Forensic analysis of HiSuite backups



Retrieving data from Android devices is becoming more complex every day - sometimes even more difficult than from an iPhone. Igor Mikhailov, a specialist at the Group-IB Computer Forensics Laboratory, explains what to do if you cannot extract data from an Android smartphone using standard methods.

A few years ago, my colleagues and I discussed trends in the development of security mechanisms in Android devices and came to the conclusion that the time will come when their forensic investigation will become more difficult than for iOS devices. And today we can say with confidence that this time has come.

I recently examined the Huawei Honor 20 Pro. What do you think was extracted from its backup copy obtained using the ADB utility? Nothing! The device is full of data: information about calls, phone book, SMS, correspondence in messengers, e-mail, multimedia files, etc. And none of it can be extracted. An awful feeling!

What can you do in such a situation? A good way out is to use proprietary backup utilities (Mi PC Suite for Xiaomi smartphones, Samsung Smart Switch for Samsung, HiSuite for Huawei).

In this article, we will look at creating backups of Huawei smartphones with HiSuite, extracting data from them, and then analyzing them using Belkasoft Evidence Center.

What types of data fall into HiSuite backups?


The following data types are included in HiSuite backups:

  • account and password information (or tokens)
  • contacts
  • calls
  • SMS and MMS
  • email
  • multimedia files
  • databases
  • documents
  • archives
  • application files (files with the extensions .odex, .so, .apk)
  • information from applications (such as Facebook, Google Drive, Google Photos, Google Mails, Google Maps, Instagram, WhatsApp, YouTube, etc.)

Let us look in more detail at how such a backup is created and how to analyze it using Belkasoft Evidence Center.

Backing up your Huawei smartphone using HiSuite


To create a backup with the proprietary utility, download it from the Huawei website and install it.

Huawei HiSuite download page:


To pair the device with the computer, HDB mode (Huawei Debug Bridge) is used. The Huawei website and the HiSuite program itself contain detailed instructions on how to activate HDB mode on a mobile device. After activating HDB mode, launch the HiSuite application on the mobile device and enter the code it displays into the HiSuite program window running on the computer.

The code entry window in the desktop version of HiSuite:


During the backup process, you will need to enter a password that will be used to protect the data retrieved from the device's memory. The created backup will be located at C:/Users/%User profile%/Documents/HiSuite/backup/.

Backing up a Huawei Honor 20 Pro smartphone:


HiSuite Backup Analysis with Belkasoft Evidence Center


To analyze the resulting backup using Belkasoft Evidence Center, create a new case. Then select Mobile Image as the data source. In the menu that opens, specify the path to the directory where the smartphone backup is located, and select the info.xml file.

Specifying the path to the backup:


In the next window, the program will prompt you to select the types of artifacts that you need to find. After starting the scan, go to the Task Manager tab and click the Configure task button, since the program is waiting for the password needed to decrypt the encrypted backup.

Configure task button:


After decrypting the backup, Belkasoft Evidence Center will ask you to re-specify the types of artifacts that you want to extract. After the analysis is complete, information about the extracted artifacts can be viewed in the Case Explorer and Overview tabs.

Huawei Honor 20 Pro Backup Analysis Results:


Analysis of HiSuite backup using Oxygen Forensic Suite Expert


Another forensic program with which you can extract data from a HiSuite backup is Mobile Forensic Expert.

To process the data stored in the HiSuite backup, click on the Import backups option in the main program window.

Fragment of the main window of the program "Oxygen Forensic Expert":


Alternatively, in the Import section, select Huawei Backup as the type of data to import:


In the window that opens, specify the path to the info.xml file. At the start of the extraction procedure, a window will appear in which you will be prompted to either enter a known password to decrypt the HiSuite backup, or use the Passware tool to try to find this password if it is unknown:


When the analysis of the backup finishes, the Oxygen Forensic Suite Expert program displays a window showing the types of extracted artifacts: calls, contacts, messages, files, events, application data. Pay attention to the amount of data this forensic program extracts from various applications. It is simply huge!

List of extracted data types from HiSuite backup in Oxygen Forensic Suite Expert program:


Decryption of HiSuite backups


What if you do not have these wonderful programs? In that case, a Python script developed and maintained by Francesco Picasso, an employee of Reality Net System Solutions, will help. You can find this script on GitHub, and a more detailed description of it can be found in the article “Huawei backup decryptor”.

The decrypted HiSuite backup can then be imported and analyzed using classic forensic utilities (for example, Autopsy) or manually.
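Before a backup directory is handed to a decryptor or imported into a forensic tool, it helps to record what it contained. The following is an added example, not part of the original article or of the decryptor script mentioned above: it finds backup sets by the info.xml file the article selects on import and builds a SHA-256 manifest so later changes to the working copy can be detected. The function names and the sample file names are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

MARKER = "info.xml"  # the file the article selects when importing a backup

def find_backup_sets(root: Path) -> list[Path]:
    """Return every directory under root that directly contains info.xml."""
    return sorted(p.parent for p in root.rglob(MARKER) if p.is_file())

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map each file path (relative to the backup set) to its SHA-256."""
    return {
        f.relative_to(backup_dir).as_posix(): sha256_file(f)
        for f in sorted(backup_dir.rglob("*")) if f.is_file()
    }

def changed_files(before: dict[str, str], after: dict[str, str]) -> list[str]:
    """List files added, removed or modified between two manifests."""
    names = set(before) | set(after)
    return sorted(n for n in names if before.get(n) != after.get(n))

def demo() -> tuple[int, list[str]]:
    """Constructed sample tree (file names are made up, not HiSuite's own)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "HiSuite" / "backup"
        backup = root / "constructed_backup_set"
        (backup / "media").mkdir(parents=True)
        (backup / MARKER).write_text("<constructed/>")
        (backup / "sms.db").write_bytes(b"constructed ciphertext")
        (backup / "media" / "a.enc").write_bytes(b"\x00" * 16)
        sets = find_backup_sets(root)
        before = build_manifest(sets[0])
        # Simulate a tool writing into the evidence copy after hashing.
        (backup / "sms.db").write_bytes(b"touched by a tool")
        return len(sets), changed_files(before, build_manifest(sets[0]))

if __name__ == "__main__":
    print(demo())
```

On a real case, point `find_backup_sets` at the HiSuite backup directory, store the manifest with the case notes, and rebuild it after each tool run to compare.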

Conclusions


Thus, using the HiSuite backup utility, you can extract an order of magnitude more data from Huawei smartphones than when extracting data from the same devices using the ADB utility. Despite the large number of utilities for working with mobile phones, Belkasoft Evidence Center and Oxygen Forensic Suite Expert are some of the few forensic programs that support the extraction and analysis of HiSuite backups.

Update


After additional tests, the following was established:

1) The data of the Google Chrome application does not get into the HiSuite backup.

2) For some reason, the developers of the proprietary backup utility have banned the transfer of data from a number of applications to backups created by new versions of HiSuite. Therefore, if you want to extract maximum data from your smartphone, use the oldest version of HiSuite, the release date of which should approximately coincide with the release date of the Huawei smartphone.

3) The version of the Huawei Suite mobile application installed on the smartphone must correspond to the version of HiSuite installed on the researcher’s computer.

