Android Backup File(.ab) Analysis

Introduction:

What is an Android Backup?

All Android phones have a built-in facility to back up the phone's entire logical data (app data, images, videos, etc.) into a single encrypted file. This file has the extension *.ab. The file is compressed and encrypted, and while taking the backup the user can provide a password to secure it.

How to take Backup?

1. First of all, enable developer mode on the phone:

  • Open the phone settings.
  • If you are enabling developer mode for the first time:
    • Select the About phone option.
    • Tap the Build number option 5-6 times.
    • The Developer options entry now appears in the Settings menu.
      **Enabling developer options may differ between phones; here I am using a MOTO G phone (with Android 5.0).
  • Now tap Developer options and enable it.
  • Inside Developer options there is another setting called USB debugging; enable it.

2. To take a successful backup on Android 5.0 we have to enable the Desktop backup password:

Settings > Developer Options > Desktop backup password

Set a suitable password there.

3. Connect your phone to the PC.

4. Now open a command prompt with adb available and run the following command:

adb devices

The above command confirms whether the particular device is connected to the system.

5. Now execute the following command:

adb backup -shared -all -f D:/backup.ab

-f gives the location where the backup file is written,

-shared includes the shared storage in the backup as well.

6. A process is now initiated and you will be prompted to unlock your device/phone.

7. As soon as you unlock the device, the backup confirmation screen appears on the phone.

8. Enter your Desktop backup password there and tap "Back up my data".

9. Enter the desktop password which you provided earlier.

10. After the above step you get a file in .ab format, which is the Android backup format. We need to convert it to tar format: run abe.jar (abe.jar is the converter tool).

11. Before decrypting a password-protected backup file, we have to download the Java Cryptography Extension from the Oracle site and copy it into the following path:

       program files/java/jre/lib/security

12. Now run the abe.jar conversion command, where backup.ab is our backup file and backup.tar is the converted .tar file.

By now we have converted the .ab file into a .tar file; now any compress/uncompress utility such as WinRAR or 7-Zip can be used to extract its contents.

Open the extracted archive and then the apps folder: each folder whose name starts with com. is a package (one per app).
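Steps 10-12 rely on abe.jar to turn the .ab file into a tar archive. As an added illustration (not code from the original post, and not abe.jar itself), the Python below parses the .ab header, unwraps an unencrypted backup into tar bytes and lists the com.* package folders; the sample backup it builds is constructed, not a real phone backup, and a password-protected backup is recognised from its header and left for abe.jar to decrypt.

```python
import io
import tarfile
import zlib

# Layout of an .ab file as written by `adb backup`: four text header lines
# ("ANDROID BACKUP", format version, compressed flag 0/1, encryption "none" or
# "AES-256"), five more lines for AES-256 backups (user salt, checksum salt,
# PBKDF2 rounds, user IV, wrapped master key), then the zlib-compressed tar.
MAGIC = b"ANDROID BACKUP\n"

def parse_ab_header(data: bytes) -> dict:
    """Return the header fields and the byte offset where the payload starts."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    fields, pos, needed = [], 0, 4
    while len(fields) < needed:
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
        if len(fields) == 4 and fields[3] == "AES-256":
            needed = 9  # encrypted backups carry five extra key-derivation lines
    return {"version": int(fields[1]), "compressed": fields[2] == "1",
            "encryption": fields[3], "payload_offset": pos}

def ab_to_tar(data: bytes) -> bytes:
    """Unwrap an unencrypted .ab into plain tar bytes (the job abe.jar does)."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("password-protected backup: unpack it with abe.jar and the password")
    payload = data[hdr["payload_offset"]:]
    return zlib.decompress(payload) if hdr["compressed"] else payload

def list_packages(tar_bytes: bytes) -> list:
    """Names of the apps/<package>/ folders, i.e. the com.* directories in the tar."""
    pkgs = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if len(parts) > 1 and parts[0] == "apps" and parts[1] not in pkgs:
                pkgs.append(parts[1])
    return pkgs

def make_sample_ab() -> bytes:
    """Constructed sample (not a real phone backup): one tiny file in an .ab wrapper."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("apps/com.android.dialer/db/dialer.db")
        info.size = 6
        tf.addfile(info, io.BytesIO(b"sample"))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Running `list_packages(ab_to_tar(open("backup.ab", "rb").read()))` on an unencrypted backup gives the same package list you would see after extracting backup.tar with 7-Zip.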

Analysis & Identification of Potential Evidence

  1. Wi-Fi network names (SSIDs) and their passwords: the SSID and password of every Wi-Fi network the phone was connected to.
    Package name: com.android.providers.settings

2. Details of all dialed numbers / call log with timestamps

Package/folder name: com.android.dialer

  • In this folder a file named "dialer.db" exists which stores the details of all dialed numbers.

  • We can open this file in SQLite browser and view the details as shown in the figure.

Note: Last_smart_dial_update time shows the date and time when the particular number was last dialled.

This time is in epoch (Unix timestamp) format; it can easily be converted to a normal date and time using one of the many online converters, such as http://www.epochconverter.com/
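To check those epoch values offline instead of with an online converter, the following added Python (not from the original post) reads the dialed numbers from a dialer.db-style table and converts each timestamp to UTC, handling the common Android pitfall that some columns hold milliseconds and others seconds. The table name `smartdial` and its columns are an assumed schema built from the page's description, not the real dialer schema, and the rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema (constructed for this example): the page names the column only
# loosely, so this is not the real dialer.db layout.
SCHEMA = "CREATE TABLE smartdial(number TEXT, last_smart_dial_update_time INTEGER)"

def to_seconds(value: int) -> float:
    """Normalise an epoch value to seconds.

    Android code usually stores System.currentTimeMillis() (milliseconds), while
    many tools expect seconds. A seconds value above 10**11 would lie in the year
    5138, so anything larger is treated as milliseconds.
    """
    return value / 1000 if value > 10**11 else float(value)

def epoch_to_utc(value: int) -> str:
    """Render an epoch value (seconds or milliseconds) as ISO-8601 UTC."""
    return datetime.fromtimestamp(to_seconds(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def dialed_numbers(con: sqlite3.Connection) -> list:
    """Return (number, last dialled time in UTC) pairs, most recent first.

    Sorting is done after normalisation: sorting the raw column would put
    every millisecond value ahead of every seconds value regardless of date.
    """
    rows = con.execute("SELECT number, last_smart_dial_update_time FROM smartdial").fetchall()
    normalised = sorted(rows, key=lambda r: to_seconds(r[1]), reverse=True)
    return [(number, epoch_to_utc(ts)) for number, ts in normalised]

def make_sample_db() -> sqlite3.Connection:
    """Constructed sample rows: two timestamps in milliseconds, one in seconds."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO smartdial VALUES (?, ?)", [
        ("+15550001111", 1420070400000),  # 2015-01-01 00:00:00 UTC, milliseconds
        ("+15550002222", 1420070400),     # the same instant, stored as seconds
        ("+15550003333", 1430438400000),  # 2015-05-01 00:00:00 UTC, milliseconds
    ])
    return con
```

For a real extracted backup, replace `make_sample_db()` with `sqlite3.connect("path/to/apps/com.android.dialer/db/dialer.db")` and adjust the table and column names to what SQLite browser shows.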

3. Details of all installed apps

Package name: com.google.android.googlequicksearch

As shown in the figure, the following files contain useful information.

Let's start with the icingcopora database file:

  • This file contains the details of all apps along with their installation timestamps.

  • All Google-synced contacts with their respective mail IDs; in other words, it shows the Gmail contacts.

 

4. Media files (images & videos): name, capturing device model, timestamp

Package name: com.google.android.apps.photos

Database name: gphotos0.db

This table contains information about all image and video files, whether captured by the phone itself or received from another source. Separately, the "local_media" table stores only those media files captured by the phone itself.

  • In the same database, the "local_media" table also contains the model name of the capturing phone, along with longitude and latitude if the phone's GPS was enabled at the time of capture.

5. Deleted images and videos: details with timestamps

Package name: com.google.android.apps.photos

Table name: local

6. Package name: com.motorola.android.providers.userpreferredsim

  • Details of all previously used SIMs
  • SIM serial numbers with service provider names
  • Call details with the SIM serial number
    • DB name: userpreferredsim.db
    • SIM serial number with service provider name, for every SIM used so far
    • Phone call details with timestamps

Here we have tried our best to identify unique artifacts; still, these artifacts may differ between phones.

Thanks & Regards

Dhiren Bhardwaj
