In the HackTheBox Cat challenge we cover mobile forensics, specifically extracting data from an Android backup. Android backups, typically created with adb backup or the device's own backup facility, are stored as a compressed (and optionally encrypted) archive with the extension ".ab", which can be unpacked with the appropriate forensics tools. We used the open-source Android Backup Extractor to recover the data, including the media and app files, stored in the backup supplied with this challenge.

HackTheBox Cat Challenge Description

Easy leaks

Walkthrough

Understanding Android Backup Files

Android devices often allow users to create backup files (.ab files) to safeguard their data. These backups can contain a wealth of information, including application data, user settings, and more. In forensic investigations, analyzing these backups can reveal critical insights. The “Cat” challenge provides an unprotected Android backup file, serving as an excellent opportunity to practice extraction techniques.

Extracting Data from Android Backup Files

Mobile forensics is a broad subject, and one of its core topics is data acquisition and analysis. After data is extracted from the target device, whether a PC or a mobile phone, the analysis may require the investigator to unpack any compressed archives produced during the acquisition process.

We used Android Backup Extractor to extract the Android backup given in this challenge.

An alternative one liner can be used to extract the given Android backup as shown below:

( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -

This command drops the 24-byte .ab header (the "ANDROID BACKUP" magic, the format version, the compression flag and the encryption field, which reads "none" for an unprotected backup) and prepends a gzip header, so the zlib-compressed tar body that follows can be streamed straight into tar's gzip filter. Because the body is a zlib stream rather than a real gzip file, gzip may report a checksum error after the last file has been written; the extracted files are nevertheless complete. The trick only works when the encryption field is "none"; an encrypted backup needs its password and a tool such as Android Backup Extractor. Upon extraction, investigators will find directories such as apps and shared, containing application-specific data and shared files respectively. Analyzing these directories can uncover valuable information pertinent to the investigation.
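The same extraction written in Python, as an added example that is not part of the original walkthrough or of Android Backup Extractor: it parses the four-line header, refuses encrypted backups before trying to decompress, and returns the files under apps/ and shared/. The header layout is assumed from the AOSP backup format, and the sample backup is constructed inside the script.

```python
import io
import tarfile
import zlib

# Assumed layout of an unencrypted .ab file (four newline-terminated lines,
# then a zlib stream of a tar archive):
#   "ANDROID BACKUP\n", "<version>\n", "1\n" (1 = compressed), "none\n"
MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data: bytes) -> dict:
    """Return header fields plus the offset at which the body starts."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup: bad magic")
    pos, fields = 0, []
    for _ in range(4):  # magic, version, compression flag, encryption
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    return {"version": int(fields[1]), "compressed": fields[2] == "1",
            "encryption": fields[3], "body_offset": pos}  # 24 when "none"


def extract_ab(data: bytes) -> dict:
    """Return {member name: bytes} for an unencrypted backup."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("encrypted backup (%s): password required" % hdr["encryption"])
    body = data[hdr["body_offset"]:]
    if hdr["compressed"]:
        body = zlib.decompress(body)  # zlib, not gzip: the file has no gzip header
    out = {}
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read()
    return out


def build_sample_ab() -> bytes:
    """Constructed sample: a tiny apps/ and shared/ tree packed like adb backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [("apps/com.example.notes/f/note.txt", b"sample note\n"),
                              ("shared/0/Pictures/cat.jpg", b"not a real jpeg\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Running extract_ab on a real unprotected backup.ab read with open(path, "rb").read() yields the same apps/ and shared/ paths that the one-liner above writes to disk.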

Data Acquisition Methods in Android Forensics

In the realm of Android forensics, several data acquisition methods are employed to extract information from devices:

  1. Manual Acquisition: Investigators navigate through the device’s user interface to manually access and document data. This method is time-consuming and limited to data visible to the user.
  2. Logical Acquisition: Utilizes software tools to extract data through the device’s operating system interfaces, capturing active files and directories without accessing unallocated space.
  3. Physical Acquisition: Involves creating a bit-by-bit copy of the device’s entire storage, including deleted files and unallocated space. This method provides the most comprehensive data set but often requires specialized equipment and may not be feasible for all devices.

Conclusion

HackTheBox Cat challenge simulates a real-world scenario where an investigator must extract and analyze data from an Android backup to uncover hidden information. By applying the extraction techniques discussed, participants can retrieve the backup’s contents and analyze them to find the embedded flag, thereby honing their skills in Android forensics.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.