AndroidQF output file dictionary
This document is part of a technical documentation repository whose main objective is to establish a baseline of proven, flexible and accessible knowledge to boost consensual forensic analysis in support of civil society across the globe. To organize the contents, we use the technical documentation framework Diátaxis.
This particular resource fits within the reference category of Diátaxis and contains information about the files generated by the tool androidqf when performing a forensic extraction of an Android device. The objective is to facilitate understanding of the resulting files, including what information they contain and why it can be useful from a forensic standpoint.
This resource was last updated on June 16, 2025, and for the presentation of the information we based our research on androidqf commit bd84c2bc. This resource was originally developed in Spanish, and translated with the support of Marianne Parrott.
Androidqf is a forensic extraction tool that is part of the Mobile Verification Toolkit (MVT) project. It was initially developed by Claudio Guarnieri and is currently maintained by the Amnesty International Security Lab.
The name of the tool comes from Android Quick Forensics. It is a portable tool, which means it can be executed on Windows, GNU/Linux and macOS from a precompiled binary, without requiring installation. This simplifies the acquisition of key forensic information from Android devices, especially in remote scenarios.
The information generated by androidqf can be grouped into 5 main categories:
- Acquisition and extraction
- Device information and configuration
- System logs and events
- Processes and applications
- Information backed up from the device
Acquisition and extraction
acquisition.json
The information in this file is generated by the acquisition.go module.
What is included in this file?
This file is in JSON format and records information related to the data acquisition process of the device. It contains the following details:
- UUID of the extraction, which is also used as the name of the folder where the information is stored.
- Version of androidqf.
- Location where the extraction is stored.
- Date and time of start and end of the acquisition.
- Information of the collector binary used.
- Information of the ADB binary used.
- Location of the SD card storage.
- CPU architecture of the device.
Why is this important?
This file provides general information about the extraction and the device, including unique identifiers that can be helpful to ensure the chain of custody of the forensic evidence.
Example:
{
  "uuid": "0f615832-ed22-411e-9317-b429d28ecf9a",
  "androidqf_version": "v1.7.0-1-gf7642bf",
  "storage_path": "/home/user/0f615832-ed22-411e-9317-b429d28ecf9a",
  "started": "2025-01-01T18:36:37.443498116Z",
  "completed": "2025-01-01T18:50:04.947856405Z",
  "collector": {
    "ExePath": "/data/local/tmp/collector",
    "Installed": false,
    "Adb": {
      "ExePath": "/usr/bin/adb"
    },
    "Architecture": "arm64-v8a"
  },
  "tmp_dir": "/data/local/tmp/",
  "sdcard": "/sdcard/",
  "cpu": "arm64-v8a"
}
command.log
The information in this file is generated by the logger.go module, which records detailed logs of the device acquisition process.
What is included in this file?
This file is in plain text with a .log extension and contains a record of the commands executed during data acquisition. It documents each command used (DEBUG) and its output on screen (INFO), warning messages (WARNING) and error messages (ERROR) during execution. It uses the following structure:
- Date and time of the command or message
- Type of message
- Content of the message
Why is this important?
This file presents a log of the actions performed by the app during the data acquisition process. This allows the analyst to verify the completeness of the extraction, to ensure all steps were performed. In case of errors, it also provides information to debug and fix potential issues.
Example:
2025-01-01T14:22:39-06:00 [INFO] Started new acquisition in /home/user/1c3c6742-f225-479f-a836-4a6a86a056b7
2025-01-01T14:22:39-06:00 [INFO] Would you like to take a backup of the device?
2025-01-01T14:22:41-06:00 [INFO] Generating a backup with argument com.android.providers.telephony. Please check the device to authorize the backup...
2025-01-01T14:22:52-06:00 [INFO] Backup completed!
2025-01-01T14:22:52-06:00 [INFO] Collecting information on installed apps. This might take a while...
2025-01-01T14:22:52-06:00 [INFO] Collecting device properties...
2025-01-01T14:22:52-06:00 [INFO] Collecting device diagnostic information. This might take a while...
2025-01-01T14:24:11-06:00 [INFO] Collecting list of running processes...
2025-01-01T14:24:11-06:00 [DEBUG] Deploying collector binary 'collector_arm64' for architecture 'arm64-v8a'.
2025-01-01T14:24:11-06:00 [INFO] Collecting list of services...
2025-01-01T14:24:12-06:00 [INFO] Generating a bugreport for the device...
2025-01-01T14:26:22-06:00 [DEBUG] Bugreport completed!
2025-01-01T14:26:22-06:00 [INFO] Collecting list of files... This might take a while...
2025-01-01T14:26:22-06:00 [DEBUG] Using collector to collect list of files
2025-01-01T14:39:20-06:00 [INFO] Collecting device settings...
2025-01-01T14:39:20-06:00 [INFO] Collecting SELinux status...
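The completeness check described above can be automated. The following parser is an added example and is not part of androidqf; it reads command.log lines of the form shown above, counts them by level, lists the WARNING and ERROR entries, and reports which expected acquisition steps never appear. The sample log is constructed (the WARNING and ERROR lines are invented to exercise that path), and the list of expected step messages is an assumption taken from the example output above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the command.log lines shown above; the WARNING
# and ERROR lines are invented so the problem-reporting path is exercised.
SAMPLE_COMMAND_LOG = """\
2025-01-01T14:22:39-06:00 [INFO] Started new acquisition in /home/user/1c3c6742-f225-479f-a836-4a6a86a056b7
2025-01-01T14:22:52-06:00 [INFO] Collecting information on installed apps. This might take a while...
2025-01-01T14:24:11-06:00 [DEBUG] Deploying collector binary 'collector_arm64' for architecture 'arm64-v8a'.
2025-01-01T14:24:12-06:00 [WARNING] collector binary could not be deployed, falling back to shell commands (constructed)
2025-01-01T14:26:22-06:00 [INFO] Collecting list of files... This might take a while...
2025-01-01T14:39:20-06:00 [INFO] Collecting SELinux status...
2025-01-01T14:39:20-06:00 [ERROR] failed to run getenforce on the device (constructed)
"""

# <timestamp> [<LEVEL>] <message>, the structure described in "What is included in this file?"
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<level>DEBUG|INFO|WARNING|ERROR)\] (?P<msg>.*)$")

# Steps an analyst expects to find, keyed by the INFO message printed when the step starts.
# The prefixes are taken from the example log above (assumption: they are stable across runs).
EXPECTED_STEPS = {
    "apps": "Collecting information on installed apps",
    "properties": "Collecting device properties",
    "files": "Collecting list of files",
    "settings": "Collecting device settings",
    "selinux": "Collecting SELinux status",
}


def parse_command_log(text):
    """Return one dict per well-formed log line; continuation lines without a timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"ts": datetime.fromisoformat(m["ts"]), "level": m["level"], "msg": m["msg"]})
    return entries


def summarize(entries):
    """Count levels, collect WARNING/ERROR lines and report expected steps that never started."""
    counts = Counter(e["level"] for e in entries)
    problems = [(e["level"], e["msg"]) for e in entries if e["level"] in ("WARNING", "ERROR")]
    started = {name for name, prefix in EXPECTED_STEPS.items()
               if any(e["msg"].startswith(prefix) for e in entries)}
    missing = sorted(set(EXPECTED_STEPS) - started)
    duration_s = (entries[-1]["ts"] - entries[0]["ts"]).total_seconds() if entries else 0.0
    return {"counts": dict(counts), "problems": problems, "missing_steps": missing, "duration_s": duration_s}


if __name__ == "__main__":
    report = summarize(parse_command_log(SAMPLE_COMMAND_LOG))
    print(f"acquisition took {report['duration_s']:.0f}s, levels: {report['counts']}")
    for level, msg in report["problems"]:
        print(f"  {level}: {msg}")
    print("steps not found:", report["missing_steps"])
```

The duration is taken from the first and last timestamps, so it includes time spent waiting for the user to authorize the backup on the device; compare it with the started/completed fields in acquisition.json when the two disagree.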
hashes.csv
The information in this file is generated by the HashFiles function of the acquisition.go module.
What is included in this file?
This file is in CSV format and stores the SHA-256 hashes for each file generated during extraction or extracted from the device. It uses the following format:
- File name and location
- Hash value using SHA-256
Why is this important?
The hashes help to guarantee the integrity of the information and ensure that it has not been modified after acquisition, facilitating independent verification and chain of custody.
Example:
2ab44150-35d3-4b40-a820-c9152fe93a13\apks\gov.dhs.cbp.cbpone_gov.dhs.cbp.cbpone-NYwrqdamzef6AVKRRGXzgA.apk,2d553aada9039d4def18a09b84c317a70d9fdde87524a043db5f0eeb1862e89a
2ab44150-35d3-4b40-a820-c9152fe93a13\backup.ab,48202a8cb422d7eeb12ff8ad13fac3a67b37600c63eae8089d9674465da32990
2ab44150-35d3-4b40-a820-c9152fe93a13\bugreport.zip,ec82812dba70891b78d7130dc16e3474918e4a0e02bb15ec00e1015679f720ee
2ab44150-35d3-4b40-a820-c9152fe93a13\command.log,c0ae883bebee7503b0ca94a54cdbb43628602046c68b770c760f730a55d6dc8c
2ab44150-35d3-4b40-a820-c9152fe93a13\dumpsys.txt,e54a613502ca362584766c0f75e17ca366d7ecdc4aa6869c50424dff83acbc15
2ab44150-35d3-4b40-a820-c9152fe93a13\env.txt,387301687084cca0e124a9c365e930b4e5e6303b3e6f9dc64e2146f168b79c1a
2ab44150-35d3-4b40-a820-c9152fe93a13\files.json,832f8121a69f131c9f434e1ca68d7b1e2deda40de72ff8396ea386a6a8cf69d3
2ab44150-35d3-4b40-a820-c9152fe93a13\getprop.txt,b8dbad7e900aeeb3c60e48dd988c44905741a7e5b124055a09c2c417aa1556b3
2ab44150-35d3-4b40-a820-c9152fe93a13\hashes.csv,cea94f56c720436d217b44ee746e2a6d69ddd226325a94bf3a3adeb32be4658a
2ab44150-35d3-4b40-a820-c9152fe93a13\logcat.txt,6c080ba0357c6e82818e5a89135ff06aa9386f811daf898fc1797e1b9e6299d3
2ab44150-35d3-4b40-a820-c9152fe93a13\logs\data\anr\anr_2024-12-20-00-11-38-831,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2ab44150-35d3-4b40-a820-c9152fe93a13\logs\sdcard\log\thermal_log-shm,e9eed4a2f55edd11e022b7b089d69a5de929d2bd484041a64e957861a5ab055b
2ab44150-35d3-4b40-a820-c9152fe93a13\packages.json,69d560bfbbb75e074a49d107811c350461badac885b3925ed816d716f1f1144a
2ab44150-35d3-4b40-a820-c9152fe93a13\processes.txt,9e933447e79e4743722691af88e9a4bdcc11029a92b84b0ebd9d54e0bfcf2694
2ab44150-35d3-4b40-a820-c9152fe93a13\root_binaries.json,4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
2ab44150-35d3-4b40-a820-c9152fe93a13\selinux.txt,1ca5672ae970bdc4f5b584898245b3d884e11deb6867e9563bdfbc8b82e8f62e
2ab44150-35d3-4b40-a820-c9152fe93a13\services.txt,b3ae6ad626b3a5ba8fc3b68771d42baf9795e03cc7b4b1ccbe361d9625e0f1fe
2ab44150-35d3-4b40-a820-c9152fe93a13\settings_global.txt,410f788450907331183ee36979e93fc7dc0b1805e574d1ac1d5fbc9869897c53
2ab44150-35d3-4b40-a820-c9152fe93a13\settings_secure.txt,be67f431c457edfb88d733594aba662310dbe3863c62da21cbf7dad5bcc0f136
2ab44150-35d3-4b40-a820-c9152fe93a13\settings_system.txt,b0e7452110867ca3f5c15ea52b9b9a198433a836f97d6fd8b95fcd39fd30c714
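An independent verification of hashes.csv is the chain-of-custody step this file exists for. The script below is an added example, not androidqf code: it recomputes SHA-256 over an acquisition folder and reports matching, mismatching, missing and empty files. It assumes the path layout seen above (a Windows-style path starting with the acquisition UUID, which it strips so the same file works on any host) and treats hashes.csv itself as unverifiable, since the file cannot contain the hash of its own final content. The demo acquisition it builds in a temporary directory is constructed.

```python
import csv
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# SHA-256 of zero bytes: an entry with this value means an empty file was pulled
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups and bugreports are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def relative_parts(entry):
    """Turn a hashes.csv path ('UUID\\logs\\x' or 'UUID/logs/x') into the parts below the UUID folder."""
    return PureWindowsPath(entry.replace("/", "\\")).parts[1:]


def verify_hashes(acq_dir):
    """Compare every hashes.csv entry against the file on disk inside acq_dir."""
    acq_dir = Path(acq_dir)
    report = {"ok": [], "mismatch": [], "missing": [], "empty": [], "skipped": []}
    with open(acq_dir / "hashes.csv", newline="") as fh:
        for row in csv.reader(fh):
            if len(row) != 2:
                continue
            parts = relative_parts(row[0])
            name = "/".join(parts)
            recorded = row[1].strip().lower()
            if recorded == EMPTY_SHA256:
                report["empty"].append(name)
            if parts == ("hashes.csv",):
                report["skipped"].append(name)  # cannot hold the hash of its own final content
                continue
            target = acq_dir.joinpath(*parts)
            if not target.is_file():
                report["missing"].append(name)
            elif sha256_of(target) == recorded:
                report["ok"].append(name)
            else:
                report["mismatch"].append(name)
    return report


def build_demo_acquisition():
    """Constructed acquisition folder: three files hashed, then one tampered with and one deleted."""
    uuid = "0f615832-ed22-411e-9317-b429d28ecf9a"
    acq = Path(tempfile.mkdtemp(prefix="androidqf-demo-")) / uuid
    (acq / "logs" / "data" / "anr").mkdir(parents=True)
    files = {
        "getprop.txt": b"[ro.hardware]: [qcom]\n",
        "selinux.txt": b"Enforcing\n",
        "logs/data/anr/anr_2024-12-20-00-11-38-831": b"",
    }
    for rel, data in files.items():
        (acq / rel).write_bytes(data)
    with open(acq / "hashes.csv", "w", newline="") as fh:
        writer = csv.writer(fh)
        for rel in files:
            writer.writerow([uuid + "\\" + rel.replace("/", "\\"), sha256_of(acq / rel)])
        writer.writerow([uuid + "\\hashes.csv", "0" * 64])
    # Simulate changes after acquisition: one file edited, one file removed
    (acq / "selinux.txt").write_bytes(b"Permissive\n")
    (acq / "logs/data/anr/anr_2024-12-20-00-11-38-831").unlink()
    return acq


if __name__ == "__main__":
    for status, names in verify_hashes(build_demo_acquisition()).items():
        print(f"{status:9s} {names}")
```

The ANR entry in the example above carries the empty-input hash, so that file was pulled with zero bytes; the `empty` list surfaces such cases so they are not mistaken for meaningful evidence.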
Device information and configuration
getprop.txt
The information in this file is generated by the getprop.go module.
What is included in this file?
This file is in TXT format and contains the output of the adb shell getprop command, which details the system properties.
System properties are key-value pairs of strings that are stored in the global build.prop dictionary or in .sysprop files, and provide a convenient way to share information, usually settings, throughout the system.
The information can be found in the following format:
[{prefix}.]{group}[.{subgroup}]*.{name}[.{type}]
The prefix ro is used for read-only properties, whose values cannot be changed once they have been set after boot. The prefix persist is used for properties that persist across reboots. Properties may also have no prefix, in which case they begin directly with the group they belong to.
The most common groups are:
- bluetooth, Bluetooth related
- boot, sysprops from kernel cmdline
- build, sysprops that identify a build
- telephony, telephony related
- audio, audio related
- graphics, graphics related
- vold, vold related
For more details, see the list of properties already defined in the Android source code.
Why is this important?
The properties provide important information about the device's hardware and software. Malicious software can alter them to hide its presence or to modify the device's behaviour without being noticed.
Example:
[property_name]: [value]
[aaudio.hw_burst_min_usec]: [2000]
[aaudio.mmap_exclusive_policy]: [2]
[aaudio.mmap_policy]: [2]
[apex.all.ready]: [true]
[bluetooth.device.class_of_device]: [90,2,12]
[ro.boot.product.model]: [SM-A715F]
[ro.boot.serialno]: [R58N84XXXXX]
[ro.bootimage.build.date]: [Thu Feb 29 13:55:21 +07 2024]
[ro.bootimage.build.date.utc]: [1709189721]
[ro.bootimage.build.fingerprint]: [samsung/a71naxx/a71:11/RP1A.200720.012/A715FXXSBDXB1:user/release-keys]
[ro.build.selinux]: [1]
[ro.build.selinux.enforce]: [1]
[ro.build.version.security_patch]: [2024-02-01]
[ro.gfx.driver.1]: [com.qualcomm.qti.gpudrivers.sm6150.api30]
[ro.hardware]: [qcom]
[ro.hardware.chipname]: [SM7150]
[ro.product.system.model]: [SM-A715F]
[ro.vendor.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist64]: [arm64-v8a]
Learn more
- Configuration overview | Android Open Source Project
- Implement system properties as APIs | Android Open Source Project
- Add system properties | Android Open Source Project
- Policy compatibility | Android Open Source Project
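To work with getprop.txt programmatically, the properties have to be parsed out of the [key]: [value] lines and decomposed according to the naming scheme above. The following code is an added example (not part of androidqf or Android): it parses the file, splits each name into prefix, group and remainder, and runs a few consistency checks using only properties that appear in the example output (the build's SELinux enforcing flag, the security patch level age, and whether the boot image fingerprint ends in release-keys). The sample input is constructed from the lines above, and the 180-day patch-age threshold is an assumption.

```python
import re
from datetime import date

# Constructed sample built from property lines in the getprop.txt example above
SAMPLE_GETPROP = """\
[bluetooth.device.class_of_device]: [90,2,12]
[ro.boot.product.model]: [SM-A715F]
[ro.bootimage.build.fingerprint]: [samsung/a71naxx/a71:11/RP1A.200720.012/A715FXXSBDXB1:user/release-keys]
[ro.build.selinux]: [1]
[ro.build.selinux.enforce]: [1]
[ro.build.version.security_patch]: [2024-02-01]
[ro.vendor.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")
PREFIXES = ("ro", "persist")


def parse_getprop(text):
    """Map property names to values; lines that do not follow [key]: [value] are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m["key"]] = m["value"]
    return props


def split_property(key):
    """Decompose a name per [{prefix}.]{group}[.{subgroup}]*.{name} into (prefix, group, remainder)."""
    parts = key.split(".")
    if parts[0] in PREFIXES and len(parts) > 1:
        return parts[0], parts[1], parts[2:]
    return None, parts[0], parts[1:]


def by_group(props):
    """Group property names by their group component (build, boot, bluetooth, ...)."""
    groups = {}
    for key in props:
        _, group, _ = split_property(key)
        groups.setdefault(group, []).append(key)
    return groups


def review(props, today, max_patch_age_days=180):
    """Consistency checks on properties shown in the example above; returns human-readable findings."""
    findings = []
    # Build-time SELinux flag; the runtime mode is what selinux.txt (getenforce) reports
    if props.get("ro.build.selinux.enforce") != "1":
        findings.append("ro.build.selinux.enforce is not 1: build not configured for SELinux enforcing")
    patch = props.get("ro.build.version.security_patch")
    if patch:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"security patch level {patch} is {age} days old")
    else:
        findings.append("ro.build.version.security_patch is missing")
    fingerprint = props.get("ro.bootimage.build.fingerprint", "")
    if fingerprint and not fingerprint.endswith("/release-keys"):
        findings.append(f"boot image fingerprint is not signed with release-keys: {fingerprint}")
    return findings


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    for group, keys in sorted(by_group(props).items()):
        print(f"{group}: {len(keys)} properties")
    for finding in review(props, date.today()):
        print("finding:", finding)
```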
selinux.txt
The information in this file is generated by the selinux.go module.
What is included in this file?
This file is in TXT format and contains the output of the adb shell getenforce command, which indicates the mode of the SELinux security policy applied on the device (enforcing, permissive, or disabled).
Why is this important?
SELinux is a key security layer in Android. Changes to its configuration can be an indication of compromises to the security of the device.
Example:
Enforcing
Learn more
settings_global.txt
The information in this file is generated by the settings.go module.
What is included in this file?
This file is in TXT format and contains the output of the adb shell cmd settings list global command, which shows preferences that always apply identically to all users of the device. Apps can read them but cannot write them; the user must modify them explicitly through the system user interface or through APIs specialized in these values.
These settings include development settings, boot count, and Bluetooth, Wi-Fi and telephony connection status. For the complete list of global preferences, please refer to the relevant Android documentation.
Why is this important?
It allows the identification of anomalous settings that could compromise the security, privacy or functionality of the device. Unusual default settings may signal intentional or accidental attempts to modify system behaviour.
Example:
Phenotype_boot_count=68
adb_enabled=1
airplane_mode_on=0
bluetooth_on=1
boot_count=71
bug_report=0
default_device_name=Galaxy A14 5G
package_verifier_user_consent=1
phone_play_store_availability=0
require_password_to_decrypt=1
spam_call_enable=1
subscription_mode=0
turnOff_5g_network_mode_set=0
wifi_networks_available_notification_on=0
wifi_on=1
wifi_scan_always_enabled=1
zram_enabled=1
Learn more
settings_secure.txt
The information in this file is generated by the settings.go module.
What is included in this file?
This file is in TXT format and contains the output of the adb shell cmd settings list secure command, which displays system security preferences that apps can read but not write. These are preferences that the user must explicitly modify through the user interface of a system app. Normal apps cannot modify the security settings database.
These settings include development settings, accessibility, location, data entry, screen lock, parental controls, text-to-speech, and Bluetooth, Wi-Fi and telephony connection.
For the complete list of security preferences, please refer to the relevant Android documentation.
Why is this important?
It allows the identification of anomalous settings that could compromise the security, privacy or functionality of the device. Unusual default settings may signal intentional or accidental attempts to modify system behaviour.
Example:
accessibility_allow_diagonal_scrolling=1
accessibility_button_mode=1
accessibility_button_target_component=com.android.settings/com.samsung.android.settings.accessibility.shortcut.AmplifyShortcut
accessibility_display_magnification_enabled=0
accessibility_enabled=0
android_id=af4de9XXXXXXXXXX
autofill_service=null
assistant=com.google.android.googlequicksearchbox/com.google.android.voiceinteraction.GsaVoiceInteractionService
aware_enabled=0
backup_auto_restore=1
backup_encryption_opt_in_displayed=1
bluetooth_settings_foreground=0
clipboard_show_access_notifications=0
default_input_method=com.samsung.android.honeyboard/.service.HoneyBoardService
fingerprint_screen_lock=1
location_mode=3
location_time_zone_detection_enabled=1
lockscreen.disabled=0
wifi_saved_state=0
Learn more
settings_system.txt
The information in this file is generated by the settings.go module.
What is included in this file?
This file is in TXT format and contains the output of the adb shell cmd settings list system command, which displays various general device preferences. These preferences affect the user experience and basic functionality of the device.
These settings include sensor options such as accelerometer or gyroscope, time zone, display, alarms, sound, vibration, updates, and Bluetooth, Wi-Fi and telephony connection.
For the complete list of system preferences, please refer to the relevant Android documentation.
Why is this important?
It allows the identification of anomalous settings that could compromise the security, privacy or functionality of the device. Unusual default settings may signal intentional or accidental attempts to modify system behaviour.
Example:
FOTA_CLIENT_POLLING_TIME=1710699386219
FOTA_CLIENT_REGISTRATION=1
FOTA_CLIENT_TEST=0
SEM_VIBRATION_FORCE_TOUCH_INTENSITY=4
SEM_VIBRATION_NOTIFICATION_INTENSITY=5
SOFTWARE_UPDATE_LAST_CHECKED_DATE=1728477705778
SOFTWARE_UPDATE_WIFI_ONLY2=1
alarm_alert_set=1
anykey_mode=0
aod_mode=0
automatic_unlock=1
block_unwanted_call=1
block_unwanted_call_type=1
lockscreen_sounds_enabled=1
lockscreen_wallpaper=1
login_state=0
mic_mode_enable=0
mic_mode_wificall=0
samsung_errorlog_agree=1
tty_mode=0
unknown_mode=0
volume_alarm=11
volume_alarm_ble_headset=11
volume_alarm_earpiece=11
volume_alarm_speaker=11
volume_assistant=7
wifi_call_enable1=0
wifi_call_preferred1=2
wifi_call_when_roaming1=0
wireless_fast_charging=0
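The three settings files (settings_global.txt, settings_secure.txt and settings_system.txt) share the same key=value layout, and the "anomalous settings" each section mentions are easiest to spot by comparing the extraction against a baseline: a previous acquisition of the same device, or a known-good device of the same model. The code below is an added example, not part of androidqf. It parses any of the three files, diffs two parsed files, and separately checks a short watchlist of keys whose value deserves a look regardless of the baseline. The two samples are constructed from the global settings shown above, and the watchlist and its "usual" values are assumptions for illustration.

```python
# Constructed samples in the key=value format of settings_global.txt: a baseline taken
# from an earlier acquisition of the same model, and the current extraction.
BASELINE_GLOBAL = """\
adb_enabled=0
airplane_mode_on=0
bluetooth_on=1
boot_count=71
default_device_name=Galaxy A14 5G
package_verifier_user_consent=1
require_password_to_decrypt=1
wifi_on=1
"""

CURRENT_GLOBAL = """\
adb_enabled=1
airplane_mode_on=0
bluetooth_on=1
boot_count=74
default_device_name=Galaxy A14 5G
package_verifier_user_consent=0
wifi_on=1
zram_enabled=1
"""

# Keys an analyst reviews regardless of the baseline, with the value usually seen on a
# consumer device (assumptions for illustration; a different value is a prompt to look
# closer, not proof of tampering).
WATCHLIST = {
    "global": {"adb_enabled": "0", "package_verifier_user_consent": "1"},
    "secure": {"accessibility_enabled": "0", "lockscreen.disabled": "0"},
}


def parse_settings(text):
    """Parse key=value lines; values may contain '=' themselves, so split on the first one only."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def diff_settings(baseline, current):
    """Keys added, removed or changed between two parsed settings files."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": {k: (baseline[k], current[k]) for k in sorted(common) if baseline[k] != current[k]},
    }


def watchlist_hits(scope, settings):
    """Watchlist keys whose value differs from the usual one, for scope 'global', 'secure' or 'system'."""
    return {k: settings[k] for k, usual in WATCHLIST.get(scope, {}).items()
            if k in settings and settings[k] != usual}


if __name__ == "__main__":
    baseline = parse_settings(BASELINE_GLOBAL)
    current = parse_settings(CURRENT_GLOBAL)
    diff = diff_settings(baseline, current)
    print("added:", diff["added"], "removed:", diff["removed"])
    for key, (old, new) in diff["changed"].items():
        print(f"changed: {key}: {old} -> {new}")
    print("watchlist:", watchlist_hits("global", current))
```

Some keys change on every boot (boot_count is the obvious one), so a diff against a baseline from a different point in time will always contain noise; the watchlist exists so that the settings that matter are not lost in it.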
Learn more
env.txt
The information in this file is generated by the env.go module.
What is included in this file?
This file is in TXT format and contains the output of the adb shell env command, which shows the environment variables of the Android shell (mksh), as configured by mkshrc.
By default, the shell variables in Android are defined in the mkshrc or profile file, which can be found in one of the following directories:
- /system/etc
- /system/etc/profile
- $HOME/
- /data/local
The shell binary can be found in one of the following directories, which also make up the default PATH:
- /product/bin
- /apex/com.android.runtime/bin
- /apex/com.android.art/bin
- /system_ext/bin
- /system/bin
- /system/xbin
- /odm/bin
- /vendor/bin
- /vendor/xbin
The variables contained in the file may indicate:
- Partition locations
- Android virtual machine runtime environment values
- Shell settings
Why is this important?
Environment variables may reveal changes to the settings of the terminal, the command shell, the Android virtual machine runtime environment or the mount points of some partitions and folders. Such changes could indicate suspicious activity on the device in preparation for, or as a result of, the execution of malicious software.
Example:
_=/system/bin/env
ANDROID_DATA=/data
ANDROID_ART_ROOT=/apex/com.android.art
LOGNAME=shell
STANDALONE_SYSTEMSERVER_JARS=/apex/com.android.btservices/javalib/service-bluetooth.jar:/apex/com.android.devicelock/javalib/service-devicelock.jar:/apex/com.android.os.statsd/javalib/service-statsd.jar:/apex/com.android.scheduling/javalib/service-scheduling.jar:/apex/com.android.tethering/javalib/service-connectivity.jar:/apex/com.android.uwb/javalib/service-uwb.jar:/apex/com.android.wifi/javalib/service-wifi.jar:/apex/com.samsung.android.lifeguard/javalib/service-lifeguard.jar
HOME=/
ANDROID_TZDATA_ROOT=/apex/com.android.tzdata
ANDROID_ROOT=/system
TERM=xterm-256color
SHELL=/bin/sh
ANDROID_BOOTLOGO=1
ANDROID_ASSETS=/system/app
ANDROID_SOCKET_adbd=21
HOSTNAME=a14x
DOWNLOAD_CACHE=/data/cache
SECONDARY_STORAGE=/storage/sdcard:/storage/usb1:/storage/usb2
ANDROID_STORAGE=/storage
USER=shell
TMPDIR=/data/local/tmp
PATH=/product/bin:/apex/com.android.runtime/bin:/apex/com.android.art/bin:/system_ext/bin:/system/bin:/system/xbin:/odm/bin:/vendor/bin:/vendor/xbin
SYSTEMSERVERCLASSPATH=/system/framework/com.android.location.provider.jar:/system/framework/knoxanalyticssdk.jar:/system/framework/mcfsdk.jar:/system/framework/uibc_java.jar:/system/framework/services.jar:/system/framework/semwifi-service.jar:/system/framework/ssrm.jar:/apex/com.android.adservices/javalib/service-adservices.jar:/apex/com.android.adservices/javalib/service-sdksandbox.jar:/apex/com.android.appsearch/javalib/service-appsearch.jar:/apex/com.android.art/javalib/service-art.jar:/apex/com.android.configinfrastructure/javalib/service-configinfrastructure.jar:/apex/com.android.healthfitness/javalib/service-healthfitness.jar:/apex/com.android.media/javalib/service-media-s.jar:/apex/com.android.ondevicepersonalization/javalib/service-ondevicepersonalization.jar:/apex/com.android.permission/javalib/service-permission.jar:/apex/com.android.rkpd/javalib/service-rkp.jar:/apex/com.samsung.android.shell/javalib/service-samsung-shell.jar
ASEC_MOUNTPOINT=/mnt/asec
ANDROID_I18N_ROOT=/apex/com.android.i18n
EXTERNAL_STORAGE=/sdcard
Learn more
- Shell (computing) - Wikipedia
- mksh - Can I update the adb shell's environment variables? - Android Enthusiasts Stack Exchange
- Update mksh to latest version - Android Enthusiasts Stack Exchange
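The section above lists the default locations of the shell binary, which is exactly the PATH in the example output, and points at the runtime classpath variables as things that can change. A quick review of env.txt can therefore be reduced to two questions: does PATH contain directories outside the default list, and do the system server classpath variables reference jars outside the /system/framework and /apex trees seen in the example? The code below is an added example, not part of androidqf; the expected roots are assumptions derived from the example output above, and the sample env.txt is constructed with two deliberately out-of-place entries so the checks have something to report.

```python
# Default search path and the classpath roots seen in the env.txt example above (assumptions)
DEFAULT_PATH = [
    "/product/bin", "/apex/com.android.runtime/bin", "/apex/com.android.art/bin",
    "/system_ext/bin", "/system/bin", "/system/xbin", "/odm/bin", "/vendor/bin", "/vendor/xbin",
]
CLASSPATH_VARS = ("SYSTEMSERVERCLASSPATH", "STANDALONE_SYSTEMSERVER_JARS")
EXPECTED_JAR_ROOTS = ("/system/framework/", "/apex/")

# Constructed env.txt sample; the two /data/local/tmp entries are deliberately out of place
SAMPLE_ENV = """\
_=/system/bin/env
ANDROID_DATA=/data
HOME=/
SHELL=/bin/sh
USER=shell
TMPDIR=/data/local/tmp
PATH=/data/local/tmp/bin:/product/bin:/apex/com.android.runtime/bin:/apex/com.android.art/bin:/system_ext/bin:/system/bin:/system/xbin:/odm/bin:/vendor/bin:/vendor/xbin
STANDALONE_SYSTEMSERVER_JARS=/apex/com.android.wifi/javalib/service-wifi.jar:/data/local/tmp/injected.jar
SYSTEMSERVERCLASSPATH=/system/framework/services.jar:/apex/com.android.art/javalib/service-art.jar
EXTERNAL_STORAGE=/sdcard
"""


def parse_env(text):
    """Parse NAME=value lines as printed by env; values keep everything after the first '='."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            env[key] = value
    return env


def unexpected_path_entries(env):
    """PATH directories that are not in the default list, in PATH order."""
    return [p for p in env.get("PATH", "").split(":") if p and p not in DEFAULT_PATH]


def unexpected_jars(env):
    """Classpath entries outside the expected roots, keyed by the variable they came from."""
    hits = {}
    for var in CLASSPATH_VARS:
        odd = [j for j in env.get(var, "").split(":") if j and not j.startswith(EXPECTED_JAR_ROOTS)]
        if odd:
            hits[var] = odd
    return hits


def review_env(env):
    """Human-readable findings from both checks."""
    findings = [f"PATH contains unexpected directory {p}" for p in unexpected_path_entries(env)]
    for var, jars in unexpected_jars(env).items():
        findings.append(f"{var} references jars outside /system/framework or /apex: {', '.join(jars)}")
    return findings


if __name__ == "__main__":
    for finding in review_env(parse_env(SAMPLE_ENV)):
        print("finding:", finding)
```

Order matters for PATH: an unexpected directory listed before /system/bin shadows every system binary of the same name, which is why the function preserves PATH order rather than returning a set.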
System logs and events
logcat.txt and logcat_old.txt
The information in this file is generated by the logcat.go module.
What is included in this file?
These files are in plain text with a .txt extension and contain the output of the adb shell logcat -d -b all and adb shell logcat -L -b all commands respectively, which display the system message log. Some examples of the information contained are:
- Error and warning messages (FATAL EXCEPTION).
- Messages from operating system apps, processes and services.
- Debug logs and informational events.
The file contains the following structure:
- Buffer marker (lines such as --------- beginning of crash, which separate the log buffers).
- Timestamp.
- Process identifier (PID) and thread identifier (TID).
- Priority level:
  - E: Error
  - W: Warning
  - I: Information
  - D: Debugging
  - F: Fatal
  - V: Verbose
- Tag indicating the system component or process.
- Description and details of messages or errors.
Why is this important?
This information can be used to analyze the behavior and execution of events in the system and apps on the device to identify anomalies or patterns that may indicate the presence of malware. In forensic terms, they are among the most relevant files in terms of content.
Example:
--------- beginning of crash
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: FATAL EXCEPTION: main
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: Process: example.android.app, PID: 12345
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: java.lang.RuntimeException: Unable to instantiate receiver example.android.app.MyBroadCastReceiver
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: at android.app.ActivityThread.handleReceiver(ActivityThread.java:4861)
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
2025-01-01 00:00:00.000 30144 30860 I ActivityManager: Process example.android.app has died.
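The structure listed above maps directly onto a parser. The code below is an added example, not androidqf code: it parses logcat.txt lines into buffer, timestamp, PID, TID, priority, tag and message, counts entries per priority, and reassembles the AndroidRuntime crash shown above (thread, process, exception and stack frames) by grouping the E lines that share a PID. The sample input is constructed from the example above, with a second buffer marker added so the buffer tracking is visible.

```python
import re
from collections import Counter

# Constructed sample: the crash from the example above, plus a second buffer marker
SAMPLE_LOGCAT = """\
--------- beginning of crash
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: FATAL EXCEPTION: main
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: Process: example.android.app, PID: 12345
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: java.lang.RuntimeException: Unable to instantiate receiver example.android.app.MyBroadCastReceiver
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: \tat android.app.ActivityThread.handleReceiver(ActivityThread.java:4861)
2025-01-01 00:00:00.000 12345 12345 E AndroidRuntime: \tat android.os.Handler.dispatchMessage(Handler.java:106)
--------- beginning of system
2025-01-01 00:00:00.000 30144 30860 I ActivityManager: Process example.android.app has died.
"""

# date time PID TID priority tag: message (logcat "threadtime" layout, as in the example)
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+) (?P<prio>[VDIWEF]) (?P<tag>[^:]*?)\s*: ?(?P<msg>.*)$"
)
BUFFER_RE = re.compile(r"^--------- beginning of (?P<buffer>\w+)")


def parse_logcat(text):
    """Return one dict per log line, tagging each with the buffer it came from."""
    entries, buffer = [], None
    for line in text.splitlines():
        b = BUFFER_RE.match(line)
        if b:
            buffer = b["buffer"]
            continue
        m = LOGCAT_RE.match(line)
        if m:
            entries.append({"buffer": buffer, "timestamp": f"{m['date']} {m['time']}",
                            "pid": int(m["pid"]), "tid": int(m["tid"]), "prio": m["prio"],
                            "tag": m["tag"], "msg": m["msg"].strip()})
    return entries


def priority_counts(entries):
    return dict(Counter(e["prio"] for e in entries))


def find_crashes(entries):
    """Group AndroidRuntime error lines per PID into crash records, starting at FATAL EXCEPTION."""
    crashes, current = [], None
    for e in entries:
        if e["prio"] != "E" or e["tag"] != "AndroidRuntime":
            continue
        if e["msg"].startswith("FATAL EXCEPTION"):
            current = {"pid": e["pid"], "thread": e["msg"].split(":", 1)[1].strip(),
                       "process": None, "exception": None, "frames": []}
            crashes.append(current)
        elif current and e["pid"] == current["pid"]:
            if e["msg"].startswith("Process:"):
                current["process"] = e["msg"].split(":", 1)[1].split(",")[0].strip()
            elif e["msg"].startswith("at "):
                current["frames"].append(e["msg"][3:])
            elif current["exception"] is None:
                current["exception"] = e["msg"]
    return crashes


if __name__ == "__main__":
    entries = parse_logcat(SAMPLE_LOGCAT)
    print("entries per priority:", priority_counts(entries))
    for crash in find_crashes(entries):
        print(f"crash in {crash['process']} (pid {crash['pid']}, thread {crash['thread']}): {crash['exception']}")
        for frame in crash["frames"]:
            print("   at", frame)
```

logcat_old.txt uses the same layout, so the same parser covers both files; the buffer tag is worth keeping because crash, events and system buffers have different retention and a gap in one of them can itself be informative.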
Learn more
dumpsys.txt
The information in this file is generated by the dumpsys.go module.
What is included in this file?
This is a plain text file (.txt) that contains the output of the adb shell dumpsys command, which provides detailed information about running services, including processes and applications.
The file is split into the following sections:
- List of active services
- Details of running services
- Status and flags of some services
Dumpsys is a powerful tool, and beyond what androidqf collects it offers additional options for exploring network services, battery and input diagnostics in more depth.
Why is this important?
This file provides information about the services running on a device and the flags and logs they generate. This is useful from a forensic standpoint since it can help identify known services or processes that are suspicious.
Example:
Currently running services:
accessibility
account
adb
alarm
android.frameworks.cameraservice.service.ICameraService/default
android.hardware.biometrics.face.IFace/default
android.hardware.vibrator.IVibratorManager/default
android.os.UpdateEngineService
android.security.authorization
anrmanager
anti_root_dialog
app_binding
appops
audio
auth
battery
batteryproperties
batterystats
bluetooth_manager
bugreport
cpuinfo
critical.log
dataloader_manager
dbinfo
input
logcat
meminfo
netstats
ostats_pullerd
ostats_tpd
ostatsd
package
permission
phone
power
processinfo
procstats
settings
stats
statsbootstrap
usb
wifi
window
-------------------------------------------------------------------------------
DUMP OF SERVICE AtlasService:
--------- 0.001s was the duration of dumpsys AtlasService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE DockObserver:
Current Dock Observer Service state:
reported state: 0
previous state: 0
actual state: 0
--------- 0.007s was the duration of dumpsys DockObserver, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE ISubsysRadio:
--------- 0.005s was the duration of dumpsys ISubsysRadio, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE MMListService:
--------- 0.001s was the duration of dumpsys MMListService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE OPLUSExService:
--------- 0.001s was the duration of dumpsys OPLUSExService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE OplusLocationManager:
--------- 0.001s was the duration of dumpsys OplusLocationManager, ending at: 2025-05-08 18:>
-------------------------------------------------------------------------------
DUMP OF SERVICE appops:
Current AppOps Service state:
Settings:
top_state_settle_time=+5s0ms
fg_service_state_settle_time=+5s0ms
bg_state_settle_time=+1s0ms
Op mode watchers:
Op COARSE_LOCATION:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
#1: ModeCallback{21558a8 watchinguid=-1 flags=0x1 op=MONITOR_LOCATION from uid=u0a124 pid=3315}
#2: ModeCallback{c7241f6 watchinguid=-1 flags=0x1 op=COARSE_LOCATION from uid=1000 pid=1807}
#3: ModeCallback{f993e3b watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=u0a124 pid=3315}
Op FINE_LOCATION:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
#1: ModeCallback{e5bfc6d watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=1000 pid=1807}
#2: ModeCallback{f993e3b watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=u0a124 pid=3315}
Op READ_CONTACTS:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
Op WRITE_CONTACTS:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
Op READ_CALL_LOG:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
Op WRITE_CALL_LOG:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
Op READ_CALENDAR:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
Op WRITE_CALENDAR:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
Op POST_NOTIFICATION:
#0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
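dumpsys.txt concatenates every service dump into one file, so the first step in working with it is splitting it back into the service list and one section per DUMP OF SERVICE header, with the duration trailer attached to each section. The code below is an added example, not androidqf code: it performs that split and then parses the appops "Op mode watchers" block shown above into a mapping from operation to the UIDs and PIDs registered to watch it, which answers the question of which processes are tracking location-related permission changes. The sample is a constructed excerpt of the example above (the appops trailer line is invented).

```python
import re

# Constructed excerpt of the dumpsys.txt example above; the appops trailer line is invented
SAMPLE_DUMPSYS = """\
Currently running services:
  accessibility
  appops
  package
-------------------------------------------------------------------------------
DUMP OF SERVICE AtlasService:
--------- 0.001s was the duration of dumpsys AtlasService, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE DockObserver:
Current Dock Observer Service state:
  reported state: 0
  previous state: 0
  actual state: 0
--------- 0.007s was the duration of dumpsys DockObserver, ending at: 2025-05-08 18:12:33
-------------------------------------------------------------------------------
DUMP OF SERVICE appops:
Current AppOps Service state:
  Op mode watchers:
    Op COARSE_LOCATION:
      #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
      #1: ModeCallback{21558a8 watchinguid=-1 flags=0x1 op=MONITOR_LOCATION from uid=u0a124 pid=3315}
      #2: ModeCallback{c7241f6 watchinguid=-1 flags=0x1 op=COARSE_LOCATION from uid=1000 pid=1807}
      #3: ModeCallback{f993e3b watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=u0a124 pid=3315}
    Op FINE_LOCATION:
      #0: ModeCallback{12983a3 watchinguid=-1 flags=0x0 op=READ_WRITE_HEALTH_DATA from uid=1000 pid=1807}
      #1: ModeCallback{e5bfc6d watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=1000 pid=1807}
      #2: ModeCallback{f993e3b watchinguid=-1 flags=0x1 op=FINE_LOCATION from uid=u0a124 pid=3315}
--------- 0.120s was the duration of dumpsys appops, ending at: 2025-05-08 18:12:34
"""

SECTION_RE = re.compile(r"^DUMP OF SERVICE (?P<name>\S+):$")
TRAILER_RE = re.compile(r"^--------- (?P<secs>[\d.]+)s was the duration of dumpsys (?P<name>\S+), ending at: (?P<end>.*)$")
OP_RE = re.compile(r"^Op (?P<op>[A-Z_]+):$")
WATCHER_RE = re.compile(r"^#\d+: ModeCallback\{\w+ watchinguid=-?\d+ flags=0x[0-9a-f]+ "
                        r"op=(?P<op>\w+) from uid=(?P<uid>\w+) pid=(?P<pid>\d+)\}$")


def split_dumpsys(text):
    """Return (running services, {service: {'lines', 'duration_s', 'ended_at'}})."""
    services, sections, current, mode = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Currently running services:":
            mode = "list"
            continue
        header = SECTION_RE.match(line)
        if header:
            current, mode = header["name"], "section"
            sections[current] = {"lines": [], "duration_s": None, "ended_at": None}
            continue
        trailer = TRAILER_RE.match(line)
        if trailer and current:
            sections[current]["duration_s"] = float(trailer["secs"])
            sections[current]["ended_at"] = trailer["end"]
            continue
        if line.startswith("-----") or not line:
            continue  # separator rule or blank line
        if mode == "list":
            services.append(line)
        elif mode == "section":
            sections[current]["lines"].append(line)
    return services, sections


def appops_watchers(appops_lines):
    """Map each 'Op NAME:' block to the (uid, pid, registered op) tuples of its ModeCallbacks."""
    watchers, op = {}, None
    for line in appops_lines:
        m = OP_RE.match(line)
        if m:
            op = m["op"]
            watchers.setdefault(op, [])
            continue
        w = WATCHER_RE.match(line)
        if w and op:
            watchers[op].append((w["uid"], int(w["pid"]), w["op"]))
    return watchers


def uids_watching(watchers, op):
    """Distinct UIDs with a callback registered under the given op, sorted."""
    return sorted({uid for uid, _, _ in watchers.get(op, [])})


if __name__ == "__main__":
    services, sections = split_dumpsys(SAMPLE_DUMPSYS)
    print(f"{len(services)} running services, {len(sections)} service dumps")
    watchers = appops_watchers(sections["appops"]["lines"])
    for op in watchers:
        print(f"{op}: watched by uids {uids_watching(watchers, op)}")
```

The u0a124 form is an app UID (user 0, app id 124); uid 1000 is the system server. Resolving app UIDs to package names is done with packages.json, which records the UID of each installed package.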
Learn more
bugreport.zip
The information in this file is generated by the bugreport.go module.
What is included in this file?
This is a compressed file that contains the output of the adb shell bugreport command. This command generates a bugreport that includes a series of system logs, configurations and error reports.
The bugreport can be analyzed with MVT using the command mvt-android check-bugreport bugreport.zip
The files and folders included in the bugreport are as follows:
- dumpstate-yyyy-mm-dd-hh-mm-ss.txt: Summarizes the key specs of the mobile device and its current status.
- dumpstate_board.txt: Provides logs of a system boot, including events and services that are executed when the device boots.
- dumpstate_log.txt: Presents logs with the results of the bugreport creation process, including potential errors and warnings.
- main_entry.txt: Serves as an index of the contents created as part of the bugreport.
- version.txt: Shows the Android bugreport release letter. When systrace is enabled, the zip file also contains a systrace.txt file.
- fs/cache/recovery/
  - last_data_partition_info: Provides information about the system storage, including total, used and free space, as well as sector size and number of blocks.
  - last_dataresizing: Records information about several system sensors. It also provides information about messages created to address the needs of specific sensors, such as auto rotation and smart alert.
  - last_postrecovery: Provides information about communications between hardware components.
- fs/data/anr/
  - anr_yyyy-mm-dd-hh-mm-ss: Provides a detailed diagnostic of system apps that are not responding. ANR stands for App Not Responding.
- fs/data/log/bt/
  - btsnooz_hci.log: Contains information about the Host Controller Interface (HCI) of the Bluetooth module.
  - btsnooz_hci.log.last: Contains older logs and records of the HCI Bluetooth module.
- fs/data/misc/recovery/
  - ro.build.fingerprint: Contains a unique identifier of the software version installed on the device.
  - ro.build.fingerprint.1: Contains a variant of the build number of the device.
- fs/data/tombstones/
  - tombstone_xx: Tombstones are files with log data about system or app crashes, generated automatically when a process terminates unexpectedly.
- fs/proc/
  - mountinfo: Provides information about the mount points on the system, which helps in understanding the filesystem structure and the partitions the device has.
Why is this important?
The bugreport is highly valuable from a forensic standpoint since it contains information about errors, running processes and the filesystem that can be helpful to inspect and detect anomalies on the device that might be related with the exploitation of vulnerabilities.
Learn more:
logs/
The information in this file is generated by the logs.go module.
What is included in this file?
This folder contains log files from different locations on the device, collected with the adb pull command.
This module goes through several system paths to extract files that contain information about the behavior of the operating system, including potential errors and events. It includes the following folders:
- /data/anr/
- /data/log/
- /sdcard/log/
The files and folders included are:
- anr/
  - anr_yyyy-mm-dd-hh-mm-ss: File with information about "applications not responding" (ANR) issues and processes.
- log/acore/
  - 0_dump_all.zip: Dump of system records related to the acore process.
- log/batterystats/
  - newbatterystats240905095247: File with metrics about the energy consumption of the device.
- log/dropbox.txt: File with logs from DropBoxManager.
- log/dumpstate_debug_history.lst: File with the history of dumpstate executions.
- log/dumpstate_lastkmsg_20240423_152746_0_MP.log.gz: File with the last kernel messages after an unexpected reboot.
- log/dumpstate_latest_lastkmsg.log.gz: File with persistent kernel logs following a reboot.
- log/dumpstate-stats.txt: File with statistics of dumpstate executions.
- log/dumpstate_sys_error.zip: File with information about critical system errors.
- log/lom_log.txt: File with logs from storage or system monitoring processes.
- log/pm_debug_info.txt: File with logs and debug information from the system package manager.
- log/power_off_reset_reason.txt: File with information about the last reboot or system shutdown.
- log/prev_dump.log: File with system information before a critical event.
- log/radio_PRECONFG_SET.log: File with initial configuration information for the radio module of the device.
- log/shutdown_profile.1.txt: File with the shutdown profile recorded by the system.
- log/shutdown_profile_latest.txt: File with the most recent system shutdown profile.
- log/err/
  - mobiledata_dns.dat: File with errors in DNS resolution over mobile data.
  - mobiledata_tp2.dat: File with errors in data packet transfer over mobile data.
  - mobiledata_tp.dat: File with errors in data packet transfer over mobile data.
- log/ewlogd/
  - ewlog0_20240920_144426188369.log: System logs generated by the ewlogd service.
- log/imscr/
  - imscr.log.0: Logs of the IMS communication component.
- log/omc/
  - cidmanager.log: File with logs about the Carrier ID manager.
  - csc_update_log.txt: File with a record of updates for the CSC personalization package.
  - home_fota_update_log.txt: File with records of firmware-over-the-air (FOTA) updates.
  - prev_csc_log.txt: File with previous Consumer Software Customization (CSC) configuration logs.
- log/search/
  - 0_com.samsung.android.scs_index_encrypted.tar.gz: Compressed and encrypted file that contains information about the Consumer Software Customization package.
- log/sfslog/
  - sfslog.0.gz: Compressed file with logs from the Secure File System (SFS).
- log/smartswitch/
  - 1726696227738SmartSwitchSimpleLog.log: File with logs about the data transfer process using Smart Switch.
- log/update_engine_log/
  - update_engine.20240603-222843: File with logs about the software update engine of the system.
- log/wfd/
  - wfdDumpSource.log: File with logs related to Wi-Fi Direct.
- log/wifi/
- system/proc/
  - kmsg: File with low-level kernel logs.
  - last_kmsg: File with the last persistent kernel logs following a reboot.
- sys/fs/pstore/
Processes and applications
packages.json
The information in this file is generated by the module packages.go.
What is included in this file?
This file is in JSON format and contains the output of the command adb shell pm list packages
It shows a list of the applications installed on the device.
The file contains:
- name: Name of the package of the app.
- files: Path of the APK file, together with the file hashes and certificate information.
- installer: Information indicating which app installed the package.
- uid: The user ID (UID) assigned to the app on the device.
- disabled: Indicates whether the app is disabled.
- system: Indicates whether the package is part of the operating system packages.
- third_party: Indicates whether the app is from a third party.
Why is this important?
This file contains information about the applications installed on the device and whether they are enabled or not. The list of apps and the app names are often used as indicators to signal a potentially malicious application. By exploring the apps, their permissions and settings, it might be possible to understand their usage of data and their intent.
Example:
[
  {
    "name": "com.whatsapp",
    "files": [
      {
        "path": "/data/app/~~bqy7OQa_ZY_wDTFdG5YZRA==/com.whatsapp-3CExO11mXQz7SoP-3>
        "local_name": "",
        "md5": "a6014f075183b8872d115e04f546a19a",
        "sha1": "7c52f9781c44c4902aecb4fc8a13584998e02376",
        "sha256": "26721b2669943d57f9de57614a11077b7c3f3036396d48c3e54cbf0effd2268e",
        "sha512": "21bea0ff94a748826041a1a8b3b9189090340086469ec62d31cf0d263c743fc2e>
        "error": "",
        "verified_certificate": true,
        "certificate": {
          "Md5": "556c6019249bbc0cab70495178d3a9d1",
          "Sha1": "38a0f7d505fe18fec64fbf343ecaaaf310dbd799",
          "Sha256": "3987d043d10aefaf5a8710b3671418fe57e0e19b653c9df82558feb5ffce5>
          "ValidFrom": "2010-06-25T23:07:16Z",
          "ValidTo": "2044-02-15T23:07:16Z",
          "Issuer": "C=US, ST=California, L=Santa Clara, O=WhatsApp Inc., OU=Engin>
          "Subject": "C=US, ST=California, L=Santa Clara, O=WhatsApp Inc., OU=Engi>
          "SignatureAlgorithm": "DSA-SHA1",
          "SerialNumber": 1277507236
        },
        "certificate_error": "",
        "trusted_certificate": true
      }
    ],
    "installer": "com.facebook.system",
    "uid": 10267,
    "disabled": false,
    "system": false,
    "third_party": true
  }
]
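The fields above lend themselves to a first triage pass before any APK is opened. The following Python is an added example (not androidqf or MVT code) that loads a packages.json document and reports the entries an analyst would look at first: third-party apps whose installer is not a known store, APKs whose signature could not be verified, APKs signed with the AOSP debug certificate, and hashes that match a list of indicators. The sample document, the installer list in KNOWN_STORE_INSTALLERS and the package com.example.sideloaded are constructed for the example.

```python
import json

# Constructed sample in the packages.json layout shown above. The first entry
# reuses the package name and APK hash from the page's example; the second
# entry ("com.example.sideloaded") is invented to exercise the checks.
SAMPLE_PACKAGES_JSON = """[
  {
    "name": "com.whatsapp",
    "files": [{
      "path": "/data/app/com.whatsapp/base.apk",
      "sha256": "26721b2669943d57f9de57614a11077b7c3f3036396d48c3e54cbf0effd2268e",
      "error": "",
      "verified_certificate": true,
      "certificate": {"Subject": "C=US, ST=California, L=Santa Clara, O=WhatsApp Inc."},
      "certificate_error": "",
      "trusted_certificate": true
    }],
    "installer": "com.android.vending",
    "uid": 10267, "disabled": false, "system": false, "third_party": true
  },
  {
    "name": "com.example.sideloaded",
    "files": [{
      "path": "/data/app/com.example.sideloaded/base.apk",
      "sha256": "0000000000000000000000000000000000000000000000000000000000000001",
      "error": "",
      "verified_certificate": false,
      "certificate": {"Subject": "CN=Android Debug, O=Android, C=US"},
      "certificate_error": "",
      "trusted_certificate": false
    }],
    "installer": "",
    "uid": 10301, "disabled": false, "system": false, "third_party": true
  }
]"""

# Installers an analyst would normally treat as expected. Assumption: this
# list is illustrative and should be extended per device vendor.
KNOWN_STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def review_packages(raw_json, ioc_sha256=frozenset()):
    """Return (package name, reason) pairs that deserve a closer look.

    ioc_sha256: set of APK SHA-256 hashes taken from threat intelligence.
    """
    findings = []
    for pkg in json.loads(raw_json):
        name = pkg["name"]
        installer = pkg.get("installer") or ""
        # Third-party apps that did not arrive through a known store were
        # sideloaded (adb, browser download, another app) and merit review.
        if pkg.get("third_party") and installer not in KNOWN_STORE_INSTALLERS:
            findings.append((name, f"third-party app with installer {installer or '<none>'}"))
        for apk in pkg.get("files", []):
            if apk.get("sha256") in ioc_sha256:
                findings.append((name, f"APK hash matches IOC {apk['sha256']}"))
            if apk.get("error"):
                findings.append((name, f"APK could not be processed: {apk['error']}"))
            if not apk.get("verified_certificate"):
                findings.append((name, "APK signature could not be verified"))
            subject = apk.get("certificate", {}).get("Subject", "")
            # Subject of the AOSP debug keystore; release builds should not use it.
            if "CN=Android Debug" in subject:
                findings.append((name, "signed with the Android debug certificate"))
    return findings


if __name__ == "__main__":
    for pkg_name, reason in review_packages(SAMPLE_PACKAGES_JSON):
        print(f"{pkg_name}: {reason}")
```

Run it against a real extraction with `review_packages(open("packages.json").read(), ioc_sha256=my_hashes)`; the installer check is deliberately noisy on devices with vendor app stores, which is why the store list is meant to be tuned per device rather than trusted as-is.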
apks/
The information in this folder is generated by the packages.go module.
What is included in this folder?
This directory contains the APKs extracted from the device. These are the files used to install the apps that were present on the system when the analysis was conducted.
Why is this important?
Analysis of the APKs installed on the device can reveal potentially malicious software, either embedded in existing apps or masquerading as a different application. The files in this folder also support a more in-depth review of the APKs, including verifying their authenticity and potentially reverse engineering them to gather further intelligence and indicators of compromise.
processes.txt
The information in this file is generated by the processes.go module.
What is included in this file?
This file is in JSON format and contains the output of the command adb shell ps -A
which provides detailed information about the processes being executed on the device.
Why is this important?
This file provides additional information about the processes that are executed on the device. Information about processes is sometimes available as part of the IOCs of certain malicious activities, and it is also helpful to analyze apps and processes in depth, understanding relationships between them (by exploring parent processes), among other characteristics.
Example of the file contents:
[
  {
    "pid": 1,
    "uid": 0,
    "ppid": 0,
    "pgroup": 0,
    "psid": 0,
    "filename": "(init)",
    "priority": 0,
    "state": "S",
    "user_time": 0,
    "kernel_time": 0,
    "path": "/system/bin/init",
    "context": "u:r:init:s0",
    "previous_context": "u:r:kernel:s0",
    "command_line": ["/system/bin/init", "second_stage"],
    "env": null,
    "cwd": "/"
  },
  {
    "pid": 2,
    "uid": 0,
    "ppid": 0,
    "pgroup": 0,
    "psid": 0,
    "filename": "(kthreadd)",
    "priority": 0,
    "state": "S",
    "user_time": 0,
    "kernel_time": 0,
    "path": "",
    "context": "u:r:kernel:s0",
    "previous_context": "u:r:kernel:s0",
    "command_line": null,
    "env": null,
    "cwd": ""
  },
  {
    "pid": 20430,
    "uid": 0,
    "ppid": 0,
    "pgroup": 0,
    "psid": 0,
    "filename": "(com.whatsapp)",
    "priority": 0,
    "state": "",
    "user_time": 0,
    "kernel_time": 0,
    "path": "",
    "context": "u:r:untrusted_app:s0:c11,c257,c512,c768",
    "previous_context": "u:r:init:s0",
    "command_line": [
      "com.whatsapp"
    ],
    "env": null,
    "cwd": ""
  }
]
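Two things an analyst typically does with this file are to follow parent/child relations and to check that the SELinux context of each process is consistent with its UID. The Python below is an added example (not androidqf or MVT code): it builds the ppid-to-children map and flags processes confined in an untrusted_app* domain that do not run under an app UID, which is a mismatch the platform's own domain assignment should never produce. The sample list is constructed (pid 1 and the com.whatsapp entry mirror the page's example, the zygote entry and the package com.example.helper are invented), and the UID range constants are taken from AOSP's android_filesystem_config.h.

```python
import json

# Constructed sample in the processes.txt layout shown above (only the fields
# this check needs). pid 1 and 20430 mirror the page's example; the zygote
# entry and pid 20999 ("com.example.helper") are invented, the latter to show
# a uid/context mismatch.
SAMPLE_PROCESSES_JSON = json.dumps([
    {"pid": 1, "uid": 0, "ppid": 0, "filename": "(init)",
     "context": "u:r:init:s0", "command_line": ["/system/bin/init", "second_stage"]},
    {"pid": 600, "uid": 0, "ppid": 1, "filename": "(main)",
     "context": "u:r:zygote:s0", "command_line": ["zygote64"]},
    {"pid": 20430, "uid": 10267, "ppid": 600, "filename": "(com.whatsapp)",
     "context": "u:r:untrusted_app:s0:c11,c257,c512,c768", "command_line": ["com.whatsapp"]},
    {"pid": 20999, "uid": 0, "ppid": 600, "filename": "(com.example.helper)",
     "context": "u:r:untrusted_app:s0:c12,c258,c512,c768", "command_line": ["com.example.helper"]},
])

# UID range AOSP reserves for regular apps (AID_APP_START .. AID_APP_END).
AID_APP_START, AID_APP_END = 10000, 19999


def selinux_domain(context):
    """'u:r:untrusted_app:s0:c11,...' -> 'untrusted_app'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def uid_context_mismatches(raw_json):
    """Flag processes in an untrusted_app* domain that run outside the app UID range.

    Heuristic: the app domain is derived from the app UID, so an untrusted_app
    process with uid 0 or a system UID is something to investigate, not ignore.
    """
    out = []
    for proc in json.loads(raw_json):
        domain = selinux_domain(proc.get("context", ""))
        uid = proc.get("uid", -1)
        if domain.startswith("untrusted_app") and not AID_APP_START <= uid <= AID_APP_END:
            out.append((proc["pid"], proc["filename"], f"{domain} domain but uid {uid}"))
    return out


def process_tree(raw_json):
    """Map ppid -> sorted child pids, for following parent/child relations."""
    children = {}
    for proc in json.loads(raw_json):
        children.setdefault(proc.get("ppid", 0), []).append(proc["pid"])
    return {ppid: sorted(pids) for ppid, pids in children.items()}


if __name__ == "__main__":
    print(uid_context_mismatches(SAMPLE_PROCESSES_JSON))
    print(process_tree(SAMPLE_PROCESSES_JSON))
```

Note that in the page's own example every ppid is 0, so on some devices the tree will be flat and only the uid/context check carries information.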
Learn more
services.txt
The information in this file is generated by the services.go module.
What is included in this file?
This file is in txt format and contains the output of the command adb shell service list
This command displays detailed information about the services in execution. Each line of the file gives the name of the service and the process or package related to that service.
Why is this important?
This file can help identify suspicious services, or similarly detect if some other expected services have been halted and are not running.
Example:
Found 368 services:
0 AtlasService: [android.atlas.service]
1 DockObserver: []
9 accessibility: [android.view.accessibility.IAccessibilityManager]
10 account: [android.accounts.IAccountManager]
11 activity: [android.app.IActivityManager]
13 adb: [android.debug.IAdbManager]
16 alarm: [android.app.IAlarmManager]
26 android.hardware.power.IPower/default: [android.hardware.power.IPower]
27 android.hardware.power.stats.IPowerStats/default: []
43 anrmanager: [android.app.IAnrManager]
44 anti_root_dialog: [com.oplus.exsystemservice.antirootdialog.IAntiRootDialog]
50 appops: [com.android.internal.app.IAppOpsService]
56 audio: [android.media.IAudioService]
61 battery: []
63 batterystats: [com.android.internal.app.IBatteryStats]
68 bugreport: [android.os.IDumpstate]
70 cacheinfo: []
72 clipboard: [android.content.IClipboard]
78 connectivity: [android.net.IConnectivityManager]
84 cpuinfo: []
85 critical.log: []
89 dbinfo: []
130 input: [android.hardware.input.IInputManager]
133 installd: []
146 location: [android.location.ILocationManager]
149 logcat: [android.os.logcat.ILogcatManagerService]
169 meminfo: []
181 netstats: [android.net.INetworkStatsService]
191 notification: [android.app.INotificationManager]
234 package: [android.content.pm.IPackageManager]
238 permission: [android.os.IPermissionController]
240 permissionmgr: [android.permission.IPermissionManager
242 phone: [com.android.internal.telephony.ITelephony]
247 power: [android.os.IPowerManager]
248 power_hal_mgr_service: [com.mediatek.powerhalmgr.IPowerHalMgr]
249 power_monitor: [com.oplus.os.IOplusPowerMonitor]
250 powerstats: []
252 processinfo: [android.os.IProcessInfoService]
253 procstats: [com.android.internal.app.procstats.IProcessStats]
255 recovery: [android.os.IRecoverySystem]
273 sensorservice: [android.gui.SensorServer]
274 serial: [android.hardware.ISerialManager]
276 settings: []
298 system_server_dumper: []
299 system_update: [android.os.ISystemUpdateManager]
301 telecom: [com.android.internal.telecom.ITelecomService]
302 telephony.registry: [com.android.internal.telephony.ITelephonyRegistry]
314 tracing.proxy: [android.tracing.ITracingServiceProxy]
322 usb: [android.hardware.usb.IUsbManager]
323 user: [android.os.IUserManager]
354 virtualdevice: [android.companion.virtual.IVirtualDeviceManager]
355 vodata: [com.mediatek.ims.internal.IVoDataService]
357 vold: []
358 vpn_management: [android.net.IVpnManager]
363 wifi: [android.net.wifi.IWifiManager]
367 window: [android.view.IWindowManager]
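To detect halted or unexpected services, the listing has to be parsed and compared with a baseline for the same device model. The Python below is an added example (not androidqf or MVT code) that parses the "Found N services:" format into a name-to-interface map, tolerates lines truncated at the closing bracket (as happens with permissionmgr in the listing above), checks the declared count against the parsed lines, and diffs the result against an expected set of service names. The excerpt and the service unknown_svc are constructed.

```python
import re

# Constructed excerpt in the services.txt layout shown above. The lines for
# activity, adb, package, permissionmgr and vpn_management copy the page's
# example (permissionmgr keeps its truncated closing bracket); the declared
# count was set to match the excerpt and "unknown_svc" is invented.
SAMPLE_SERVICES_TXT = """Found 6 services:
11 activity: [android.app.IActivityManager]
13 adb: [android.debug.IAdbManager]
234 package: [android.content.pm.IPackageManager]
240 permissionmgr: [android.permission.IPermissionManager
358 vpn_management: [android.net.IVpnManager]
999 unknown_svc: [com.example.IUnknownService]
"""

HEADER_RE = re.compile(r"^Found (\d+) services:$")
# The closing bracket is optional so a line truncated by the dump (as with
# permissionmgr above) is still captured rather than silently dropped.
SERVICE_RE = re.compile(r"^(\d+)\s+(\S+):\s*\[([^\]]*)\]?$")


def parse_services(text):
    """Return (declared_count, {service_name: interface_or_empty_string})."""
    declared, services = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(2)] = m.group(3)
    return declared, services


def compare_with_baseline(text, expected_names):
    """Diff a services.txt listing against the names expected on this device model."""
    declared, services = parse_services(text)
    return {
        "missing": sorted(set(expected_names) - set(services)),
        "unexpected": sorted(set(services) - set(expected_names)),
        # A declared count that differs from the parsed lines means the file
        # was truncated or a line did not parse; check this before trusting
        # the missing/unexpected lists.
        "count_matches": declared == len(services),
    }


if __name__ == "__main__":
    baseline = {"activity", "adb", "package", "permissionmgr", "vpn_management", "wifi"}
    print(compare_with_baseline(SAMPLE_SERVICES_TXT, baseline))
```

The baseline is best taken from a known-clean device of the same model and firmware, since the set of registered services differs between vendors and Android versions.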
Learn more:
root_binaries.json
The information in this file is generated by the root_binaries.go module, and is intended to provide guidance on whether the device is running with root privileges or not.
What is included in this file?
This file is in JSON format and contains the output of the command adb shell which -a
applied to a list of binaries to determine whether they are present on the system or not.
The binaries included are commonly used to obtain root access or to elevate privileges on the system. The list of binaries checked with this command is the following:
- su
- busybox
- supersu
- Superuser.apk
- KingoUser.apk
- SuperSu.apk
- magisk
- magiskhide
- magiskinit
- magiskpolicy
If none of these files is present in the system, then the content of the file will be empty.
Why is this important?
This file can help detect tools used to obtain root access on the device. This might be an indication of unauthorized access or an escalation of privileges. It might also be an indication that the phone was rooted by the owner. The command also provides a list of the binaries found, which can be helpful to understand how the device was rooted.
Example:
In case the device is not rooted, the output will be something like:
[]
In case the device is rooted, the command will provide a list of the binaries found:
[
"/system/xbin/su",
"/system/bin/su",
"/data/local/xbin/su",
"/data/local/bin/busybox",
"/sbin/su",
"/su/bin/magisk",
"/system/bin/.ext/.su",
"/data/local/tmp/Superuser.apk",
"/data/local/tmp/magiskhide"
]
Information backed up from the device
backup.ab
The information in this file is generated by the backup.go module, which is designed to create backups of data stored on Android devices.
What is included in this file?
This is a binary file containing data extracted with the command adb backup
using parameters that depend on the option selected: “only SMS”, “everything” or “no backup”. These binary files might contain personal information.
The resulting file can be analyzed using MVT through the command mvt-android check-backup backup.ab
Why is this important?
When SMS backup is allowed, the information from the SMS messages can be used to locate potential malicious links or other indicators of compromise.
Example:
(Binary data containing app backups and settings)
414e 4452 4f49 4420 4241 434b 5550 0a35
0a30 0a6e 6f6e 650a 6170 7073 2f63 6f6d
2e61 6e64 726f 6964 2e63 7473 2e63 7473
7368 696d 2f5f 6d61 6e69 6665 7374 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 3030 3036
3030 2000 3031 3735 3000 0000 3031 3735
3000 0000 3030 3030 3030 3034 3537 3600
3000 0000 0000 0000 0000 0000 3031 3430
3134 0020 3000 0000 0000 0000 0000 0000
Learn more
- Backup file extraction | Android Backup Extractor
- Analysis of Android backup file
- Check an Android Backup (SMS messages) - Mobile Verification Toolkit
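The hex dump above already contains everything needed to see how a backup.ab starts: a short text header ("ANDROID BACKUP", format version, compressed flag, encryption method) followed by a tar stream whose first entry is apps/com.android.cts.ctsshim/_manifest. The Python below is an added example (not androidqf or MVT code; the page's own tool for this file is mvt-android check-backup) that reconstructs those 192 bytes from the dump, parses the header, and reads the name, mode, owner and size fields of the first tar header. It stops with a clear result when the backup is password-protected (encryption other than "none") and inflates the payload when the compressed flag is set; the helper names are mine.

```python
import zlib

# The 192 bytes from the hex dump shown above (the page's example), as hex.
BACKUP_AB_HEAD_HEX = """
414e 4452 4f49 4420 4241 434b 5550 0a35
0a30 0a6e 6f6e 650a 6170 7073 2f63 6f6d
2e61 6e64 726f 6964 2e63 7473 2e63 7473
7368 696d 2f5f 6d61 6e69 6665 7374 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 3030 3036
3030 2000 3031 3735 3000 0000 3031 3735
3000 0000 3030 3030 3030 3034 3537 3600
3000 0000 0000 0000 0000 0000 3031 3430
3134 0020 3000 0000 0000 0000 0000 0000
"""


def load_sample():
    return bytes.fromhex("".join(BACKUP_AB_HEAD_HEX.split()))


def parse_backup_header(data):
    """Parse the text header of an 'adb backup' file (backup.ab).

    Layout: magic line, format version, compressed flag (0/1) and encryption
    ("none" or "AES-256"). For AES-256 further header lines carry the key
    derivation parameters; they are not parsed here because the payload
    cannot be read without the user's password anyway.
    """
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != b"ANDROID BACKUP":
        raise ValueError("not an Android backup header")
    _magic, version, compressed, encryption, rest = parts
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
        "payload_offset": len(data) - len(rest),
    }


def _field(buf, offset, length):
    """NUL-terminated, space-padded tar header field."""
    return buf[offset:offset + length].split(b"\0", 1)[0].strip()


def parse_tar_header(buf):
    """Read name/mode/uid/gid/size from a ustar header (136 bytes suffice)."""
    if len(buf) < 136:
        raise ValueError("truncated tar header")

    def octal(offset, length):
        raw = _field(buf, offset, length)
        return int(raw, 8) if raw else 0

    return {
        "name": _field(buf, 0, 100).decode("ascii"),
        "mode": octal(100, 8),
        "uid": octal(108, 8),
        "gid": octal(116, 8),
        "size": octal(124, 12),
    }


def first_entry(data):
    """Return (header, first tar entry); the entry is None when encrypted."""
    header = parse_backup_header(data)
    if header["encryption"] != "none":
        return header, None  # password-protected: payload is unreadable here
    payload = data[header["payload_offset"]:]
    if header["compressed"]:
        # Compressed backups carry a zlib (Deflater) stream; a partial
        # stream still yields the first header bytes.
        payload = zlib.decompressobj().decompress(payload)
    return header, parse_tar_header(payload)


if __name__ == "__main__":
    print(first_entry(load_sample()))
```

Checking the header first is worthwhile in practice: if an extraction was made with a device-side password, the file will report AES-256 and no tool, MVT included, can read its contents without that password.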
files.json
The information in this file is generated by the files.go module.
What is included in this file?
This is a file in JSON format that contains the result of running the find command to gather information about specific system locations. The exact command used is adb shell find '/' -maxdepth 1 -printf '%T@ %m %s %u %g %p\n' 2> /dev/null
and it is applied to the following folders:
- /sdcard/
- /system/
- /system_ext/
- /vendor/
- /cust/
- /product/
- /apex/
- /data/local/tmp/
- /data/media/0/
- /data/misc/radio/
- /data/vendor/secradio/
- /data/log/
- /tmp/
- /
- /data/data/
Each entry includes the path, size, timestamps of last modification and last access, permissions, owner, error messages and hashes.
Why is this important?
Information in this file can be helpful to identify malicious files or traces of activity from a potential intrusion on the device.
Example:
{
  "path": "/sdcard/Android/.Trash/com.sec.android.app.myfiles/.nomedia",
  "size": 62,
  "mode": "-rw-rw----",
  "user_id": 10276,
  "user_name": "",
  "group_id": 1023,
  "group_name": "",
  "changed_time": 1722868692,
  "modified_time": 1722868692,
  "access_time": 1714937715,
  "error": "",
  "context": "u:object_r:fuse:s0",
  "sha1": "",
  "sha256": "",
  "sha512": "",
  "md5": ""
}
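The JSON records are a rendering of what the find -printf line above produces: %T@ is the modification time in epoch seconds, %m the permission bits in octal, %s the size, %u and %g the owner and group (printed as a name when find can resolve the ID and as a number otherwise, which is why the record carries both user_id and user_name), and %p the path. The Python below is an added example (not androidqf or MVT code) that parses raw lines in that format into records shaped like the one above and then flags the entries an analyst would look at first: setuid/setgid files, world-writable files, and anything modified after a chosen timestamp. The sample lines are constructed (the first mirrors the page's example entry; the two /data/local/tmp entries are invented), and the field names are mine.

```python
# Constructed lines in the format produced by the find command above
# ('%T@ %m %s %u %g %p'). The first mirrors the page's example entry; the
# other two are invented to exercise the checks.
SAMPLE_FIND_OUTPUT = """\
1722868692.0000000000 660 62 10276 1023 /sdcard/Android/.Trash/com.sec.android.app.myfiles/.nomedia
1714937715.0000000000 4755 312 root root /data/local/tmp/.helper
1722900000.1234567890 777 1048576 shell shell /data/local/tmp/my tool.bin
"""


def parse_find_output(text):
    """Turn raw find -printf lines into records like those in files.json.

    find prints %u/%g as a name when it can resolve the ID and as a number
    otherwise, hence the separate user_id/user_name and group_id/group_name.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Paths may contain spaces, so split at most 5 times from the left.
        mtime, mode, size, user, group, path = line.split(" ", 5)
        records.append({
            "path": path,
            "size": int(size),
            "mode": int(mode, 8),               # permission bits as an int
            "modified_time": int(float(mtime)),
            "user_id": int(user) if user.isdigit() else None,
            "user_name": "" if user.isdigit() else user,
            "group_id": int(group) if group.isdigit() else None,
            "group_name": "" if group.isdigit() else group,
        })
    return records


def flag_entries(records, since):
    """Return (path, [reasons]) for entries worth reviewing first.

    since: epoch seconds; entries modified at or after it are reported, so
    set it to the start of the suspected incident window.
    """
    flagged = []
    for rec in records:
        reasons = []
        if rec["mode"] & 0o6000:
            reasons.append("setuid/setgid bit set")
        if rec["mode"] & 0o002:
            reasons.append("world-writable")
        if rec["modified_time"] >= since:
            reasons.append(f"modified after {since}")
        if reasons:
            flagged.append((rec["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_entries(parse_find_output(SAMPLE_FIND_OUTPUT), since=1722800000):
        print(path, "->", ", ".join(reasons))
```

Timestamps on Android storage are only as trustworthy as the clock and the filesystem that recorded them (FUSE-backed /sdcard paths in particular), so the modification-time check is a way to prioritise review, not proof of activity on its own.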