We covered the subject of mobile forensics and briefly went over the scenario of data extraction from an Android backup. Android backups are commonly taken with adb backup, which produces an archive with the “.ab” extension: a short text header followed by a zlib-compressed tar stream, which is additionally encrypted only when a password was supplied at backup time. Such archives can be unpacked with appropriate forensics tools. We used the open source tool Android Backup Extractor (abe) to extract the data, including the media and the app data stored within the backup file of this scenario. This was part of the HackTheBox Cat challenge.
Mobile forensics is a vast and broad subject, and one of its core topics is data acquisition and analysis. After data is extracted from the target device, whether PC or mobile, an analysis is performed that may require the forensic investigator to unpack any compressed archives created during the acquisition process.
We used Android Backup Extractor to extract the Android backup given in this challenge.
An alternative one-liner can be used to extract an unencrypted Android backup without any third-party tool, as shown below:
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -
This works because an unencrypted “.ab” file is a 24-byte text header (the magic string ANDROID BACKUP, the format version, a compression flag and the encryption algorithm, each on its own line) followed by a zlib stream: tail -c +25 skips the header, and the eight printed bytes plus the two-byte zlib header form a valid ten-byte gzip header in front of the raw deflate data, so tar can read the result as a gzip-compressed tar. gzip may complain about an unexpected end of file or a bad CRC, because the stream ends with a zlib trailer rather than a gzip one, but by then the files have already been written. Check the fourth header line first: if it reads AES-256 rather than none, the backup was taken with a password, this trick yields garbage, and Android Backup Extractor with the password is the way to go. Android backups are compressed by default and encrypted only when a password was supplied; “.ab” is the extension of the backup archive.
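The same header parsing and unpacking, written out as a small Python parser so the check for the encryption line is explicit rather than a matter of luck. This is an added example, not code from the original post nor from Android Backup Extractor; the header field order is the real adb backup layout, but the sample archive it builds in memory (the shared/0 and apps/ paths and their contents) is constructed here and is not a real device backup.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes) -> dict:
    """Parse the four newline-terminated header lines of an .ab file.

    Real adb backup layout:
      line 1: magic       "ANDROID BACKUP"
      line 2: version     "1".."5"
      line 3: compressed  "1" or "0"
      line 4: encryption  "none" or "AES-256"
    The payload (a zlib stream, or a bare tar when uncompressed) starts right
    after the fourth newline; for "none" that offset is 24, which is why the
    shell one-liner uses `tail -c +25`.
    """
    fields = []
    offset = 0
    for _ in range(4):
        end = data.index(b"\n", offset)
        fields.append(data[offset:end].decode("ascii"))
        offset = end + 1
    magic, version, compressed, encryption = fields
    if magic.encode("ascii") != MAGIC:
        raise ValueError("not an Android backup: bad magic %r" % magic)
    return {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
        "payload_offset": offset,
    }


def is_encrypted(data: bytes) -> bool:
    return parse_ab_header(data)["encryption"] != "none"


def ab_to_tar_bytes(data: bytes) -> bytes:
    """Return the tar stream inside an unencrypted .ab file."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # Check this first: blindly inflating an AES-256 backup yields garbage.
        raise ValueError("encrypted backup (%s): password needed, use abe" % hdr["encryption"])
    payload = data[hdr["payload_offset"]:]
    if hdr["compressed"]:
        # zlib framing: 2-byte header, raw deflate data, 4-byte Adler-32 trailer
        payload = zlib.decompress(payload)
    return payload


def list_ab_entries(data: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data)), mode="r:") as tf:
        return tf.getnames()


def extract_ab(data: bytes, dest: str) -> list:
    """Extract to dest, refusing absolute paths and '..' components (tar-slip guard)."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data)), mode="r:") as tf:
        for member in tf.getmembers():
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError("refusing unsafe member name: %s" % member.name)
            tf.extract(member, path=dest)
            written.append(member.name)
    return written


def make_sample_ab(files: dict, compressed: bool = True) -> bytes:
    """Build a constructed .ab file in memory; not a real device backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    tar_bytes = buf.getvalue()
    payload = zlib.compress(tar_bytes, 9) if compressed else tar_bytes
    header = b"ANDROID BACKUP\n5\n" + (b"1" if compressed else b"0") + b"\nnone\n"
    return header + payload


if __name__ == "__main__":
    # Constructed sample: the paths mimic where adb backup places shared storage and app data.
    sample = make_sample_ab({
        "shared/0/Pictures/IMG_0001.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
        "apps/com.example.notes/_manifest": b"constructed manifest",
    })
    print(parse_ab_header(sample))
    print(list_ab_entries(sample))
```

On a real backup, call parse_ab_header on the first few hundred bytes of the file before doing anything else: the encryption line tells you whether abe and the password are required, and payload_offset tells you how many bytes the one-liner has to skip. The tar-slip guard in extract_ab matters because an attacker-supplied backup is still just a tar archive and can carry ../ entries.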
The flag of this challenge can be found in the shared directory after the extraction, specifically written on a piece of paper held by the person shown in the picture.