Can anyone shed any light on these back up files and their evidential soundness?
CallogSetting.ebk
Contacts.spba
ContactSetting.ebk
Email.ebk
Language.ebk
Message.smea
MessageSetting.ebk
NMemo.nmm
SBrowser.ebk
ScheduleSetting.ebk
Schedule.ssca
backupHistoryInfo.xml
Calllog.ebk
Radio.ebk
Wallpaper.ebk
WIFI.ebk
Context? On a PC, an SD card, android, path perhaps D
I found a reference to Kies 3 backup files https://
SEE #5 BELOW REGARDING "backupHistoryInfo.xml" FROM XDA
You will need
• A working phone (e.g. your phone)
• The SMS-backup-file (*.sme) you want to restore (e.g. from other phone)
• Kies 3 (or Smart Switch - not tested)
Follow these steps
1. Only backup your SMS from your phone via Kies
2. Go to your Backup-folder and rename the created "Message.sme" from your actual Kies-backup
3. Put there the sme-file you want to restore
4. Right-click on the sme-file, click properties and read the size in bytes (not on disk!) - e.g. 906.848 Bytes -> 906848
5. Open "backupHistoryInfo.xml" with a text-editor (e.g. notepad++)
6. Find the line <FileSize> near <Type>Message</Type> - in my file line 32
7. Paste the size in bytes - e.g. 906848 - there and save the file
8. Close every program (kies, filebrowser, etc.) and disconnect your phone and restart kies, then reconnect your phone
9. Click restore backup -> messages
10. Done! Now you can read the messages from "every" .sme-file!
11. After getting the information you need, you can copy back your messages and change the size in bytes!
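The restore procedure above relies on the <FileSize> value in backupHistoryInfo.xml agreeing with the file on disk, which is also something an examiner can check when assessing a backup folder. The following is an added example, not part of the original posts and not Samsung or XDA code: it hashes every file in a backup folder and compares on-disk sizes with the recorded values. Only <Type> and <FileSize> appear in the thread; the wrapper element names, the rule that a file's stem equals its <Type>, and the sample data are assumptions.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample manifest. Only <Type> and <FileSize> come from the post;
# the <BackupHistoryInfo> and <Item> wrappers are hypothetical.
SAMPLE_XML = """<BackupHistoryInfo>
  <Item><Type>Message</Type><FileSize>12</FileSize></Item>
  <Item><Type>Contacts</Type><FileSize>8</FileSize></Item>
</BackupHistoryInfo>"""

def sha256_file(path):
    """Stream the file so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_backup(folder):
    """Return {file name: (status, size, sha256)} for one backup folder."""
    folder = Path(folder)
    recorded = {}
    for elem in ET.parse(folder / "backupHistoryInfo.xml").getroot().iter():
        kind, size = elem.findtext("Type"), elem.findtext("FileSize")
        if kind and size and size.strip().isdigit():
            recorded[kind.strip()] = int(size)
    report = {}
    for path in sorted(p for p in folder.iterdir() if p.is_file()):
        actual = path.stat().st_size
        expected = recorded.get(path.stem)  # assumption: file stem equals <Type>
        status = ("not-listed" if expected is None
                  else "match" if expected == actual else "MISMATCH")
        report[path.name] = (status, actual, sha256_file(path))
    return report

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "backupHistoryInfo.xml").write_text(SAMPLE_XML)
        Path(tmp, "Message.smea").write_bytes(b"A" * 12)   # size as recorded
        Path(tmp, "Contacts.spba").write_bytes(b"B" * 9)   # size differs from record
        return audit_backup(tmp)

if __name__ == "__main__":
    for name, (status, size, digest) in demo().items():
        print(f"{status:10} {size:>8} {digest}  {name}")
```

A matching size only shows the manifest and the file are consistent with each other; the hashes, recorded at acquisition and re-computed later, are what show the files have not changed.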
Firstly thanks to both of you for responding - appreciated.
I will answer both responses together, if that's OK.
Context? On a PC, an SD card, android, path perhaps D
I found a reference to Kies 3 backup files https://forum.xda-developers.com/galaxy-s3/help/convert-backup-sms-file-sme-to-csv-t3312104
SEE #5 BELOW REGARDING "backupHistoryInfo.xml" FROM XDA
You will need
• A working phone (e.g. your phone)
• The SMS-backup-file (*.sme) you want to restore (e.g. from other phone)
• Kies 3 (or Smart Switch - not tested)
Follow these steps
1. Only backup your SMS from your phone via Kies
2. Go to your Backup-folder and rename the created "Message.sme" from your actual Kies-backup
3. Put there the sme-file you want to restore
4. Right-click on the sme-file, click properties and read the size in bytes (not on disk!) - e.g. 906.848 Bytes -> 906848
5. Open "backupHistoryInfo.xml" with a text-editor (e.g. notepad++)
6. Find the line <FileSize> near <Type>Message</Type> - in my file line 32
7. Paste the size in bytes - e.g. 906848 - there and save the file
8. Close every program (kies, filebrowser, etc.) and disconnect your phone and restart kies, then reconnect your phone
9. Click restore backup -> messages
10. Done! Now you can read the messages from "every" .sme-file!
11. After getting the information you need, you can copy back your messages and change the size in bytes!
The files actually come from back ups I produced using Samsung Smart Switch (http://samsungsmartswitch.org/). The purpose was to see whether it could be used for first best evidence.
When installed Smart Switch is stored (Path) with short-cut on desktop:
C:\Program Files (x86)\Samsung\Smart Switch PC\SmartSwitchPC.exe
The back up files are located:
OS (C:) > ProgramData > Samsung > DeviceProfile > Cache > SM-J320FN > J320FNXXXU0APK3 > SmartSwitchPCProfile > SM-J320FN_20170628095026
I will post photo if required.
I checked the tool CFF and SmartSwitchPC.exe has in its properties MD5 hash and SHA1 hash.
Before diving into the files - I like your feedback BTW UnallocatedClusters, thanks - I noted that the folder containing the files has a date and timestamp "_20170628095026".
It is intriguing that these files can be populated into other devices.
What is interesting with Smart Switch is the entire process is seamless and no need for separate ADB operation. Once the handset is connected to USB the program auto-detects, starts connecting and downloads. I have just started looking at this but I haven't as yet found a footprint on the handset that Smart Switch was connected or that a download has taken place. My next task is to search for an ID that connects files directly to the handset from which they were downloaded.
These are my reasons for asking whether anyone has had any previous experience with these files. It does look at this early stage, although I could be proven wrong, an evidence back up might be possible here subject to establishing no contamination is taking place. Most importantly Smart Switch is free.
If an examiner or LEO wanted to upload a working copy to a test handset to browse content the same way a user would, this could be a useful tool.
I think you are researching something potentially valuable.
I have played with, but not tested, LG's own Android backup tool called "LG Backup"
http//
If you think about it, Apple's iTunes can make an encrypted mobile backup of iPhones, which can be used for "best evidence", so it stands to reason that other phone manufacturers might have similar tools to create mobile backups.
If you have bandwidth to test LG Backup, I would be very curious to see what a mobile backup of an LG phone created using LG Backup would contain.
ebk file extension means encrypted backup?
ebk file extension means encrypted backup?
Yes, I think so.
However, when I first looked at the .ebk file extension I thought it was a reference to eBook and why was Samsung using eBook encryption techniques?
I did some searching on the Internet (but clearly not enough yet) and three posts initially caught my eye:
http://www.forensicfocus.com/Forums/viewtopic/t=11273/
https://
https://
From the forum.androidcentral comments:
Samsung says that they do not have a way to restore the backup to a Gusto, nor can they read the backup file in a way that I can understand it.
The Smart Switch file formats are proprietary, not human-readable, so you won't be able to read them.
I have also put some screen images from CFF into a .pdf which can be downloaded here
CFF Smart Switch and file.pdf - https://
Clarification is needed on the MD5 and SHA1 signatures
With the "CFF Explorer" tool you can get important information such as the programming language with which the file was created, its size in bytes, its md5/sha1 signatures, the original file name, among other characteristics.
http//
I think you are researching something potentially valuable.
Hope so. There could be benefits to examiners and law enforcement (particularly where funds are tight or non-existent), and for evidence generally.
I have played with, but not tested, LG's own Android backup tool called "LG Backup"
http://www.lg.com/us/support/product-help/CT10000026-1438110404543-preinstall-apps
Downloaded and added to the research task list.
If you think about it, Apple's iTunes can make an encrypted mobile backup of iPhones, which can be used for "best evidence", so it stands to reason that other phone manufacturers might have similar tools to create mobile backups.
This is an objective of the open research to have a free toolkit of manufacturer back-up tools but validated by the examiner community as whole as opposed to leaving the work to a commercial software house to do the job alone.
I do not foresee this toolkit replacing other forensic suites available - this research is not for competition or being competitive.
Updating on Smart Switch and other tests so far
USER INVASION TESTS ON SAMSUNG GALAXY J3-6 J320FN.pdf
https://