In this article, we will cover how to extract data from Android ADB backups. This process doesn't require root access; we are only copying files and folders, not making a bit-by-bit copy of the entire filesystem. This type of forensic acquisition is known as logical acquisition.
Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device. ADB consists of many commands to interact with Android devices; one such command is the backup command. With this command, a user can make a full device backup of apps and files and restore it later on.
There are limitations when backing up apps: Android provides the allowBackup attribute as a choice for Android app developers. With this attribute, a developer can decide whether the application should be allowed to back up or not; by default the attribute value is set to true.
Most apps, like Instagram, WhatsApp, etc., have this attribute set to false, so there is no way of backing them up.
For a user, it is just backup and restore, but from a forensic point of view there is a lot of data that can be collected, of course only if the apps have allowBackup set to true.
Note: With every update, Android is getting more secure, and there are many OEM ROMs with their own security implemented, like MIUI, OneUI, etc., so the nature of ADB backup might change across devices.
The adb backup tool accepts the following arguments:
adb backup [-f <file>] [-apk|-noapk] [-shared|-noshared] [-all] [-system|-nosystem] [<packages...>]
Note: ADB backup supports password-protected backups as well, which are encrypted with AES.
backup without user data and system apps
The ADB backup file (.ab) is a tar file compressed with the Deflate algorithm, so we can't open it directly with a tar archiver. However, with the Android backup processor tool, previously known as Android backup extractor, we can convert the .ab file to a .tar archive.
android-backup-processor v20210812
Cipher.getMaxAllowedKeyLength("AES") = 2147483647
Strong AES encryption allowed, MaxKeyLenght >= 256
Usage:
info: abp [-debug] [-useenv=yourenv] info <backup.ab> [password]
unpack: abp [-debug] [-useenv=yourenv] unpack <backup.ab> <backup.tar> [password]
pack: abp [-debug] [-useenv=yourenv] pack <backup.tar> <backup.ab> [password]
pack 4.4.3+: abp [-debug] [-useenv=yourenv] pack-kk <backup.tar> <backup.ab> [password]
*If -useenv is used, yourenv is tried when password is not given
*If -debug is used, information and passwords may be shown
*If the filename is `-`, then data is read from standard input or written to standard output
Linux users can also use the following one-line command to extract the files:
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -
Converting an ADB backup file using the abp tool:
java -jar abp.jar unpack bak.ab bak.tar
The ADB backup folder layout is different from the normal /data/data/packagename layout. The folder layout is as follows:
backup/apps/packagename
|-- db --> sqlite database folder
|-- ef --> media and thumbnails folder
|-- f --> app logs folder
|-- r --> app webview, native-libraries and other related files folder
|-- sp --> app preferences folder
|-- _manifest --> package information file
Keybase Android app folder
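To show what the conversion and the folder layout above look like in code, here is an added example (not part of the original article and not the abp tool's code). It parses the 24-byte text header of an unencrypted .ab file (the bytes the one-liner skips with tail -c +25), inflates the Deflate payload into a tar, and then inventories the tar by package and by layout folder (db, ef, f, r, sp, _manifest). The sample backup it builds in memory uses hypothetical package names and constructed file contents so it runs offline; the header fields (version 5, "1" for compressed, "none" for no encryption) follow the .ab format itself.

```python
import io
import tarfile
import zlib

# An .ab file starts with four newline-terminated text lines:
#   "ANDROID BACKUP\n", version, compression flag (1/0), encryption ("none" or "AES-256").
# For a compressed, unencrypted backup that header is 24 bytes long, which is why
# the one-liner in the article strips it with `tail -c +25`.
AB_MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data: bytes) -> dict:
    """Parse the .ab text header and return its fields plus the payload offset."""
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file (missing ANDROID BACKUP magic)")
    pos = len(AB_MAGIC)
    fields = []
    for _ in range(3):  # version, compression flag, encryption algorithm
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    version, compressed, encryption = fields
    return {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
        "payload_offset": pos,
    }


def ab_to_tar(data: bytes) -> bytes:
    """Convert an unencrypted .ab file to raw tar bytes (what `abp unpack` produces)."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # Password-protected backups need the key derivation abp implements; not handled here.
        raise ValueError("password-protected backup: decrypt with abp first")
    payload = data[hdr["payload_offset"]:]
    # The payload is Deflate inside a zlib wrapper, which zlib.decompress handles directly.
    return zlib.decompress(payload) if hdr["compressed"] else payload


def inventory(tar_bytes: bytes) -> dict:
    """Group the backup's files as {package: {layout_folder: [paths]}}."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            # Expected layout: apps/<package>/<folder>/...  or  apps/<package>/_manifest
            if len(parts) < 3 or parts[0] != "apps":
                continue
            package, folder = parts[1], parts[2]
            result.setdefault(package, {}).setdefault(folder, []).append(member.name)
    return result


def make_sample_ab() -> bytes:
    """Constructed sample .ab with hypothetical packages, so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [
            ("apps/com.example.notes/_manifest", b"com.example.notes\n1\n"),
            ("apps/com.example.notes/db/notes.db", b"SQLite format 3\x00"),
            ("apps/com.example.notes/sp/com.example.notes_preferences.xml", b"<map/>"),
            ("apps/org.videolan.vlc/ef/thumb1.jpg", b"\xff\xd8\xff\xe0"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = AB_MAGIC + b"5\n" + b"1\n" + b"none\n"  # 24 bytes
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = make_sample_ab()
    print(parse_ab_header(sample))
    for package, folders in inventory(ab_to_tar(sample)).items():
        print(package, sorted(folders))
```

For a real acquisition, replace make_sample_ab() with the bytes of backup.ab read from disk; parse_ab_header is also a quick sanity check that the file was written completely and is not password-protected before you hand it to abp.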
In this example, I have selected a note-taking app from GitHub. This app is capable of backup. I created two notes in the app and later did an ADB backup. As you can see, the notes are exposed in the backup.
Notes are exposed in ADB backup
VLC periodically scans media and stores thumbnails. Those are available in the ef folder of the VLC ADB backup. VLC also stores information about the currently playing media; it is available in the sp folder.
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="media_list">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
<long name="position_in_media" value="3151" />
<boolean name="app_onboarding_done" value="true" />
<int name="current_settings_version" value="7" />
<boolean name="media_shuffling" value="false" />
<long name="VideoResumeTime" value="1151" />
<int name="first_run" value="3050100" />
<string name="media_list_resume">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
<int name="position_in_media_list" value="0" />
<string name="app_theme">-1</string>
<int name="video_hud_timeout_in_s" value="4" />
<boolean name="initial_permission_asked" value="true" />
<boolean name="widget_migration_key" value="true" />
<float name="VideoSpeed" value="1.0" />
<int name="fragment_id" value="2131362703" />
<int name="audio_stop_after" value="-1" />
<string name="current_media">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
<string name="current_media_resume">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
<int name="ml_scan" value="0" />
<boolean name="video_player_tips_shown" value="true" />
</map>
VLC Media Player thumbnails in the ef folder
🎞️ VLC Thumbnails & Media Library images from an #Android ADB #DFIR extraction now available in #ALEAPP.
— Brigs 💬 (@AlexisBrignoni) August 23, 2022
☑️ Thanks to Nashid P. (https://t.co/PPAGF2682x) for the test data.
🔗 ALEAPP: https://t.co/qVhp55hQuO pic.twitter.com/7k0WlbzsGr
So it is possible to acquire artifacts from Android without root access. This shows the importance of the allowBackup attribute in Android development. If a developer forgets to set the value to false and implements sensitive data processing in the app, there is a high chance of exposing private data.