System Log Buffers (Logcat)

Android | Filesystem & Timeline | Device Extraction

Location

Primarily in memory: the buffers live inside the logd process and are read through the logcat client (adb logcat). On-disk copies exist only where persistent logging is enabled, under /data/log/ (vendor-specific), /data/logd/, or /data/misc/logd/ when logpersist is active.

Description

Circular log buffers maintained by the Android logging daemon (logd) capturing system events, application debug messages, radio/telephony events, crash reports and, on builds that expose a kernel buffer, kernel messages. The main, system, events, radio, and crash buffers each hold a different category of message; every entry carries a timestamp, process ID and thread ID, priority (verbose, debug, info, warn, error, fatal), tag, and message text. The events buffer differs from the others in that its records are binary and tag-coded; the logcat client decodes them to text on output.

Forensic Value

Logcat output provides a fine-grained, timestamped record of system and application activity at a resolution no persisted Android artifact offers. Application crash logs (the AndroidRuntime tag for Java exceptions, the DEBUG tag for native tombstones) reveal malware execution failures and exploit attempts. System events record application installs, permission grants, and component starts. The events buffer contains structured entries for screen on/off, battery state, connectivity changes, and notification posts. Radio logs capture cellular registration events and SMS protocol messages. Because the buffers are circular, RAM-resident and small (often a few hundred kilobytes each by default), they hold only the most recent activity and do not survive a reboot, so they should be dumped at seizure, before any restart, to preserve maximum temporal coverage.
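The entry layout described above (timestamp, PID and TID, priority, tag, message) and a first-pass triage of the crash, process-start, install and screen events it mentions, as an added example that is not part of this page or of any of the tools it lists. It parses adb logcat -v threadtime output. The log lines embedded in it are constructed rather than taken from a real device, the package name com.example.dropper is invented, and the triage patterns are illustrative: exact tag and message strings vary across Android versions and OEM builds, so they should be extended per case.

```python
"""Parse `adb logcat -v threadtime` output and flag forensically interesting
entries. Added example, not code from the page or from the tools it lists.
SAMPLE is constructed (no real device), com.example.dropper is an invented
package, and TRIAGE_RULES are illustrative: exact tags and message strings
vary across Android versions and OEM builds, so extend them per case."""
import re
from collections import Counter
from datetime import datetime

# threadtime layout: [YYYY-]MM-DD HH:MM:SS.mmm[uuu]  PID  TID  P  Tag  : message
LINE_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-)?\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3,6})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<prio>[VDIWEFS])\s+"
    r"(?P<tag>\S.*?)\s*:\s?(?P<msg>.*)$"
)

# (category, tag regex, message regex, regex whose group 1 becomes `detail`)
TRIAGE_RULES = [
    ("java_crash",      r"^AndroidRuntime$",            r"FATAL EXCEPTION",  None),
    ("native_crash",    r"^DEBUG$",                     r"signal \d+ \(SIG", r"(signal \d+ \(\w+\).*)"),
    ("proc_start",      r"^ActivityManager$",           r"^Start proc ",     r"^Start proc \d+:([^/ ]+)"),
    ("proc_start",      r"^am_proc_start$",             r".",                None),
    ("package_install", r"^Package(Manager|Installer)", r"install",          r"Package (\S+)"),
    ("screen_toggle",   r"^screen_toggled$",            r".",                None),
    ("connectivity",    r"^ConnectivityService$|^connectivity_", r".",       None),
]

# Constructed sample: one system-buffer excerpt plus one events-buffer line.
SAMPLE = """\
--------- beginning of system
03-14 09:15:02.118  1483  2231 I ActivityManager: Start proc 7712:com.example.dropper/u0a241 for broadcast {com.example.dropper/.BootReceiver}
03-14 09:15:03.004  7712  7712 E AndroidRuntime: FATAL EXCEPTION: main
03-14 09:15:03.005  7712  7712 E AndroidRuntime: java.lang.SecurityException: Permission Denial: not allowed to send broadcast
03-14 09:15:10.442   881   881 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-14 09:15:10.443   881   881 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
03-14 09:16:00.000  1483  1600 I PackageManager: Package com.example.dropper installed for user 0
03-14 09:16:30.250  1483  1700 I screen_toggled: 1
"""


def parse_timestamp(ts, default_year):
    """logcat omits the year unless run with -v year, so the caller supplies it
    (normally the acquisition year) and must watch for wrap-around when a buffer
    spans New Year. Times are device-local unless logcat was run with -v UTC."""
    if not ts[:4].isdigit() or ts[4] != "-":
        ts = f"{default_year}-{ts}"
    base, frac = ts.split(".")
    return datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(
        microsecond=int(frac.ljust(6, "0")))


def parse_logcat(text, default_year):
    """Return one dict per log entry; buffer headers and wrapped lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = parse_timestamp(e["ts"], default_year)
        e["pid"], e["tid"] = int(e["pid"]), int(e["tid"])
        entries.append(e)
    return entries


def triage(entries):
    """Tag entries matching TRIAGE_RULES with a category and an extracted detail."""
    hits = []
    for e in entries:
        for category, tag_re, msg_re, detail_re in TRIAGE_RULES:
            if re.search(tag_re, e["tag"]) and re.search(msg_re, e["msg"]):
                d = re.search(detail_re, e["msg"]) if detail_re else None
                hits.append(dict(e, category=category, detail=d.group(1) if d else e["msg"]))
                break
    return hits


def summarize(hits):
    """Category counts, useful as a first pass over a large multi-buffer dump."""
    return dict(Counter(h["category"] for h in hits))


if __name__ == "__main__":
    for h in triage(parse_logcat(SAMPLE, default_year=2024)):
        stamp = h["ts"].isoformat(sep=" ", timespec="milliseconds")
        print(f"{stamp} pid={h['pid']:<6} {h['category']:<16} {h['detail']}")
```

Note that the PID on a "Start proc" line is system_server's, not the new process's; the started PID and package are in the message, which is why the rule pulls the package out as the detail. Running the dump with -v threadtime,year,usec removes the year guess entirely.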

Tools Required

ADB, ALEAPP, Magnet AXIOM, Cellebrite UFED, Autopsy

Collection Commands

adb (USB debugging enabled and the host key authorized on the device)

adb logcat -d > logcat_dump.txt
    Dumps the default buffer set and exits (-d); on current releases that is main, system and crash. adb logcat -b all -g prints every buffer the build exposes with its configured and consumed size.

adb logcat -b events -d > logcat_events.txt
    Dumps the events buffer; its binary, tag-coded records are decoded to text by logcat.

adb logcat -b radio -d > logcat_radio.txt
    Dumps the radio/telephony buffer, which may be empty on Wi-Fi-only devices.

adb shell dmesg > kernel_log.txt
    Dumps the kernel ring buffer. Production builds restrict dmesg to root, so on an unrooted handset expect an empty file and a permission error on stderr; adb logcat -b kernel -d is an alternative where the build exposes a kernel buffer.

Add -v threadtime,year,usec to every logcat dump: the default format omits the year and truncates to milliseconds, both of which complicate timeline reconstruction. -b all collects every buffer into one interleaved file, but one file per buffer is easier to hash and to attribute.
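The collection commands above as one repeatable run, as an added example that is not the page's procedure or any vendor tool's code: one file per buffer, each logcat dump taken with -v threadtime,year,usec so entries keep their year and microseconds, plus the kernel ring buffer and a SHA-256 manifest for chain of custody. It assumes adb is on PATH (or a command list such as ["adb", "-s", SERIAL] passed as adb_cmd), USB debugging is enabled and the device is already authorized; a failing command, such as dmesg on an unrooted handset or a missing adb binary, is recorded in the manifest instead of aborting the run.

```python
"""Dump every logcat buffer plus the kernel ring buffer over ADB, one file per
buffer, and write a SHA-256 manifest. Added example, not the page's tooling.
Assumes adb on PATH (override with adb_cmd, e.g. ["adb", "-s", SERIAL]), USB
debugging enabled and the device already authorized. Failures are recorded in
the manifest rather than raised: dmesg needs root on production builds and the
radio buffer may be empty or absent on Wi-Fi-only devices."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

BUFFERS = ("main", "system", "events", "radio", "crash")
# year/usec keep the year and microseconds that the default format drops.
LOGCAT_FORMAT = "threadtime,year,usec"


def collect_logcat(outdir, adb_cmd=("adb",), timeout=120):
    """Run one dump per buffer into outdir; return (and save) the manifest."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    jobs = {f"logcat_{b}.txt": ["logcat", "-b", b, "-d", "-v", LOGCAT_FORMAT]
            for b in BUFFERS}
    jobs["kernel_log.txt"] = ["shell", "dmesg"]
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(), "files": {}}
    for name, args in jobs.items():
        cmd = [*adb_cmd, *args]
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        except (OSError, subprocess.TimeoutExpired) as exc:
            # adb missing, not executable, or hung: note it and keep going.
            manifest["files"][name] = {"command": " ".join(cmd), "error": str(exc)}
            continue
        path = outdir / name
        path.write_bytes(proc.stdout)  # raw bytes: no newline translation or decode loss
        manifest["files"][name] = {
            "command": " ".join(cmd),
            "returncode": proc.returncode,
            "bytes": len(proc.stdout),
            "sha256": hashlib.sha256(proc.stdout).hexdigest(),
            "stderr": proc.stderr.decode(errors="replace").strip(),
        }
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "logcat_collection"
    for name, info in collect_logcat(target)["files"].items():
        print(name, info.get("sha256", info.get("error")))
```

Keep the manifest with the dumps: a non-zero returncode or non-empty stderr for kernel_log.txt is the expected signature of an unrooted device, and the hashes let the files be verified after they leave the collection host.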

Collection Constraints

  • Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
  • ADB collection requires USB debugging enabled and the host's key authorized on the device; a locked handset without debugging yields nothing this way. Never run logcat with -c, which clears the buffers.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1426 (System Information Discovery), T1636 (Protected User Data), T1404 (Exploitation for Privilege Escalation), T1398 (Boot or Logon Initialization Scripts)