What is Android Backup :
All android phones have inbuilt functionality to take back up of entire logical data of phone into a single encrypted file . the logical data contains (App data,images,videos etc) of phone. This file has extension *.ab. initially this file is compressed and encrypted and while taking backup user can provide password to secure this file.
How to take Backup?
1 .First of all Enable developer mode in phone
- Open phone settings
- If you enabling developer mode first time then
- select about phone option
- Tap Build Number option 5-6 times
- Now you can easily view developer option in settings menu
**Enabling this developer options may differ for different phones here i am using MOTO G phone (with android 5.0)
- Now tap on developer mode and enable it
- in developer mode you can find a another option which is known as USB DEBUGGING , enable it.
2 .To take successful back up in a android 5.0 we have to enable Desktop backup password
Settings > Developer Options > Desktop backup password
provide some appropriate password over there ,
3 .connect your phone to pc
4 .now open adb shell and run following command
above command confirms the particular device is connected to system or not
5 .Now Execute following command:
adb backup -shared -all -f D:/backup.ab
-f shows the location of backup files,
-shared : reflects the backup of shared memory as well
6 .Now a process will be initiated and you will be prompted to unlock your device /phone
7 .as you unlock your device following screen will appear on your phone screen
8 .Enter your Desktop background password here and tap on backup my data
9 .Enter Desktop password , which you provided earlier
10 .After above step you will get file in .ab format which is android backup format.We need to convert it in tar or jar format Run abe.jar (abe.jar is convertor file).
11 .Before decrypting password protected backup file , we have to download and copy java cryptography extension from oracle site and copy it in following path:
12 .Now run following command
backup.ab is our backup file and backup.tar is our converted .tar file
by now we have converted .ab file into .tar file now we can use any filecompress-uncompress utility like winrar or 7zip to extract content
Now as you open app folder it will be shown like this
Each and every folder which is starting from com. is known as package
Analysis & Identification of Potential Evidence
- Wi-Fi net works name(SSID) and their password: SSID and Password of all wi-fi networks to which phone was connected
package name: com.android.provider.settings
2. Details of all dialed number/call log with timestamp
package/folder Name: com.android.dialer
- In this folder a file named “dialer.db “ exists which stores detail of all dialed number.
- We can open this file in Sqlite browser and view details as show in figure:
Note : Last_smart_dial_update time shows last time date and time when particular number was dialled
This time is in epoch(unix time stamp) format , it can be easily converted into general timestamp by using many online converters like http://www.epochconverter.com/
3. Detail of all installed apps
Package Name: com.google.android.googlequicksearch:
As shown figure below following files are there to which contains useful information:
Lets start with icingcopora database file:
- This files contains information about all apps details with installation timestamp .
- All google sync contacts with respective mail id, we can say it shows gmail contacts
4.Media files (Images & video) name , capturer model name,Timestamp
Package name: com.google.android.apps.photos
Database Name: gphotos0.db( .db file name)
this table contains information of all image and video files which are captured by phone itself or received by other source ,irrespective of this there is another database “local_media” stores only those media files which are captured by phone itself.
- in the same database “local_media” table also contains model name of capturer phone, along with this it contains longitude and latitude info ,if phone GPS was enabled at this time capture
5 .Deleted images and videos details with timestamp
pacakge name : com.google.android.apps.photos
Table Name: local
6. Package Name: com.motorola.android.providers.userpreferredsim
- Detail about all previously used sim
- sim Serial no with service provider name
- call detail with sim Serial number
- DB name: userpreferredsim.db
- Sim serial number with service provider name , with all sim used till now
- Phone calls detail with timestamp.
Here we tried our best to find unique artifacts , still these artifacts may differ in different phones.
Thanks & Regards