An Often Overlooked Source of Evidence: Mobile Phone Backups
One of the items I mentioned briefly last week that I’m going to delve a little deeper into today is mobile phone backups. Cell phone backups are very important, especially when you’re analyzing a computer and locate one on it. There have been a good number of mobile phone forensic cases I’ve worked on where the computers involved had backups of either Blackberry or Apple iOS devices. Given how heavily smartphones are used nowadays, locating a backup on a computer you’re investigating can be huge, especially when you don’t have access to the individual’s phone. For today’s blog, I’m going to focus on the cell phone backups supported by Cellebrite Mobile Forensics, since that is the main tool in our forensic arsenal. At the moment, Cellebrite only supports backups from the following devices: Google’s Android OS, RIM’s Blackberry, and Apple’s iOS devices. I’ll go over each of these backup options for mobile device forensics and what goes along with them.
Let’s start with Google’s Android backup options. Unlike Apple and Blackberry, which I’ll get to soon enough, Google does not provide a dedicated program to easily back up and restore data from one Android device to another. Part of the reason is that while every manufacturer starts with the Android OS, which any manufacturer can license from Google, each then adapts it to its own vision of a smartphone and the hardware it plans to use. Depending on how each manufacturer tweaks the Android OS, any backup program Google created could run into issues. For this reason it should fall to the manufacturers themselves to create and provide a backup solution for their smartphones, but that is not something that is happening. At the moment there are apps available for Android devices that let people back up and then restore their data, but currently none of them are supported by Cellebrite. The only Android backup option Cellebrite supports is a backup created with the Android Debug Bridge (adb) backup command. This command is included in Google’s Android SDK (Software Development Kit) and is available on Android 4.0 (Ice Cream Sandwich) or newer. This route also requires a computer with Oracle’s Java Development Kit installed in order to communicate with the Android phone and create and save the backup. For the average person the whole process may be a bit too complicated, so it is not something we’re likely to find on a computer we’re investigating. Now I’m not saying we wouldn’t be able to handle parsing other forms of Android backups; I’m simply stating that at this point in time Cellebrite only supports importing Android backups created using the Android SDK as described above. We run into new pieces of software and technology all the time, and we are constantly taking the new information and adapting our processes and methodologies to include them.
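To make the adb backup route concrete, here is an added example (my own illustration, not code from the blog or from Cellebrite) that builds a small, constructed `.ab` file in memory in the layout `adb backup` writes (a four-line text header: magic, format version, compressed flag, encryption method; then a zlib-deflated tar archive) and parses it back. The package name, file paths and file contents are constructed sample data; the `apps/<package>/...` and `shared/0/...` paths follow the layout adb backup uses. The parser refuses encrypted backups explicitly, because without the passphrase the user typed on the phone there is nothing useful to extract, which is the same wall an analyst hits with a password-protected iTunes or Blackberry backup.

```python
import io
import tarfile
import zlib

# Magic line that starts every file written by `adb backup`.
AB_MAGIC = b"ANDROID BACKUP\n"


def make_tar(files):
    """Pack {path: bytes} into an uncompressed tar archive (constructed sample data, not a device dump)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_ab(files, version=1, compressed=True, encryption="none"):
    """Constructed sample .ab file: the four-line text header adb writes, then the (deflated) tar payload.
    For encryption="AES-256" only the header marker is emitted; the salt/IV/key lines of a real encrypted
    backup are left out because the parser below stops at that marker anyway."""
    tar_bytes = make_tar(files)
    payload = zlib.compress(tar_bytes) if compressed else tar_bytes
    header = AB_MAGIC + f"{version}\n{int(compressed)}\n{encryption}\n".encode()
    return header + payload


def read_ab_header(blob):
    """Return (metadata dict, remaining bytes) from an .ab blob, or raise if the magic is missing."""
    if not blob.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file: magic line missing")
    # maxsplit=4 so newline bytes inside the binary payload are left untouched.
    parts = blob.split(b"\n", 4)
    if len(parts) != 5:
        raise ValueError("truncated .ab header")
    _, version, compressed, encryption, rest = parts
    meta = {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
    }
    return meta, rest


def extract_ab(blob):
    """Return (metadata, {path: bytes}) for an unencrypted backup; refuse encrypted ones explicitly."""
    meta, rest = read_ab_header(blob)
    if meta["encryption"] != "none":
        # An AES-256 backup is followed by salt, round-count, IV and wrapped-master-key lines; without
        # the passphrase the user chose on the phone the tar payload cannot be recovered, so fail loudly.
        raise ValueError(f"backup is encrypted with {meta['encryption']}; passphrase needed")
    tar_bytes = zlib.decompress(rest) if meta["compressed"] else rest
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return meta, files


# Constructed sample content in the apps/<package>/... and shared/0/... layout adb backup uses.
SAMPLE_FILES = {
    "apps/com.example.notes/_manifest": b"com.example.notes\n",
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "shared/0/DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
}


def demo():
    """Build a compressed sample backup, parse it back, and report the header and the paths inside."""
    blob = make_ab(SAMPLE_FILES)
    meta, files = extract_ab(blob)
    return meta, sorted(files)


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the blob would be the bytes of the `.ab` file found on the suspect's computer rather than the constructed one; the header check is the quick way to triage whether a found backup is even worth queueing for analysis, since an `AES-256` marker means the passphrase has to be obtained first.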
iOS Device Backups
For Apple it was a no-brainer to make the iPhone, iPad and iPod Touch work together with iTunes, especially considering the success of the original iPod and their digital music sales. Apple not only made iTunes the software manager for iOS devices, but also gave it the ability to back up and restore all user data from them (with a couple of exceptions). Simply syncing an iOS device creates a backup automatically (although a user can also create one manually in iTunes). Most of the information people want from a cell phone, such as call logs, text messages and contacts, is stored in databases that are backed up in their entirety during the backup process. One of the big-ticket items that is not preserved by the backup procedure is email. Since emails don’t reside solely on the iOS device, it makes sense that they aren’t included in the backup, but we can all agree it would be pretty nice if they were. One of the best parts of Apple’s backup process is that we can still extract deleted information from the backup. When a text message, call log entry, etc. is deleted, it is (depending on the type of data) not purged from the database and still exists, so when a backup is parsed we are still able to retrieve deleted information. This also allows us, as stated in my previous blog, to image a phone remotely using the iTunes backup procedure and still retrieve deleted information from the phone. One item that can cause issues with extracting data from iOS backups is the user encrypting the backup with a password, which is an option iTunes gives users. While it is possible for us to crack the password on an iOS backup, it can take quite some time, depending on the length and complexity of the password.
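The reason deleted records survive in these backups is a property of SQLite, the database engine behind files such as the messages and call-history databases: deleting a row only marks its cell as free space on the page, it does not erase the bytes. The following added example (my own demonstration, not code from the blog or from any forensic vendor) builds a constructed messages table, deletes one row, and then carves printable strings straight out of the file bytes, ignoring the database structure, to show that the deleted text is still on disk while a normal query no longer returns it. It also shows the edge case: with SQLite's `secure_delete` pragma turned on, the freed bytes are zeroed and the carve finds nothing. The table layout and message contents are constructed samples, not the real sms.db schema.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Constructed sample row; the wording only has to be distinctive enough to find in raw file bytes.
DELETED_TEXT = "Meet me at the old pier at midnight, bring the envelope"


def build_sample_db(secure_delete):
    """Create a tiny messages table, delete one row, and return the database file path.
    secure_delete toggles the SQLite pragma that decides whether freed cell bytes are zeroed."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT)")
    con.executemany(
        "INSERT INTO message (handle, text) VALUES (?, ?)",
        [
            ("+15555550100", "Running late, see you at 7"),
            ("+15555550101", DELETED_TEXT),
            ("+15555550100", "Ok no problem"),
        ],
    )
    con.commit()
    # The user deletes the middle message. SQLite records the cell as free space on the page;
    # with secure_delete OFF the bytes stay in place, with it ON they are overwritten with zeros.
    con.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    con.commit()
    con.close()
    return path


def live_messages(path):
    """What a normal query (or the phone's own UI) sees after the delete."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return rows


def carve_strings(path, min_len=8):
    """Pull printable ASCII runs straight out of the file bytes, ignoring the SQLite structure entirely."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_demo(secure_delete):
    """Return (live row count, whether the deleted text is still carvable from the file on disk)."""
    path = build_sample_db(secure_delete)
    try:
        live = len(live_messages(path))
        # Substring match, because a carved run may include the neighbouring handle bytes.
        found = any(DELETED_TEXT in s for s in carve_strings(path))
    finally:
        shutil.rmtree(os.path.dirname(path))
    return live, found


if __name__ == "__main__":
    print("secure_delete OFF:", recover_demo(False))
    print("secure_delete ON: ", recover_demo(True))
```

The string carve is the crudest possible recovery; a backup parser walks the page freeblocks and unallocated space properly and rebuilds whole records, but the principle is the same one the carve shows: the data is still there until something overwrites it. The `secure_delete` case is worth keeping in mind, since an application that enables it, or a database that has been vacuumed, will yield far less deleted content than this example suggests.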
Now on to RIM’s Blackberry, which provides Blackberry Desktop Manager for Blackberry OS 9 and earlier and Blackberry Link for Blackberry OS 10 devices to help users manage the content on their Blackberry. More importantly, these applications allow the data on a user’s Blackberry to be backed up and restored. Blackberry Desktop Manager and Link are free applications available directly from RIM for all of their devices. The software backs up all of the settings on a Blackberry device and, more to the point, all of the user data on it (which is what we’re really after). In my experience as an analyst I’ve encountered a lot of computers with Blackberry backups on them, although that number is dwindling quickly as the Blackberry brand becomes a bit stale. One of the really nice features of the backup process is that it pulls out and preserves all email located on the Blackberry in addition to the standard phone information. Even though we do get emails from the backup, a downside of the backup process is that no deleted information is available: because of how Blackberry backs up the data, only the active data ends up in the backup. As with iOS devices, one issue we can run into is the backup being encrypted with a password. While setting up the backup process in Blackberry Desktop Manager (Blackberry OS 9 and earlier), the user can choose to encrypt the backup with a password of their choice. As with iOS devices, we can crack the password on the backup, but it can take quite some time depending on the length and complexity of the password. With Blackberry Link (Blackberry OS 10), all backups are encrypted using the Blackberry ID username and password, so at this point in time, without that username and password, the backups cannot be decrypted and analyzed.
As you’ve read in this blog, Blackberry and iOS devices give people an easy way to back up and restore their phones, and they give us investigators an easy way to get access to this relevant information. When we’re analyzing a computer and locate a Blackberry or iOS device backup, it can be a goldmine of information. The backup capabilities of Blackberry and iOS devices also afford us the opportunity to acquire these devices remotely, which is huge considering that nowadays people can’t live without their cell phones for even an hour. Even though we can run into issues with passwords and encryption, it isn’t the end of the world, as there are still options available to get access to the data.