Lock Screen Configuration (locksettings.db)

Location

Description

SQLite database storing the device lock screen configuration including the lock type (none, swipe, pattern, PIN, password), pattern/PIN/password hash, failed attempt count, lockout timestamps, Smart Lock trusted agents, and biometric enrollment status. The database also records whether the device is encryption-aware and the credential-encrypted storage state.

Forensic Value

The lock settings database provides critical information about the security state of the device at the time of acquisition. The lockout_attempt_deadline and failed_attempts fields reveal whether someone recently attempted to guess the passcode, which may indicate unauthorized access attempts or evidence of device seizure awareness. Smart Lock trusted agents and places indicate automatic unlock conditions such as trusted Bluetooth devices, trusted locations, or on-body detection, which could explain how the device was accessed without entering the code. The lock type and hash algorithm affect the feasibility of passcode recovery through brute-force or dictionary attacks.

Tools Required

Collection Commands

adb pull /data/system/locksettings.db /forensics/output/

adb pull /data/system/locksettings.db-wal /forensics/output/

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References