Forensic analysis of HiSuite backups

Retrieving data from Android devices is becoming more complex every day – sometimes even more difficult than from the iPhone. Igor Mikhailov, specialist in the Laboratory of Computer Forensics Group-IB, explains what to do if you cannot extract data from your Android smartphone in standard ways.

A few years ago, my colleagues and I discussed trends in the development of security mechanisms in Android devices and came to the conclusion that the time will come when their forensic investigation will become more difficult than for iOS devices. And today we can say with confidence that this time has come.

I recently researched the Huawei Honor 20 Pro. What do you think I managed to extract from its backup copy obtained using the ADB utility? Nothing! The device is full of data: information about calls, phone book, SMS, correspondence in messengers, e-mail, multimedia files, etc. And you cannot extract any of this. An awful feeling!

What can you do in such a situation? A good way out is to use proprietary backup utilities (Mi PC Suite for Xiaomi smartphones, Samsung Smart Switch for Samsung, HiSuite for Huawei).

In this article, we will consider creating backups of Huawei smartphones with HiSuite, extracting data from them, and then analyzing that data using Belkasoft Evidence Center.

What types of data are included in HiSuite backups?

HiSuite backups include the following data types:

  • account and password information (or tokens)
  • contacts
  • calls
  • SMS and MMS
  • email
  • multimedia files
  • databases
  • documents
  • archives
  • application files (files with the extensions .odex, .so, .apk)
  • information from applications (such as Facebook, Google Drive, Google Photos, Google Mails, Google Maps, Instagram, WhatsApp, YouTube, etc.)

Let us look in more detail at how such a backup is created and how to analyze it using Belkasoft Evidence Center.

Backing up your Huawei smartphone using HiSuite

To create a backup with the proprietary utility, download it from the Huawei website and install it.

Huawei HiSuite download page:

To pair the device with the computer, HDB mode (Huawei Debug Bridge) is used. The Huawei website and the HiSuite program itself provide detailed instructions on how to activate HDB mode on a mobile device. After activating HDB mode, launch the HiSuite application on the mobile device and enter the code it displays into the HiSuite program window running on the computer.

The code entry window in the desktop version of HiSuite:

During the backup process, you will need to enter a password that will be used to protect the data retrieved from the device’s memory. The created backup will be located at C:\Users\%User profile%\Documents\HiSuite\backup\.

Backup Smartphone Huawei Honor 20 Pro:

HiSuite Backup Analysis with Belkasoft Evidence Center

To analyze the resulting backup using Belkasoft Evidence Center, create a new case. Then select Mobile image as the data source. In the menu that opens, specify the path to the directory where the backup copy of the smartphone is located, and select the file info.xml.

Specifying the path to the backup:

In the next window, the program will prompt you to select the types of artifacts that you need to find. After starting the scan, go to the Task manager tab and click the Configure task button, since the program is waiting for a password to decrypt the encrypted backup.

Button Configure task:

After decrypting the backup, Belkasoft Evidence Center will ask you to re-specify the types of artifacts that you want to extract. After the analysis is completed, information about the extracted artifacts can be viewed in the Case explorer and Overview tabs.

Huawei Honor 20 Pro Backup Analysis Results:

Analysis of HiSuite backup using Oxygen Forensic Suite Expert

Another forensic tool that can extract data from a HiSuite backup is Oxygen Forensic Expert.

To process data stored in a HiSuite backup, click the Import backups option in the main program window.

Fragment of the main window of the program “Oxygen Forensic Expert”:

Alternatively, in the Import section, select Huawei backup as the type of data to import:

In the window that opens, specify the path to the file info.xml. At the start of the extraction procedure, a window will appear in which you will be prompted to either enter a known password to decrypt the HiSuite backup, or use the Passware tool to try to find this password if it is unknown:

The result of the backup analysis is shown in the window of the Oxygen Forensic Suite Expert program, which lists the types of extracted artifacts: calls, contacts, messages, files, events, application data. Pay attention to the amount of data extracted from various applications by this forensic program. It is simply huge!

List of extracted data types from HiSuite backup in Oxygen Forensic Suite Expert program:

Decryption of HiSuite backups

What can you do if you do not have these wonderful programs? In this case, a Python script developed and maintained by Francesco Picasso, an employee of Reality Net System Solutions, will help. You can find this script on GitHub, and a more detailed description of it in the article “Huawei backup decryptor.”

The decrypted HiSuite backup can then be imported and analyzed using classic forensic tools (for example, Autopsy) or manually.
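For the manual route, a useful first step is to inventory the decrypted output by file content rather than by extension. The script below is an added example, not part of the original article or of the decryption script; the signature table covers the file kinds listed earlier (databases, archives, application files), and the sample tree it builds is constructed, not real HiSuite output.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Content signatures (offset, magic bytes, label) for file kinds the article lists.
SIGNATURES = [
    (0, b"SQLite format 3\x00", "sqlite-database"),
    (0, b"PK\x03\x04", "zip-or-apk"),
    (0, b"\x7fELF", "elf-shared-object"),
    (257, b"ustar", "tar-archive"),
]

def classify(path):
    with open(path, "rb") as fh:
        head = fh.read(512)
    for offset, magic, label in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    return "unknown"

def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large multimedia files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root):
    """Return sorted (relative path, kind, sha256) rows for every file under root."""
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    return [(p.relative_to(root).as_posix(), classify(p), sha256_of(p)) for p in files]

def build_sample(root):
    """Constructed sample tree so the example runs offline."""
    samples = {"contact.db": b"SQLite format 3\x00" + b"\x00" * 84,
               "app/base.apk": b"PK\x03\x04" + b"\x00" * 26,
               "app/notes.bin": b"plain bytes"}
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) < 2:
        build_sample(root)  # no path given: fall back to the constructed sample
    for rel, kind, digest in inventory(root):
        print(f"{digest}  {kind:18} {rel}")
```

Run it with the decrypted output directory as the only argument; the SHA-256 column doubles as a hash manifest for the working copy.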

Conclusions

Thus, using the HiSuite backup utility, you can extract an order of magnitude more data from Huawei smartphones than when extracting data from the same devices using ADB mode. Despite the large number of utilities for working with mobile phones, Belkasoft Evidence Center and Oxygen Forensic Suite Expert are some of the few forensic programs that support the extraction and analysis of HiSuite backups.
