Wi-Fi Network Configuration (WifiConfigStore.xml)

Location

Description

XML file containing all saved Wi-Fi network configurations on the device. Each network entry includes the SSID, BSSID (if pinned), security type (WPA2, WPA3, OWE, Open), pre-shared key (in plaintext on older Android versions), priority, hidden network flag, static IP configuration, proxy settings, MAC randomization preference, and creation/update timestamps.

Forensic Value

Saved Wi-Fi configurations establish the locations where the device has previously connected to wireless networks. SSIDs of home, workplace, hotel, and public networks reveal the device travel history and frequented locations. Pre-shared keys stored in plaintext (Android versions prior to 12) can be used to access the same networks for further investigation. The BSSID field, when present, uniquely identifies specific access points. Hidden network SSIDs that were manually configured reveal networks the user deliberately sought to join. MAC randomization settings indicate whether the device used a consistent or random MAC address per network, affecting network log correlation.

Tools Required

Collection Commands

adb pull /data/misc/apexdata/com.android.wifi/WifiConfigStore.xml /forensics/output/

adb shell dumpsys wifi > wifi_dump.txt

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References