Bluetooth Paired Devices (bt_config.conf)

Location

Description

Configuration file storing Bluetooth adapter settings and a record of all paired devices. Each paired device entry includes the device Bluetooth MAC address, device name, device class (indicating device type such as phone, headset, computer, or car), pairing timestamp, link key, and supported Bluetooth profiles (A2DP, HFP, HID, etc.).

Forensic Value

Bluetooth pairing records establish associations between the investigated device and other specific devices, potentially linking the device user to vehicles (hands-free pairing), other phones (file transfer), computers (tethering), wearables (fitness trackers, smartwatches), and IoT devices. Device names often contain identifiable information such as the owner name (e.g., "John's AirPods"). The device class field identifies the type of paired device even when the name is generic. Pairing timestamps establish when the association was created. These records persist after the paired device is no longer in range and survive factory resets in some cases.

Tools Required

Collection Commands

adb pull /data/misc/bluedroid/bt_config.conf /forensics/output/

adb shell dumpsys bluetooth_manager > bluetooth_dump.txt

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References