Forensic analysis of HiSuite backups

Extracting data from Android devices is becoming more difficult every day, sometimes even more difficult than from the iPhone. Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, explains what to do if you cannot extract data from an Android smartphone using standard methods.

A few years ago, my colleagues and I discussed security trends in Android devices and came to the conclusion that there will come a time when their forensic investigation will be more difficult than for iOS devices. And today we can say with confidence that this time has come.

I recently examined a Huawei Honor 20 Pro. What do you think I managed to extract from its backup copy obtained using the ADB utility? Nothing! The device is full of data: call information, phone book, SMS, correspondence in instant messengers, e-mail, multimedia files, etc. And you can't extract any of it. Terrible feeling!

What can you do in such a situation? A good way out is to use proprietary backup utilities (Mi PC Suite for Xiaomi smartphones, Samsung Smart Switch for Samsung, HiSuite for Huawei).

In this article, we will look at creating backups of Huawei smartphones with the HiSuite utility, extracting data from them, and analyzing them using Belkasoft Evidence Center.

What types of data are included in HiSuite backups?

HiSuite backups contain the following types of data:

  • data about accounts and passwords (or tokens)
  • contacts
  • calls
  • SMS and MMS messages
  • email
  • multimedia files
  • databases
  • documents
  • archives
  • application files (files with extensions .odex, .only, .apk)
  • information from applications (such as Facebook, Google Drive, Google Photos, Google Mails, Google Maps, Instagram, WhatsApp, YouTube, etc.)

Let's take a closer look at how such a backup is created and how to analyze it using Belkasoft Evidence Center.

Backing up a Huawei smartphone using the HiSuite utility

To create a backup copy with a proprietary utility, you need to download it from the Huawei website and install it.

HiSuite download page on Huawei website:

HDB mode (Huawei Debug Bridge) is used to pair the device with a computer. On the Huawei website or in the HiSuite program itself, there are detailed instructions on how to activate HDB mode on a mobile device. After activating the HDB mode, launch the HiSuite application on your mobile device and enter the code displayed in this application into the HiSuite program window running on the computer.

Code entry window in desktop version of HiSuite:

During the backup process, you will be asked to enter a password that will be used to protect the data retrieved from the device's memory. The created backup will be located at C:/Users/%User profile%/Documents/HiSuite/backup/.
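Before the backup directory is opened in any analysis tool, it is common forensic practice to record a hash manifest of it so that working copies can later be shown to be unchanged. The following is an added example, not part of the original article or of any tool it describes; the function names are hypothetical, and the only assumption about the backup layout is that a backup set is a directory containing info.xml.

```python
import hashlib
from pathlib import Path


def find_backup_sets(root):
    """Return directories under root that contain an info.xml file."""
    return sorted(p.parent for p in Path(root).rglob("info.xml"))


def build_manifest(backup_dir):
    """Map each file's path (relative to backup_dir) to its SHA-256 digest."""
    backup_dir = Path(backup_dir)
    manifest = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large media files do not fill memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(backup_dir).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report files modified, missing or added relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


if __name__ == "__main__":
    import sys
    # Default mirrors the location given in the article; pass another path to override.
    default_root = Path.home() / "Documents" / "HiSuite" / "backup"
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_root
    for backup in find_backup_sets(root):
        manifest = build_manifest(backup)
        print(f"{backup}: {len(manifest)} files")
        for rel, sha in manifest.items():
            print(f"  {sha}  {rel}")
```

Run it once on the original backup and again on each working copy; compare_manifests on the two results should return three empty lists.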

Huawei Honor 20 Pro smartphone backup:

HiSuite backup analysis using Belkasoft Evidence Center

To analyze the resulting backup using Belkasoft Evidence Center, create a new case. Then select Mobile Image as the data source. In the menu that opens, specify the path to the directory where the backup copy of the smartphone is located, and select the file info.xml.

Specifying the path to the backup:

In the next window, the program will prompt you to select the types of artifacts to be found. After starting the scan, go to the Task Manager tab and click the Configure task button, because the program is waiting for the password needed to decrypt the encrypted backup.

The Configure task button:

After decrypting the backup, Belkasoft Evidence Center will ask you to re-specify the types of artifacts to be extracted. After the analysis is completed, information about the extracted artifacts can be viewed in the Case Explorer and Overview tabs.

Huawei Honor 20 Pro Backup Analysis Results:

Analyzing a HiSuite backup using Mobile Forensic Expert

Another forensic program that can extract data from a HiSuite backup is "Mobile Forensic Expert".

To process the data in a HiSuite backup, click the Import backups option in the main window of the program.

A fragment of the main window of the Mobile Forensic Expert program:

Or, in the Import section, select Huawei Backup as the type of data to import:

In the window that opens, specify the path to the file info.xml. When you start the extraction procedure, a window will appear that will prompt you to either enter a known password to decrypt the HiSuite backup, or use the Passware tool to try to guess this password if it is unknown:

The result of the analysis is a Mobile Forensic Expert window showing the types of extracted artifacts: calls, contacts, messages, files, event feed, application data. Pay attention to the amount of data extracted from various applications by this forensic program. It's just huge!

List of extracted data types from HiSuite backup in Mobile Forensic Expert:

HiSuite Backup Decryption

What should you do if you do not have these wonderful programs? In this case, a Python script developed and maintained by Francesco Picasso of Reality Net System Solutions will help you. You can find this script on GitHub, and a more detailed description in the article "Huawei backup decryptor".

Later, the decrypted HiSuite backup can be imported and analyzed using classic forensic tools (for example, Autopsy) or manually.

Conclusions

Thus, using the HiSuite backup utility, you can extract an order of magnitude more data from Huawei smartphones than when extracting data from the same devices using the ADB utility. Despite the large number of utilities for working with mobile phones, Belkasoft Evidence Center and Mobile Forensic Expert are among the few forensic programs that support extraction and analysis of HiSuite backups.

Sources

  1. Android Phones Hacked Harder than iPhones According to a Detective
  2. Huawei Hi Suite
  3. Belkasoft Evidence Center
  4. Mobile Forensic Expert
  5. Kobackupdec
  6. Huawei backup decryptor
  7. Autopsy

Source: habr.com
