Per-App Network Statistics
Location
/data/system/netstats/ and dumpsys netstats outputCommon Names
Description
NetworkStatsService files and live service output tracking network usage by UID, interface, and transport type. These records capture transmitted and received byte counts over time for apps and system services across Wi-Fi and cellular networks.
Forensic Value
Per-app network statistics help investigators identify which app moved large volumes of data, when that transfer occurred, and whether the traffic used Wi-Fi or cellular links. This is especially valuable when determining likely exfiltration channels, stalkerware beaconing, or background service abuse on mobile devices where full packet capture is rarely available. The UID-based accounting can also corroborate app usage and notification artifacts when an app claims not to have transmitted data.
Tools Required
Collection Commands
adb
adb shell dumpsys netstats > netstats_dump.txt
adb
adb pull /data/system/netstats/ /forensics/netstats/ 2>/dev/null
adb
adb bugreport /forensics/bugreport.zip
Collection Constraints
- •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
- •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.
- •Accounting granularity, retention, and file layout vary by Android release and OEM. These artifacts provide byte counts and time buckets, not full packet contents or remote endpoints.