Playing CTF's has taught me so many things over the past years, case in point this blog post. In the recent Cellebrite CTF, there was a question for the Samsung phone evidence about battery life and shutdown events.
How many times did Heisenberg's Android power off due to the battery being fully depleted between May and August? The answer must be an integer (i.e 4).
No tools I saw readily made this information, so what better than make my own parser via ALEAPP. Pulling the data files from the following paths we can see what can be manipulated:
Dump\data\log\power_off_reset_reason.txt
Dump\data\log\power_off_reset_reason_backup.txt
These files are new to me and show other information regarding shutdowns of the device. The main thing we are pulling from this is the timestamps of shutdown and restart events, as well as the reason why these actions occurred. Here is a sample of the device shutting down because having no power:
Figure 1: power_off_reset_reason_backup.txt
We get a timestamp following by the full date and timestamp along with the timezone offset. After that we get the action, SHUTDOWN, and also the REASON, no power. There is some extra space between columns that wasn't filled in on my sample devices but maybe there is more information that is added to this log for other actions perhaps. For now you can now parse this from Samsung from what I can tell, not sure if other manufacturers have it. Get the latest release of ALEAPP now.