Mobile Forensics

Check if Developer Options is Enabled


Last updated 6 months ago

If USB Debugging is enabled, one can control a phone using the Android Debug Bridge (ADB) over USB, or over Wi-Fi if Wi-Fi Debugging is enabled. ADB would also allow attackers to drop executables onto the phone in /data/local/tmp and execute them as the shell system user.

Unless the phone being checked is used for Android app development, it is not normal for USB Debugging to be enabled. You should find out why and when the user enabled it.

If USB Debugging is enabled, you should:

  • Check whether there are apps installed via ADB, and if so, analyze these apps.

  • Check for suspicious files under /data/local/tmp
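
One way to run the two checks above from the examiner's computer, as an added example that is not part of the original guide: the filters read `adb` output on standard input. It assumes that third-party packages reported with `installer=null` are candidates for ADB installation (a heuristic, not proof) and that `ls -la` prints the toybox column layout; the sample package and file names are constructed.

```shell
#!/bin/sh
# Added triage helpers (not from the original guide). Each filter reads adb
# output on stdin, so it can be tried offline on the constructed samples below.

# Third-party packages with no recorded installer. Heuristic (assumption):
# a plain `adb install` leaves installer=null, while store installs name the
# store package. Treat hits as candidates to analyze, not as confirmed.
# Live use: adb shell pm list packages -i -3 | no_installer_packages
no_installer_packages() {
    tr -d '\r' | sed -n 's/^package:\([^ ]*\) *installer=null$/\1/p'
}

# Regular files from a long listing, tagged EXEC when any execute/setuid bit
# is set. Assumes toybox `ls -la` columns (file name starts at field 8).
# Live use: adb shell ls -la /data/local/tmp | tmp_files
tmp_files() {
    tr -d '\r' | awk '$1 ~ /^-/ {
        name = $8
        for (i = 9; i <= NF; i++) name = name " " $i
        tag = "file"
        if ($1 ~ /[xs]/) tag = "EXEC"
        print tag, name
    }'
}

# Constructed sample outputs (package and file names are made up).
SAMPLE_PKGS='package:com.whatsapp  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:org.mozilla.firefox  installer=com.android.vending'

SAMPLE_LS='total 2048
drwxrwx--x 2 shell shell    4096 2024-03-02 10:11 .
drwxr-x--x 4 root  root     4096 2023-11-20 08:00 ..
-rwxr-xr-x 1 shell shell 1843200 2024-03-02 10:09 helper
-rw-r--r-- 1 shell shell    1024 2024-03-02 10:10 notes.txt'

echo "Packages without a recorded installer:"
printf '%s\n' "$SAMPLE_PKGS" | no_installer_packages
echo "Files in /data/local/tmp:"
printf '%s\n' "$SAMPLE_LS" | tmp_files
```

On a phone that is not used for development, /data/local/tmp is usually empty, so any file listed there is worth pulling for analysis, executable or not.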

Once you have determined that no malware was installed using ADB, USB Debugging should be disabled.

For high-risk users, checking the two items above is not sufficient: there are many other ways ADB could be used to infect a device, and the attacker may have cleared their traces after the infection. Thus, we recommend factory wiping the device before continuing to use it.

Developer Options