Once you have an Android backup, we recommend you attempt to open it before handing the device back to the owner. You need to ensure the acquisition worked and that the data is not encrypted. Commercial support will vary for Android backups. We hope you gain experience with the tools and where they excel in the next lab to prep you for the forensic challenge in this course, as well as your upcoming investigations in your workplace. 

The backup files can contain anything. One thing that may be glaringly missing are Android applications that are not permitted to be included in a backup. If this occurs, you may have to conduct a live acquisition of the device or use an emulator, if one is supported, assuming all other acquisition methods failed. This is the tough part of smartphone forensics, as we never know what we are going to get.

Additionally, you need to ensure your tool loads all of the backup “splits.” Physical Analyzer will accept them all in one load if the user properly points to the data. For this reason alone, we need you to try all the tools possible, so you know what to expect, what works best, and what makes the most sense for your lab. Andriller, a free tool available in you VM, will convert an .ab to .tar if that help with your access for analysis.

backup*.ab: data pulled from Android device.

shared.ab: additional internal media and SD card.

Finally, use your cheat sheet and the file names
to search for data of interest. You will find that
file paths differ for Android backups as
compared to file system or physical extractions.