Huawei backup decryptor

When doing Mobile Forensics the first and usually the hardest step is to get access to user's data. It depends on the case type, but the so called physical acquisition is the analyst object of desire.

The reason is simple: iOS and Android native backups, respectively adb and iTunes, contain a subset of user data, because they respect the various apps configurations where they can specify "you can't include me in backups". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups.

In the scenario where device is unlocked or the lock code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Almost totally manual, lots of screenshot, hard to search for keywords, etc.

Applications downgrade is a chance for some well-known apps, not for everything. What left? Android vendors often provide their own backup solution, as for example Samsung Smart Switch)and Huawei Backup. The latter has a very nice capability: it's able to include the applications data in the backups. Yes, exactly what inside the object of desire data/data folder.

By using the HiSuite software solution, thus with the aid of a computer, or directly using the Huawei Backup App (on a SD card or by USB OTG) the user has the choice to backup apps too. This open a nice scenario for an analyst: the opportunity to grab all the intimate files inside the data/data folders.

Well, that's good but with one downside: the backups are encrypted with a password chosen by the user or with a sort of device password (not explored in the post). So, once the analyst gets the backup, how could he decrypt it?


Decrypting Huawei backups

Recently on the Digital Investigation Journal Myungseo Park and others had published the paper "Decrypting password-based encrypted backup data for Huawei smartphones" (Volume 28, March 2019, Pages 119-125). This research goes into great details regarding how the Huawei backups work, from the folder structures to their decryption.

It's strongly suggested to read the paper, because in the following lines it's assumed a lot from it, starting from the difference between backups done with HiSuite and backups done with the KoBackup app, up to encryption keys derivations and algorithms. If not interested in details, jump to the section related to the provided software.

Worth noting, the HiSuite version used in the paper was 8.0.1.303_OVE and the KoBackup version was not reported, most likely the same version.

In RealityNet I created a python script able to decrypt a Huawei backup, both when created with HiSuite and when created with KoBackup: please remember that they use a different folder structure and, with KoBackup, multimedia files are not encrypted. The hard job was done by the paper's authors, so it was easy to develop the script.

Decrypting Huawei backups version > 9...

It worked out well since we had a case with a Huawei phone. The phone had the USB connector not working properly and it was only used to recharge the device. Luckily it had the possibility to add an SD card, so we created the apps backup encrypted by using KoBackup and the SD card.

An issued raised when using our script: it was unable to decrypt the backup or, better, the decrypted files were totally wrong, most likely due to a wrong key. The KoBackup version was 9.1.1.300_OVE. This version seems released in May 2019, few months after the paper published: did Huawei change anything?

Armed with this idea, I took a look at the KoBackup.apk file by using the awesome jadx. The code was obfuscated as reported in the paper but no signs of native libraries. I started to dig around the obfuscated code and I was lucky to spot the proper place where things started to make sense. To be extremely short, Huawei changed a bit the encryption schema.

In the old schema (called v3), the user provided password was directly used to decrypt the data or to derive the decryption key. In the new schema (called v4), the user password is used to decrypt the (so-called) backup password, which becomes the 'user password' in the previous schema. Indeed the data decryption process remained the same.

I will not push details here: for the curious ones, given the paper knowledge, this is the addendum I had to write to make the script work again.


    def __decrypt_bkey_v4(self):
        key_salt = self._pwkey_salt[:16]
        logging.debug('KEY_SALT[%s] = %s', len(key_salt),
                      binascii.hexlify(key_salt))

        key = PBKDF2(self._upwd, key_salt, Decryptor.dklen, Decryptor.count,
                     Decryptor.prf)
        logging.debug('KEY[%s] = %s', len(key), binascii.hexlify(key))

        nonce = self._pwkey_salt[16:]
        logging.debug('KEY NONCE[%s] = %s', len(nonce),
                      binascii.hexlify(nonce))

        cipher = AES.new(key, mode=AES.MODE_GCM, nonce=nonce)
        self._bkey = cipher.decrypt(self._e_perbackupkey)[:32]
        logging.debug('BKEY[%s] =   %s',
                      len(self._bkey), binascii.hexlify(self._bkey))


kobackupdec.py

In the end, the script is able to parse both HiSuite and KoBackup backups and to decrypt v3 and v4 encryption. The python code is available at https://github.com/RealityNet/kobackupdec. Please take into account that it probably needs more testing, so please give feedback on the GitHub project page.

As reported on GitHub, there are some notes and caveats that should be known to not misuse the script:

  • the latest HiSuite seems to always use  v3 encryption schema when creating backups
  • the latest KoBackup app uses v4 encryption schema
  • when using HiSuite, multimedia files are encrypted
  • when using the KoBackup app, multimedia files are not encrypted
  • data as messages, call logs and contacts seem to be processed and the resulting database files have not the usual format found in Android
  • the script assumes the backups were created by specifying a user password. As reported in the paper, if the user tries to create a backup with HiSuite without providing a password, "a 32-byte fixed password [is] transmitted from the PC". This part was not reversed thus the script should not work.
  • the script tries to mimic the typical Android output folders, e.g. it will recreate data/data paths and it will explode the apps tar data files

Updates

[01 August 2019] Thanks for the feedback received, here are some updates based on them.

First, it's worth noting that you can use the KoBackup App to create a backup (on SD or through OTG) which is not encrypted: simply don't put a password when asked by the app. This is most likely the best approach because you don't need any decryption step, even if the backup structure is a bit weird. Note that it seems you can't do the same when using HiSuite.

Second, and this is a very good question, are there any differences when using encrypted vs non-encrypted backups? Will you get the same data? What about the KoBackup version installed on the phone? The app rules the way backups are done, even when using HiSuite.

To answer the previous questions more testing should be done, and it's a good opportunity for a community effort, to share results related to what they get when using a specific version of the app. I can actually say I had no differences when using encrypted versus non-encrypted backups.

Some guys reported differences when using the latest version of the app (9.1.1.300), which did not insert the Facebook and its Messenger in the backups, while version 9.0.2.233 did. This is a major warning, but again more testing is needed: let's find a way to share them. In any case, checking if there is a missing app collected should be part of the acquisition process.

Conclusions

Having the possibility to get a nearly full file system acquisition by using the HiSuite/KoBackup tools provided by Huawei is a must. When the device is unlocked, or the lock code known, and it's not possible to perform a physical acquisition, the native Huawei backup represents a good forensically sound opportunity. Let's hope they will not change this behavior and that they will not change again the encryption schema. For now, you could use the proposed script, or use it to write your own one.

Comments

  1. When you produce the backup through the KoBackup you can opt to NOT encrypt it by choosing "Ignore" when it asks to set a password so the decryption part would be automagically solved but the part of your script that deals with the data/data paths and tar data files would help [i usually do that part manually :-( ].
    A question: have you noticed if choosing to encrypt the backup expands the list of what it includes, like happens with iOS devices?

    Thanks for sharing.

    ReplyDelete

Post a Comment

Popular posts from this blog

Windows ReVaulting

WhatsApp Forensics