The adb dumpsys command allows you to gather information about services and applications running on the system. Run without a service name, adb shell dumpsys gives diagnostic output for all system services. The dumpsys command does not require root privileges; as with any other adb command, it only requires USB debugging to be enabled. As shown in the following screenshot, to see the list of all the services that you can use with dumpsys, run the adb.exe shell service list command:
Analyzing certain dumpsys services, such as Wi-Fi, user, and notification, can be helpful in certain scenarios. Here are some of the interesting cases where running the dumpsys command could be helpful during forensic analysis:
The dumpsys iphonesubinfo service can be used to get information about a device ID or the IMEI number, as shown in the following screenshot:
The dumpsys wifi service gives information about Wi-Fi points accessed by the user. It shows the SSIDs of the connections that have been saved. This information can be used to pin down the user to a particular location. Here is the adb dumpsys command, which gives this information:
The dumpsys usagestats service gives information about recently used applications, along with their date of usage. For example, the following screenshot shows that no apps were used on February 1, 2016, but on January 31, 2016, the Google Chrome browser was used and there was an attempt to back up the phone data:
Observe that against Date: 20160201, the line android: 0 times denotes that no apps were used. But for Date: 20160131, the line android: 1 times confirms that one app was used, and the later sections provide more details on which app was used and so on. Depending on the case being investigated, the forensic analyst needs to figure out whether any of the dumpsys commands can be of use. Running dumpsys immediately after a device seizure can be extremely helpful later on. By running the adb shell dumpsys command with no service name, you can record all of the dumpsys service information in one capture.
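The following script is an added example and is not code from the book: it captures the services discussed above (plus the full dumpsys output) into hashed files for later verification, and parses the usagestats counters quoted in the text into one line per app actually used. It assumes adb and sha256sum are on the PATH and that the "Date: YYYYMMDD" / "<package>: N times" layout shown above; the sample input is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example: dumpsys acquisition helper plus a usagestats counter parser.

# Services of interest from the discussion above; extend for the case at hand.
SERVICES="iphonesubinfo wifi usagestats"

# collect_dumpsys <outdir>: save each service of interest and the complete
# `adb shell dumpsys` output, then hash every file so the capture can be
# verified later. Requires adb on PATH and USB debugging enabled on the device.
collect_dumpsys() {
    outdir=$1
    mkdir -p "$outdir"
    for svc in $SERVICES; do
        adb shell dumpsys "$svc" > "$outdir/dumpsys_$svc.txt"
    done
    adb shell dumpsys > "$outdir/dumpsys_all.txt"
    ( cd "$outdir" && sha256sum ./*.txt > SHA256SUMS )
}

# used_apps: read usagestats text on stdin and print "date package count" for
# every "<package>: N times" counter whose N is non-zero (zero counters, such
# as "android: 0 times" on a day with no activity, are skipped).
used_apps() {
    awk '
        { sub(/\r$/, "") }                  # adb on Windows emits CRLF line ends
        /^Date:/          { date = $2; next }
        /: [0-9]+ times$/ {
            n = $(NF - 1)
            if (n + 0 > 0) {
                pkg = $1
                sub(/:$/, "", pkg)          # strip the trailing colon
                print date, pkg, n
            }
        }
    '
}

# Constructed sample modelled on the counters quoted in the text above; this is
# not output captured from a real device.
SAMPLE_USAGESTATS='Date: 20160201
  android: 0 times
Date: 20160131
  android: 1 times
  com.android.chrome: 1 times'

# Run the acquisition only when an output directory is given; otherwise
# demonstrate the parser on the constructed sample.
if [ -n "$1" ]; then
    collect_dumpsys "$1"
else
    printf '%s\n' "$SAMPLE_USAGESTATS" | used_apps
fi
```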