The Hack Lair

Working with Android logs and dumps

Android debugging logs

ADB Logcat display the system debugging file. Apps that use the Android logging API will dump logs into this file which can be open and filtered.

Official doc:

This command is especially useful to see all logs by process name.

$ adb logcat | grep `adb shell ps | grep com.example.package | cut -c10-15`

Logging bluetooth traffic

In the developper options activate Enable Bluetooth HCI snoop log. Then run adb shell “cat /sdcard/btsnoop_hci.log” to view the file or adb pull /sdcard/btsnoop_hci.log to save the file on disk.

You will need an hex editor. I recommend:

Capturing TCP/IP packets

tPacketCapture Pro allow you to dump TCP/IP packets from specific apps to .pcap files, which can then be opened in Wireshark for analysis.

RAM forensics

Analyzing allocated memory is quite complex but well documented. This official Android documentation provide all the necessary explanations.

You can use those two commands to get basics memory information:

$ adb shell dumpsys meminfo
$ adb shell dumpsys meminfo 'com.application.namespace'

Other useful forensic commands

$ adb shell ps
$ adb sell netstart

Show running process Show current connections Show all process for an app process ID

Using Android studio

If you install Android Studio you can use DDMS for complete device analysis.

Other posts from the Android forensics and security analysis series: