How to Read Data From Bluetooth Device in Android
Synopsis
Forensic question: How can Android Bluetooth artifacts be used in distracted driving cases?
OS: Android versions 6-10 were used in this research.
Tools: Magnet Acquire, Public Roots for access, Cellebrite UFED, Cellebrite Physical Analyzer, DCode, DB Browser for SQLite
Here's how to unlock critical evidence from Android devices using Bluetooth connections to vehicles.
By Heather Mahalik, Senior Director of Digital Intelligence
Author's note: I'd like to extend my special thanks to Josh Hickman for allowing me to use his public images, for taking my calls to validate my sanity during my research, and for peer-reviewing this blog.
When it comes to scanning and tracking paired Bluetooth devices, Android devices are completely different from iOS phones. Historically, more files were accessible that tracked connectivity in older Android versions. We used to be able to track connectivity to Bluetooth, NFC, USB, and more within /data/com.android.connectivity.metrics/databases/events.db. This file is no longer present on the Android devices we tested. In addition, connections to a car via Bluetooth are all over the Android device. If you are trying to determine if a user was driving hands-free, you have your work cut out for you.
This blog will focus on determining if Bluetooth devices were paired to an Android device. We'll then look at how to determine actual connection times. For the examples in this blog, I used Josh Hickman's public Android image[1] so that you can validate my findings. This research includes validation from Josh's image and the Android images from myself and my colleagues.
Diving Into The Data
The easiest way to approach Bluetooth on Android is to start with what is parsed within your tool. Below we can see what Physical Analyzer detected for Bluetooth and Bluetooth devices.
Physical Analyzer Parsed Bluetooth
The Bluetooth listing under "Device Connectivity" shows paired devices. This device is the Bluetooth connection to Josh Hickman's Nissan Rogue. (Note: it is stored as "rouge" in the config file and in Josh's car. He confirmed that for me, as the typo is strange). Notice the lack of a timestamp? We will circle back to that shortly.
Physical Analyzer Parsed Bluetooth - Paired
The next connection for Bluetooth is listed as "Devices > Bluetooth Devices." This includes "detected" devices. For this test image, the Nissan Rogue (Rouge) was detected.
Physical Analyzer Parsed Bluetooth - Detected
Sadly, this is where the easy part ends. If you just needed to prove pairing, consider yourself lucky. But what if you needed timestamps for this pairing? What if you needed to know whether the user was in a hands-free state when something occurred?
Anytime a connection is made on an Android device (USB, Bluetooth, etc.) there are traces left all over the device. To start, we can manually examine the bt_config.conf file to determine "Paired" and "Detected" devices. The file system view of parsed Bluetooth data is shown below. You can easily get to the location by clicking on the "Source file" in Physical Analyzer.
Physical Analyzer File System View
Some may open the configuration file and start poking around. We now need to make sense of this data.
Physical Analyzer Hex View of bt_config.conf
Upon closer examination, you may notice the timestamp at the top of the bt_config.conf file. This is not when the Bluetooth connection was established, but when the device was first set up for use. Make sure your tool is not parsing this as a connection timestamp.
Below, we can see that Josh started using his device on January 29, 2020. Don't believe me? Read his documentation file for this extraction. The Bluetooth wasn't first connected until the next day. Stay tuned for details on how to piece that together.
Physical Analyzer Hex View of bt_config.conf
Depending on the Bluetooth device, you may recover timestamps. This was not the case when I was examining Josh's device because his paired Bluetooth connection was with a vehicle. Android Auto is a beast of its own, and timestamps and correlations are everywhere. Josh and I both conducted research on Android Auto a few years ago and we both keep learning as we dig through this data.
For this blog, I am going to provide you with a glimpse into how to put a person in a car, connected to Android Auto, when an activity occurs. To do this, we need to examine many files to establish connection start times, run times, and end times. From here, you can then correlate (timeline) the activity of interest.
There are many ways to approach this. One could simply search for "Bluetooth" across the parsed data, or you can dive right in like I did. I copied the MAC address of Josh's car and did a Hex search in Physical Analyzer.
To properly conduct a Hex search across the entire device extraction, you must first go to the File Systems model and select the "FileDump" by double clicking.
Next, select the magnifying glass and type in your keyword of interest. (Refer to the Hex Diving Blog for more details on this type of keyword search).
Physical Analyzer Hex Search
This search produced 106 results. I recommend sorting by "Source" and examining the files of interest.
Physical Analyzer Search Results
You can now double-click on the source and it will take you to that file in the "File System View." Determining usage is the hard part, but we now have some files to lead us down that trail. Also note, I include all of these files for reference at the end of this blog.
Databases of interest can be examined using the SQLite Wizard inside PA, where you can leverage the query builder to check columns of interest, decode timestamps, rename columns, and add it as a parser into Physical Analyzer.
SQLite Wizard in Physical Analyzer
Or, you can export the database out of Physical Analyzer and parse it in your preferred tool. This query may help you decide the relevance of this file to your investigation. The results will show that the "modelyear" is 18 MY, but his vehicle is actually a 2019. It appears that Nissan may associate all years to specific model parts (Nissa_Bosch_SUV). I am not a vehicle expert but wanted to mention it, as the query provided this output.
SELECT
  id,
  manufacturer,
  model,
  datetime(connectiontime/1000, 'unixepoch', 'localtime') AS "connection time",
  modelyear,
  vehicleid,
  CASE
    WHEN bluetoothConnectionAllowed = 1 THEN "Bluetooth Allowed"
    ELSE "Bluetooth Not Allowed"
  END AS "Permissions"
FROM allowedcars
DB Browser for SQLite showing my query results
At this point, we see a connection time of Feb 2, 2022 at 14:09 (localtime). This is where having test data is extremely helpful, and we discuss testing like this in our Cellebrite podcast "Carved From Unallocated". Josh provides documentation with his public images so that you can validate the data! I looked at what my query provided and found that he last connected his Android device to his car on this exact date and time.
A snippet from Josh's public documentation (Bluetooth Activity)
We are now getting somewhere. Now we know the last time Josh connected his Android device via Bluetooth to his car. Let's keep digging! Another file that caught my eye was coffee_preferences.xml. This file helped determine when the device was first paired via Bluetooth using Android Auto. The decoded timestamp below (yes, there are others, but this is the one that matters) shows the timestamp of January 30, 2022 at 08:56 AM (localtime).
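To show how the two artifacts discussed above fit together (the bt_config.conf setup timestamp that must not be read as a connection time, and the allowedcars query with its millisecond epoch), here is an added Python example that is not part of the original blog; the bt_config.conf layout, the table columns and every sample value are constructed assumptions.

```python
import configparser
import sqlite3
from datetime import datetime, timezone

# Constructed bt_config.conf sample; INI layout and key names are assumptions.
SAMPLE_BT_CONFIG = """[Info]
FileSource = Empty
TimeCreated = 2020-01-29 10:15:42

[Adapter]
Address = 11:22:33:44:55:66

[AA:BB:CC:DD:EE:01]
Name = Nissa Rouge
DevClass = 1056
"""

def parse_bt_config(text):
    """Return (TimeCreated, {mac: name}). TimeCreated is when the phone was
    set up, not a Bluetooth connection time, so it is kept apart."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    devices = {s: cfg[s].get("Name", "") for s in cfg.sections()
               if s.count(":") == 5}  # only MAC-address sections
    return cfg["Info"]["TimeCreated"], devices

def build_sample_db():
    """Constructed in-memory carservicedata.db with only the allowedcars
    columns the blog's query touches; every value is made up for the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE allowedcars (id INTEGER, manufacturer TEXT, "
                "model TEXT, connectiontime INTEGER, modelyear TEXT, "
                "vehicleid TEXT, bluetoothConnectionAllowed INTEGER)")
    con.execute("INSERT INTO allowedcars VALUES (1, 'Nissan', 'Nissa_Bosch_SUV', "
                "1580652540000, '18 MY', 'VEHICLE-ID-PLACEHOLDER', 1)")
    return con

def allowed_cars(con):
    """Run the blog's allowedcars query. connectiontime is milliseconds since
    the Unix epoch; converting it to an aware UTC datetime here rather than
    with SQLite's 'localtime' keeps the result workstation-independent."""
    rows = con.execute("SELECT id, manufacturer, model, connectiontime, "
                       "modelyear, vehicleid, bluetoothConnectionAllowed "
                       "FROM allowedcars").fetchall()
    return [{"id": i, "manufacturer": mf, "model": m,
             "connection_time": datetime.fromtimestamp(ct / 1000, timezone.utc),
             "modelyear": my, "vehicleid": vid,
             "permissions": "Bluetooth Allowed" if ok == 1 else "Bluetooth Not Allowed"}
            for i, mf, m, ct, my, vid, ok in rows]
```

For a real extraction, pass the text of the exported bt_config.conf to parse_bt_config and an sqlite3 connection to the exported carservicedata.db to allowed_cars, then convert the UTC datetimes to the device's time zone for the timeline.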
Physical Analyzer File Format Viewer and DCode for Validation
When we look at Josh's testing documentation, we can see we have established our primary date of interest correctly!
A snippet from Josh's public documentation (Bluetooth Activity)
What we have done so far is not an easy task, which is why I hope this blog helps you along your way. I am 100% positive that different devices will store the information in different files. However, you now have methods to guide you along the way.
Please refer to the presentation that Sarah Edwards and I provided at the DFIR Summit in 2019[2], as it provides a look at the Samsung side of Android Auto and Apple CarPlay as well. You will see that this research provided even more information than my presentation at the DFIR Summit showed, as the device was made by a different manufacturer and the Android OS was older. This is the perfect example of why we all must continue researching, learning, and sharing our findings!
The following files were tested for Android Auto connections only (you may find more if you search like I did in this blog):
/data/misc/bluedroid/bt_config.conf
/data/data/com.google.android.gms/shared_prefs/coffee_preferences.xml
/data/data/com.google.android.projection.gearhead/shared_prefs/app_state_shared_preferences.xml - tracks last runtime for Bluetooth
/data/data/com.google.android.projection.gearhead/shared_prefs/com.google.android.gms.analytics.prefs.xml - tracks first run time and monitoring start time.
/data/data/com.google.android.projection.gearhead/shared_prefs/common_user_settings.xml - Can be used to verify the MAC address of the connected car.
/data/data/com.google.android.gms/shared_prefs/bluetooth_addresses_prefs.xml - Can be used to verify the MAC address of the connected car.
/data/user_de/0/com.android.bluetooth/shared_prefs/bluetooth_volume_map.xml - contains the paired MAC address.
/data/user_de/0/com.android.bluetooth/shared_prefs/phonebook_access_permission.xml - contains the paired MAC address and can be associated to the peoplelog.db, which updates contacts to the vehicle when the device is connected via Bluetooth or USB.
/data/data/com.google.android.gms/databases/carservicedata.db - Lists the allowed cars for the device.
/data/data/com.google.android.googlequicksearchbox/app_shared_prefs/SearchSettings.bin - Associates the Google account to the vehicle MAC address.
/data/user_de/0/com.android.bluetooth/databases/bluetooth_db - The metadata table shows paired Bluetooth MAC addresses.
References:
[1] Josh Hickman's public Android image: https://thebinaryhick.blog/2020/02/15/android-10-image-now-available/
[2] DFIR Summit Presentation: https://www.youtube.com/watch?v=IGhXsfZXL6g
DFIR Review
The paper/blog structure and its storytelling method make it easy to read and understand. This research could be very helpful to construct timeline analysis for Bluetooth connections made between devices and is a good addition to the digital forensic community. The images/figures, table, and the list of the artifact paths on the device are presented clearly. Reviewers were able to verify the results using open source tools including HexEditor, SQLite DB Browser, Autopsy, and Notepad++.
We must consider the possibility that Bluetooth was turned off on the Android device. This means that a user could be in a vehicle, but there might not have been a connection. The table being looked at in SQLite Wizard was not indicated. One of the reviewers was able to identify the database as Pixel 3\data\data\com.google.android.gms\databases\carservicedata.db.
Future Work
A tool or plugin to extract these artifacts and construct the timeline analysis could be a big help. Future work could also include research on the additional timestamps available in coffee_preferences.xml, as well as testing to see if multiple entries for different vehicles would be in carservicedata.db. It would also be helpful to determine how long records last before they are overwritten by new records.
Reviewers
- Addisu Afework Birhanu (Methodology Review, Verified Review using Author Provided Datasets)
- Yohannes Yemane Brhan (Methodology Review, Verified Review using Author Provided Datasets)
- Jessica Hyde (Methodology Review, Verified Review using Author Provided Datasets)
Source: https://dfir.pubpub.org/pub/6ysxvhvc