
Back up files

(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Can anyone shed any light on these back up files and their evidential soundness?

CallogSetting.ebk
Contacts.spba
ContactSetting.ebk
Email.ebk
Language.ebk
Message.smea
MessageSetting.ebk
NMemo.nmm
SBrowser.ebk
ScheduleSetting.ebk
Schedule.ssca
backupHistoryInfo.xml
Calllog.ebk
Radio.ebk
Wallpaper.ebk
WIFI.ebk

 
Posted : 02/07/2017 5:16 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Context? On a PC, an SD card, android, path perhaps D

 
Posted : 03/07/2017 2:20 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I found a reference to Kies 3 backup files https://forum.xda-developers.com/galaxy-s3/help/convert-backup-sms-file-sme-to-csv-t3312104

SEE #5 BELOW REGARDING "backupHistoryInfo.xml" FROM XDA

You will need
• A working phone (e.g. your phone)
• The SMS-backup-file (*.sme) you want to restore (e.g. from other phone)
• Kies 3 (or Smart Switch - not tested)

Follow these steps
1. Only backup your SMS from your phone via Kies
2. Go to your Backup-folder and rename the created "Message.sme" from your actual Kies-backup
3. Put there the sme-file you want to restore
4. Right-click on the sme-file, click properties and read the size in bytes (not on disk!) - e.g. 906.848 Bytes -> 906848
5. Open "backupHistoryInfo.xml" with a text-editor (e.g. notepad++)
6. Find the line <FileSize> near <Type>Message</Type> - in my file line 32
7. Paste the size in bytes - e.g. 906848 - there and save the file
8. Close every program (kies, filebrowser, etc.) and disconnect your phone and restart kies, then reconnect your phone
9. Click restore backup -> messages
10. Done! Now you can read the messages from "every" .sme-file!
11. After getting the information you need, you can copy back your messages and change the size in bytes!

 
Posted : 03/07/2017 8:16 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Firstly thanks to both of you for responding - appreciated.

I will answer both responses together, if that's OK.

Context? On a PC, an SD card, android, path perhaps D

I found a reference to Kies 3 backup files https://forum.xda-developers.com/galaxy-s3/help/convert-backup-sms-file-sme-to-csv-t3312104

SEE #5 BELOW REGARDING "backupHistoryInfo.xml" FROM XDA

You will need
• A working phone (e.g. your phone)
• The SMS-backup-file (*.sme) you want to restore (e.g. from other phone)
• Kies 3 (or Smart Switch - not tested)

Follow these steps
1. Only backup your SMS from your phone via Kies
2. Go to your Backup-folder and rename the created "Message.sme" from your actual Kies-backup
3. Put there the sme-file you want to restore
4. Right-click on the sme-file, click properties and read the size in bytes (not on disk!) - e.g. 906.848 Bytes -> 906848
5. Open "backupHistoryInfo.xml" with a text-editor (e.g. notepad++)
6. Find the line <FileSize> near <Type>Message</Type> - in my file line 32
7. Paste the size in bytes - e.g. 906848 - there and save the file
8. Close every program (kies, filebrowser, etc.) and disconnect your phone and restart kies, then reconnect your phone
9. Click restore backup -> messages
10. Done! Now you can read the messages from "every" .sme-file!
11. After getting the information you need, you can copy back your messages and change the size in bytes!

The files actually come from back ups I produced using Samsung Smart Switch (http://samsungsmartswitch.org/). The purpose was to see whether it could be used for first best evidence.

When installed Smart Switch is stored (Path) with short-cut on desktop.
C:\Program Files (x86)\Samsung\Smart Switch PC\SmartSwitchPC.exe

The back up files are located
OS (C:) > ProgramData > Samsung > DeviceProfile > Cache > SM-J320FN > J320FNXXXU0APK3 > SmartSwitchPCProfile > SM-J320FN_20170628095026

I will post photo if required.

I checked the tool CFF and SmartSwitchPC.exe has in its properties MD5 hash and SHA1 hash.

Before diving into the files -I like your feedback BTW UnallocatedClusters thanks - I noted that the folder containing the files has a date and timestamp "_20170628095026".

It is intriguing that these files can be populated into other devices.

What is interesting with Smart Switch is the entire process is seamless and no need for separate ADB operation. Once handset is connected to USB the program auto-detect, starts connecting and downloads. I have just started looking at this but I haven't as yet found a footprint on the handset that Smart Switch was connected or that a download has taken place. My next task is to search for an ID that connects files directly to handset from which they were downloaded.

These are my reasons for asking whether anyone has had any previous experience with these files. It does look at this early stage, although I could be proven wrong, an evidence back up might be possible here subject to establishing no contamination is taking place. Most importantly Smart Switch is free.

If an examiner or LEO wanted to upload a working copy to a test handset to browse content the same way a user would, this could be a useful tool.

 
Posted : 03/07/2017 10:10 pm
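
An added example, not part of any post in this thread and not Samsung's or Smart Switch's own code: a Python sketch of the integrity baseline the post above is concerned with. It hashes every file in a backup folder, parses the folder-name timestamp, and flags a backup file whose size no longer matches `<FileSize>` in backupHistoryInfo.xml. Assumptions: `<Type>` and `<FileSize>` are children of the same element and the `<Type>` text equals the file's base name (only the two tag names appear in the thread); all function names and the sample folder contents are constructed for illustration.

```python
import hashlib, re, tempfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

def folder_timestamp(name):
    """Parse the trailing _YYYYMMDDHHMMSS stamp of a backup folder name."""
    m = re.search(r"_(\d{14})$", name)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None

def hash_manifest(folder):
    """Return {file name: (size, md5, sha1, sha256)} for each file in folder."""
    manifest = {}
    for path in sorted(p for p in Path(folder).iterdir() if p.is_file()):
        digests = [hashlib.new(a) for a in ("md5", "sha1", "sha256")]
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB reads
                for d in digests:
                    d.update(chunk)
        manifest[path.name] = (path.stat().st_size, *(d.hexdigest() for d in digests))
    return manifest

def declared_sizes(xml_path):
    """Map <Type> text to <FileSize> where one element has both (assumed layout)."""
    sizes = {}
    for elem in ET.parse(xml_path).iter():
        kind, size = elem.findtext("Type"), elem.findtext("FileSize")
        if kind and size and size.strip().isdigit():
            sizes[kind.strip()] = int(size)
    return sizes

def size_mismatches(folder):
    """Return {type: (declared, on_disk)} where the XML and the file disagree."""
    on_disk = {Path(n).stem: v[0] for n, v in hash_manifest(folder).items()}
    declared = declared_sizes(Path(folder) / "backupHistoryInfo.xml")
    return {k: (d, on_disk[k]) for k, d in declared.items() if on_disk.get(k, d) != d}

def demo():  # constructed folder: take a baseline, swap Message.smea, then re-check
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "SM-J320FN_20170628095026"
        folder.mkdir()
        (folder / "Message.smea").write_bytes(b"A" * 100)  # constructed content
        xml = "<B><I><Type>Message</Type><FileSize>100</FileSize></I></B>"  # assumed layout
        (folder / "backupHistoryInfo.xml").write_text(xml)
        before, clean = hash_manifest(folder), size_mismatches(folder)
        (folder / "Message.smea").write_bytes(b"B" * 250)  # simulated file swap
        changed = sorted(n for n, v in hash_manifest(folder).items() if before.get(n) != v)
        return folder_timestamp(folder.name), clean, changed, size_mismatches(folder)

if __name__ == "__main__": print(demo())
```

A manifest taken immediately after acquisition and compared on every later access shows whether any file in the folder has been replaced; the size check only catches a swap where `<FileSize>` was left unedited, so it supplements the hashes rather than replacing them.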
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I think you are researching something potentially valuable.

I have played with, but not tested, LG's own Android backup tool called "LG Backup"
http://www.lg.com/us/support/product-help/CT10000026-1438110404543-preinstall-apps

If you think about it, Apple's iTunes can make an encrypted mobile backup of iPhones, which can be used for "best evidence", so it stands to reason that other phone manufacturers might have similar tools to create mobile backups.

If you have bandwidth to test LG Backup, I would be very curious to see what a mobile backup of an LG phone created using LG Backup would contain.

 
Posted : 04/07/2017 3:15 am
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

ebk file extension means encrypted backup?

 
Posted : 04/07/2017 12:27 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

ebk file extension means encrypted backup?

Yes, I think so.

However, when I first looked at the .ebk file extension I thought it was a reference to eBook and why was Samsung using eBook encryption techniques?

I did some searching on the Internet (but clearly not enough yet) and three posts initially caught my eye

http://www.forensicfocus.com/Forums/viewtopic/t=11273/
https://forums.androidcentral.com/samsung-galaxy-s5/634153-there-way-pc-read-smart-switch-backup-file.html
https://forum.xda-developers.com/note-4-verizon/general/talk-root-t2908919/page231

From the forum.androidcentral comments

Samsung says that they do not have a way to restore the backup to a Gusto, nor can they read the backup file in a way that I can understand it.

The Smart Switch file formats are proprietary, not human-readable, so you won't be able to read them.

 
Posted : 04/07/2017 1:16 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

I have also put some screen images from CFF into a .pdf which can be downloaded here

CFF Smart Switch and file.pdf - https://www.dropbox.com/s/d8p145l5r2qboti/CFF%20Smart%20Switch%20and%20file.pdf

Clarification is needed on the MD5 and SHA1 signatures

With the "CFF Explorer" tool you can get important information such as the programming language with which the file was created, its size in bytes, its md5/sha1 signatures, the original file name, among other characteristics.

http://www.malware.unam.mx/en/content/dynamic-analysis-malicious-dlls

 
Posted : 04/07/2017 1:36 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

I think you are researching something potentially valuable.

Hope so. There could be benefits to examiners and law enforcement (particularly where funds are tight or non-existent), and for evidence generally.

I have played with, but not tested, LG's own Android backup tool called "LG Backup"
http://www.lg.com/us/support/product-help/CT10000026-1438110404543-preinstall-apps

Downloaded and added to the research task list.

If you think about it, Apple's iTunes can make an encrypted mobile backup of iPhones, which can be used for "best evidence", so it stands to reason that other phone manufacturers might have similar tools to create mobile backups.

This is an objective of the open research to have a free toolkit of manufacturer back-up tools but validated by the examiner community as a whole as opposed to leaving the work to a commercial software house to do the job alone.

I do not foresee this toolkit replacing other forensic suites available - this research is not for competition or being competitive.

 
Posted : 04/07/2017 1:49 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Updating on Smart Switch and other tests so far

USER INVASION TESTS ON SAMSUNG GALAXY J3-6 J320FN.pdf

https://www.dropbox.com/s/d141h90fnf3tlol/USER%20INVASION%20TESTS%20ON%20SAMSUNG%20GALAXY%20J3-6%20J320FN.pdf

 
Posted : 22/07/2017 2:31 pm