Implementation of Wi-Fi Forensics for Investigating Android Connections

Carl Wilson | Last Modified: June 27th, 2017 | Updates

Usage of wireless communications in association with the Android smartphones, have become the very obvious and frequent choice for committing cyber crimes by the cyber crooks. The wireless technology, despite being a boon for the techies’ race of mankind, has also become the toughest challenge for digital forensic investigators from an investigative point of view. “Wireless Forensics”, a terminology for Wireless Network Wifi Forensics, that has become a nightmare for the experts, was coined by Mr. Marcus Ranum in 1997.

Wireless forensics, eventually turning into WiFi Forensics, includes the acquisition and analysis of the complete data moved to and fro over the network. The cyber – crooks have started making usage of highly specialized technologies to hide their footprints. These technologies include: –

  1. Anonymizer: – An advanced technology based proxy tool that excels in showcasing false path of the activity that took place over the internet.
  2. Bittorent Bitblinder: – Tool that maintains the privacy of the users surfing Bittorrent and many more.

Let’s Dig into the Anatomy of WiFi – Conducting WiFi Forensics

wireless network wifi forensics

The very first step that intelligent hackers follow during usage of any WiFi is to access it via some remote location, as tracing the Geo location through IP addresses is a piece of cake for the investigators. The Android devices that are very frequently used by people actually store plenty of information about the WiFi network to which it has been connected. The file systems that an investigator may come across during the investigation include FAT, YAFFS2, etc.

The two primary tools being used in WiFi forensics via Android smartphones include: –

wireless network wifi forensics

Pre – requisites for WiFi forensics in respect to connecting with an android device: –

  • The smart phone must have an SD card with a considerably huge amount of space.
  • The Airplane mode must be enabled.
  • USB Debugging code must be activated.
  • Rooting of the Android device.

Evidence Acquisition: –

The very first file that can be located after complete investigation of the Android smartphone is “/misc/wifi” folder. The file is available with the name:


This wpa_supplicant.conf is a key negotiation technology used by WPA authenticator with the wireless driver. The passwords of all the connected WiFi networks are stored in plain text format in this file.

All the crucial information about the connected WiFi hotspots gets stored in the SQLite file with the name: –


The checkin.db file has different locations based on different brand of smartphones. This file is a sqlite file and stores information about the WiFi hotspots that were indulged. This sqlite database file can be viewed using any free tool such as SQLite Viewer. Click on the download button placed below, to get SQLite Viewer.

Virtual Machine Computer Forensics

On the basis of WiFi info provided by the checkin.db file, the WiFi forensics investigation becomes very easier as the location can be traced on the basis of IP address.