The ADB backup has been a very useful tool for getting data from Android phones, particularly those phones/devices that are otherwise not accessible due to lack of support by forensic software vendors or hardware/software issues with other methods.
There is however one feature which I do not see being used by any of the vendors or FOSS or any other guides out there. I am specifically talking about about ADB's backup feature to backup key-value pairs. According to one source, since Oreo (8.0), the keyvalue backups are now available via adb backup.
To get data with keyvalue pairs returned, you need to add the -keyvalue parameter to the adb backup command like. I like to use :
Keyvalue backups give some very good information otherwise not available in the adb backup.
When viewing the adb tar archive, you will find one or more folders under each app's folder with names like k, sp, db, .. The k folder holds the key value backup, having file(s) which ends in the extension .data.
The *.data files are located in the k folders usually having the same name as the package like com.android.calendar.data.
The value field can be different types depending on the data/database being backed up. It is different for different packages. You can find XML files, entire SQLITE databases in there, and also single byte true/false type settings.
In the screenshot below, you can see the key-value records as parsed out for com.android.vending.data. The 010 template for this is available here.
In the above example, the value types are mostly True/False. But most other databases have other custom structures embedded there, which need further parsing.
In part 2 of this ADB series, we explore the formats of call logs and other databases that are backed up.
There is however one feature which I do not see being used by any of the vendors or FOSS or any other guides out there. I am specifically talking about about ADB's backup feature to backup key-value pairs. According to one source, since Oreo (8.0), the keyvalue backups are now available via adb backup.
To get data with keyvalue pairs returned, you need to add the -keyvalue parameter to the adb backup command like. I like to use :
adb backup -all -shared -system -keyvalue -f file.adb
Keyvalue backups give some very good information otherwise not available in the adb backup.
So, where are the key-value backups located?
When viewing the adb tar archive, you will find one or more folders under each app's folder with names like k, sp, db, .. The k folder holds the key value backup, having file(s) which ends in the extension .data.
 |
| Figure 1 - Folders holding key-value .data files (this isn't all , there are many more) |
Parsing .data files
This consists of a series of records, each starting with 'Data', and having a key (name) and value (data). The format is as follows, all data in this structure is stored as little-endian:
Position
|
Type
|
Description
|
00
|
char[4]
|
‘Data’
|
04
|
uint
|
key_size
|
08
|
uint
|
data_size
|
12
|
char[key_size+1]
|
key_name
|
12 + key_size
|
char[]
|
pad to 4 byte boundary
|
..
|
char[data_size]
|
data
|
..
|
char[]
|
pad to 4 byte boundary
|
The value field can be different types depending on the data/database being backed up. It is different for different packages. You can find XML files, entire SQLITE databases in there, and also single byte true/false type settings.
In the screenshot below, you can see the key-value records as parsed out for com.android.vending.data. The 010 template for this is available here.
 |
| Figure 2 - Hex editor view of com.android.vending.data, showing 'Data' records parsed out using an 010 template |
In the above example, the value types are mostly True/False. But most other databases have other custom structures embedded there, which need further parsing.
In part 2 of this ADB series, we explore the formats of call logs and other databases that are backed up.
Nice!! Thanks for the GitHub link .
ReplyDeleteBeautiful !
ReplyDelete