Data locations within ADB backups

Now that the backup has been converted into a .tar file and then extracted, the examiner can view the data contained in the backup. In our example, there are two directories found in the root of the backup:

  • apps: Contains data from /data/data for applications that were included in the backup

  • shared: Contains all data from the SD card; only present if the shared argument was passed at the command line

Note that the files within the apps directory are stored in directories named by their package name (just as seen in /data/data from within adb shell), and the shared directory is exactly what the user would see if they accessed the SD card by plugging it into a computer. For a benign example of user data that was pulled from the backup, the user's Pandora activity is shown in the following screenshot. Pandora is a streaming music service with millions of downloads in the Google Play Store. Pandora's application data will be contained in the apps folder of the backup, in the folder named com.pandora.android:

The Pandora directory from the backup

This is a fairly standard layout for an Android application, as discussed in Chapter 2, Setting Up the Android Forensic Environment. The application's databases will be in the db folder:

Files within the db folder of the Pandora backup

XML configuration settings will be in the sp folder:

Files within the sp folder of the Pandora backup

Using a database viewer to view pandora.db reveals stations that the user has created, as well as the timestamp for when it was created:

Contents of pandora.db from the backup

Looking in the XML preferences file, the timestamp of the app installation can be found under firstInstallId. Note that the exact method for converting the timestamps is shown in Chapter 7, Forensic Analysis of Android Applications:

Contents of the XML preferences file

If, for some odd reason, the user's Pandora usage was a major question in the investigation, what could an examiner determine from these two seemingly innocuous files?

Firstly, the lastTransmission and firstInstallId timestamps are within milliseconds of each other, indicating that the application was never used after it was installed. Furthermore, the creation dates of each station precede the installation of the application, in some cases by years. This would indicate that the user had used Pandora on other devices, which may be highly relevant to the investigation.

While Pandora is generally not germane to digital forensic investigations, it is an example of data that can be gleaned from a simple backup over ADB. More detailed application analysis will be presented in Chapter 7, Forensic Analysis of Android Applications.
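As an added illustration (not code from the book), the following Python walks an extracted backup laid out as described above and applies the two inferences drawn from the Pandora files: whether lastTransmission follows firstInstallId by more than a moment, and which stations were created before the install. It builds its own constructed apps/com.pandora.android tree; the preference file name and the stations table schema are assumptions, since the real schema must be read from the recovered pandora.db.

```python
import os, sqlite3, tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def read_shared_prefs(path):
    """Parse an Android shared-preferences XML: <map> of <long>/<int>/<string> entries."""
    prefs = {}
    for elem in ET.parse(path).getroot():
        if elem.tag in ("long", "int"):
            prefs[elem.get("name")] = int(elem.get("value"))
        else:  # <string> and friends keep their text
            prefs[elem.get("name")] = elem.text or ""
    return prefs

def ms_to_utc(ms):
    """Android stores these timestamps as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def analyse_pandora(backup_root, prefs_file="PandoraPrefs.xml"):
    """Apply the chapter's two inferences to apps/com.pandora.android/{sp,db}."""
    app_dir = os.path.join(backup_root, "apps", "com.pandora.android")
    prefs = read_shared_prefs(os.path.join(app_dir, "sp", prefs_file))  # file name assumed
    first_install, last_tx = prefs["firstInstallId"], prefs["lastTransmission"]
    con = sqlite3.connect(os.path.join(app_dir, "db", "pandora.db"))
    # Table and column names are assumed; read the real schema from the recovered database.
    stations = con.execute("SELECT stationName, dateCreated FROM stations ORDER BY dateCreated").fetchall()
    con.close()
    return {
        "installed": ms_to_utc(first_install),
        "used_after_install": last_tx - first_install > 1000,  # more than one second apart
        "stations_predating_install": [n for n, created in stations if created < first_install],
    }

def build_sample_backup():
    """Constructed sample (not real Pandora data) laid out like the extracted backup."""
    app_dir = os.path.join(tempfile.mkdtemp(), "apps", "com.pandora.android")
    os.makedirs(os.path.join(app_dir, "db"))
    os.makedirs(os.path.join(app_dir, "sp"))
    install_ms = 1389024000000  # 2014-01-06 16:00:00 UTC, constructed
    with open(os.path.join(app_dir, "sp", "PandoraPrefs.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                f'<long name="firstInstallId" value="{install_ms}" />\n'
                f'<long name="lastTransmission" value="{install_ms + 412}" />\n</map>\n')
    con = sqlite3.connect(os.path.join(app_dir, "db", "pandora.db"))
    con.execute("CREATE TABLE stations (stationName TEXT, dateCreated INTEGER)")
    con.executemany("INSERT INTO stations VALUES (?, ?)",
                    [("Classic Rock", 1262304000000), ("Jazz", install_ms - 86400000)])
    con.commit(); con.close()
    return os.path.dirname(os.path.dirname(app_dir))  # the backup root
```

Calling analyse_pandora(build_sample_backup()) reports no use after install and both stations created before it, mirroring the reasoning above.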
