Core Concepts
Local backup mechanisms offered by mobile operating systems can be used as a generic way to access data on smartphones, but their suitability and reliability for forensic data acquisition have not been systematically evaluated.
Abstract
The authors conducted a thorough evaluation of the local backup mechanisms provided by iOS and Android to assess their suitability for forensic data acquisition. They developed a generic evaluation procedure that compares the contents of local backups to the original storage on the devices.
For Android, the evaluation included both full backups and selective backups using app-downgrading. The results showed that in most cases, the acquired data from the local backup was correct and matched the original data on the device. However, some corner cases were identified, such as database files with pending changes, where the backup data did not fully match the original.
For iOS, the evaluation included both encrypted and unencrypted local backups. The results were similar to Android, with most of the data being correctly acquired. However, the authors found that over 10% of the data, particularly database files, showed alterations compared to the original data due to the merging of uncommitted changes during the backup process.
The authors conclude that local backup can be a suitable method for forensic data acquisition, but certain limitations and corner cases need to be considered when assessing the integrity and authenticity of the evidence.
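The database corner case above can be reproduced and triaged offline. The following is an added example, not code from the paper or its authors: it assumes the pending changes live in a SQLite write-ahead log (`-wal` sidecar file), and the `sms` table, its rows and all file names are constructed.

```python
import hashlib, os, pathlib, shutil, sqlite3, tempfile

def file_sha256(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def copy_db(src, dst):
    """Copy a database file plus its -wal sidecar, if one exists."""
    shutil.copy(src, dst)
    if os.path.exists(src + "-wal"):
        shutil.copy(src + "-wal", dst + "-wal")

def logical_digest(db_path):
    """Hash every table row, reading a scratch copy so the evidence file is never opened."""
    with tempfile.TemporaryDirectory() as scratch:
        work = os.path.join(scratch, "work.db")
        copy_db(db_path, work)
        con, h = sqlite3.connect(work), hashlib.sha256()
        names = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
        for (name,) in names:
            h.update(name.encode())
            for row in con.execute(f'SELECT * FROM "{name}" ORDER BY rowid'):
                h.update(repr(row).encode())
        con.close()
        return h.hexdigest()

def classify(original, backup):
    if file_sha256(original) == file_sha256(backup):
        return "identical"
    if logical_digest(original) == logical_digest(backup):
        return "content-equal"  # bytes differ, rows match: pending changes were merged
    return "different"

def demo(root):
    """Build a constructed 'device' database with one pending row and a merged 'backup' of it."""
    live, device, backup = (os.path.join(root, n) for n in ("live.db", "device.db", "backup.db"))
    con = sqlite3.connect(live, isolation_level=None)        # autocommit
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")               # keep new writes in the WAL
    con.execute("CREATE TABLE sms(address TEXT, body TEXT, date INTEGER)")
    con.execute("INSERT INTO sms VALUES ('+10000000001', 'first', 1)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # row 1 now in the main file
    con.execute("INSERT INTO sms VALUES ('+10000000002', 'pending', 2)")  # WAL only
    copy_db(live, device)                                    # snapshot of original storage
    con.close()
    copy_db(device, backup)
    merge = sqlite3.connect(backup)                          # stand-in for the backup process
    merge.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # merges the pending row
    merge.close()
    return classify(device, backup)
```

A `content-equal` result explains a hash mismatch as merged pending changes, while `different` marks a file whose rows really diverge and needs manual review.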
Stats
The SMS backup file contains information about the user's SMS messages, including the address, body, date, date_sent, read, status, and type.
The call log backup file contains information about the user's call history, including the _id, number, presentation, date, duration, type, subscription_component_name, subscription_id, phone_account_address, and block_reason.
The settings backup file contains a subset of device settings from various configuration files, including settings_config.xml, settings_global.xml, settings_secure.xml, WifiConfigStore.xml, and WifiConfigStoreSoftAp.xml.