=0
wifi_call_preferred1=2
wifi_call_when_roaming1=0
wireless_fast_charging=0


env.txt

The information in this file is generated by the env.go module.

What is included in this file?

This file is in txt format and contains information about the environment variables configured for the terminal (shell), set through mkshrc, which is used by Android.

By default, the mkshrc variables in Android are found in the mkshrc or profile file which can be in one of the following directories.

/system/etc
/system/etc/profile
$HOME/
/data/local

The mkshrc binary can be found in one of the following directories.

/product/bin
/apex/com.android.runtime/bin
/apex/com.android.art/bin
/system_ext/bin
/system/bin
/system/xbin
/odm/bin
/vendor/bin
/vendor/xbin

The variables contained in the file may indicate:

  • Partition locations
  • Android virtual machine runtime environment values
  • Shell settings

The ADB equivalent command of this module is as follows:

adb shell env

Why is this important?

Environment variables may indicate changes in the settings of the terminal, the command shell, the Android virtual machine runtime environment or the mount points of some partitions and folders. This could indicate suspicious behaviour on the device for the execution of malicious software.

Example:

Example of content returned by AndroidQF execution:

_=/system/bin/env
ANDROID_DATA=/data
ANDROID_ART_ROOT=/apex/com.android.art
LOGNAME=shell
STANDALONE_SYSTEMSERVER_JARS=/apex/com.android.btservices/javalib/service-bluetooth.jar:/apex/com.android.devicelock/javalib/service-devicelock.jar:/apex/com.android.os.statsd/javalib/service-statsd.jar:/apex/com.android.scheduling/javalib/service-scheduling.jar:/apex/com.android.tethering/javalib/service-connectivity.jar:/apex/com.android.uwb/javalib/service-uwb.jar:/apex/com.android.wifi/javalib/service-wifi.jar:/apex/com.samsung.android.lifeguard/javalib/service-lifeguard.jar
HOME=/
ANDROID_TZDATA_ROOT=/apex/com.android.tzdata
ANDROID_ROOT=/system
TERM=xterm-256color
SHELL=/bin/sh
ANDROID_BOOTLOGO=1
ANDROID_ASSETS=/system/app
ANDROID_SOCKET_adbd=21
HOSTNAME=a14x
DOWNLOAD_CACHE=/data/cache
SECONDARY_STORAGE=/storage/sdcard:/storage/usb1:/storage/usb2
ANDROID_STORAGE=/storage
USER=shell
TMPDIR=/data/local/tmp
PATH=/product/bin:/apex/com.android.runtime/bin:/apex/com.android.art/bin:/system_ext/bin:/system/bin:/system/xbin:/odm/bin:/vendor/bin:/vendor/xbin
SYSTEMSERVERCLASSPATH=/system/framework/com.android.location.provider.jar:/system/framework/knoxanalyticssdk.jar:/system/framework/mcfsdk.jar:/system/framework/uibc_java.jar:/system/framework/services.jar:/system/framework/semwifi-service.jar:/system/framework/ssrm.jar:/apex/com.android.adservices/javalib/service-adservices.jar:/apex/com.android.adservices/javalib/service-sdksandbox.jar:/apex/com.android.appsearch/javalib/service-appsearch.jar:/apex/com.android.art/javalib/service-art.jar:/apex/com.android.configinfrastructure/javalib/service-configinfrastructure.jar:/apex/com.android.healthfitness/javalib/service-healthfitness.jar:/apex/com.android.media/javalib/service-media-s.jar:/apex/com.android.ondevicepersonalization/javalib/service-ondevicepersonalization.jar:/apex/com.android.permission/javalib/service-permission.jar:/apex/com.android.rkpd/javalib/service-rkp.jar:/apex/com.samsung.android.shell/javalib/service-samsung-shell.jar
ASEC_MOUNTPOINT=/mnt/asec
ANDROID_I18N_ROOT=/apex/com.android.i18n
EXTERNAL_STORAGE=/sdcard

Example of content returned by ADB command execution:

_=/system/bin/env
ANDROID_DATA=/data
LOGNAME=shell
STANDALONE_SYSTEMSERVER_JARS=/apex/com.android.btservices/javalib/service-bluetooth.jar:/apex/com.android.devicelock/javalib/service-devicelock.jar:/apex/com.android.os.statsd/javalib/service-statsd.jar:/apex/com.android.scheduling/javalib/service-scheduling.jar:/apex/com.android.tethering/javalib/service-connectivity.jar:/apex/com.android.uwb/javalib/service-uwb.jar:/apex/com.android.wifi/javalib/service-wifi.jar
HOME=/
DEX2OATBOOTCLASSPATH=/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/framework-graphics.jar:/system/framework/framework-location.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/framework-nfc.jar:/system/framework/telephony-ext.jar:/apex/com.android.i18n/javalib/core-icu4j.jar
ANDROID_TZDATA_ROOT=/apex/com.android.tzdata
USER=shell
ANDROID_ROOT=/system
TERM=xterm-256color
SHELL=/bin/sh
ANDROID_BOOTLOGO=1
ANDROID_ASSETS=/system/app
BOOTCLASSPATH=/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/framework-graphics.jar:/system/framework/framework-location.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/system/framework/framework-n


mounts.json

The information in this file is generated by the mounts.go module (https://github.com/mvt-project/androidqf/blob/main/modules/mounts.go).

What is included in this file?

This file is in JSON format and contains information about the partitions and file system directories mounted on the device, in user space and in the Android Linux kernel.

The ADB equivalent command of this module is as follows:

adb shell "mount"
adb shell "cat /proc/mounts"

The mount command reads information directly from the kernel, which reflects a list of mounted file systems on the device. On the other hand, the cat /proc/mounts command directly accesses the /proc/mounts file, which is a virtual file generated and managed by the Android Linux kernel. This file accurately reflects in real time the exact state of all file systems mounted on the device, including partitions, logical volumes and temporary file systems.

The format in which the mount points are presented is as follows:

<device> <mount-point> <type> <options>

Where each parameter means the following:

  • device: Partition or mounted volume. In Android the most common ones are:
    • Physical storage partitions
      • /dev/block/sdX: Physical storage device (eMMC/UFS) exposed as sd by the kernel.
      • /dev/block/mmcblk: eMMC storage device presented as mmcblk.
      • /dev/block/dm-X: Device managed by device-mapper (encrypted, verity or logical partitions).
      • /dev/block/by-name/: Symbolic links pointing to real partitions by name, e.g. system, vendor, userdata.
    • Virtual kernel volume in RAM
      • proc: Virtual interface to obtain kernel and process information.
      • sysfs: Exposes device, driver and kernel parameter information.
      • selinuxfs: Displays SELinux policies, status and labels.
      • tracefs: Virtual system for kernel tracing and debugging tools.
      • pstore: Stores persistent kernel crash logs.
      • bpf: Exposes interfaces for eBPF programs loaded in the kernel.
    • User space
      • /dev/fuse: FUSE interface used by Android to mount emulated storage, e.g. /storage/emulated.
    • Internal kernel control interfaces
      • none: Identifier indicating that the mount does not come from a real device.
      • binder: Android's internal IPC system for inter-process communication.
    • APEX files mounted as loopback
      • /dev/block/loopX: Loop devices used to mount APEX packages as if they were real partitions.
  • mount point: Path of the root folder of the storage where the information is accessed. In Android they are usually the following:
    • /system: Contains the main operating system.
    • /vendor: Includes components and drivers provided by the hardware manufacturer such as HALs, firmware and vendor-specific binaries.
    • /product: Stores manufacturer's customizations of system functions and device-specific applications.
    • /data: User data area and app storage.
    • /cache: Temporary space used for update files and transient system data.
    • /metadata: Contains critical device information needed for AVB, encryption and system validations.
    • /mnt/media_rw/: Mount point for removable or adopted storage, e.g. SD card.
    • /storage/emulated: Emulated view of user's internal storage.
    • /proc: Virtual system that exposes kernel and process information (not real storage).
    • /sys: Virtual system that exposes information about devices and kernel drivers.
    • /mnt/user/0/emulated: Specific view of the emulated storage for user 0.
  • file system type: File system type. In Android they are as follows:
    • ext4: Linux file system used on internal partitions.
    • f2fs: File system optimized for flash storage.
    • erofs: Optimized read-only file system.
    • vfat: FAT32 file system used for SD cards and external storage.
    • sdfat: Extended implementation of FAT/exFAT.
    • tmpfs: Temporary RAM file system used for volatile directories e.g. /dev, /run, /apex.
    • proc: Virtual file system that exposes kernel and process information.
    • sysfs: Virtual system that displays hardware information, drivers and kernel drivers.
    • selinuxfs: Virtual system that exposes SELinux parameters and status on the device.
    • functionfs: System used for USB gadget interfaces when Android acts as a USB device.
    • incremental-fs: System designed to allow installing or running apps "on demand" while they are still downloading.
    • binder: Android IPC internal communication system.
    • cgroup: Virtual system based on control groups to manage resources by processes, e.g. CPU, memory.
    • fuse: User-space file system used for emulated storage.
  • options: Mount parameters; these may vary according to the mount.
    • Access modes
      • ro: read only
      • rw: read and write
    • Security labels
      • seclabel: Enables and applies SELinux labels to the file system.
      • nodev: Prevents device files from being used in that partition.
      • nosuid: Blocks binaries with set-UID/set-GID to avoid privilege escalation.
      • noexec: Prevents executing files from that partition.
      • hidepid=invisible: Hides processes from other users in /proc.
      • user_xattr: Allows user-defined extended attributes.
      • acl: Allows more detailed access control lists than rwx.
      • inlinecrypt: Uses inline encryption supported by hardware/FS (Android).
      • usrquota: Enables per-user quotas (limited space).
      • grpquota: Enables quotas per group.
    • Time stamps associated to files and directories
      • lazytime: Defer writing timestamps to storage to improve performance.
      • relatime: Update access times only if necessary.
      • noatime: Disables the access time update.
    • Users related to mounts
      • uid=0: Owner of the mount, who is the root user.
      • gid=1000: Android base group which is usually system or media_rw, depending on context.
      • user_id=0: Main user of the Android system.
      • group_id=0: Primary group of the root user.

Why is this important?

The mount points allow you to identify the storage areas mounted on the device, their origin and how they are configured.

With this information it is possible to know the permissions with which the partitions were mounted, the associated users and in some cases the SELinux security labels applied.

This is useful for identifying mounts that may indicate malicious activity on the device. For example, a system partition such as /system, /vendor or /product, which is usually mounted read-only, may appear mounted with write permissions or lacking security labels, or a partition such as /data may appear mounted with read permissions on subfolders containing application information. Either case could indicate unauthorized mounts and is highly suspicious behavior.
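
An added example, not code from androidqf or the original page: a Python audit of mounts.json entries that flags the system partitions named above when they are mounted read-write or without the seclabel option. It goes slightly beyond the sample by accepting both the mount layout and the /proc/mounts layout; the EXPECTED_READ_ONLY set and the anomalous entries in the sample input are assumptions constructed for illustration, and findings are leads for review rather than verdicts.

```python
import json
import re

# `mount` layout: DEVICE on MOUNT_POINT type FS_TYPE (OPTIONS)
MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)[\s.]*$")
FIELDS = ("device", "mount_point", "fs_type", "options")

# Partitions the page names as normally read-only. Extend per device (assumption).
EXPECTED_READ_ONLY = ("/system", "/vendor", "/product")


def parse_mount_line(line):
    """Parse one entry in `mount` or /proc/mounts layout; None if unrecognised."""
    line = line.strip()
    match = MOUNT_RE.match(line)
    # /proc/mounts layout: DEVICE MOUNT_POINT FS_TYPE OPTIONS DUMP PASS
    values = match.groups() if match else tuple(line.split()[:4])
    if len(values) < 4:
        return None
    mount = dict(zip(FIELDS, values))
    mount["options"] = [opt for opt in mount["options"].split(",") if opt]
    # Real entries always state an access mode; anything else is noise.
    if not {"ro", "rw"} & set(mount["options"]):
        return None
    return mount


def audit_mounts(entries, read_only=EXPECTED_READ_ONLY):
    """Return sorted (mount_point, issue) tuples for entries worth a closer look."""
    findings = []
    for entry in entries:
        mount = parse_mount_line(entry)
        if mount is None:
            findings.append(("(unparsed)", "unrecognised entry: " + entry[:60]))
            continue
        if mount["mount_point"] not in read_only:
            continue
        if "rw" in mount["options"]:
            findings.append((mount["mount_point"], "mounted read-write"))
        if "seclabel" not in mount["options"]:
            findings.append((mount["mount_point"], "no seclabel option"))
    return sorted(findings)


# Constructed sample: the first two entries follow the page's example output,
# the last three are invented anomalies to exercise each check.
CONSTRUCTED_MOUNTS_JSON = json.dumps([
    "/dev/block/dm-14 on /vendor type erofs "
    "(ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755)",
    "/dev/block/dm-12 on /system type ext4 (rw,relatime)",
    "/dev/block/dm-17 /product erofs ro,relatime 0 0",
    "not a mount line",
])


def demo():
    return audit_mounts(json.loads(CONSTRUCTED_MOUNTS_JSON))


if __name__ == "__main__":
    for mount_point, issue in demo():
        print(mount_point, "->", issue)
```
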

Example of file contents:

Example of content returned by running AndroidQF:

[
    "/dev/block/dm-13 on / type erofs (ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=2839372k,nr_inodes=709843,mode=755)",
    "devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)",
    "proc on /proc type proc (rw,relatime,gid=3009,hidepid=invisible)",
    "sysfs on /sys type sysfs (rw,seclabel,relatime)",
    "selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)",
    "tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=2839372k,nr_inodes=709843,mode=755,gid=1000)",
    "tmpfs on /mnt/installer type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=2839372k,nr_inodes=709843,mode=755,gid=1000)",
    "tmpfs on /mnt/androidwritable type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=2839372k,nr_inodes=709843,mode=755,gid=1000)",
    "/dev/block/sda44 on /metadata type f2fs (rw,sync,lazytime,seclabel,nosuid,nodev,noatime,background_gc=on,nogc_merge,discard,discard_unit=block,no_heap,user_xattr,inline_xattr,acl,inline_data,inline_dentry,flush_merge,barrier,extent_cache,data_flush,mode=adaptive,active_logs=6,inlinecrypt,alloc_mode=reuse,checkpoint_merge,fsync_mode=strict,memory=normal)",
    "/dev/block/dm-14 on /vendor type erofs (ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "/dev/block/dm-15 on /vendor_dlkm type erofs (ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "/dev/block/dm-16 on /system_dlkm type erofs (ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "/dev/block/dm-17 on /product type erofs (ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "/dev/block/dm-18 on /odm type erofs (ro,seclabel,relatime,user_xattr,acl,cache_strategy=readaround)",
    "/dev/block/dm-19 on /prism type ext4 (ro,seclabel,relatime)",
    "/dev/block/dm-20 on /optics type ext4 (ro,seclabel,relatime)",
    "tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755)",
    "tmpfs on /bootstrap-apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755)",
    "tmpfs on /linkerconfig type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755)",

Example of content returned by ADB command execution:

/dev/block/mmcblk0p63 on / type ext4 (ro,seclabel,relatime,discard)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1812632k,nr_inodes=453158,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1812632k,nr_inodes=453158,mode=755,gid=1000)
tmpfs on /mnt/installer type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1812632k,nr_inodes=453158,mode=755,gid=1000)
tmpfs on /mnt/androidwritable type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1812632k,nr_inodes=453158,mode=755,gid=1000)
/dev/block/mmcblk0p61 on /vendor type ext4 (ro,seclabel,relatime,discard)
tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1812632k,nr_inodes=453158,mode=755)
tmpfs on /bootstrap-apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1812632k,nr_inodes=453158,mode=755)
tmpfs on /linkerconfig type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1812632k,nr_inodes=453158,mode=755)
none on /dev/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
none on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
none on /dev/cpuctl type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
none on /dev/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
none on /dev/memcg type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
none on /dev/stune type cgroup (rw,nosuid,nodev,noexec,relatime,schedtune)
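
The check described under "Why is this important?", written out as an added example that is not part of AndroidQF or MVT: it parses either the JSON list written by AndroidQF or raw adb shell mount output and reports system partitions that are mounted read-write or without seclabel. The partition list, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# "<source> on <target> type <fstype> (<options>)", as in the examples above.
MOUNT_RE = re.compile(
    r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<options>[^)]*)\)"
)

# Partitions the text names as normally read-only; "/" is added as an assumption
# because both examples above mount the root filesystem "ro".
EXPECTED_READ_ONLY = ("/", "/system", "/vendor", "/product")


def parse_mounts(text):
    """Parse AndroidQF's JSON list of strings or raw `adb shell mount` output."""
    text = text.strip()
    lines = json.loads(text) if text.startswith("[") else text.splitlines()
    mounts = []
    for line in lines:
        match = MOUNT_RE.match(line.strip())
        if match is None:
            continue  # skip blank or unparseable lines instead of failing
        entry = match.groupdict()
        entry["options"] = entry["options"].split(",")
        mounts.append(entry)
    return mounts


def is_system_target(target):
    """True for an expected read-only partition or a path mounted inside one."""
    for base in EXPECTED_READ_ONLY:
        if target == base or (base != "/" and target.startswith(base + "/")):
            return True
    return False


def review_mounts(mounts):
    """Return (target, reason) pairs for system mounts that deserve a closer look."""
    findings = []
    for mount in mounts:
        if not is_system_target(mount["target"]):
            continue  # proc, cgroup, tmpfs etc. are outside this check
        if "rw" in mount["options"]:
            findings.append((mount["target"], "mounted read-write"))
        if "seclabel" not in mount["options"]:
            findings.append((mount["target"], "no seclabel option"))
    return findings


# Constructed sample in AndroidQF's JSON layout: the first three lines follow the
# examples above, the last two are invented to trigger the checks.
SAMPLE = json.dumps([
    "/dev/block/dm-13 on / type erofs (ro,seclabel,relatime,user_xattr,acl)",
    "proc on /proc type proc (rw,relatime,gid=3009,hidepid=invisible)",
    "/dev/block/dm-17 on /product type erofs (ro,seclabel,relatime)",
    "/dev/block/dm-14 on /vendor type ext4 (rw,relatime)",
    "/dev/block/dm-12 on /system type ext4 (rw,seclabel,relatime)",
])

if __name__ == "__main__":
    for target, reason in review_mounts(parse_mounts(SAMPLE)):
        print(f"{target}: {reason}")
```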

Learn more

System logs and events

logcat.txt and logcat_old.txt

The information in this file is generated by the logcat.go module.

What is included in this file?

These files are in plain text with .txt extension and contain the system message log on two levels: current logs of all buffers (logcat.txt) and logs prior to the last reboot (logcat_old.txt).

Some examples of the information contained are:

  • Error and warning messages (FATAL EXCEPTION).
  • Messages from operating system apps, processes and services.
  • Debug logs and informational events.

The file contains the following structure:

  • Start of log (divider lines that mark where each buffer begins).
  • Timestamp.
  • Process identifier (PID) and thread identifier (TID).
  • Priority level:
    • E: Error
    • W: Warning
    • I: Information
    • D: Debugging
    • F: Fatal
    • V: Verbose
  • Label indicating the system component or process.
  • Description and details of messages or errors.

The ADB equivalent command of this module is as follows:

#Equivalent command for the current logs
adb shell logcat -d -b all "*:V"
#Equivalent command for previous logs
adb shell logcat -L -b all "*:V"

Why is this important?

This information can be used to analyze the behavior and execution of events in the system and apps on the device to identify anomalies or patterns that may indicate the presence of malware. In forensic terms, they are among the most relevant files in terms of content.

Example of file contents:

--------- beginning of crash
--------- beginning of events
09-06 10:36:55.111 544 544 I snet_event_log: [121035042,-1,]
09-06 10:36:55.125 544 544 I auditd : SELinux: Loaded service context from:
09-06 10:36:55.125 544 544 I auditd : /system/etc/selinux/plat_service_contexts
09-06 10:36:55.125 544 544 I auditd : /system_ext/etc/selinux/system_ext_service_contexts
09-06 10:36:55.125 544 544 I auditd : /product/etc/selinux/product_service_contexts
09-06 10:36:55.125 544 544 I auditd : /vendor/etc/selinux/vendor_service_contexts
--------- beginning of kernel
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Booting Linux on physical CPU 0x0
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Linux version 4.9.337-perf+ (root@7954fa367a89) (Android (10087095, +pgo, +bolt, +lto, -mlgo, based on r487747c) clang version 17.0.2 (https://android.googlesource.com/toolchain/llvm-project d9f89f4d16663d5012e5c0949595f3b30ece3d2362)) #1 SMP PREEMPT Sun Sep 15 06:15:22 UTC 2024
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Boot CPU: AArch64 Processor [51af8014]
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Machine: ocean
09-06 10:36:55.187 0 0 I : [ 0.000000,0] efi: Getting EFI parameters from FDT:
09-06 10:36:55.187 0 0 I : [ 0.000000,0] efi: UEFI not found.
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Reserved memory: created CMA memory pool at 0x00000000008f800000, size 8 MiB
09-06 10:36:55.187 0 0 I : [ 0.000000,0] OF: reserved mem: initialized node gpu_region@0, compatible id shared-dma-pool
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Reserved memory: created CMA memory pool at 0x000000000000c7800000, size 8 MiB
09-06 10:36:55.187 0 0 I : [ 0.000000,0] OF: reserved mem: initialized node adsp_shmem_device_region@0xc0100000, compatible id shared-dma-pool
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Reserved memory: created CMA memory pool at 0x000000000000fec00000, size 20 MiB
09-06 10:36:55.187 0 0 I : [ 0.000000,0] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Reserved memory: created CMA memory pool at 0x0000000000fe800000, size 4 MiB
09-06 10:36:55.187 0 0 I : [ 0.000000,0] OF: reserved mem: initialized node qseecom_ta_region, compatible id shared-dma-pool
09-06 10:36:55.187 0 0 I : [ 0.000000,0] Reserved memory: created
2025-01-01 00:00:00:00.000 12345 12345 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
2025-01-01 00:00:00:00.000 30144 30860 I ActivityManager: Process example.android.app
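
The record structure listed above, turned into a parser as an added example that is not part of AndroidQF or MVT: it tracks the buffer dividers, splits each record into its fields and pairs every FATAL EXCEPTION line with the crashing process. The function names, the sample log (constructed) and the "Process: <name>, PID: <n>" layout of the AndroidRuntime follow-up line are assumptions.

```python
import re
from collections import Counter

# Buffer divider, e.g. "--------- beginning of crash".
DIVIDER_RE = re.compile(r"^-+ beginning of (?P<buffer>\S+)")

# Record line: [YYYY-]MM-DD HH:MM:SS.mmm PID TID PRIORITY TAG: MESSAGE
RECORD_RE = re.compile(
    r"^(?P<timestamp>(?:\d{4}-)?\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<priority>[VDIWEF])\s+"
    r"(?P<tag>.*?)\s*:\s?(?P<message>.*)$"
)

# Assumed layout of the line AndroidRuntime logs after "FATAL EXCEPTION".
PROCESS_RE = re.compile(r"^Process: (?P<name>[^,\s]+), PID: (?P<pid>\d+)")


def parse_logcat(text):
    """Return one dict per record, tagged with the buffer it appeared under."""
    records, buffer = [], None
    for line in text.splitlines():
        divider = DIVIDER_RE.match(line)
        if divider:
            buffer = divider.group("buffer")
            continue
        match = RECORD_RE.match(line)
        if match is None:
            continue  # truncated or non-record line
        record = match.groupdict()
        record["pid"], record["tid"] = int(record["pid"]), int(record["tid"])
        record["buffer"] = buffer
        records.append(record)
    return records


def count_by_priority(records):
    """Number of records per priority letter (V, D, I, W, E, F)."""
    return Counter(r["priority"] for r in records)


def fatal_exceptions(records):
    """Pair each 'FATAL EXCEPTION' line with the 'Process:' line from the same PID."""
    crashes, pending = [], {}
    for r in records:
        if r["tag"] != "AndroidRuntime" or r["priority"] not in ("E", "F"):
            continue
        if r["message"].startswith("FATAL EXCEPTION"):
            pending[r["pid"]] = r["timestamp"]
            continue
        process = PROCESS_RE.match(r["message"])
        if process and r["pid"] in pending:
            crashes.append((pending.pop(r["pid"]), r["pid"], process.group("name")))
    return crashes


# Constructed sample in the layout of the example above (not taken from a device).
SAMPLE = """\
--------- beginning of main
09-06 10:36:55.125   544   544 I auditd  : SELinux: Loaded service context from:
09-06 10:37:01.200  1807  1850 W ActivityManager: Slow operation: 120ms
--------- beginning of crash
09-06 10:37:02.010 12345 12345 E AndroidRuntime: FATAL EXCEPTION: main
09-06 10:37:02.010 12345 12345 E AndroidRuntime: Process: example.android.app, PID: 12345
09-06 10:37:02.011 12345 12345 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
2025-01-01 00:00:00.000 30144 30860 I ActivityManager: Process example.android.app
--------- beginning of kernel
09-06 10:36:55.187     0     0 I         : [    0.000000,0] Booting Linux on physical CPU 0x0
09-06 10:36:55.187     0     0 I
"""

if __name__ == "__main__":
    parsed = parse_logcat(SAMPLE)
    print(dict(count_by_priority(parsed)))
    for when, pid, name in fatal_exceptions(parsed):
        print(f"{when} crash in {name} (pid {pid})")
```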

Learn more

dumpsys.txt

The information in this file is generated by the dumpsys.go module.

What is included in this file?

This file is in txt format and contains diagnostic information about the services on the device. The dumpsys report provides technical details about the status of services and system components which is very useful for identifying abnormal configurations or behavior.

The file is split into the following sections:

  • List of active services
  • Details of each service
  • Detailed logs

To see the list of services that can appear in a device's dumpsys, you can run the command adb shell service list.

The ADB equivalent command of this module is as follows:

adb shell dumpsys

Why is this important?

This file provides information about the services running on a device and the flags and logs they generate. This is useful from a forensic standpoint since it can help identify known services or processes that are suspicious.

Example of content returned by running AndroidQF and ADB command:

Currently running services:
  accessibility
  account
  adb
  alarm
  android.frameworks.cameraservice.service.ICameraService/default
  android.hardware.biometrics.face.IFace/default
  android.hardware.vibrator.IVibratorManager/default
  android.os.UpdateEngineService
  android.security.authorization
  anrmanager
  anti_root_dialog
  app_binding
  appops
  audio
  auth
  battery
  batteryproperties
  batterystats
  bluetooth_manager
  bugreport
  cpuinfo
  critical.log
  dataloader_manager
  dbinfo
  input
  logcat
  meminfo
  netstats
  ostats_pullerd
  ostats_tpd
  ostatsd
  package
  permission
  phone
  power
  processinfo
  procstats
  settings
  stats
  statsbootstrap
  usb
  wifi
  window

-------------------------------------------------------------------------------
DUMP OF SERVICE AtlasService:
--------- 0.001s was the duration of dumpsys AtlasService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE DockObserver:
Current Dock Observer Service state:
  reported state: 0
  previous state: 0
  actual state: 0
--------- 0.007s was the duration of dumpsys DockObserver, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE ISubsysRadio:
--------- 0.005s was the duration of dumpsys ISubsysRadio, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE MMListService:
--------- 0.001s was the duration of dumpsys MMListService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE OPLUSExService:
--------- 0.001s was the duration of dumpsys OPLUSExService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE OplusLocationManager:
--------- 0.001s was the duration of dumpsys OplusLocationManager, ending at: 2025-05-08 18:>
-------------------------------------------------------------------------------
DUMP OF SERVICE appops:
Current AppOps Service state:
  Settings:
    top_state_settle_time=+5s0ms
    fg_service_state_settle_time=+5s0ms
    bg_state_settle_time=+1s0ms

  Op mode watchers:
    Op COARSE_LOCATION:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    #1: ModeCallback{21558a8 watchinguid=-1 flags=0x1 op=MONITOR_LOCATION from uid=u0a124 pid=3315}
    #2: ModeCallback{c7241f6 watchinguid=-1 flags=0x1 op=COARSE_LOCATION from uid=1000 pid=1807}
    #3: ModeCallback{f993e3b watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=u0a124 pid=3315}
    Op FINE_LOCATION:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    #1: ModeCallback{e5bfc6d watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=1000 pid=1807}
    #2: ModeCallback{f993e3b watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=u0a124 pid=3315}
    Op READ_CONTACTS:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    Op WRITE_CONTACTS:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    Op READ_CALL_LOG:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    Op WRITE_CALL_LOG:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    Op READ_CALENDAR:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    Op WRITE_CALENDAR:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
    Op POST_NOTIFICATION:
    #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}

Learn more

bugreport.zip

The information in this file is generated by the bugreport.go module.

What is included in this file?

This is a compressed file in zip format and contains a complete report on the current state of the device including system data, logs and configurations.

The bugreport can be analyzed with MVT using the command mvt-android check-bugreport bugreport.zip.

The files and folders included in the bugreport are as follows:

  • dumpstate-yyyy-mm-dd-hh-mm-ss.txt

    • Summarizes the key specs of the mobile device and the current status.
  • dumpstate_board.txt

    • File that provides logs of a system boot, including events and services that are executed upon booting the device.
  • dumpstate_log.txt

    • Presents logs with the results of the bugreport creation process, including potential errors and warnings.
  • main_entry.txt

    • This file serves as an index of the contents created as part of the bugreport creation.
  • version.txt

    • Shows the Android bugreport release letter. When systrace is enabled, the zip file also contains a systrace.txt file.
  • fs/cache/recovery/

    • last_data_partition_info
      • Provides information about the system storage, including the total size, used and free space; as well as the size of sectors and number of blocks present.
    • last_dataresizing
      • Records information about several system sensors. It also provides information about messages created to address needs of specific sensors, like auto rotation, smart alert, among others.
    • last_postrecovery
      • Provides information about communications between hardware components.
  • fs/data/anr/

    • anr_yyyy-mm-dd-hh-mm-ss
      • Provides a detailed diagnostic of the system apps that are not responding. ANR stands for App Not Responding.
  • fs/data/log/bt/

    • btsnooz_hci.log
      • Contains information about the Host Controller Interface (HCI) of the Bluetooth module.
    • btsnooz_hci.log.last
      • Contains older logs and records of the HCI Bluetooth module.
  • fs/data/misc/recovery/

    • ro.build.fingerprint
      • Contains a unique identifier of the software version installed on the device.
    • ro.build.fingerprint.1
      • Contains a variant of the compilation number of the device.
  • fs/data/tombstones/

    • tombstone_xx
      • Tombstones are files with log data about system or app crashes that are automatically generated when a process crashes unexpectedly.
  • fs/proc/

    • mountinfo
      • This file provides information about the mount points on the system. It helps in understanding the filesystem structure and the different partitions the device might have.

The ADB equivalent command of this module is as follows:

adb bugreport bugreport.zip

Why is this important?

The bugreport is highly valuable from a forensic standpoint since it contains information about errors, running processes and the filesystem that can be helpful to inspect and detect anomalies on the device that might be related to the exploitation of vulnerabilities.

Learn more:

logs/

The information in this folder is generated by the logs.go module.

What is included in this file?

This folder contains log files, organized in different subfolders, collected from the device. This module goes through different system paths in order to extract files that contain information about the operating system's behavior, including potential errors and events. It includes the following paths:

  • /data/system/uiderrors.txt
  • /proc/kmsg
  • /proc/last_kmsg
  • /sys/fs/pstore/console-ramoops
  • /data/anr/
  • /data/log/
  • /sdcard/log/

The files and folders included are the following. Be aware that some may not be accessible due to device permissions:

  • anr
    • anr_yyyy-mm-dd-hh-mm-ss
      • File that provides a detailed diagnosis of the system status and activity of a specific process.
  • log
    • acore
      • 0_dump_all.zip
        • File containing a dump of the system state associated with the acore process.
    • batterystats
      • newbatterystats240905095247
        • File containing metrics on the device's energy usage.
    • dropbox.txt
      • File containing logs of system events managed by DropBoxManager.
    • dumpstate_debug_history.lst
      • File containing the execution history of the system log collection process.
    • dumpstate_lastkmsg_20240423_152746_0_MP.log.gz
      • File containing the last kernel message after an unexpected reboot.
    • dumpstate_latest_lastkmsg.log.gz
      • File containing the most recent persistent kernel log after a reboot.
    • dumpstate-stats.txt
      • File containing statistics generated during the collection of the system status.
    • dumpstate_sys_error.zip
      • Compressed file containing information about critical system errors.
    • lom_log.txt
      • File containing records related to storage or monitoring of the system.
    • pm_debug_info.txt
      • File containing debugging information from the system package manager.
    • power_off_reset_reason.txt
      • File indicating the cause of the last shutdown or restart of the device.
    • prev_dump.log
      • File containing a pre-capture of the system state before a critical event.
    • radio_PRECONFG_SET.log
      • File documenting the initial configuration of the device's radio module.
    • shutdown_profile.1.txt
      • File containing the shutdown profile recorded by the system.
    • shutdown_profile_latest.txt
      • File containing the profile of the most recent system shutdown.
    • err/
      • mobiledata_dns.dat
        • File containing errors related to DNS resolution in mobile networks.
      • mobiledata_tp2.dat
        • File containing errors in the transfer of mobile packets.
      • mobiledata_tp.dat
        • File containing errors in the transfer of mobile packets.
    • ewlogd/
      • ewlog0_20240920_144426188369.log
        • File containing logs of system events generated by the ewlogd service.
    • imscr/
      • imscr.log.0
        • File containing records of the IMS component for communication services.
    • wto/
      • cidmanager.log
        • File containing information from the operator code manager (CID).
      • csc_update_log.txt
        • File containing the CSC customization package update log.
      • home_fota_update_log.txt
        • File containing logs of FOTA updates in home network.
      • prev_csc_log.txt
        • File containing a previous configuration history of the operator.
    • search
      • 0_com.samsung.android.scs_index_encrypted.tar.gz
        • Encrypted compressed file containing data from the system's search index.
    • sfslog/
      • sfslog.0.gz
        • Compressed file containing Secure File System (SFS) records.
    • smartswitch/
      • 1726696227738SmartSwitchSimpleLog.log
        • File containing records of the data transfer process via Smart Switch.
    • update_engine_log/
      • update_engine.20240603-222843
        • File containing records of the system software update engine.
    • wfd
      • wfdDumpSource.log
        • File containing logged activity of the Wifi direct (WFD) component.
    • wifi
  • system
  • proc
    • kmsg
      • File containing the current kernel log with low-level system activity.
    • last_kmsg
      • File containing the last persistent kernel log after a reboot.
  • sys/
    • fs/
      • pstore/

The equivalent ADB commands for this module are as follows. Equivalent command for recursive listing of each folder:

adb shell "ls -R /data/anr/"
adb shell "ls -R /data/log/"
adb shell "ls -R /sdcard/log/"

Equivalent command for downloading each file:

adb pull /data/system/uiderrors.txt
adb pull /proc/kmsg
adb pull /proc/last_kmsg
adb pull /sys/fs/pstore/console-ramoops
adb pull /data/anr/
adb pull /data/log/
adb pull /sdcard/log/

Why is this important?

This information is important because it collects system and application log files, providing detailed information about errors and other device events. This provides insight into system behavior and helps to detect failures and identify execution traces or anomalies.

Processes and applications

packages.json

The information in this file is generated by the packages.go module.

What is included in this file?

This file is in json format and contains a list of applications installed on the device providing information about them such as the name of the installed package, the path where it is located, installation source, its current status or if it is a third party application.

The file contains:

  • name: Name of the package with the app.
  • files: Path of the APK file, including also the file hashes and certificate information.
  • installer: Indicates which app installed the package.
  • uid: The user ID (UID) associated with the app execution.
  • disabled: Indicates if the app is disabled or not.
  • system: Indicates if the package is part of the operating system packages.
  • third_party: Indicates if the app is from a third party.

The ADB equivalent command of this module is the following:

adb shell pm list packages -f

Why is this important?

This file contains information about the applications installed on the device and whether they are enabled or not. The list of apps and the app names are often used as indicators to signal a potentially malicious application. By exploring the apps, their permissions and settings, it might be possible to understand their usage of data and their intent.

File Structure:

Example of content returned by running AndroidQF:

[
    {
        "name": "com.whatsapp",
        "files": [
            {
                "path":"/data/app/~~~bqy7OQa_ZY_wDTFdG5YZRA==/com.whatsapp-3CExO11mXQz7SoP-3>>
                "local_name": "",
                "md5": "a6014f075183b8872d115e04f546a19a",
                "sha1": "7c52f9781c44c4902aecb4fc8a13584998e02376",
                "sha256": "26721b2669943d57f9de57614a11077b7c3f3036396d48c3e54cbf0effd2268e",
                "sha512": "21bea0ff94a748826041a1a8b3b9189090340086469ec62d31cf0d263c743fc2e>
                "error": "",
                "verified_certificate": true,
                "certificate": {
                    "Md5": "556c6019249bbc0cab70495178d3a9d1",
                    "Sha1": "38a0f7d505fe18fec64fbf343ecaaaf310dbd799",
                    "Sha256": "3987d043d10aefaf5a8710b3671418fe57e0e19b653c9df82558feb5ffce5>
                    "ValidFrom": "2010-06-25T23:07:16Z",
                    "ValidTo": "2044-02-15T23:07:16Z",
                    "Issuer": "C=US, ST=California, L=Santa Clara, O=WhatsApp Inc., OU=Engin>.
                    "Subject": "C=US, ST=California, L=Santa Clara, O=WhatsApp Inc., OU=Engi>
                    "SignatureAlgorithm": "DSA-SHA1",
                    "SerialNumber": 1277507236
                },
                "certificate_error": "",
                "trusted_certificate": true
            }
        ],
        "installer": "com.facebook.system",
        "uid": 10267,
        "disabled": false,
        "system": false,
        "third_party": true
    }
]

Example of ADB package listing command output:

package:/system/system_ext/priv-app/QuickAccessWallet/QuickAccessWallet.apk=com.android.systemui.plugin.globalactions.wallet
package:/apex/com.android.mediaprovider/priv-app/MediaProvider@AP2A.240905.003/MediaProvider.apk=com.android.providers.media.module
package:/system/product/overlay/IconPackCircularAndroid/IconPackCircularAndroidOverlay.apk=com.android.theme.icon_pack.circular.android
package:/system/app/MotoSignatureApp/MotoSignatureApp.apk=com.motorola.motosignature.app
package:/system/product/priv-app/Eleven/Eleven.apk=org.lineageos.eleven
package:/system/app/BookmarkProvider/BookmarkProvider.apk=com.android.bookmarkprovider
package:/system/app/CaptivePortalLogin/CaptivePortalLogin.apk=com.android.captiveportallogin
package:/system/product/overlay/IconPackFilledSystemUI/IconPackFilledSystemUIOverlay.apk=com.android.theme.icon_pack.filled.systemui
package:/apex/com.android.adservices/priv-app/AdServicesApk@AP2A.240905.003/AdServicesApk.apk=com.android.adservices.api
package:/system/system_ext/app/AccessibilityMenu/AccessibilityMenu.apk=com.android.systemui.accessibility.accessibilitymenu
package:/system/product/priv-app/MotCamera2/MotCamera2.apk=com.motorola.camera2
package:/apex/com.android.uwb/priv-app/ServiceUwbResources@AP2A.240905.003/ServiceUwbResources.apk=com.android.uwb.resources
package:/system/system_ext/app/MotoActions/MotoActions.apk=org.lineageos.settings.device
package:/system/product/priv-app/AndroidAutoStub/AndroidAutoStub.apk=com.google.android.projection.gearhead
package:/system/product/overlay/LineageSettingsProvider__lineage_ocean__auto_generated_rro_product.apk=org.lineageos.lineagesettings.auto_generated_rro_product__
package:/apex/com.android.cellbroadcast/priv-app/CellBroadcastServiceModule@AP2A.240905.003/CellBroadcastServiceModule.apk=com.android.cellbroadcastservice
package:/apex/com.android.cellbroadcast/priv-app/CellBroadcastApp@AP2A.240905.003/CellBroadcastApp.apk=com.android.cellbroadcastreceiver.module
package:/system/system_ext/app/QtiTelephonyService/QtiTelephonyService.apk=com.qualcomm.qti.telephonyservice
package:/system/system/product/overlay/FontRubik/FontRubikOverlay.apk=org.lineageos.overlay.font.rubik
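
One way to triage packages.json with the fields described above, as an added example that is not part of AndroidQF or MVT: it matches package names and APK hashes against an indicator list, reports certificate problems on third-party apps and groups third-party apps by installer. The function names, the indicator values and the sample entries are constructed, and treating a non-empty certificate_error or a false verified_certificate as a problem is an assumption about those fields.

```python
import json


def triage_packages(packages, ioc_names=(), ioc_sha256=()):
    """Return (package, reason) findings for entries parsed from packages.json."""
    names = set(ioc_names)
    hashes = {h.lower() for h in ioc_sha256}
    findings = []
    for pkg in packages:
        name = pkg.get("name", "")
        if name in names:
            findings.append((name, "package name matches indicator"))
        # A package can list several files (base APK plus split APKs).
        for apk in pkg.get("files") or []:
            path = apk.get("path", "")
            if (apk.get("sha256") or "").lower() in hashes:
                findings.append((name, f"sha256 matches indicator: {path}"))
            if apk.get("error"):
                findings.append((name, f"file could not be processed: {path}"))
            # Signature problems matter most for apps that did not ship with the OS.
            if pkg.get("third_party") and (
                apk.get("certificate_error") or apk.get("verified_certificate") is False
            ):
                findings.append((name, f"certificate not verified: {path}"))
    return findings


def third_party_by_installer(packages):
    """Group enabled third-party packages by the app that installed them."""
    groups = {}
    for pkg in packages:
        if pkg.get("third_party") and not pkg.get("disabled"):
            installer = pkg.get("installer") or "(none)"
            groups.setdefault(installer, []).append(pkg.get("name", ""))
    return groups


# Constructed sample with the same keys as the AndroidQF example above.
SAMPLE = json.dumps([
    {"name": "com.example.notes", "installer": "com.example.store",
     "disabled": False, "system": False, "third_party": True,
     "files": [{"path": "/data/app/com.example.notes/base.apk",
                "sha256": "AB" * 32, "error": "",
                "verified_certificate": True, "certificate_error": ""}]},
    {"name": "com.example.flashlight", "installer": "",
     "disabled": False, "system": False, "third_party": True,
     "files": [{"path": "/data/app/com.example.flashlight/base.apk",
                "sha256": "cd" * 32, "error": "",
                "verified_certificate": False,
                "certificate_error": "constructed error text"}]},
    {"name": "com.example.systemapp", "installer": "",
     "disabled": False, "system": True, "third_party": False, "files": None},
])

# Constructed indicators; in practice these come from a published IOC list.
IOC_NAMES = {"com.example.flashlight"}
IOC_SHA256 = {"ab" * 32}

if __name__ == "__main__":
    pkgs = json.loads(SAMPLE)
    for name, reason in triage_packages(pkgs, IOC_NAMES, IOC_SHA256):
        print(f"{name}: {reason}")
    print(third_party_by_installer(pkgs))
```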

apks/

The information in this folder is generated by the packages.go module.

What is included in this file?

This directory contains the APKs extracted from the device. These are the files used for the installation of apps that were present in the system upon conducting the analysis.

The ADB equivalent command of this module is as follows:

adb pull <path_apk> <path_local>

Why is this important?

The analysis of the APKs installed on the device can reveal potentially malicious software, either embedded in existing apps or masking itself as a different application. The information in this folder also helps in doing a more in-depth review of APKs, including verifying their authenticity and potentially engaging in reverse engineering to gather further intelligence and indicators of compromise.

Example of content returned by executing ADB command to download APKs:

$ adb pull /system/system_ext/priv-app/QuickAccessWallet/QuickAccessWallet.apk
/system/system_ext/priv-app/priv-app/QuickAccessWallet... 0 skipped. 8.6 MB/s (745270 bytes in 0.083s)

processes.txt

The information in this file is generated by the processes.go module.

What is included in this file?

This file is in json format and contains detailed information about running processes.

This file presents the information in a structured form in the following order: identifiers, execution details, resource consumption and process status.

The ADB equivalent command of this module is as follows:

adb shell ps -A

Why is this important?

This file provides additional information about the processes that are executed on the device. Information about processes is sometimes available as part of the IOCs of certain malicious activities, and it is also helpful for analyzing apps and processes in depth and understanding the relationships between them (by exploring parent processes), among other characteristics.

Example of file contents:

[
    {
        "pid": 1,
        "uid": 0,
        "ppid": 0,
        "pgroup": 0,
        "psid": 0,
        "filename": "(init)",
        "priority": 0,
        "state": "S",
        "user_time": 0,
        "kernel_time": 0,
        "path": "/system/bin/init",
        "context": "u:r:init:s0",
        "previous_context": "u:r:kernel:s0",
        "command_line": ["/system/bin/init", "second_stage"],
        "env": null,
        "cwd": "/"
    },
    {
        "pid": 2,
        "uid": 0,
        "ppid": 0,
        "pgroup": 0,
        "psid": 0,
        "filename": "(kthreadd)",
        "priority": 0,
        "state": "S",
        "user_time": 0,
        "kernel_time": 0,
        "path": "",
        "context": "u:r:kernel:s0",
        "previous_context": "u:r:kernel:s0",
        "command_line": null,
        "env": null,
        "cwd": ""
    },
    {
        "pid": 20430,
        "uid": 0,
        "ppid": 0,
        "pgroup": 0,
        "psid": 0,
        "filename": "(com.whatsapp)",
        "priority": 0,
        "state": "",
        "user_time": 0,
        "kernel_time": 0,
        "path": "",
        "context": "u:r:untrusted_app:s0:c11,c257,c512,c768",
        "previous_context": "u:r:init:s0",
        "command_line": [
            "com.whatsapp"
        ],
        "env": null,
        "cwd": ""
    }
]

Example of content returned by ADB command execution:

USER PID PPID VSZ RSS WCHAN ADDR S NAME
root 1 0 11066580 10020 0 0 S init
root 2 0 0 0 0 0 S [kthreadd]
root 4 2 0 0 0 0 S [kworker/0:0H]
root 5 2 0 0 0 0 S [kworker/u16:0]
root 6 2 0 0 0 0 S [ksoftirqd/0]
root 7 2 0 0 0 0 S [rcu_preempt]
root 8 2 0 0 0 0 S [rcu_sched]
root 9 2 0 0 0 0 S [rcu_bh]
root 10 2 0 0 0 0 S [rcuop/0]
root 11 2 0 0 0 0 S [rcuos/0]
root 12 2 0 0 0 0 S [rcuob/0]
root 13 2 0 0 0 0 S [migration/0]
root 14 2 0 0 0 0 S [lru-add-drain]
root 15 2 0 0 0 0 S [cpuhp/0]
root 16 2 0 0 0 0 S [cpuhp/1]
system 987 1 10866216 3536 0 0 S android.hardware.graphics.allocator@2.0-service
system 988 1 11113564 10352 0 0 S android.hardware.graphics.composer@2.1-service
system 989 1 10791636 3268 0 0 S android.hardware.health@2.1-service
system 990 1 10784848 3080 0 0 S android.hardware.light@2.0-service.msm8953
system 991 1 10836444 3044 0 0 S android.hardware.memtrack@1.0-service
system 992 1 10866528 4276 0 0 S android.hardware.power-service-qti
system 996 1 10820064 2996 0 0 S android.hardware.thermal@1.0-service
system 999 1 10802340 3188 0 0 S android.hardware.usb@1.0-service
wifi 1002 1 11082236 5180 0 0 S android.hardware.wifi-service
system 1003 1 10870516 3864 0 0 S vendor.display.color@1.0-service
system 1004 1 10830264 3552 0 0 S vendor.lineage.health-service.default

Learn more

services.txt

The information in this file is generated by the services.go module.

What is included in this file?

This file is in txt format and contains detailed information about the running services.

The structure of the file is the name of the service and the process or package that is running for that service.

The ADB equivalent command for this module is as follows:

adb shell service list

Why is this important?

This file can help identify suspicious services and detect expected services that have been halted and are no longer running. It is useful for confirming that all the services needed to maintain the security and integrity of the device are running.

Example:

Found 368 services:
0   AtlasService: [android.atlas.service]
1   DockObserver: []
9   accessibility: [android.view.accessibility.IAccessibilityManager]
10  account: [android.accounts.IAccountManager]
11  activity: [android.app.IActivityManager]
13  adb: [android.debug.IAdbManager]
16  alarm: [android.app.IAlarmManager]
26  android.hardware.power.IPower/default: [android.hardware.power.IPower]
27  android.hardware.power.stats.IPowerStats/default: []
43  anrmanager: [android.app.IAnrManager]
44  anti_root_dialog: [com.oplus.exsystemservice.antirootdialog.IAntiRootDialog]
50  appops: [com.android.internal.app.IAppOpsService]
56  audio: [android.media.IAudioService]
61  battery: []
63  batterystats: [com.android.internal.app.IBatteryStats]
68  bugreport: [android.os.IDumpstate]
70  cacheinfo: []
72  clipboard: [android.content.IClipboard]
78  connectivity: [android.net.IConnectivityManager]
84  cpuinfo: []
85  critical.log: []
89  dbinfo: []
130 input: [android.hardware.input.IInputManager]
133 installd: []
146 location: [android.location.ILocationManager]
149 logcat: [android.os.logcat.ILogcatManagerService]
169 meminfo: []
181 netstats: [android.net.INetworkStatsService]
191 notification: [android.app.INotificationManager]
234 package: [android.content.pm.IPackageManager]
238 permission: [android.os.IPermissionController]
240 permissionmgr: [android.permission.IPermissionManager]
242 phone: [com.android.internal.telephony.ITelephony]
247 power: [android.os.IPowerManager]
248 power_hal_mgr_service: [com.mediatek.powerhalmgr.IPowerHalMgr]
249 power_monitor: [com.oplus.os.IOplusPowerMonitor]
250 powerstats: []
252 processinfo: [android.os.IProcessInfoService]
253 procstats: [com.android.internal.app.procstats.IProcessStats]
255 recovery: [android.os.IRecoverySystem]
273 sensorservice: [android.gui.SensorServer]
274 serial: [android.hardware.ISerialManager]
276 settings: []
298 system_server_dumper: []
299 system_update: [android.os.ISystemUpdateManager]
301 telecom: [com.android.internal.telecom.ITelecomService]
302 telephony.registry: [com.android.internal.telephony.ITelephonyRegistry]
314 tracing.proxy: [android.tracing.ITracingServiceProxy]
322 usb: [android.hardware.usb.IUsbManager]
323 user: [android.os.IUserManager]
354 virtualdevice: [android.companion.virtual.IVirtualDeviceManager]
355 vodata: [com.mediatek.ims.internal.IVoDataService]
357 vold: []
358 vpn_management: [android.net.IVpnManager]
363 wifi: [android.net.wifi.IWifiManager]
367 window: [android.view.IWindowManager]
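
One way to check for halted or unexpected services is to diff an acquired services.txt against a reference listing. The following is an added example, not AndroidQF code; it assumes the reference comes from a known-good device of the same model and build, and the sample listings are constructed.

```python
import re

# One entry per line: "<index> <service name>: [<bracketed value>]"
SERVICE_LINE = re.compile(r"^\s*(\d+)\s+(\S+): \[(.*)\]\s*$")

def parse_services(text):
    """Return {service name: bracketed value} from `service list` output."""
    services = {}
    for line in text.splitlines():
        match = SERVICE_LINE.match(line)
        if match:
            services[match.group(2)] = match.group(3)
    return services

def declared_count(text):
    """Number announced in the 'Found N services:' header, or None."""
    match = re.search(r"^Found (\d+) services:", text, re.MULTILINE)
    return int(match.group(1)) if match else None

def compare(baseline_text, acquired_text):
    """Diff an acquired services.txt against a known-good reference."""
    base = parse_services(baseline_text)
    acquired = parse_services(acquired_text)
    return {
        "missing": sorted(set(base) - set(acquired)),
        "added": sorted(set(acquired) - set(base)),
        "changed": sorted(n for n in base.keys() & acquired.keys()
                          if base[n] != acquired[n]),
        # True when the parsed entries do not match the header's count
        "incomplete": declared_count(acquired_text) != len(acquired),
    }

# Constructed sample data, not taken from a real device.
BASELINE = """Found 4 services:
0   activity: [android.app.IActivityManager]
1   adb: [android.debug.IAdbManager]
2   package: [android.content.pm.IPackageManager]
3   vold: []
"""
ACQUIRED = """Found 4 services:
0   activity: [android.app.IActivityManager]
1   adb: [android.debug.IAdbManager]
2   example_helper: [com.example.helper.IHelper]
3   package: [com.example.IPackageManager]
"""

if __name__ == "__main__":
    print(compare(BASELINE, ACQUIRED))
```
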


root_binaries.json

The information on this file is generated by the root_binaries.go module, and is intended to provide guidance on whether the device is running with root privileges or not.

What is included in this file?

This file is in JSON format and records which binaries from a fixed list are present on the system.

The binaries on that list are used to gain root access or elevate privileges on the device.

The list of binaries and files is:

  • su
  • busybox
  • supersu
  • Superuser.apk
  • KingoUser.apk
  • SuperSu.apk
  • magisk
  • magiskhide
  • magiskinit
  • magiskpolicy

If none of these files are present on the device, the file will contain an empty list.

The equivalent ADB commands for this module are as follows:

adb shell "which -a su"
adb shell "which -a busybox"
adb shell "which -a supersu"
adb shell "which -a Superuser.apk"
adb shell "which -a KingoUser.apk"
adb shell "which -a SuperSu.apk"
adb shell "which -a magisk"
adb shell "which -a magiskhide"
adb shell "which -a magiskinit"
adb shell "which -a magiskpolicy"

Why is this important?

This file can help detect tools used to obtain root access on the device. Their presence might indicate unauthorized access or an escalation of privileges. It might also indicate that the phone was rooted by its owner. The command also provides a list of the binaries found, which can help in understanding how the device was rooted.

Example:

In case the device is not rooted, the output will be something like:

[]

When the module identifies rooting-related binaries in the standard system paths on the device, the file will contain a list of the paths to the detected binaries.

Example of content returned by running AndroidQF and ADB command:

[
    "/system/xbin/su",
    "/system/bin/su",
    "/data/local/xbin/su",
    "/data/local/bin/busybox",
    "/sbin/su",
    "/su/bin/magisk",
    "/system/bin/.ext/.su",
    "/data/local/tmp/Superuser.apk",
    "/data/local/tmp/magiskhide"
]

Information about files on the device

backup.ab

The information in this file is generated by the backup.go module.

This module is specifically designed for backing up data that is stored on Android mobile devices.

What is included in this file?

This file is in binary format and contains data related to backing up applications and device settings. The binary data in this file is compressed and includes sensitive device information.

Depending on the option selected in androidqf, the file contains either only the SMS messages or a copy of the data of those applications that declare in their manifest that they allow backups. It is worth noting that this function is rarely used nowadays, so it does not represent a reliable backup of the device.

This compressed file can be analyzed with MVT using the command mvt-android check-backup backup.ab.

The equivalent ADB commands for this module are as follows:

SMS-only equivalent command:

adb backup com.android.providers.telephony

Equivalent command for full backup:

adb backup -all

Why is this important?

This module generates a backup copy of the device, which helps preserve relevant evidence such as SMS messages or system configurations. It also preserves, in one piece, information potentially related to security incidents or phishing attacks so that it can be used for further analysis.

Example:

Example of content returned by running AndroidQF:

(Binary data containing app backups and settings)
414e 4452 4f49 4420 4241 434b 5550 0a35
0a30 0a6e 6f6e 650a 6170 7073 2f63 6f6d
2e61 6e64 726f 6964 2e63 7473 2e63 7473
7368 696d 2f5f 6d61 6e69 6665 7374 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 3030 3036
3030 2000 3031 3735 3000 0000 3031 3735
3000 0000 3030 3030 3030 3034 3537 3600
3000 0000 0000 0000 0000 0000 3031 3430
3134 0020 3000 0000 0000 0000 0000 0000
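
The first bytes of the dump above decode to four text lines (ANDROID BACKUP, 5, 0, none: magic, format version, compression flag, encryption) followed by a tar archive. The following added example, which is not AndroidQF or MVT code, reads that header and lists the archive entries of an unencrypted backup; the sample backup it builds is constructed.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def read_ab_header(data):
    """Split an .ab file into its four header lines and the payload."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    return {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
        "payload": parts[4],
    }

def list_backup_entries(data):
    """Return (name, size) for each tar member of an unencrypted backup."""
    header = read_ab_header(data)
    if header["encryption"] != "none":
        raise ValueError("backup is encrypted: " + header["encryption"])
    payload = header["payload"]
    if header["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return [(member.name, member.size) for member in tar.getmembers()]

def build_sample(compressed, encryption=b"none"):
    """Constructed backup holding one small file, for demonstration only."""
    body = b"constructed manifest"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo("apps/com.android.cts.ctsshim/_manifest")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    flag = b"1" if compressed else b"0"
    return b"\n".join([MAGIC, b"5", flag, encryption, payload])

if __name__ == "__main__":
    for compressed in (False, True):
        print(list_backup_entries(build_sample(compressed)))
```
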


files.json

The information on this file is generated using the files.go module.

What is included in this file?

This file is in JSON format and contains a record of the files, with their metadata, found under the following paths:

  • /sdcard/
  • /system/
  • /system_ext/
  • /vendor/
  • /cust/
  • /product/
  • /apex/
  • /data/local/tmp/
  • /data/media/0/
  • /data/misc/radio/
  • /data/vendor/secradio/
  • /data/log/
  • /tmp/
  • /
  • /data/data/

Each entry includes metadata such as the full file path, size, timestamps (last file modification and last file access), file permissions, owner identifier, error messages, and the sha1, sha256, sha512 and md5 hashes if pre-computed.

The equivalent ADB commands of this module are as follows:

adb shell "find /sdcard/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /system/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /system_ext/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /vendor/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /cust/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /product/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /apex/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /data/local/tmp/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /data/media/0/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /data/misc/radio/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /data/vendor/secradio/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /data/log/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /tmp/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find / -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"
adb shell "find /data/data/ -printf '%T@ %m %s %u %g %p\n' 2>/dev/null"


Why is this important?

This file is relevant for identifying files of interest in a forensic investigation, including files potentially used by attackers to compromise a device, and for performing timely analysis to track malicious activity.

Example:

Example of content returned by running AndroidQF:

{
        "path": "/sdcard/Android/.Trash/com.sec.android.app.myfiles/.nomedia",
        "size": 62,
        "mode":"-rw-rw----",
        "user_id": 10276,
        "user_name": "",
        "group_id": 1023,
        "group_name": "",
        "changed_time": 1722868692,
        "modified_time": 1722868692,
        "access_time": 1714937715,
        "error": "",
        "context": "u:object_r:fuse:s0",
        "sha1": "",
        "sha256": "",
        "sha512": "",
        "md5": ""
}

Example of content returned by ADB command execution:

1762885286.638000649 770 3464 root everybody /sdcard/
1762885284.208000407 770 3464 root everybody /sdcard/Android
1762886328.989657481 771 3464 root sdcard_rw /sdcard/Android/data
1230768000.0 755 4096 root root /system/
1230768000.0 755 16384 root root /system/lib
1230768000.0 644 56516 root root /system/lib/aaudio-aidl-cpp.so
174618780.323371170 755 4096 root root /system_ext/
1230768000.0 755 4096 root root /system_ext/lib
1230768000.0 644 197552 root root /system_ext/lib/com.qualcomm.qti.imscmservice@2.0.so
1230768000.0 755 4096 root shell /vendor/
1230768000.0 755 4096 root shell /vendor/vendor_dlkm
1230768000.0 755 4096 root shell /vendor/vendor_dlkm/etc
174618784.276704897 755 4096 root root /product/
174618779.613371100 755 4096 root root /product/lib
174618779.620037767 644 943652 root root /product/lib/libjni_latinimegoogle.so
210875820.303334210 755 1380 root root /apex/
210875816.683333849 771 3464 shell shell /data/local/tmp/
1726625293.972938149 755 4096 root root /
210875815.30000351 710 80 shell everybody /storage
1230768000.0 644 11 root root /etc
1762885284.64667059 771 24576 system system /data/data/
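
The two output formats above can be brought together for triage. The following added example, which is not AndroidQF code, maps lines of the find output onto the key names used in files.json and builds a UTC timeline for selected paths; the path prefixes chosen and all sample records are constructed assumptions.

```python
from datetime import datetime, timezone

def parse_find_line(line):
    """Map one '%T@ %m %s %u %g %p' line onto files.json-style keys."""
    # maxsplit=5 keeps paths that contain spaces in one piece
    mtime, mode, size, user, group, path = line.rstrip("\n").split(" ", 5)
    return {
        "path": path,
        "size": int(size),
        "mode": mode,  # octal bits here; files.json stores "-rw-rw----" style
        "user_name": user,
        "group_name": group,
        "modified_time": int(float(mtime)),
        "error": "",
    }

def timeline(records, prefixes):
    """(UTC time, path) for records under the given prefixes, oldest first."""
    hits = [r for r in records
            if r["path"].startswith(tuple(prefixes)) and not r.get("error")]
    hits.sort(key=lambda r: (r["modified_time"], r["path"]))
    return [(datetime.fromtimestamp(r["modified_time"], timezone.utc)
             .strftime("%Y-%m-%dT%H:%M:%SZ"), r["path"]) for r in hits]

# Constructed samples: one files.json-style record and two find output lines.
JSON_RECORDS = [{"path": "/data/local/tmp/example.bin", "size": 62,
                 "mode": "-rwxr-xr-x", "modified_time": 1700000000, "error": ""}]
FIND_LINES = [
    "1700000060.5 755 4096 shell shell /data/local/tmp/example dir",
    "1230768000.0 644 56516 root root /system/lib/libexample.so",
]

def demo():
    """Merge both sources and list entries under the temporary directories."""
    records = JSON_RECORDS + [parse_find_line(line) for line in FIND_LINES]
    return timeline(records, ["/data/local/tmp/", "/tmp/"])

if __name__ == "__main__":
    for when, path in demo():
        print(when, path)
```
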
