Investigating Android Bluetooth
04/08/2023 Friday
Bluetooth is a wireless communication technology that allows different devices to connect to one another, such as smartphones, tablets, laptops, headsets, and smartwatches. In the most widely used mode, its transmission power allows the communication to be established within a very short range, up to 10 meters only.
Digital Forensics Value of Bluetooth
When conducting digital forensic evidence of an Android device, analyzing Bluetooth-related data can yield valuable information that can be relevant to the investigation. Bluetooth left-behind artifacts store valuable metadata related to device connections, pairing history, communication logs, and exchanged files information. Digital forensic examiners can use this information to reconstruct the Bluetooth-related activities on the Android device.
Location of Android Bluetooth Artifacts
Android Bluetooth App artifacts can be found at the following locations:
data/misc/bluedroid/bt_config.conf
com.android.bluetooth/database/btopp.db
Analyzing Android Bluetooth Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Android Bluetooth artifacts from Android machines’ files and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Bluetooth artifacts:
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Bluetooth artifacts in ArtiFast.
Android Bluetooth Transferred Files
- ID: The database row ID.
- URI: The URI of the file being sent/received.
- Hint: The filename that the incoming file request recommends.
- Data: The filename where the shared file was actually stored.
- Mimetype: The MIME type of the shared file.
- Direction: The direction (Inbound/Outbound) of the transfer.
- Destination: Bluetooth Device Address that the transfer is associated with.
- Visibility: The flag that controls whether the transfer is displayed by the user or not.
- Confirm: The current user confirmation state of the transfer.
- Status: The current status of the transfer.
- Total Bytes: The total size of the file being transferred.
- Current Bytes: The size of the part of the file that has been transferred so far.
- Timestamp Date: The timestamp when the transfer is initialized.
- Scanned: Indicates whether the file has been scanned or not.
Android Bluetooth Devices
- MAC Address: The device’s MAC Address.
- Name: The name that has been assigned to this device.
- Device Class: The device class number as given in Bluetooth specifications.
- Device Type: The device type number as given in Bluetooth specifications.
- Last Seen Date/Time: The last date and time when the device was seen.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
