Systematic Evaluation of Forensic Data Acquisition using Smartphone Local Backup

Julian Geus, Jenny Ottmann, Felix Freiling

TL;DR

The paper shows that in most cases (but not all) local backup actually yields a correct copy of the original data from storage, and it highlights corner cases that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.

Abstract

Due to the increasing security standards of modern smartphones, forensic data acquisition from such devices is a growing challenge. One rather generic way to access data on smartphones in practice is to use the local backup mechanism offered by the mobile operating systems. We study the suitability of such mechanisms for forensic data acquisition by performing a thorough evaluation of iOS's and Android's local backup mechanisms on two mobile devices. Based on a systematic and generic evaluation procedure comparing the contents of local backup to the original storage, we show that in our exemplary practical evaluations, in most cases (but not all) local backup actually yields a correct copy of the original data from storage. Our study also highlights corner cases, such as database files with pending changes, that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.

Paper Structure

This paper contains 26 sections, 2 equations, 3 figures, 6 tables.

Figures (3)

  • Figure 1: Data types that can be acquired by the different acquisition methods.
  • Figure 2: Generic evaluation model
  • Figure 3: Relations between the data sets