Android Bluetooth Connection Configuration

While putting together my previous post on battery information for Bluetooth devices, I was curious about more information regarding these devices. Turbo didn't track much other than the MAC address, so I decided to take a peek at the SANS FOR585 for path information. While stumbling through the "misc" folder, I came across the file at the following path:

data/misc/bluedroid/bt_config.conf

It's a simple text file that contains some information about the phone's own Bluetooth adapter, as well as Bluetooth-connected devices and their setup information. As we can see in the Android 11 test image from Josh Hickman, he had some paired devices, including a Fitbit Charge 3 and a Nissan Rogue.

Figure 1: bt_config.conf snippet from Josh Hickman's Android 11 test image

The major items we can pull out as quick wins include the MAC address of the Bluetooth device, the first connection date and time of the device, the name of the device, and a LinkKey. There are multiple other fields available whose usefulness has not yet been fully determined.

Heather Mahalik has a great publication out on DFIR Review on Android Auto and Bluetooth connections and helped me confirm some of the reasons why I wasn't seeing timestamps for some entries. Working with Alexis Brignoni (all credit due to him and his Python skills), he was able to assist in turning around a working ALEAPP parser for this information in less than 24 hours, so go get that update!
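As an added illustration (this is not the ALEAPP parser and not code from the original post), here is a minimal sketch of pulling those quick-win fields out of the file, including entries that carry no timestamp. It assumes the INI-style layout bluedroid writes: an `[Adapter]` section, one section per paired device named by its MAC address, and the keys `Address`, `Name`, `Timestamp` (Unix epoch seconds) and `LinkKey`. The sample data is constructed.

```python
import re
from datetime import datetime, timezone

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample; not taken from any real device or test image.
SAMPLE = """\
[Adapter]
Address = 00:11:22:33:44:55
Name = Example Phone

[aa:bb:cc:dd:ee:01]
Name = Example Tracker
Timestamp = 1609840800
LinkKey = 00112233445566778899aabbccddeeff

[aa:bb:cc:dd:ee:02]
Name = Example Car
"""

def parse_bt_config(text):
    """Return (adapter_dict, device_list) parsed from bt_config.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    devices = []
    for name, kv in sections.items():
        if not MAC_RE.match(name):
            continue  # only MAC-named sections describe remote devices
        ts = kv.get("Timestamp")
        # Some entries have no timestamp; report None instead of guessing.
        first = (datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
                 if ts and ts.isdigit() else None)
        devices.append({"mac": name, "name": kv.get("Name"),
                        "first_connected_utc": first,
                        "link_key": kv.get("LinkKey")})
    return sections.get("Adapter", {}), devices

if __name__ == "__main__":
    adapter, devices = parse_bt_config(SAMPLE)
    print("Adapter:", adapter)
    for d in devices:
        print(d)
```
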

Figure 2: Bluetooth adapter info for the phone

Figure 3: Bluetooth connections report

Referring back to Josh's documentation, you can see that the first connected timestamps match exactly.

Figure 4: Josh Hickman's documentation

I hope these quick triage wins can help with further casework as well as help verify what other tools are pulling.
