Smartphone backup files are an important part of any investigation. Users can wipe and delete data from their smartphones, but that doesn't delete or omit data that resides in a backup file on external media, the host computer, or in cloud databases until the data is synced again. Backup files are created when a user elects to save and back up his/her data and regularly when Google collects data for backups. Backup files may contain data that the user believes no longer exists. When a user deletes data from his/her device, that information still resides in the backup file and can be recovered during a forensic examination. The exception here is if a synced backup overwrites old backup data. Depending on the smartphone and backup method, multiple backup files may exist for the smartphone. Thus, the data continues to update, and all backups may contain unique data.
Creating a backup of a smartphone may be the only (and sometimes best) acquisition method, depending on the device [1]. This concept is discussed in the upcoming slides. This may be useful to your investigation should backup file creation be the only method for pulling data from a device.
Backup files outside of what we have covered so far may exist. We recommend that you apply what you have learned so far in this course. Consider the tools that support backup files and the device from which the backup was extracted. Use that tool first. If this fails, replicate data on a test device. Should this fail, try to replicate the backup, and see what is required to access it either via cloud or acquisition. It takes effort to get results, but you can do it! Just apply what you know.
For example, Samsung Kies/Smart Switch is a backup program designed for Samsung devices. Backup files from Samsung Kies/Smart Switch may reside on external media or on host computers. The backup files have the .sbu file extension. MSAB XRY can import and parse Samsung backup files. Currently, this is the only tool capable of doing such a thing for Android-specific backups. For more information on parsing Samsung Kies/Smart Switch files using XRY, see the bonus slides within the course media files.
References:
[1] https://for585.com/backup (Methods for creating backup files for multiple smartphones)
The Android backup extractor can be used to examine .ab files:
[2] https://github.com/nelenkov/android-backup-extractor
The software for Samsung Kies is similar to iTunes in that it lets the user select what they want to back up.
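As an added illustration of examining .ab files (this is not code from the course or from the android-backup-extractor project), the Python sketch below triages an adb-style backup: it reads the four plain-text header lines (magic, version, compression flag, encryption) and, when the backup is unencrypted, lists the files in the embedded tar archive. The header layout is the commonly documented adb backup format and is an assumption here, since the page does not describe it; the sample backup and the package name com.example.app are constructed.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"  # first header line of an adb-style .ab file (assumed layout)

def parse_ab_header(data):
    """Return (header dict, payload offset) for an Android .ab backup."""
    lines, pos = [], 0
    for _ in range(4):  # magic, version, compressed flag, encryption name
        end = data.find(b"\n", pos)
        if end == -1:
            raise ValueError("truncated .ab header")
        lines.append(data[pos:end])
        pos = end + 1
    if lines[0] != MAGIC:
        raise ValueError("not an Android backup (bad magic)")
    header = {
        "version": int(lines[1].decode("ascii")),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii"),
    }
    return header, pos

def list_ab_entries(data):
    """List tar member names in an unencrypted .ab backup."""
    header, offset = parse_ab_header(data)
    if header["encryption"] != "none":
        # Encrypted backups need the user's password; report and stop.
        raise ValueError("backup is encrypted (%s)" % header["encryption"])
    payload = data[offset:]
    if header["compressed"]:
        payload = zlib.decompress(payload)  # zlib stream wrapping a tar archive
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return header, tar.getnames()

def build_sample_ab():
    """Constructed sample: a tiny unencrypted, compressed backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"constructed sample"
        info = tarfile.TarInfo("apps/com.example.app/db/sample.db")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return MAGIC + b"\n5\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    print(list_ab_entries(build_sample_ab()))
```

For real evidence, run this against a working copy of the backup rather than the original, and expect large backups to need streaming decompression instead of loading the whole file into memory.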