I started this blog a while ago, but was pushed over the finish line after watching a great webinar yesterday by Chris Vance at Magnet Forensics: ADB – It’s Easy as ABC: Understanding the Power of ADB Commands. If you’re doing Android forensics, it’s worth a watch.
This guide covers an overview of Android ADB, the manual process of collecting Logcat and Dumpsys logs/reports using ADB, and a script at the end that streamlines and automates log extraction.
What is ADB?
The Android Debug Bridge (ADB) is a command-line tool that allows developers and forensic analysts to communicate with an Android device over USB or a network connection (including Wi-Fi). ADB is part of the Android SDK Platform-Tools and provides a powerful interface for debugging, file transfer, and log retrieval.
Setting Up ADB
- Download and install the Android SDK Platform-Tools.
- Enable Developer Options on the Android device.
- Enable USB Debugging under Developer Options.
Once ADB is set up, it can be used to capture volatile logs. In Android forensic investigations this matters because these logs contain information that may be lost after a reboot or overwritten due to circular logging. The following ADB commands help manually extract volatile logs before they disappear.
1. Check for Connected Devices
To list all connected Android devices:
adb devices
This will return a list of attached devices with their unique identifiers. If no devices are listed, ensure that USB debugging is enabled on the target device.
2. Get Device Information
To retrieve basic details about the connected device:
adb shell getprop
This command displays various system properties, including the device model, OS version, and security patch level.
3. Extracting Logcat Logs
The logcat command is one of the most valuable tools for extracting real-time and historical logs from an Android device. It collects logs from various sources, including system events, application activity, and crash reports. These logs can provide insights into device behavior, app crashes, and security-related events.
Key Logcat Buffers:
- main – General application and system logs.
- radio – Logs related to network operations like telephony and Wi-Fi.
- events – Logs specific to Android event tracking.
- system – System-related logs from the Android framework.
- crash – Crash-related logs for apps and system services.
- all – Captures logs from all available buffers.
Common Logcat Options:
- -b <buffer> – Specify a log buffer (e.g., -b main, -b crash).
- -v UTC,usec – Formats logs with Coordinated Universal Time (UTC) and microsecond precision (credit to Christopher Vance).
- -d – Dumps the logs and exits, instead of continuously streaming logs.
- -t <count> – Shows only the most recent logs (e.g., -t 100 for the last 100 log entries).
- -s <tag> – Filters logs by a specific tag (e.g., -s ActivityManager).
To capture all log buffers, including app activity, with timestamps normalized to UTC:
adb logcat -b all -v UTC,usec -d > logcat.txt
Filtering Logcat Output with Grep
Using grep with logcat helps focus on specific keywords, app activity, or system events. This can be done in real-time or after saving the logs.
To filter for entries related to a specific app or tag:
adb logcat -b all -v UTC,usec -d | grep 'ActivityManager'
This will return only lines containing ‘ActivityManager’, which logs app lifecycle events.
If logs are saved to a file, use:
grep 'error' logcat.txt
This helps quickly identify key forensic artifacts.
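As an added example (not part of the original post), the following Python code parses the threadtime layout that adb logcat -v UTC,usec -d writes and applies the same two filters as the grep commands above, by tag and by keyword, but on structured fields rather than raw lines. The sample log lines are constructed for this example, not taken from a real device; the field layout (date, time with microseconds, PID, TID, priority, tag, message) is logcat's standard threadtime format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# Constructed sample output in the layout "adb logcat -v UTC,usec -d" emits
# (threadtime layout with microsecond timestamps). These lines are made up
# for this example; they are not taken from a real device.
SAMPLE_LOGCAT = """\
--------- beginning of system
03-05 14:22:31.123456  1234  1256 I ActivityManager: Start proc 4567:com.example.app/u0a123 for activity {com.example.app/.MainActivity}
03-05 14:22:31.987654  1234  1260 W ActivityManager: Force finishing activity com.example.app/.MainActivity
03-05 14:22:32.000100   800   815 E AndroidRuntime: FATAL EXCEPTION: main
03-05 14:22:32.500000  1234  1256 I PowerManagerService: Going to sleep due to power_button (uid 1000)...
--------- beginning of crash
03-05 14:22:33.250000  4567  4567 E AndroidRuntime: java.lang.NullPointerException: error in onCreate
"""

# One logcat threadtime line: "MM-DD HH:MM:SS.uuuuuu  PID  TID P TAG: message"
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<prio>[VDIWEFS])\s+"
    r"(?P<tag>[^:]*?)\s*:\s?(?P<msg>.*)$"
)


@dataclass
class LogEntry:
    timestamp: str   # "MM-DD HH:MM:SS.uuuuuu", in UTC because of -v UTC
    pid: int
    tid: int
    priority: str    # V/D/I/W/E/F/S
    tag: str
    message: str

    def matches(self, keyword: str) -> bool:
        """Case-insensitive substring match over tag and message, like grep -i."""
        hay = f"{self.tag}: {self.message}".lower()
        return keyword.lower() in hay


def parse_logcat(lines: Iterable[str]) -> Iterator[LogEntry]:
    """Yield structured entries; skips buffer separators and unparsable lines."""
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or line.startswith("--------- "):
            continue  # "--------- beginning of <buffer>" separator
        m = LOGCAT_LINE.match(line)
        if m is None:
            continue  # e.g. wrapped continuation lines of a multi-line message
        yield LogEntry(
            timestamp=f"{m['date']} {m['time']}",
            pid=int(m["pid"]),
            tid=int(m["tid"]),
            priority=m["prio"],
            tag=m["tag"],
            message=m["msg"],
        )


def filter_by_tag(entries: Iterable[LogEntry], tag: str) -> List[LogEntry]:
    """Like `grep 'ActivityManager'`, but restricted to the tag field."""
    return [e for e in entries if e.tag == tag]


def filter_by_keyword(entries: Iterable[LogEntry], keyword: str) -> List[LogEntry]:
    """Like `grep -i 'error' logcat.txt`, searched over tag and message."""
    return [e for e in entries if e.matches(keyword)]


def priority_counts(entries: Iterable[LogEntry]) -> Counter:
    """Quick triage: how many entries exist per priority level."""
    return Counter(e.priority for e in entries)


if __name__ == "__main__":
    entries = list(parse_logcat(SAMPLE_LOGCAT.splitlines()))
    for e in filter_by_tag(entries, "ActivityManager"):
        print(e.timestamp, e.priority, e.tag, e.message)
    print(dict(priority_counts(entries)))
```

Parsing into fields rather than grepping raw text lets you filter on the tag alone (so a keyword that happens to appear in a message body does not produce false hits) and keeps the UTC timestamp, PID and TID available for correlating with dumpsys output.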
4. Capture Dumpsys Reports and Key Arguments
The dumpsys command provides a detailed snapshot of system services and states, making it a valuable tool for forensic analysis. Using specific arguments can help focus on important forensic artifacts:
Commonly Used Dumpsys Arguments:
- adb shell dumpsys meminfo – Shows memory usage statistics.
- adb shell dumpsys media.audio_flinger – Extracts audio playback history.
- adb shell dumpsys sensorservice – Displays motion, proximity, and environmental sensor activity.
- adb shell dumpsys adb – Provides ADB connection information.
- adb shell dumpsys accounts – Lists user accounts on the device.
- adb shell dumpsys persona – Displays multi-user profile data.
- adb shell dumpsys fingerprint – Extracts fingerprint authentication data.
- adb shell dumpsys netstats – Shows network usage statistics.
- adb shell dumpsys mount – Lists mounted storage volumes.
- adb shell dumpsys power – Provides device power management details, including screen activity.
- adb shell dumpsys dropbox – Lists system crash reports and events.
- adb shell dumpsys location – Displays GPS and location service activity.
- adb shell dumpsys notification – Shows active and dismissed notifications.
- adb shell dumpsys telecom – Extracts call logs and telephony data.
- adb shell dumpsys lock_settings – Provides lock screen settings and credentials.
- adb shell dumpsys package – Retrieves installed package details.
- adb shell dumpsys wifi – Extracts WiFi connection and history.
- adb shell dumpsys window – Lists active windows and screen state.
- adb shell dumpsys stats – Retrieves system performance metrics.
- adb shell dumpsys batterystats – Shows battery usage history.
- adb shell dumpsys usb – Shows USB connection history.
- adb shell dumpsys clipboard – Shows clipboard history.
Using these arguments helps target relevant forensic artifacts without having to sift through unnecessary system data.
For a full list of available dumpsys arguments, refer to the official Android Developer documentation: Dumpsys Command Reference.
To capture all dumpsys data for further analysis:
adb shell dumpsys > dumpsys.txt
This will output a complete system report, which can be useful for capturing a broad snapshot before filtering specific services.
5. List Installed Applications
To get a list of all installed apps:
adb shell pm list packages -f
This lists every installed package together with the path of its APK (the -f flag), which helps determine which applications are present on the device.
Python Script Overview
Now that we’ve covered some manual ADB commands, let’s look at a Python script that automates ADB log collection and makes things a little easier. Here’s what it does:
- Detects connected Android devices using adb devices.
- Captures all available logcat logs.
- Retrieves all available dumpsys logs.
- Compresses logs into a zip file for easy storage.
- Generates an MD5 hash of the zip file.
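The author's script itself is not reproduced in this post, so the following is an added example of my own, not the original Android_volatile_data.py, that implements the five steps listed above: it parses adb devices output (skipping devices that are unauthorized or offline), dumps each logcat buffer and each dumpsys report to text files, zips them, and writes the MD5 of the zip next to it. It assumes adb is on the PATH; the output file names, the DUMPSYS_SERVICES subset and the injectable runner parameter are my own choices, and the runner exists so the collection and hashing logic can be exercised with a fake adb when no device is attached.

```python
import hashlib
import subprocess
import sys
import zipfile
from pathlib import Path
from typing import Callable, List

# Buffers and services to collect. The dumpsys list is a subset of the
# arguments discussed earlier in the post; extend it as needed.
LOGCAT_BUFFERS = ["main", "radio", "events", "system", "crash"]
DUMPSYS_SERVICES = [
    "accounts", "batterystats", "dropbox", "location", "notification",
    "package", "telecom", "usb", "wifi",
]


def run_adb(args: List[str], runner: Callable = subprocess.run) -> str:
    """Run `adb <args>` and return its stdout. `runner` defaults to subprocess.run
    and is injectable (assumption of this example) so the logic can be tested
    without a device."""
    result = runner(["adb", *args], capture_output=True, text=True, check=False)
    return result.stdout


def parse_adb_devices(output: str) -> List[str]:
    """Return serials in the 'device' state from `adb devices` output.
    Lines marked 'unauthorized' or 'offline' are skipped: USB debugging has not
    been approved on that device, so collection would fail."""
    serials = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def collect_volatile_data(serial: str, out_dir, runner: Callable = subprocess.run) -> List[Path]:
    """Dump every logcat buffer and dumpsys report to text files; returns the paths."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []

    def save(name: str, text: str) -> None:
        path = out_dir / name
        path.write_text(text, encoding="utf-8", errors="replace")
        written.append(path)

    for buf in LOGCAT_BUFFERS:
        # -d dumps and exits; -v UTC,usec normalizes timestamps as described above
        save(f"logcat_{buf}.txt",
             run_adb(["-s", serial, "logcat", "-b", buf, "-v", "UTC,usec", "-d"], runner))
    # Full system report first, then the individual services for easier review
    save("dumpsys_full.txt", run_adb(["-s", serial, "shell", "dumpsys"], runner))
    for svc in DUMPSYS_SERVICES:
        save(f"dumpsys_{svc}.txt", run_adb(["-s", serial, "shell", "dumpsys", svc], runner))
    return written


def zip_and_hash(files: List[Path], zip_path) -> str:
    """Pack the collected files into a zip and write its MD5 beside it."""
    zip_path = Path(zip_path)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in files:
            zf.write(f, arcname=f.name)
    md5 = hashlib.md5()
    with zip_path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream, zips can be large
            md5.update(chunk)
    digest = md5.hexdigest()
    # "<hash>  <name>" is the layout md5sum -c understands
    Path(str(zip_path) + ".md5").write_text(f"{digest}  {zip_path.name}\n")
    return digest


if __name__ == "__main__":
    serials = parse_adb_devices(run_adb(["devices"]))
    if not serials:
        sys.exit("No authorized device found; check USB debugging and `adb devices`.")
    if len(serials) == 1:
        serial = serials[0]
    else:
        for i, s in enumerate(serials):
            print(f"[{i}] {s}")
        serial = serials[int(input("Select device: "))]
    files = collect_volatile_data(serial, f"collection_{serial}")
    print("MD5:", zip_and_hash(files, f"collection_{serial}.zip"))
```

Every adb call is pinned to a serial with -s, so the script behaves the same whether one or several devices are attached, and the per-buffer files keep the main/radio/events/system/crash split visible rather than collapsing everything into one -b all dump.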
How to Use the Script
Before running this script on any evidence device, be sure to test it on a non-evidentiary test device first.
Before running the script, make sure:
- ADB is installed on your system.
- USB debugging is enabled on the target device.
Running the Script
- Connect the Android device via USB.
- Open a terminal or command prompt.
- Run: python Android_volatile_data.py
- If multiple devices are connected, select the target device.
- The script will save, compress, and hash the logs automatically.
Please let me know if you have any questions, comments, or encounter any issues running the script.