- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of Android wireless history — WifiConfigStore.xml, Bluetooth bt_config.conf, paired-device history, netpolicy.xml, netstats, and per-app cellular/Wi-Fi byte counters — to prove venues visited, peripherals in use, and network activity over time.
Quick Answer. Android retains a detailed record of every Wi-Fi network configured and every Bluetooth peripheral paired. Wi-Fi state lives in /data/misc/wifi/WifiConfigStore.xml (and WifiConfigStore.xml.encrypted-checkpoint) with SSID, BSSID, security type, PSK (encrypted), creation time, and last-connected time. Bluetooth pairings live in /data/misc/bluedroid/bt_config.conf (legacy) or /data/misc/bluetooth/ with MAC addresses, device names, class of device, and pairing timestamps. Together these place a device at named venues and identify every headset, car, watch, or beacon it interacted with.
| Artifact | Path | Contents |
|---|---|---|
| WifiConfigStore.xml | /data/misc/wifi/WifiConfigStore.xml | Configured networks: SSID, BSSID, security, PSK (encrypted), Creator UID, creation and update times |
| WifiConfigStoreNetworkSuggestion.xml | /data/misc/wifi/ | Networks suggested by installed apps |
| Wi-Fi scan results | dumpsys wifi / Radio logs | BSSIDs observed with RSSI/timestamp (transient) |
| Passpoint / Hotspot 2.0 | /data/misc/wifi/PasspointConfigStore.xml | Carrier hotspot credentials |
| netpolicy.xml | /data/system/netpolicy.xml | Per-app metered background restrictions |
| netstats | /data/system/netstats/ | Per-app cellular and Wi-Fi byte counters over time |
| dumpsys wifi | Live | Current association state, last associated BSSIDs, RSSI |
| Artifact | Path | Contents |
|---|---|---|
| bt_config.conf (legacy) | /data/misc/bluedroid/bt_config.conf | Local MAC, adapter name, paired devices with MAC, Name, Class, LinkKey, Timestamp |
| bt_config-* (Android 12+) | /data/misc/bluetooth/bt_config.conf | Same schema with per-user split |
| Bluetooth logs | bt_stack.log / logcat (Bluetooth) | Connect / disconnect / pair events |
| BLE scan results | dumpsys bluetooth_manager | BLE advertisements seen (beacons, tags) |
| A2DP / HFP profile state | shared_prefs and system logs | Which audio and phone profiles connected to which devices |
Each configured Wi-Fi network includes the last-connected timestamp and last-associated BSSID. Matching BSSIDs against WiGLE (or manufacturer databases) resolves them to street addresses. Passpoint entries reveal carrier Wi-Fi (xfinitywifi, attwifi) used at specific locations. Scan-result logs capture BSSIDs observed without connecting — placing the device within receive range of the AP (typically 30–100 m).
bt_config.conf lists every peripheral the device has been paired with — car head units, AirPods/earbuds, smartwatches, hearing aids, fitness sensors, keyboards, printers, medical devices, and BLE beacons. The Timestamp field records last-connected time. Bluetooth Class of Device (CoD) identifies the peripheral type (2360344 = car audio, 2360324 = headset). BLE scan results additionally capture beacons broadcasting at retail locations, transit hubs, and events — placing the device at that venue at that time.
netstats retains per-app cellular and Wi-Fi byte counters in daily buckets for ~2 years. This proves an app was actively transferring data at a given time even when UsageStats foreground time is unclear (background sync). netpolicy.xml shows which apps were flagged for restricted background use — often correlating with the user’s awareness of an app.
The Radio Interface Layer writes cellular attach records under /data/vendor/radio/ with MCC/MNC/LAC/CID, signal strength, and timestamp. On many devices this survives reboots and reaches back weeks. Attach records place the device within the serving-cell footprint at the timestamp — typically 200 m urban, up to 5 km rural.
Elite Digital Forensics is an independent, defense-aligned Android forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Android Forensics hub for the full analytical framework we bring to every matter.
PSKs in WifiConfigStore.xml are encrypted with a key held by the Wi-Fi HAL. With root/physical access the encryption is defeated and PSKs recovered. Without root, we recover SSID/BSSID/timestamps but not PSK.
Indefinitely unless the user “Forgets” the device. Even then, prior bugreports, backups, and system logs frequently retain the record.
Yes, when the car’s head-unit MAC is in bt_config.conf with a plausible Timestamp and CoD 2360344 (car audio). Cross-corroborate with Bluetooth logs for pair/connect events and location artifacts.
When multiple independent BSSIDs are observed at a venue with WiGLE-verifiable addresses, and cross-corroborated with cell attach, photo EXIF, or app-specific caches, Wi-Fi evidence is regularly admitted under FRE 702.
Tell us about the device, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant