Forensic logical acquisition of Android devices using adb backup
In digital forensics, the term logical extraction typically refers to an extraction that does not recover deleted data and does not produce a full bit-by-bit copy of the evidence; it is analogous to copying and pasting a folder in order to extract data from a system.
Such a process copies only the files that the user can access and see: any hidden or deleted files present in the folder being copied will not be present in the pasted copy of the folder.
The ‘adb backup’ command is commonly utilised when performing a logical extraction of an Android device.
Generally, a standard user would use ADB to back up their device data so that it can be restored at a later time.
However, ADB provides other options that are very useful when performing a backup:
- -f <file>.ab: Write an archive of the device's data to the specified *.ab file.
- -apk: Enables backup of the *.apk files themselves.
- -shared: Enables backup of the device's shared storage/SD card contents.
- -all: Enables backup of all installed applications.
- -system: Includes backup of system applications (enabled by default).
- -obb: Includes backup of any installed apk expansion (.obb) files associated with each application.
Parsing ADB backups
The resulting backup data is stored as a .ab file, but it is actually a .tar archive that has been compressed with the Deflate algorithm (if a password was entered on the device when the backup was created, the file is also AES encrypted).
In order to turn the .ab backup file into a .tar that can be viewed you can use the Android Backup Extractor:
andrea@patroclo:~/$ java -jar abe.jar
Android backup extractor v20171005
Cipher.getMaxAllowedKeyLength("AES") = 2147483647
Strong AES encryption allowed, MaxKeyLenght >= 256
Usage:
info: abe [-debug] [-useenv=yourenv] info <backup.ab> [password]
unpack: abe [-debug] [-useenv=yourenv] unpack <backup.ab> <backup.tar> [password]
pack: abe [-debug] [-useenv=yourenv] pack <backup.tar> <backup.ab> [password]
pack 4.4.3+: abe [-debug] [-useenv=yourenv] pack-kk <backup.tar> <backup.ab> [password]
If -useenv is used, yourenv is tried when password is not given
If -debug is used, information and passwords may be shown
If the filename is `-`, then data is read from standard input or written to standard output
To use the Android Backup Extractor, simply extract its files into the directory with the backup.
The command to run the utility is:
java -jar abe.jar unpack backup.ab backup.tar
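The unpack step above can also be done without the Java tool, which is useful for scripting an acquisition or for checking what abe.jar produces. The following is an added example written for this article, not code from the Android Backup Extractor project: it reads the four-line text header of an unencrypted .ab file, inflates the Deflate (zlib) stream into a .tar, lists the archive entries and records a SHA-256 of the original file for the evidence record. The sample .ab it builds in memory is constructed here (a two-file tar wrapped in a version 5 header), so it runs offline; the package name and file names in it are placeholders. Encrypted (AES-256) backups are detected from the header and refused, since the key derivation from the user's password is not part of this example.

```python
import hashlib
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes) -> dict:
    """Split an .ab file into its text header and the binary payload.

    Header layout (four newline-terminated text lines, then the payload):
      line 1: magic 'ANDROID BACKUP'
      line 2: format version
      line 3: '1' if the tar stream is Deflate-compressed, '0' if stored raw
      line 4: 'none' or 'AES-256'
    """
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup (.ab) file")
    return {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
        "payload": parts[4],
    }


def ab_to_tar(data: bytes) -> bytes:
    """Return the .tar bytes inside an unencrypted .ab file (same result as 'abe unpack')."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # Password-protected backup: the payload is AES-encrypted and needs the
        # user's password to be unwrapped; this example does not handle that case.
        raise ValueError(f"backup is encrypted with {hdr['encryption']}; password required")
    payload = hdr["payload"]
    # Android writes the tar through a DeflaterOutputStream, i.e. a zlib stream.
    return zlib.decompress(payload) if hdr["compressed"] else payload


def list_tar_entries(tar_bytes: bytes) -> list:
    """Names of the entries in the extracted tar, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def sha256_hex(data: bytes) -> str:
    """Hash of the acquired file, to be noted in the chain-of-custody record."""
    return hashlib.sha256(data).hexdigest()


def build_sample_ab(encryption: str = "none") -> bytes:
    """Constructed sample: a tiny compressed .ab, NOT a real device backup.

    The layout under apps/<package>/ mirrors what adb backup produces
    (_manifest plus the app's files); the package name is a placeholder.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in [
            ("apps/com.example.placeholder/_manifest", b"com.example.placeholder\n1\n"),
            ("apps/com.example.placeholder/f/notes.txt", b"sample app data\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n5\n1\n" + encryption.encode("ascii") + b"\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    # For a real acquisition, replace build_sample_ab() with open("backup.ab", "rb").read()
    ab = build_sample_ab()
    print("sha256(.ab):", sha256_hex(ab))
    hdr = parse_ab_header(ab)
    print(f"version={hdr['version']} compressed={hdr['compressed']} encryption={hdr['encryption']}")
    tar_bytes = ab_to_tar(ab)
    with open("backup.tar", "wb") as out:
        out.write(tar_bytes)
    for name in list_tar_entries(tar_bytes):
        print(name)
```

Hash the .ab before unpacking and again after any copy: the inflated .tar is derived evidence, and the original file's hash is what ties it back to the device acquisition. The script only inspects the header, so an AES-256 backup fails cleanly rather than producing garbage output.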
Here is a brief example (without saving shared storage, to make the process quicker; the backup process ends at 2:55):