Logical acquisition (backup analysis)

Many devices (Apple iOS, BlackBerry, and a limited number of Android models, for example, Sony Xperia) are able to produce offline backups via the software installed on the user's computer. Apple iTunes, BlackBerry Link, Sony PC Companion, and many other tools can be used to produce and restore phone or tablet backups. Depending on the OS, an offline backup may or may not be password-protected. Depending on the protection status, experts may be able to extract all, some, or none of the information.

Offline backups, if available for a particular platform, tend to have as much or more information available compared to cloud backups.

Logical acquisition benefits include the following:

• One of the easiest acquisition methods
• No special expertise required
• Device disassembly not required
• Non-destructive process

Major drawbacks of logical acquisition are as follows:

• Limited amount of information extracted
• Android: Manufacturers and app developers control what is and what is not included in ADB backups
• Android: ADB backup may not work on encrypted devices
• Not available for Windows Phone 8 and Windows 10 Mobile
• No unallocated space extraction
• Backups protected with unknown passwords: No success guarantee and unknown timeframe

Apple iOS

Password-protected iTunes backups (Apple iOS) are encrypted; the expert will have to supply the correct password in order to decrypt the backup. If the password is not known, the expert can perform an attack (brute-force, dictionary, or combination) in order to recover the password. When analyzing password-protected Apple backups, experts can access items from the Apple keychain. Offline backups created without a password will be unencrypted for the most part; however, the keychain will be encrypted with a hardware key, meaning that no keychain data will be available. Making the (unlocked) iOS device produce an offline backup is a viable acquisition method. If possible, try to ensure that a backup with a known password is created (if backup password is not set, creating one before making the backup will ensure that the keychain items can be decrypted).

Backup passwords, if enabled, are more of a property of the actual iOS device rather than the backup itself. If backup password protection is enabled, the backup is encrypted on the iOS device before any data leaves the device. Once backup encryption is enabled, no unencrypted data leaves the device regardless of the tool used to make the backup. In other words, Apple iTunes is not actually creating backups; instead, the tool receives an encrypted data stream and saves it to a file.

BlackBerry 10

Backups produced by BlackBerry Link (BB 10 OS) do not have a password. Instead, they are securely encrypted on-device with a strong encryption key that is stored online. Retrieving the encryption key is possible if the user's BlackBerry ID and password are known, or by serving a government request.

Similar to Apple iOS, BlackBerry 10 devices encrypt their backups internally. No unencrypted data leaves the device. So, when the user creates a backup via BlackBerry Link or a different tool (for example, Sachesi or Darcy's BlackBerry Tools), the backup tool just passes a command to the BlackBerry device. The device handles the encryption internally and streams the encrypted data flow to BlackBerry Link (or an alternative tool). It is important to note that unencrypted data never leaves the device regardless of what tool is used.

Note

Windows Phone 8 and Windows 10 Mobile do not offer offline backups.

Android

Stock Android does not come with iTunes-like tools for making full-device backups. However, some original equipment manufacturers (OEMs) provide tools for making and restoring offline backups (for example, Sony PC Companion for Xperia devices).

The platform offers a limited capability for creating offline backups via the command line (adb backup). However, ADB backups may include a limited amount of data compared to iTunes backups. Due to Android fragmentation, manufacturers have control over what does and does not become part of the backup. As a result, some devices may back up call history, contacts, and text messages, while some other devices won't. As an example, Samsung, Sony, and HTC often omit call history, contacts, and text messages, while allowing Google Chrome data to be backed up (which, for example, will contain cached passwords and browsing history). We will discuss more on the Android logical acquisition via ADB backup in Chapter 4, Practical Steps to Android Acquisition, in the Android physical acquisition and Live imaging without root (via ADB backup) sections

Nandroid backups

Rooted Android phones with custom recoveries (CWM and TWRP) offer the ability to create so-called Nandroid backups, which contain full images of the device's filesystem. During acquisition, such devices can be booted into the Recovery Mode and instructed to produce a full Nandroid backup.

In general, the phone must have a custom recovery installed in order to produce a Nandroid backup. Installing a custom recovery (if it's not yet installed) requires an unlocked bootloader (or a bootloader hack) and/or rooting the device. Note that, in most cases, unlocking a locked bootloader will wipe all user data on the device. This Android security measure can be bypassed in certain cases via the bootloader hack.

Note that neither cloud nor offline backups include unallocated space.