05/07/2025
1. The Android Logging System: How Does It Work?#
1.1 Temporary Storage in RAM#
On an Android device, the logging system is a set of circular buffers structured and managed by the logd system process (the buffers are of fixed size; once full, the pointer starts over and overwrites the oldest messages, hence the name circular buffer).
The logs contained in these buffers are consulted by logcat, which is the main tool for viewing logs.
To summarize the technical operation of logging: Android components (apps, services, kernel) send logs to logd -> logd stores them in circular buffers -> logcat allows you to read these buffers in real time or retrospectively via ADB.
Here are the ‘official’ buffers of logcat via logd:
| Buffer Name | Function | Presence |
|---|---|---|
main | User application logs | Always |
system | System component logs | Always |
radio | Telephony, modem | Often (sometimes restricted) |
events | System events (binary) | Always |
crash | Application crash logs | Android 10+ |
kernel | Linux kernel (dmesg) | Indirectly (not via logcat, but sometimes integrated into rooted forensic tools) |
In-memory logs, managed by logd circular buffers, have inherent volatility, which is a key issue in forensics. These buffers are stored in RAM, meaning they are automatically erased when the device is rebooted or powered off. Furthermore, the buffers are limited in size, and when they are full, new logs overwrite old ones in a circular fashion, resulting in the loss of important information if extraction is not performed quickly. This log rotation makes access to these logs crucial but ephemeral, requiring rapid response when acquiring data in the event of an incident.
1.2 Persistent Disk Storage#
In addition to logcat buffers, Android also generates persistent logs stored on disk, which do not depend on RAM and are therefore preserved even after reboots. These files, although outside the logd loop, can contain critical forensic information. These include:
- internal application logs in
/data/data/<package>/(often in.log,.db, or.xmlformat), - system crash reports in
/data/system/dropbox/, - recover logs in
/cache/recovery/log - network statistics via
/proc/net/ordumpsys netstatscommands, - and sometimes custom log files created by apps or system processes.
Because these artifacts are written to storage memory (eMMC/UFS), they are less susceptible to volatility than logcat buffers. They therefore represent a more durable source of evidence, but their extraction generally requires root access or a specialized forensic tool.
| Log Type | Access without root | Access with root | Comments |
|---|---|---|---|
Application logs (/data/data/<package>/) | Accessible if the device is unlocked and developer mode is enabled | Full access to all applications, including system apps | User apps can be accessed without root, but system apps require root |
System crash reports (/data/system/dropbox/) | Accessible if the device is unlocked | Full access to system and preinstalled app crashes | Crash reports may be accessible without root, but some sensitive logs might be protected |
Recovery logs (/cache/recovery/log) | Accessible in recovery mode without root | Full access from the normal operating system | Accessible without root in recovery mode, but requires root to access from Android normally |
Network logs (/proc/net/, dumpsys netstats) | Accessible via adb shell dumpsys netstats | Full access to detailed network connection data | Viewable via ADB without root, but advanced details require root |
System logs (logcat) | Access to main, system, crash, events buffers | Full access to radio, kernel, etc. buffers | logcat can read certain buffers without root, but access to radio or kernel requires root |
Kernel logs (dmesg, kernel logs) | Not accessible without root | Full access via dmesg or logcat -b kernel | Kernel logs are generally accessible only with root |
| Custom application logs | Access to logs stored in custom files under /data/data/ | Full access, including system apps | Custom logs may be accessible without root for user apps |
Recent versions of Android, such as Android 10 and later, have introduced stricter restrictions on access to logs and system memory for security and privacy reasons. And yes, in some older versions of Android, each app had read permissions to other apps’ logs. Later, Android 7 began imposing full storage encryption, and newer versions restrict access to certain system resources, such as radio and kernel logs. Recent versions also favor fast storage technologies, such as UFS, to improve system responsiveness.
