Posts

Showing posts from July, 2019

Huawei backup decryptor

When doing Mobile Forensics the first and usually the hardest step is to get access to user's data. It depends on the case type, but the so called physical acquisition is the analyst object of desire.
The reason is simple: iOS and Android native backups, respectively adb and iTunes, contain a subset of user data, because they respect the various apps configurations where they can specify "you can't include me in backups". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups.
In the scenario where device is unlocked or the lock code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Almost totally man…