Battery Usage Statistics (batterystats)

Android, Execution Evidence, Device Extraction

Location

Accessible via ADB (dumpsys batterystats) or /data/system/batterystats.bin

Description

Binary statistics file and system service data maintained by the Android BatteryStatsService, tracking detailed per-application battery consumption metrics. Records include wakelock acquisitions and durations, CPU time per UID, network bytes sent and received per app, sensor usage (GPS, accelerometer), camera and flashlight usage, Bluetooth scan counts, Wi-Fi scan counts, and foreground/background process time, all correlated with battery charge and discharge cycles.

Forensic Value

Battery statistics provide an indirect but comprehensive record of application activity through resource consumption patterns. Applications with high wakelock times were actively preventing the device from sleeping, which is characteristic of stalkerware, cryptocurrency miners, and C2 beaconing malware. Per-app network byte counts reveal which applications transferred significant data, identifying potential exfiltration channels. GPS sensor usage entries indicate which apps were actively tracking the device location. Camera and microphone usage metrics expose surveillance activity. The historical discharge cycle data establishes device usage patterns across multiple charge cycles, providing multi-day activity timelines.

Tools Required

ADB, ALEAPP, Magnet AXIOM, Cellebrite UFED, Battery Historian

Collection Commands

adb

adb shell dumpsys batterystats > batterystats_dump.txt

adb pull /data/system/batterystats.bin /forensics/output/

adb shell dumpsys batterystats --checkin > batterystats_checkin.txt
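Added example (not part of the original page or of any listed tool): a triage pass over the `--checkin` output that totals partial wakelock time and network bytes per UID and maps UIDs to package names. The sample lines are constructed, and the record layout, the function names `summarize` and `triage`, and the thresholds are assumptions to confirm against the Android version under examination.

```python
import csv
from collections import defaultdict

# Constructed sample shaped like `dumpsys batterystats --checkin` output.
# Assumed layout: version,uid,aggregation,section,fields... (verify per Android version).
SAMPLE = """\
9,0,i,vers,35,188,BUILD1,BUILD2
9,0,i,uid,10123,com.example.flashlight
9,0,i,uid,10087,com.example.mail
9,10123,l,wl,*sync*,0,f,0,5400000,p,312,0,w,0
9,10123,l,wl,LocationPoll,0,f,0,1800000,p,96,0,w,0
9,10123,l,nt,1200,900,48000,73400320,0,0,0,0
9,10087,l,wl,MailSync,0,f,0,42000,p,12,0,w,0
9,10087,l,wl,Broken,0,f
9,10087,l,nt,0,0,2500000,310000,0,0,0,0
truncated,line
"""

def summarize(text):
    """Return (per-UID totals, UID -> package names) from checkin text."""
    names = defaultdict(list)
    stats = defaultdict(lambda: {"partial_wl_ms": 0, "rx": 0, "tx": 0})
    for row in csv.reader(text.splitlines()):
        if len(row) < 5:
            continue  # truncated or non-data line
        uid, agg, section, f = row[1], row[2], row[3], row[4:]
        try:
            if section == "uid":
                names[f[0]].append(f[1])
            elif section == "wl" and agg == "l":
                # Partial wakelock time is the field just before the 'p' marker;
                # start at index 1 so a wakelock named "p" is not mistaken for it.
                stats[uid]["partial_wl_ms"] += int(f[f.index("p", 1) - 1])
            elif section == "nt" and agg == "l":
                mobile_rx, mobile_tx, wifi_rx, wifi_tx = map(int, f[:4])
                stats[uid]["rx"] += mobile_rx + wifi_rx
                stats[uid]["tx"] += mobile_tx + wifi_tx
        except (ValueError, IndexError):
            continue  # malformed record: skip, do not guess
    return dict(stats), dict(names)

def triage(text, wl_ms=3_600_000, tx_bytes=50 * 1024 * 1024):
    """List UIDs over either threshold (thresholds are illustrative, not guidance)."""
    stats, names = summarize(text)
    return sorted((uid, names.get(uid, ["?"]), s) for uid, s in stats.items()
                  if s["partial_wl_ms"] >= wl_ms or s["tx"] >= tx_bytes)

if __name__ == "__main__":
    for uid, pkgs, s in triage(SAMPLE):
        print(uid, ",".join(pkgs), s)
```

A UID that surfaces here is a lead to correlate with other artifacts, since sync and media apps legitimately hold long wakelocks and move large volumes of data.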

Collection Constraints

  • Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1426, T1421, T1636, T1404