Forensic logical acquisition of Android devices using adb backup

In digital forensics, the term logical extraction is typically used to refer to extractions that do not recover deleted data, or do not include a full bit-by-bit copy of the evidence, analogously to copying and pasting a folder in order to extract data from a system.

So, this process will only copy files that the user can access and see: if any hidden or deleted files are present in the folder being copied, they will not be in the pasted version of the folder.

The ‘adb backup’ command is commonly utilised when performing a logical extraction of an Android device.
Generally, a standard user might use ADB to back up their device data so that they can restore it at a later time.

However, ADB provides other very useful options when performing a backup:

  • -f <file>.ab: Write an archive of the device's data to the specified *.ab file.
  • -apk: Enables backup of the *.apk files themselves.
  • -shared: Enables backup of the device's shared storage/SD card contents.
  • -all: Enables backup of all installed applications.
  • -system: Includes backup of system applications (enabled by default).
  • -obb: Includes backup of any installed apk expansion (.obb) files associated with each application.

Parsing ADB backups

The resulting backup data is stored as a .ab file, but is actually a .tar file that has been compressed with the Deflate algorithm (if a password was entered on the device when the backup was created, the file would also be AES encrypted).
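The layout just described (a short text header, then a zlib/Deflate stream wrapping a plain tar archive) is simple enough to inspect without a Java tool. The following is an added example, not code from the original post or from the Android Backup Extractor project: it reads the header the way `abe info` does, records a SHA-256 of the .ab file so the acquisition can be documented before any conversion, and converts an unencrypted backup to raw tar bytes. It assumes the backup was taken with something like `adb backup -f evidence.ab -apk -shared -all -system -obb` and that no backup password was set; a password-protected (AES-256) backup is detected and refused, since the key derivation is better left to abe. The `make_sample_ab` fixture is constructed test data, not a real device backup.

```python
"""Inspect and unpack an unencrypted Android 'adb backup' (.ab) file.

Added example (not from the original post or from the Android Backup
Extractor project). Assumes the file came from something like
`adb backup -f evidence.ab -apk -shared -all -system -obb` with no
backup password set on the device.
"""
import hashlib
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def read_header(data: bytes):
    """Parse the text header of an .ab file.

    Returns (version, is_compressed, encryption, payload_offset).
    Raises ValueError on anything that is not an Android backup.
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup: bad magic")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):  # version, compression flag, encryption algorithm
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    version = int(fields[0])
    is_compressed = fields[1] == "1"
    encryption = fields[2]  # "none" or "AES-256"
    return version, is_compressed, encryption, pos


def info(data: bytes) -> dict:
    """Report header fields plus a SHA-256 of the whole .ab file, so the
    original evidence file is documented before it is converted."""
    version, compressed, encryption, offset = read_header(data)
    return {
        "version": version,
        "compressed": compressed,
        "encryption": encryption,
        "payload_offset": offset,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ab_to_tar(data: bytes) -> bytes:
    """Convert an unencrypted .ab blob to the raw tar bytes it wraps."""
    version, compressed, encryption, offset = read_header(data)
    if encryption != "none":
        # Password-protected backups need the key derivation abe implements;
        # refuse rather than hand back garbage.
        raise ValueError(f"encrypted backup ({encryption}); use abe with the password")
    payload = data[offset:]
    if compressed:
        payload = zlib.decompress(payload)
    # Sanity check: the result must open as a plain tar archive.
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tf:
        tf.getnames()
    return payload


def list_tar_members(tar_bytes: bytes) -> list:
    """Entry names inside the unpacked archive (apps/<pkg>/..., shared/0/...)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.getnames()


def make_sample_ab(encrypted: bool = False) -> bytes:
    """Constructed fixture: a tiny fake backup with the .ab layout (not real data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        body = b'{"note":"constructed sample, not real user data"}'
        ti = tarfile.TarInfo("apps/com.example.app/f/settings.json")
        ti.size = len(body)
        tf.addfile(ti, io.BytesIO(body))
    header = MAGIC + b"5\n1\n" + (b"AES-256\n" if encrypted else b"none\n")
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    import sys
    # Usage: python ab_unpack.py evidence.ab [evidence.tar]; with no
    # arguments the constructed sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_ab()
    print(info(raw))
    tar_bytes = ab_to_tar(raw)
    print(list_tar_members(tar_bytes))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(tar_bytes)
```

Hash the .ab file before running the conversion and keep both values in the case notes; the converted .tar is a derived artefact, and the original .ab plus its hash is what ties the extraction back to the device.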

In order to turn the .ab backup file into a .tar that can be viewed, you can use the Android Backup Extractor:

$ java -jar abe.jar
Android backup extractor v20171005
Cipher.getMaxAllowedKeyLength("AES") = 2147483647
Strong AES encryption allowed, MaxKeyLenght >= 256
Usage:
 info: abe [-debug] [-useenv=yourenv] info <backup.ab> [password]
 unpack: abe [-debug] [-useenv=yourenv] unpack <backup.ab> <backup.tar> [password]
 pack: abe [-debug] [-useenv=yourenv] pack <backup.tar> <backup.ab> [password]
 pack 4.4.3+: abe [-debug] [-useenv=yourenv] pack-kk <backup.tar> <backup.ab> [password]
 If -useenv is used, yourenv is tried when password is not given
 If -debug is used, information and passwords may be shown
 If the filename is `-`, then data is read from standard input or written to standard output


To use the Android Backup Extractor, simply extract its files into the directory with the backup.

The command to run the utility is:

java -jar abe.jar unpack backup.ab backup.tar

Here is a brief example (recorded without saving shared storage, to keep the process quick; the backup process ends at 2:55):

2 Replies to “Forensic logical acquisition of Android devices using adb backup”

    1. Hi islay, thanks for the tip.

      However, during a forensic analysis we usually handle a lot of personal/sensitive information, and it isn’t good practice to process this data outside the analysis lab. 🙂
