Android Dumpsys Analysis to Indicate Driver Distraction
Lukas Bortnik¹, Arturs Lavrenovs¹
¹ NATO Cooperative Cyber Defence Centre of Excellence,
Filtri Tee 12, 10132 Tallinn, Estonia
{lukas.bortnik, arturs.lavrenovs}@ccdcoe.org
Abstract. Police officers investigating car accidents have to consider the driver’s
interaction with a mobile device as a possible cause. The most common activities
such as calling or texting can be identified directly via the user interface or from
the traffic metadata acquired from the Internet Service Provider (ISP). However,
‘offline activities’, such as a simple home button touch to wake up the screen, are
invisible to the ISP and leave no trace at the user interface. A possible way to
detect this type of activity could be analysis of system level data. However, security
countermeasures may limit the scope of the acquired artefacts.
This paper introduces a non-intrusive analysis method which will extend the
range of known techniques to determine a possible cause of driver distraction.
All Android dumpsys services are examined to identify the scope of evidence
providers which can assist investigators in identifying the driver’s intentional interaction
with the smartphone. The study demonstrates that it is possible to identify
a driver’s activities without access to their personal content. The paper proposes
a minimum set of requirements to construct a timeline of events which can
clarify the accident circumstances. The analysis includes online activities such as
interaction with social media, calling, texting, and offline activities such as user
authentication, browsing the media, taking pictures, etc. The applicability of the
method is demonstrated in a synthetic case study.
Keywords: digital evidence, mobile forensics, car accident, driver’s distraction,
Android dumpsys
1 Introduction
The scope of digital evidence is growing in parallel with minor improvements and
newly added functionalities in mobile devices. In general, newly introduced operating
system (OS) upgrades are targeted to improve the security and ergonomics of the mobile
devices. While security upgrades challenge the investigator’s ability to acquire detailed
digital evidence, the opposite is the case when enhancing the usability of the
system: an improved user environment requires integrating new hardware and software
components, which results in new streams of evidence ready to be investigated by forensic
practitioners.
In comparison to traditional host-based digital forensic techniques, mobile forensic
solutions must consider a range of different mobile-device specific requirements.
Firstly, mobile device data is highly volatile. Some evidence will simply not survive