The authors conducted a thorough evaluation of the local backup mechanisms provided by iOS and Android to assess their suitability for forensic data acquisition. They developed a generic evaluation procedure that compares the contents of local backups to the original storage on the devices.
For Android, the evaluation included both full backups and selective backups using app-downgrading. The results showed that in most cases, the acquired data from the local backup was correct and matched the original data on the device. However, some corner cases were identified, such as database files with pending changes, where the backup data did not fully match the original.
For iOS, the evaluation included both encrypted and unencrypted local backups. The results were similar to Android, with most of the data being correctly acquired. However, the authors found that over 10% of the data, particularly database files, showed alterations compared to the original data due to the merging of uncommitted changes during the backup process.
The authors conclude that local backup can be a suitable method for forensic data acquisition, but certain limitations and corner cases need to be considered when assessing the integrity and authenticity of the evidence.
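The database corner case described above, reproduced as an added example that is not taken from the paper or its tooling. It assumes the pending changes sit in an SQLite write-ahead log and uses Python's `sqlite3` backup API as a stand-in for the platform backup service; the `msg` table, file names and row are constructed.

```python
import hashlib, os, shutil, sqlite3, tempfile

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def logical_rows(db):
    """Query a scratch copy (db plus any -wal sidecar) so the evidence file is never opened."""
    scratch = os.path.join(tempfile.mkdtemp(), "copy.db")
    shutil.copy(db, scratch)
    if os.path.exists(db + "-wal"):
        shutil.copy(db + "-wal", scratch + "-wal")
    con = sqlite3.connect(scratch)
    try:
        return con.execute("SELECT id, body FROM msg ORDER BY id").fetchall()
    finally:
        con.close()

def classify(original, backup):
    """Compare one backed-up database against the copy taken from device storage."""
    if sha256(original) == sha256(backup):
        return "identical"
    if logical_rows(original) == logical_rows(backup):
        return "altered-file-same-content"  # e.g. pending WAL frames merged
    return "content-mismatch"

def demo():
    work = tempfile.mkdtemp()
    live, orig, bak = (os.path.join(work, n) for n in ("live.db", "orig.db", "backup.db"))
    con = sqlite3.connect(live)
    for pragma in ("journal_mode=WAL", "wal_autocheckpoint=0"):
        con.execute("PRAGMA " + pragma).fetchall()
    con.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    con.execute("INSERT INTO msg (body) VALUES ('constructed sample row')")
    con.commit()                       # row now sits in live.db-wal only
    shutil.copy(live, orig)            # stand-in for the physical image
    shutil.copy(live + "-wal", orig + "-wal")
    dst = sqlite3.connect(bak)         # stand-in for the backup service
    con.backup(dst)                    # logical copy: WAL frames are merged
    dst.close()
    con.close()
    return {"hash_equal": sha256(orig) == sha256(bak),
            "verdict": classify(orig, bak),
            "rows": logical_rows(bak)}

if __name__ == "__main__":
    print(demo())
```

A file-hash comparison alone reports this database as altered; the logical comparison shows the backup holds the same records, which is the distinction an examiner needs to document.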
Key insights extracted from
by Julian Geus,... at arxiv.org 04-22-2024
https://arxiv.org/pdf/2404.12808.pdf