Systematic Evaluation of Forensic Data Acquisition using Smartphone Local Backup

TL;DR

This paper systematically evaluates the effectiveness of using smartphone local backup mechanisms for forensic data acquisition, revealing that they often provide accurate copies but have notable corner cases affecting data integrity.

Contribution

It provides a thorough, systematic evaluation of iOS and Android local backup mechanisms for forensic purposes, highlighting their reliability and limitations.

Findings

Local backups often accurately reflect original data

Corner cases like database files with pending changes can affect data integrity

Evaluation methodology can guide forensic data acquisition practices

Abstract

Due to the increasing security standards of modern smartphones, forensic data acquisition from such devices is a growing challenge. One rather generic way to access data on smartphones in practice is to use the local backup mechanism offered by the mobile operating systems. We study the suitability of such mechanisms for forensic data acquisition by performing a thorough evaluation of iOS's and Android's local backup mechanisms on two mobile devices. Based on a systematic and generic evaluation procedure comparing the contents of local backup to the original storage, we show that in our exemplary practical evaluations, in most cases (but not all) local backup actually yields a correct copy of the original data from storage. Our study also highlights corner cases, such as database files with pending changes, that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.