System Settings Database

Location

Description

SQLite database and XML files storing Android system settings across three namespaces: system (user-facing settings like screen brightness and volume), secure (security-related settings like lock screen timeout, accessibility services, and device admin components), and global (device-wide settings like ADB debugging, install from unknown sources, and airplane mode).

Forensic Value

The settings database reveals critical security configuration states including whether ADB debugging was enabled (allowing sideloading and data extraction), whether installation from unknown sources was permitted (enabling malware sideloading), which accessibility services were active (a common persistence mechanism for stalkerware and banking trojans), and which device administrator components were registered. The secure namespace contains the list of enabled notification listeners and input methods, both of which are abused by spyware to intercept user data. Changes to these settings during the investigation timeline can indicate device compromise or tampering.

Tools Required

Collection Commands

adb pull /data/data/com.android.providers.settings/databases/settings.db /forensics/output/

adb shell settings list secure > secure_settings.txt && adb shell settings list global > global_settings.txt

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References