The Not-so-secret Android* Backup for eDiscovery

Within the technical disciplines associated with investigations and eDiscovery, there are well-known challenges with retrieving data off devices once a legal requirement has been identified. Forensic application vendors struggle to keep up with the pace of new devices coming to market. Often there are gaps of months to years before new devices are supported by the industry-leading mobile forensic vendors. Add to this the complexities of mobile device management or encryption, and technicians may struggle significantly to retrieve the needed information off devices.

One solution that technicians should be aware of is the standard backup capability that is built into the Android operating system.

Android proliferation = data recovery challenges

Android devices pose a special challenge because there are so many variations, and not all of them are supported by the mobile forensic applications that we use.

We’ve found that if your mobile forensic applications don’t support getting data off a particular Android device, you can always rely on the standard backup capability that is built into Android, or rather into the standard Android SDK. After I mentioned that earlier this year in an Intel paper called Android* Devices in a BYOD Environment, I received many comments and questions from people dealing with this in the US, Africa, and the UK.

With this backup utility, you can back up the whole device or specify exactly what you need for a discovery request. Using this tool is very easy to explain as it is a standard, repeatable feature of the operating system.

Any of the mobile forensics tools that ask you to ‘enable debug mode’ on an Android device are using this same standard Android backup utility to get the data. That’s right. You can get the same access to data using the free tool.

So why spend a chunk of budget for a mobile forensics application when the Android backup capability is free? One of the answers is analysis and output format.

The mobile forensic applications output (parse) the data in formats that are easy for you and your teams to utilize, and some of them also offer additional analysis. Some tools will help you look for patterns, identify deleted data, correlate timestamp information, or build a timeline of everything that happened on a device. So for companies with the budget, forensic software makes sense.

If you just go with the standard Android backup utility, the output is an Android backup (.ab) file. To get to the data you can use open source tools to convert the .ab backup file to a TAR file, which you can then extract to get to the native data as it existed on the device. These steps take time and technical capability to complete, but they will expand your knowledge of the Android operating system and how data is retrieved off the device. If you are fulfilling legal requests for data, make sure you consult with your legal teams for guidance and document your steps to explain how you retrieved the data.
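The .ab-to-TAR step above is simple enough to do with the Python standard library, which is also a good way to document exactly how the data was unwrapped. The following is an added example, not code from the original post or from any forensic vendor: it reads the four-line text header that the SDK backup tool writes in front of the payload (magic line, format version, compression flag, encryption algorithm), inflates the zlib-compressed TAR stream, and lists the files it contains. It only handles unencrypted backups and refuses an AES-256 one, since those need the password set when the backup was taken. The sample .ab file and the file names inside it are constructed here for the demonstration; the `make_sample_ab` helper exists only to build that test input.

```python
import io
import tarfile
import zlib

# Layout of an unencrypted Android backup (.ab) file, as produced by the
# SDK's "adb backup" command (for example: adb backup -f backup.ab -all -apk -shared):
#   line 1: "ANDROID BACKUP"
#   line 2: format version (a small integer)
#   line 3: "1" if the payload is zlib-compressed, "0" if it is a raw TAR stream
#   line 4: encryption algorithm, "none" or "AES-256"
#   then:   the TAR stream (zlib-compressed when line 3 is "1")
MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data: bytes) -> dict:
    """Split an .ab file into its header fields and the raw payload that follows them."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file (bad magic)")
    fields = []
    offset = 0
    for _ in range(4):  # four newline-terminated header lines
        nl = data.index(b"\n", offset)
        fields.append(data[offset:nl].decode("ascii"))
        offset = nl + 1
    _magic, version, compressed, encryption = fields
    return {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
        "payload": data[offset:],
    }


def backup_is_encrypted(data: bytes) -> bool:
    """True when the header declares an encryption algorithm other than 'none'."""
    return parse_ab_header(data)["encryption"] != "none"


def ab_to_tar(data: bytes) -> bytes:
    """Return the TAR stream contained in an unencrypted .ab file."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # Decrypting needs the user-chosen backup password; out of scope here.
        raise ValueError(f"encrypted backup ({hdr['encryption']}): password required")
    payload = hdr["payload"]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def list_backup_contents(data: bytes) -> list:
    """Names of the regular files stored in the backup, as laid out inside the TAR."""
    tar_bytes = ab_to_tar(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def make_sample_ab(files: dict, version: int = 5) -> bytes:
    """Build a constructed, unencrypted .ab file for testing (not a real device backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:  # "w:" = uncompressed TAR
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = MAGIC + f"{version}\n1\nnone\n".encode("ascii")
    return header + zlib.compress(buf.getvalue())


# Constructed sample contents mimicking the apps/ and shared/ trees of a real backup.
SAMPLE_FILES = {
    "apps/com.example.mail/db/messages.db": b"SQLite format 3\x00 (constructed stub)",
    "shared/0/DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff (constructed stub)",
}

if __name__ == "__main__":
    sample = make_sample_ab(SAMPLE_FILES)
    print("version:", parse_ab_header(sample)["version"])
    for name in list_backup_contents(sample):
        print(name)
```

To use it on a real file, read `backup.ab` into `data`, call `ab_to_tar(data)` and write the result to `backup.tar`, then extract that with any TAR tool; recording the header fields (version, compression, encryption) alongside the extracted files is a cheap way to document the chain of custody for the conversion step.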

If you encounter new Android devices or devices simply unsupported by your mobile forensic applications, don’t forget this additional tool in your toolbox that might be the least expensive one yet.

Why not test these steps on a sample device so you know how to accomplish the task before you need it for an active case?