This is my personal collection of shell scripts for forensic data collection and security auditing on Android devices. They are subject to change at any time and are updated intermittently as I use them on new or differing devices.
The scripts run directly on-device via ADB shell or a terminal emulator: no build step, no dependencies beyond standard Android utilities. They are purposely designed to be "dumb" and to run with minimal issues on any busybox or shell environment, from fully featured to heavily restricted. They also (should) fail gracefully whenever a command is not available, is out of scope for the current user's permissions, etc.
Legal Notice: I'm not responsible for anything stupid you do with these. This is a personal toolset for my professional needs that I have opted to share with others. Use responsibly and consult your local laws.
A delivery method (adb push, toss on an SD card, etc.)
Root access optional: scripts degrade gracefully and log permission denials
adb push Toolchain/ /data/local/tmp/android-audit/
adb shell "cd /data/local/tmp/android-audit && sh 0_RunAll.sh /sdcard/forensic_output"
On-device (terminal emulator)
sh 0_RunAll.sh /sdcard/forensic_output
adb shell su -c "sh 0_RunAll.sh /data/local/tmp/forensic_output"
sh 01_audit_usb_adb.sh [output_directory]
All scripts accept an optional output directory as the first argument (defaults to current directory).
0_RunAll.sh creates a timestamped directory: forensic_YYYYMMDD_HHMMSS/
forensic_20260128_145213/
├── master.log
├── manifest.txt
├── audit_usb_adb.txt
├── audit_properties.txt
├── audit_partitions.txt
├── root_indicators.txt
├── audit_android_jail.txt
├── audit_selinux.txt
├── audit_kernel.txt
├── audit_debug_interfaces.txt
├── enum_privileged_processes.txt
├── audit_capabilities.txt
├── audit_setuid.txt
├── audit_privesc_surface.txt
├── users_uids.txt
├── device_nodes.txt
├── audit_writable_system.txt
├── audit_special_perms.txt
├── probe_namespaces.txt
├── audit_boot.txt
├── audit_scheduled_tasks.txt
├── vendor_customizations.txt
├── network_interfaces.txt
├── netstat.txt
├── audit_network_deep.txt
├── audit_binder.txt
├── pipes_ipc.txt
├── audit_unix_sockets.txt
├── audit_content_providers.txt
├── probe_tee_surface.txt
├── audit_hardware_interfaces.txt
├── audit_app_attack_surface.txt
├── broadcast_receivers.txt
├── audit_crypto_surface.txt
├── scan_certificate_files.txt
├── scan_hardcoded_secrets.txt
├── application_hashes.txt
├── shell_commands.txt
├── symlinks.txt
├── input_devices.txt
├── forensic_logs.txt
├── forensic_process_snapshot.txt
└── forensic_storage_sensitive.txt
Output files grouped by category:

forensic_YYYYMMDD_HHMMSS/: master.log, forensic_context.txt, manifest.txt

DEVICE BASELINE: audit_usb_adb.txt, audit_properties.txt, vendor_customizations.txt, enum_privileged_processes.txt, audit_debug_interfaces.txt

ROOT & INTEGRITY: root_indicators.txt, audit_selinux.txt, audit_partitions.txt, audit_boot.txt, audit_android_jail.txt

HARDWARE & TEE: probe_tee_surface.txt, audit_hardware_interfaces.txt

KERNEL & OS SECURITY: audit_kernel.txt, audit_capabilities.txt, probe_namespaces.txt, audit_privesc_surface.txt

NETWORK & IPC: network_interfaces.txt, netstat.txt, audit_network_deep.txt, audit_binder.txt, audit_unix_sockets.txt, pipes_ipc.txt, audit_content_providers.txt

UID · GID · PERMS (uncommon depth): users_uids.txt, audit_setuid.txt, audit_special_perms.txt, device_nodes.txt, audit_writable_system.txt

APP SURFACE & SECRETS: audit_app_attack_surface.txt, broadcast_receivers.txt, audit_crypto_surface.txt, scan_certificate_files.txt, scan_hardcoded_secrets.txt

FORENSIC COLLECTION: forensic_logs.txt, forensic_process_snapshot.txt, forensic_storage_sensitive.txt, application_hashes.txt, shell_commands.txt, symlinks.txt, input_devices.txt, audit_scheduled_tasks.txt
Security: Output files contain sensitive device data (credentials, keys, device identifiers). Treat as confidential, store encrypted, and delete after analysis.
Findings in output files are tagged:
| Tag | Meaning |
|---|---|
| [CRITICAL] | Immediate exploitation risk (exposed private keys, SUID root, world-writable system files) |
| [HIGH] | Significant attack surface (exported unprotected components, writable shell scripts) |
| [MEDIUM] | Notable configuration weakness (user CAs, permissive SELinux domains) |
| [INFO] | Informational; no direct risk, useful for baseline |
| Script | Output File | Description |
|---|---|---|
| 01_audit_usb_adb.sh | audit_usb_adb.txt | ADB debugging status, authorization keys, USB configuration and functions, developer options, bootloader status, USB security properties, ADB shell capabilities |
| 18_audit_boot.sh | audit_boot.txt | Init RC files, services defined in RC files, services running as root/system, Zygote configuration |
System Properties & Partitions
| Script | Output File | Description |
|---|---|---|
| 02_audit_properties.sh | audit_properties.txt | Critical security flags (ro.debuggable, ro.secure, ro.adb.secure), build and signing type, SELinux properties, encryption state, persistent/mutable tamper indicators, root/hooking framework detection (Magisk/Xposed/Frida), Keymaster/KeyMint properties, full property dump |
| 03_audit_partitions.sh | audit_partitions.txt | Bootloader lock state, A/B partition scheme, partition layout, dm-verity status, Android Verified Boot (AVB), mount points, fstab configuration, Factory Reset Protection (FRP), partition integrity hashes |
Root & Privilege Analysis
| Script | Output File | Description |
|---|---|---|
| 04_enum_root_indicators.sh | root_indicators.txt | SU binary detection, Magisk/KernelSU/APatch/SuperSU framework detection, Busybox indicators, modified system properties, suspicious overlayfs/bind mounts, /data/adb audit |
| 05_audit_android_jail.sh | audit_android_jail.txt | Current process identity and decoded capabilities, Android paranoid network gate membership (GIDs), SELinux domain confinement, seccomp filter and NoNewPrivs status, privilege escalation surface, Android AID reference table |
| 09_enum_privileged_processes.sh | enum_privileged_processes.txt | Per-process security profile for all UID=0 processes: capabilities, seccomp, NoNewPrivs, SELinux context, FD count, mapped libraries; system server brief profile; highest-risk process summary |
| 10_audit_capabilities.sh | audit_capabilities.txt | getcap/capsh tool availability, current process capabilities, all files with Linux capabilities in /system, /vendor, /sbin, /data |
| 11_audit_setuid.sh | audit_setuid.txt | [CRITICAL] SUID root binaries, all SUID binaries, all SGID binaries, binaries with both SUID and SGID set |
| 12_audit_privesc_surface.sh | audit_privesc_surface.txt | Writable PATH directories, writable root-owned files, SUID/SGID enumeration as escalation vectors |
| 13_enum_users.sh | users_uids.txt | Current process identity, SELinux context, /etc/passwd and /etc/group (system and Android equivalents), Android system AID reference table |
SELinux & Kernel Security
| Script | Output File | Description |
|---|---|---|
| 06_audit_selinux.sh | audit_selinux.txt | Enforcement status, policy version, permissive and unconfined domains, process domain distribution, file/property/service contexts, recent AVC denials, app data contexts, seapp_contexts, SELinux booleans, MLS/MCS status |
| 07_audit_kernel.sh | audit_kernel.txt | Kernel version, config exposure (/proc/config.gz), KASLR/symbol exposure, hardening settings (kptr_restrict/dmesg_restrict/perf_event_paranoid/ptrace_scope), loaded modules, taint flags, ARM64 features (PAC/BTI/MTE), CPU vulnerability mitigations, kernel cmdline analysis, IMA checks, sysctl security sweep |
| 08_audit_debug_interfaces.sh | audit_debug_interfaces.txt | ptrace status, debugfs/tracefs mount state and contents, perf_event paranoid setting, kprobes, /proc debug interfaces, hardware debug (JTAG/SWD), memory debugging features, tracefs write permissions, eBPF attack surface |
Namespaces & Scheduled Tasks
| Script | Output File | Description |
|---|---|---|
| 17_audit_namespaces.sh | probe_namespaces.txt | Shell namespace links, unprivileged namespace clone capability, user namespace configuration, per-process namespace identifiers, process status (capabilities/seccomp/NoNewPrivs) |
| 19_audit_scheduled_tasks.sh | audit_scheduled_tasks.txt | JobScheduler jobs, AlarmManager alarms, WorkManager tasks, persistence mechanisms |
File System & Permissions
| Script | Output File | Description |
|---|---|---|
| 14_audit_device_nodes.sh | device_nodes.txt | /dev overview and counts, [CRITICAL] world-writable device nodes, world-readable sensitive devices |
| 15_audit_writable_system.sh | audit_writable_system.txt | Mount options (read-only enforcement), files/directories writable in /system and /vendor, writable shell scripts and RC/init files |
| 16_audit_special_perms.sh | audit_special_perms.txt | [CRITICAL] world-writable files in system paths, [HIGH] world-writable directories, [MEDIUM] group-writable files, [HIGH] files owned by network-capable UIDs |
| 37_enum_symlinks.sh | symlinks.txt | Symbolic links across critical system paths, APEX module symlinks, broken symlinks, cross-boundary links |
| 41_forensic_storage_sensitive.sh | forensic_storage_sensitive.txt | World-readable files in /data, accessible SQLite databases, world-readable app private files |
| Script | Output File | Description |
|---|---|---|
| 21_enum_network.sh | network_interfaces.txt | Network interfaces, IP/IPv6 addresses, routing tables, ARP cache, DNS, WiFi and VPN/tunnel properties |
| 22_enum_netstat.sh | netstat.txt | Listening TCP/UDP ports, active connections, /proc/net/tcp, Unix domain sockets, socket statistics |
| 23_audit_network_deep.sh | audit_network_deep.txt | iptables/ip6tables rules, NAT table, deep network configuration audit |
| 24_audit_binder.sh | audit_binder.txt | All registered Binder services, Binder device permissions, high-value service targets, vendor-prefix services |
| 25_enum_pipes.sh | pipes_ipc.txt | Named pipes (FIFOs), Unix domain sockets |
| 26_audit_unix_sockets.sh | audit_unix_sockets.txt | Unix socket accessibility audit, /dev/socket filesystem sockets, privilege escalation vectors |
| 27_audit_content_providers.sh | audit_content_providers.txt | Exported content providers, queryable system URIs (Settings, Media, Contacts, SMS, Call Log), data exposure testing |
| Script | Output File | Description |
|---|---|---|
| 28_audit_tee.sh | probe_tee_surface.txt | TEE device nodes and permissions, tee_supplicant process profile, TEE-related Binder services, TA enumeration surface |
| 29_audit_hardware_interfaces.sh | audit_hardware_interfaces.txt | hwbinder device node permissions, ION memory allocator and DMA-BUF heaps, kernel config exposure, GPIO/SPI/I2C sysfs interfaces, physical memory map |
| 38_enum_input_devices.sh | input_devices.txt | /dev/input device enumeration, kernel input events (getevent), key layout and character map files, keylogging/injection surface |
| Script | Output File | Description |
|---|---|---|
| 20_enum_vendor_customizations.sh | vendor_customizations.txt | OEM-specific system properties, vendor custom services and apps, hidden/diagnostic functionality |
| 30_audit_app_attack_surface.sh | audit_app_attack_surface.txt | Apps with allowBackup enabled, debuggable APKs, WebView remote debugging, overlay permissions, accessibility service abuse surface |
| 31_enum_broadcast_receivers.sh | broadcast_receivers.txt | All registered broadcast receivers, unprotected receivers (injection risk), high-risk actions (SMS/BOOT_COMPLETED), sticky broadcasts |
| 35_enum_app_hashes.sh | application_hashes.txt | Installed packages with APK paths, SHA256/MD5 hashes, system vs third-party, disabled packages, package UIDs |
| 36_enum_shell_commands.sh | shell_commands.txt | Environment variables, PATH, /system/bin and /vendor/bin contents, Toybox/Busybox applets, security-sensitive binaries (su, tcpdump, strace) |
Cryptography, Certificates & Secrets
| Script | Output File | Description |
|---|---|---|
| 32_audit_crypto_surface.sh | audit_crypto_surface.txt | Kernel keyring (/proc/keys), Keystore2 key inventory, hardware-backed key detection |
| 33_scan_certificate_files.sh | scan_certificate_files.txt | [CRITICAL] private key files (PEM/DER/PKCS#12 by extension and content), APK-embedded certificates, world-readable cert files |
| 34_scan_hardcoded_secrets.sh | scan_hardcoded_secrets.txt | SSH private keys, cloud credentials (AWS/GCP/Azure), API keys (Google/Firebase/Stripe/Twilio), JWT tokens, SharedPreferences credentials, APK-embedded secrets |
| Script | Output File | Description |
|---|---|---|
| 39_collect_logs.sh | forensic_logs.txt | System logcat, kernel dmesg, tombstone crash logs, ANR traces, dropbox entries, SELinux denial log entries |
| 40_forensic_process_snapshot.sh | forensic_process_snapshot.txt | Deliverable-grade process snapshot: full process table, per-UID=0 process security profile (capabilities, SELinux, seccomp), process count summary |
Toolchain/
├── 0_RunAll.sh # Orchestrator: runs scripts 01-41 in sequence
├── 01_audit_usb_adb.sh
├── 02_audit_properties.sh
├── 03_audit_partitions.sh
├── 04_enum_root_indicators.sh
├── 05_audit_android_jail.sh
├── 06_audit_selinux.sh
├── 07_audit_kernel.sh
├── 08_audit_debug_interfaces.sh
├── 09_enum_privileged_processes.sh
├── 10_audit_capabilities.sh
├── 11_audit_setuid.sh
├── 12_audit_privesc_surface.sh
├── 13_enum_users.sh
├── 14_audit_device_nodes.sh
├── 15_audit_writable_system.sh
├── 16_audit_special_perms.sh
├── 17_audit_namespaces.sh
├── 18_audit_boot.sh
├── 19_audit_scheduled_tasks.sh
├── 20_enum_vendor_customizations.sh
├── 21_enum_network.sh
├── 22_enum_netstat.sh
├── 23_audit_network_deep.sh
├── 24_audit_binder.sh
├── 25_enum_pipes.sh
├── 26_audit_unix_sockets.sh
├── 27_audit_content_providers.sh
├── 28_audit_tee.sh
├── 29_audit_hardware_interfaces.sh
├── 30_audit_app_attack_surface.sh
├── 31_enum_broadcast_receivers.sh
├── 32_audit_crypto_surface.sh
├── 33_scan_certificate_files.sh
├── 34_scan_hardcoded_secrets.sh
├── 35_enum_app_hashes.sh
├── 36_enum_shell_commands.sh
├── 37_enum_symlinks.sh
├── 38_enum_input_devices.sh
├── 39_collect_logs.sh
├── 40_forensic_process_snapshot.sh
├── 41_forensic_storage_sensitive.sh
└── 99_Zip_Reports.sh # Archives output (zip -> tar.gz -> tar fallback)
Each script follows this template:
#!/system/bin/sh
OUTPUT_DIR="${1:-.}"
OUTPUT_FILE="${OUTPUT_DIR}/output_name.txt"
{
  echo "=== SECTION HEADER ==="
  echo "Timestamp: $(date)"
  # collection commands here
} > "${OUTPUT_FILE}" 2>&1
Key rules:
Shebang must be #!/system/bin/sh (no bashisms, no arrays, no [[ ]], no local)
Accept output directory as $1, default to .
Redirect all stderr into the output file (2>&1)
Tag findings with [CRITICAL], [HIGH], [MEDIUM], or [INFO]
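A complete script written to this template, added here as an illustration and not one of the toolchain's own scripts: it reads the three ro.* debug flags listed for 02_audit_properties.sh, classifies each into a tag from the table above, and degrades to an [INFO] line when getprop is missing. The severity assigned to each property value and the output file name are this example's assumptions.

```shell
#!/system/bin/sh
# Added example written to the README template; not one of the toolchain's
# own scripts. The severity assigned to each property is this example's
# assumption, chosen to match the tag definitions in the README.
OUTPUT_DIR="${1:-.}"
OUTPUT_FILE="${OUTPUT_DIR}/example_debug_props.txt"

# Read one system property. Returns non-zero (and prints nothing) when
# getprop is not available, so the caller can degrade to an [INFO] line
# instead of failing the whole script on a restricted shell.
read_prop() {
    command -v getprop >/dev/null 2>&1 || return 1
    getprop "$1"
}

# Map a property name and value to one tagged finding line. It works on a
# plain value string, so it can be exercised off-device with constructed
# input. POSIX sh only: case instead of [[ ]], no local, no arrays.
classify_prop() {
    case "$1=$2" in
        ro.secure=0)     echo "[CRITICAL] ro.secure=0 (adbd does not drop root privileges)" ;;
        ro.debuggable=1) echo "[HIGH] ro.debuggable=1 (userdebug/eng build: adb root and debugging of any app allowed)" ;;
        ro.adb.secure=0) echo "[HIGH] ro.adb.secure=0 (ADB does not require RSA key authorization)" ;;
        *=)              echo "[INFO] $1 unset or getprop unavailable" ;;
        *)               echo "[INFO] $1=$2" ;;
    esac
}

# Same block structure as the template: header, timestamp, then findings,
# with stderr folded into the output file.
{
    echo "=== DEBUG PROPERTY FLAGS ==="
    echo "Timestamp: $(date)"
    for p in ro.secure ro.debuggable ro.adb.secure; do
        v=$(read_prop "$p") || v=""
        classify_prop "$p" "$v"
    done
} > "${OUTPUT_FILE}" 2>&1
```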