Introduction to Android Network Forensics with ADB

Android devices are ubiquitous, making them frequent targets in digital investigations ranging from corporate espionage to criminal cases. Understanding how to analyze their network activity is paramount for forensic analysts. The Android Debug Bridge (ADB) is a versatile command-line tool that facilitates communication with an Android device, providing a powerful gateway into its inner workings, including its network stack. This article provides an expert-level guide on leveraging ADB shell commands for comprehensive Android network forensics, covering traffic interception, log analysis, and configuration extraction.

Prerequisites for ADB Network Forensics

Before diving into forensic analysis, ensure the following are in place:

• ADB Installation: Android SDK Platform-Tools must be installed on your workstation. This suite includes the adb executable. Ensure it’s added to your system’s PATH variable for easy access.
• USB Debugging Enabled: On the Android device, navigate to Developer Options (which may require tapping the build number multiple times in About Phone) and enable USB debugging. This is crucial for ADB to communicate with the device.
• Device Connection: Connect the Android device to your computer via USB. Authorize your computer on the device if prompted. Verify the connection by running adb devices.
• Root Access (Optional but Recommended): For some advanced traffic interception techniques, especially raw packet capture across all interfaces, root access can be highly beneficial, allowing deeper access to system files and network interfaces.

To verify ADB connection:

adb devices

Expected output should list your connected device:

List of devices attached
XXXXXXXXXXXXXXX    device

Monitoring Active Network Connections

Understanding which applications are communicating over the network is crucial for identifying suspicious activity. The netstat and ss commands, available via ADB shell, provide real-time insights into active connections and listening ports on the Android device.

Using netstat via ADB

To view all active connections (TCP and UDP) and listening sockets:

adb shell netstat -an

To view listening ports and the process IDs (PIDs) associated with them:

adb shell netstat -ap | grep LISTEN

Analyzing the output helps identify suspicious open ports, unusual outbound connections, and the applications (via PIDs) responsible for them. For example, an unexpected service listening on a high port might indicate malware.

Using ss (Socket Statistics) via ADB

The ss command is a more modern, faster, and often more feature-rich alternative to netstat, providing detailed socket statistics. It’s available on most newer Android versions.

adb shell ss -tupna

• -t: Display TCP sockets.
• -u: Display UDP sockets.
• -p: Show process using socket (requires root on some devices/versions for full details).
• -n: Don’t resolve service names or hostnames.
• -a: Display all sockets (listening and non-listening).

The output provides detailed information including local/remote addresses and ports, state of connection, and associated process names, making it easier to pinpoint suspicious network activity.

Capturing Network Traffic with tcpdump

Directly capturing raw network packets on the device provides the most granular level of network forensic data. This often requires root access or pushing a tcpdump binary to the device. The captured .pcap file can then be analyzed using tools like Wireshark on a forensic workstation.

Steps to Use tcpdump via ADB

1. Download tcpdump: Obtain an ARM-compatible tcpdump binary. Many resources online provide pre-compiled binaries for Android. Ensure it matches your device’s architecture (ARM, ARM64).
2. Push to Device: Transfer the binary to a temporary, writable location on the device, such as /data/local/tmp/.

adb push /path/to/your/tcpdump /data/local/tmp/tcpdump

3. Set Permissions: Make the binary executable on the device.

adb shell chmod 755 /data/local/tmp/tcpdump

4. Start Capture: Execute tcpdump on the device. You’ll need to specify a network interface (e.g., wlan0 for Wi-Fi, rmnet_data0 for mobile data) and an output file path (e.g., /sdcard/ which is typically user-accessible).

adb shell "su -c '/data/local/tmp/tcpdump -i wlan0 -s 0 -w /sdcard/capture.pcap'"

The su -c part is crucial if root is required for interface access. Press Ctrl+C in your host terminal to stop the capture.

5. Pull Capture File: Retrieve the generated .pcap file from the device to your workstation for detailed analysis.

adb pull /sdcard/capture.pcap .

Note: For unrooted devices, capturing all traffic across all interfaces may be restricted due to Android’s security model. You might only be able to capture traffic from specific applications (if permissions allow) or require more advanced proxying techniques.

Analyzing DNS Resolution

DNS queries can reveal the domains a device is communicating with, which is critical for identifying malicious Command and Control (C2) servers, data exfiltration attempts, or user browsing habits.

Examining DNS Resolver Configuration

Check the configured DNS servers on the device. Android uses properties to store DNS server information.

adb shell getprop | grep dns

This command often shows the DNS servers used by various interfaces (e.g., [net.dns1], [dhcp.wlan0.dns1]).

Monitoring DNS Traffic (with tcpdump)

If you’re capturing traffic with tcpdump, you can specifically filter for DNS queries (which typically use UDP or TCP port 53):

adb shell "su -c '/data/local/tmp/tcpdump -i wlan0 -s 0 -w /sdcard/dns_capture.pcap 'port 53''"

After pulling dns_capture.pcap, open it in Wireshark and apply a display filter like dns to review all DNS queries and responses.

Extracting Network Configuration Files

Android’s network configurations are stored in various system files, which can be pulled for offline analysis to understand the device’s network setup and history.

• Network Interfaces: Get information about the device’s network interfaces and their status.

adb shell cat /proc/net/dev

• ARP Cache: The Address Resolution Protocol (ARP) cache shows recently resolved IP-to-MAC address mappings, which can indicate local network interactions.

adb shell cat /proc/net/arp

• IP Routing Table: Displays the device’s routing table, indicating how network traffic is directed.

adb shell ip route

• Wi-Fi Configuration: (Requires root) Wi-Fi network configurations, including saved SSIDs and passwords (often hashed or encrypted), are typically found in /data/misc/wifi/.

adb shell "su -c 'ls /data/misc/wifi/'"
adb pull /data/misc/wifi/wpa_supplicant.conf .

Logging Network-Related Events with logcat

logcat is Android’s primary logging system, capturing events from the kernel, system services, and applications. It can be filtered to display network-related events, errors, or application-specific logs, providing a chronological record of activity.

To filter logs for verbose output from key network components:

adb logcat -s NetworkController:V ConnectivityService:V DhcpClient:V WifiMonitor:V

You can further filter by application PID or tag. For a broader capture of all network-relevant events and to save them to a file on the device:

adb shell "logcat -b main -b system -b radio -b events -v time -f /sdcard/network_logs.txt"

After capturing for a sufficient period (or recreating the suspicious activity), pull the logs from the device:

adb pull /sdcard/network_logs.txt .

Analyzing these logs involves parsing for keywords such as