Parsing ADB backups

The resulting backup data is stored as a .ab file, but is actually a TAR file that has been compressed with the Deflate algorithm. If a password was entered on the device when the backup was created, the file is also AES encrypted. These files may also exist on a suspect's computer and can be analyzed using the same methods.

There are many free utilities to turn the .ab backup file into a .tar file that can be viewed. One such utility is the Android Backup Extractor found at: http://sourceforge.net/projects/adbextractor/.

To use the Android Backup Extractor, simply extract its files into the directory with the backup. The command to run the utility is as follows:

java -jar abe.jar unpack backup.ab backup.tar

The .tar file will be at the path specified on the command line, or the current working directory if no path is specified. Extracting the contents of the .tar file may be done manually on a Linux command line or with one of the many Windows archive utilities such as WinRAR or 7-Zip:

Directories within the backup, seen in 7-Zip