Dumpsys is a tool built into the Android OS, generally used for development purposes to show the status of services running on the device. However, it can also contain forensically interesting information. Dumpsys does not require root access, but, like all ADB commands, does require USB Debugging to be enabled on the device and Secure USB Debugging to be bypassed.
The exact services that can be viewed differ across devices and Android versions. To view a list of all possible services that can be dumped, run the following command:
adb shell service list
The output of the command will appear as a list, as shown here:
The service name located before the colon is the argument we will pass to dumpsys. A valid dumpsys command, using the previously seen service number seven (iphonesubinfo), looks like this:
adb shell dumpsys iphonesubinfo
In the following, we see that the output of the iphonesubinfo service includes the device IMEI:
There are many forensically interesting dumpsys services; several examples follow. As the dumpsys services may vary by OS version and device, this list is not all-inclusive and is merely intended to show the usefulness of dumpsys to a forensic examiner:
- iphonesubinfo
- batterystats
- procstats
- user
- appops
- wifi
- notification