Android Forensics - Analysing ADB Backups

In this article, we will cover how to extract data from Android ADB backups. This process doesn't require root access: we are only copying files and folders, not making a bit-by-bit copy of the entire filesystem. This type of forensic acquisition is known as logical acquisition.

Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device.

ADB provides many commands for interacting with Android devices; one of them is the backup command. With it, a user can make a full device backup of apps and files and restore it later on.

There are limitations when backing up apps. Android gives app developers the allowBackup attribute (android:allowBackup in the app manifest), with which a developer can decide whether the application may be backed up or not; by default the attribute is set to true. Most major apps, like Instagram, WhatsApp etc., have this attribute set to false, so there is no way of backing them up.

For a user it is just backup and restore, but from a forensic point of view there is a lot of data that can be collected, of course only from apps that have allowBackup set to true.

Note: With every update, Android is getting more secure, and there are also many OEM ROMs with their own security implementations, like MIUI and OneUI, so the behaviour of ADB backup may differ across devices.

adb backup [-f <file>] [-apk|-noapk] [-shared|-noshared] [-all] [-system|-nosystem] [<packages...>]

Here is the description of the arguments accepted by the adb backup tool:

Note: ADB backup also supports password-protected backups, which are encrypted with AES.

Acquisition

backup without user data and system apps

Parsing ADB backup file

The ADB backup file (.ab) is a tar archive compressed with the Deflate algorithm, so we can't open it directly with a tar archiver. However, with the Android Backup Processor tool (previously known as Android Backup Extractor), we can convert the .ab file to a .tar archive.

android-backup-processor v20210812
Cipher.getMaxAllowedKeyLength("AES") = 2147483647
Strong AES encryption allowed, MaxKeyLenght >= 256
Usage:
        info:           abp [-debug] [-useenv=yourenv] info <backup.ab> [password]
        unpack:         abp [-debug] [-useenv=yourenv] unpack <backup.ab> <backup.tar> [password]
        pack:           abp [-debug] [-useenv=yourenv] pack <backup.tar> <backup.ab> [password]
        pack 4.4.3+:    abp [-debug] [-useenv=yourenv] pack-kk <backup.tar> <backup.ab> [password]
        *If -useenv is used, yourenv is tried when password is not given
        *If -debug is used, information and passwords may be shown
        *If the filename is `-`, then data is read from standard input or written to standard output

Linux users can also extract the files with the one-line command ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz - , where tail skips the 24-byte .ab header and printf prepends a gzip header so that tar can inflate the stream.

Converting the ADB backup file with the abp tool: java -jar abp.jar unpack bak.ab bak.tar


The ADB backup folder layout is different from the normal /data/data/packagename layout. The folder layout is as follows:

backup/apps/packagename
  |-- db --> sqlite database folder
  |-- ef --> media and thumbnails folder
  |-- f --> app logs folder
  |-- r --> app webview, native-libraries and other related files folder
  |-- sp --> app preferences folder
  |-- _manifest --> package information file

keybase android app folder


In this example, I have selected a note-taking app from GitHub that allows backups. I created two notes in the app and later did an ADB backup. As you can see, the notes are exposed in the backup.

Notes are exposed in ADB backup


VLC periodically scans media and stores thumbnails, which are available in the ef folder of the VLC ADB backup. VLC also stores information about the currently playing media; it is available in the sp folder.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="media_list">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
    <long name="position_in_media" value="3151" />
    <boolean name="app_onboarding_done" value="true" />
    <int name="current_settings_version" value="7" />
    <boolean name="media_shuffling" value="false" />
    <long name="VideoResumeTime" value="1151" />
    <int name="first_run" value="3050100" />
    <string name="media_list_resume">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
    <int name="position_in_media_list" value="0" />
    <string name="app_theme">-1</string>
    <int name="video_hud_timeout_in_s" value="4" />
    <boolean name="initial_permission_asked" value="true" />
    <boolean name="widget_migration_key" value="true" />
    <float name="VideoSpeed" value="1.0" />
    <int name="fragment_id" value="2131362703" />
    <int name="audio_stop_after" value="-1" />
    <string name="current_media">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
    <string name="current_media_resume">file:///storage/emulated/0/Movies/Whatsapp/VID-20220915-WA0034.mp4</string>
    <int name="ml_scan" value="0" />
    <boolean name="video_player_tips_shown" value="true" />
</map>
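To show what the unpacking step and the sp folder contents look like programmatically, here is an added Python example (not from the article or the abp tool) that reads an unencrypted .ab header, inflates the embedded tar, and parses a shared_prefs map like the VLC one above into typed values. The backup bytes it works on are a constructed fixture with a placeholder package name.

```python
import io, tarfile, zlib
import xml.etree.ElementTree as ET

AB_MAGIC = b"ANDROID BACKUP\n"

def unpack_ab(ab_bytes):
    """Return {member_name: bytes} from an unencrypted .ab file.
    Header: 4 newline-terminated lines (magic, format version, compression
    flag 1 = Deflate/zlib, encryption "none"|"AES-256") = 24 bytes for
    version 5, exactly what `tail -c +25` skips; the rest is a zlib stream."""
    if not ab_bytes.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    _, _ver, compressed, encryption, payload = ab_bytes.split(b"\n", 4)
    if encryption != b"none":
        raise ValueError("password-protected backup: " + encryption.decode())
    tar_bytes = zlib.decompress(payload) if compressed == b"1" else payload
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

# Casts for the element types a shared_prefs <map> can contain.
_CASTS = {"int": int, "long": int, "float": float,
          "boolean": lambda v: v == "true", "string": str}

def parse_shared_prefs(xml_bytes):
    """Turn one shared_prefs file (sp/ folder) into a typed dict."""
    prefs = {}
    for el in ET.fromstring(xml_bytes):
        cast = _CASTS.get(el.tag)
        if cast is None:                  # <set>: collect the child strings
            prefs[el.get("name")] = [c.text or "" for c in el]
            continue
        raw = (el.text or "") if el.tag == "string" else el.get("value")
        prefs[el.get("name")] = cast(raw)
    return prefs

def prefs_from_backup(ab_bytes):
    # Parse every shared_prefs XML found under any app's sp/ folder.
    return {n: parse_shared_prefs(d) for n, d in unpack_ab(ab_bytes).items()
            if "/sp/" in n and n.endswith(".xml")}

def build_sample_ab():
    """Constructed fixture (not from a real device): one sp file in a tar."""
    xml = (b"<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
           b'  <string name="current_media">file:///storage/emulated/0/Movies/clip.mp4</string>\n'
           b'  <long name="position_in_media" value="3151" />\n'
           b'  <boolean name="media_shuffling" value="false" />\n</map>\n')
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")
        info.size = len(xml)
        tar.addfile(info, io.BytesIO(xml))
    return AB_MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Pass the bytes of a real unencrypted backup to prefs_from_backup to list every preference file per package; encrypted backups are rejected rather than silently mis-parsed.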

VLC Media Player Thumbnails in ef folder

🎞️ VLC Thumbnails & Media Library images from an #Android ADB #DFIR extraction now available in #ALEAPP.
☑️ Thanks to Nashid P. (https://t.co/PPAGF2682x) for the test data.
🔗 ALEAPP: https://t.co/qVhp55hQuO pic.twitter.com/7k0WlbzsGr

— Brigs 💬 (@AlexisBrignoni) August 23, 2022

So it is possible to acquire artifacts from Android without root access. This shows the importance of the allowBackup attribute in Android development: if a developer forgets to set it to false and the app processes sensitive data, there is a high chance of exposing private data.