Android DFIR Notes
When examining runtime permissions, check /data/system/users/0/runtime-permissions.xml (one file per Android user; 0 is the primary user). On Android 11 and later the file has moved to /data/misc_de/0/apexdata/com.android.permission/runtime-permissions.xml. Each <pkg> element lists the app's runtime permissions with granted="true" or "false" and a flags value; a granted="false" entry records a permission the app requested but does not currently hold. For example, a redacted package showed SMS access allowed but fine location denied:
<pkg name="[REDACTED]">
<item name="android.permission.READ_SMS" granted="true" flags="b00" />
<item name="android.permission.ACCESS_FINE_LOCATION" granted="false" flags="300" />
... (other permissions redacted for brevity)
</pkg>
To determine when a malicious APK was installed, inspect the ft (firstInstallTime) attribute of the package's entry in /data/system/packages.xml. The value is hexadecimal milliseconds since the Unix epoch, written without a 0x prefix; convert it to decimal and divide by 1000 to get a UTC timestamp. firstInstallTime is preserved across updates of the same package, so if the APK on disk may have been updated, compare it with the entry's last-update timestamp as well. For instance:
- Hex 1909fa201a8 → 1720665113000 ms → July 11, 2024 at 02:31:53 UTC.
The corresponding package entry shows critical permissions like WRITE_SMS and REQUEST_DELETE_PACKAGES granted:
<package name="[REDACTED]" ... ft="1909fa201a8" ...>
...
<perms>
<item name="android.permission.WRITE_SMS" granted="true" flags="0" />
<item name="android.permission.REQUEST_DELETE_PACKAGES" granted="true" flags="0" />
... (other permissions)
</perms>
</package>
App idle (standby) state can be traced via /data/system/users/0/app_idle_stats.xml. The redacted package showed elapsedIdleTime="15700265" (≈4.4 hours) and screenIdleTime="7112575" (≈2.0 hours), indicating periods of background activity. Both values are milliseconds, but they are recorded against the device's elapsed-realtime and cumulative screen-on clocks rather than wall-clock time, so compare them with other entries in the same file instead of converting them to UTC.
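The two lookups above, the ft timestamp from packages.xml and the grant state from runtime-permissions.xml, combined into one triage pass, as an added Python example that is not part of these notes. The XML samples are constructed to match the shape of the redacted entries; the package names com.example.suspect and com.example.benign and the WATCHLIST set are assumptions for the example, not anything from the original case.

```python
"""Added example, not part of the original notes: correlate a package's
firstInstallTime (ft) from packages.xml with its grants in the packages.xml
<perms> block and in runtime-permissions.xml, then flag watchlisted grants.
The XML samples are constructed; the package names are placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed stand-in for /data/system/packages.xml (real entries carry
# many more attributes and child elements than shown here).
PACKAGES_XML = """<packages>
  <package name="com.example.suspect" ft="1909fa201a8">
    <perms>
      <item name="android.permission.WRITE_SMS" granted="true" flags="0" />
      <item name="android.permission.REQUEST_DELETE_PACKAGES" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.benign" ft="18f0a1b2c3d">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
    </perms>
  </package>
</packages>"""

# Constructed stand-in for /data/system/users/0/runtime-permissions.xml.
RUNTIME_PERMS_XML = """<runtime-permissions>
  <pkg name="com.example.suspect">
    <item name="android.permission.READ_SMS" granted="true" flags="b00" />
    <item name="android.permission.ACCESS_FINE_LOCATION" granted="false" flags="300" />
  </pkg>
</runtime-permissions>"""

# Triage watchlist: an assumption for this example, not an Android constant.
WATCHLIST = {
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def hex_ms_to_utc(hex_ms):
    """packages.xml stores times as hex milliseconds since the epoch, no 0x prefix."""
    return EPOCH + timedelta(milliseconds=int(hex_ms, 16))


def parse_packages(xml_text):
    """Map package name -> (first install UTC datetime or None, {perm: granted})."""
    result = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        ft = pkg.get("ft")
        perms = {item.get("name"): item.get("granted") == "true"
                 for item in pkg.iter("item")}
        result[pkg.get("name")] = (hex_ms_to_utc(ft) if ft else None, perms)
    return result


def parse_runtime_permissions(xml_text):
    """Map package name -> {perm: granted} from runtime-permissions.xml.
    Denied entries are kept: they show the app requested the permission."""
    result = {}
    for pkg in ET.fromstring(xml_text).iter("pkg"):
        result[pkg.get("name")] = {item.get("name"): item.get("granted") == "true"
                                   for item in pkg.iter("item")}
    return result


def triage(packages_xml, runtime_xml):
    """Return findings for packages holding any watchlisted permission, oldest
    install first; runtime grants override the packages.xml <perms> state."""
    packages = parse_packages(packages_xml)
    runtime = parse_runtime_permissions(runtime_xml)
    findings = []
    for name, (first_install, install_perms) in packages.items():
        combined = dict(install_perms)
        combined.update(runtime.get(name, {}))
        granted = sorted(p for p, g in combined.items() if g and p in WATCHLIST)
        denied = sorted(p for p, g in combined.items() if not g and p in WATCHLIST)
        if granted:
            findings.append({
                "pkg": name,
                "first_install_utc": first_install.isoformat() if first_install else None,
                "granted": granted,
                "requested_but_denied": denied,
            })
    findings.sort(key=lambda f: f["first_install_utc"] or "")
    return findings


if __name__ == "__main__":
    for finding in triage(PACKAGES_XML, RUNTIME_PERMS_XML):
        print(finding)
```

Point the two constants at the real files pulled from the image and the same functions apply unchanged; on newer Android the packages.xml <perms> block only reflects install-time grants, so the runtime-permissions.xml state is what decides whether a dangerous permission is actually held.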
Notification logs, when present, in /data/system/notification_log.db provide per-notification timestamps (when_ms, decimal milliseconds since the Unix epoch, so no hex conversion is needed), package identifiers (pkg), and context such as muted status. For parsing Android logs, I recommend ALEAPP. For APK analysis, use apktool (apktool d app.apk produces the smali directory) combined with smali2java; my typical workflow:
go run smali2java.go -path_to_smali="app_smali_directory"
Key redactions: Package names, code paths, and certificate keys have been removed to protect sensitive data. Forensic markers like timestamps and permission patterns are preserved for analysis context.