Android Backup
Extracting information from an Android Backup (.ab) file
Reading files in the Backup
To extract and browse files from an Android Backup, use android-backup-extractor (abe.jar
):
When you have the latest release downloaded, simply start it with java to unpack your .ab
file into a .tar
file:
The password is only required if the backup is encrypted, in which case you will want to find a password somewhere to extract it.
If you are having trouble unpacking the .ab file into a .tar file, you can try to manually do it by prepending a few bytes like with the following command:
After this is extracted, you can explore the created folder and see all the files that were stored in the backup.
Cracking Android Password
(source)
When you have access to the files on an Android device, you can find a hash of the password/PIN used to unlock the device. Often you will find such a key in the /data/system/password.key
file. It contains a hex-encoded string which is a combination of the SHA1 hash, as well as the MD5 hash. For example:
If you cannot find this file, you might have multiple users. See this section on how to extract a password for each user.
This key is computed like so:
These can be split by taking the first 40 characters as a SHA1 hash, and the leftover 32 characters as the MD5 hash:
Finding the Salt
Then the final thing required is the salt for the hash. You can find it by looking for the settings SQLite database. Commonly it is found in the following locations:
Android 1.0-4.0
/data/data/com.android.providers.settings/databases/settings.db
Android 4.1+
/data/system/locksettings.db
You can simply connect to it with the sqlite3 command:
Then you can find the password salt by running the following query:
This is simply a number, and to get it into the regular salt string, you need to convert it to lowercase hexadecimal notation (without the 0x
):
Cracking with Hashcat
Finally, now that we have the hashed password and salt, we can get to actually cracking it. We have two hashes, an MD5 hash, and a SHA1 hash. They are both from the same password and salt, so we can just choose one of the two. Since the MD5 hash is a lot faster to compute, we will use that for cracking.
The correct hashcat mode is -m 10
, as this is md5($pass.$salt)
seen in the example hashes. That page also gives us the format hashcat expects from the hash. We will first put the MD5 hash, followed by a :
colon, and finally the salt value in hex.
The locksettings.db
file can also reveal what kind of password is used, which helps with deciding what pattern to crack. Simply run the following query on the database and see what it means:
32768
LowLevelBiometricSecurity
: implies technologies that can recognize the identity of an individual to about a 3-digit PIN (i.e. face)
65536
PatternPassword
: any type of password is assigned on the device (i.e. pattern)
131072
NumericPasswordBasic
: numeric password is assigned to the device
196608
NumericPasswordAdvanced
: numeric password with no repeating (4444) or ordered (1234, 4321, 2468, etc.) sequences
262144
AlphabeticPassword
: alphabetic password
327680
AlphanumericPassword
: alphabetic and numeric password
393216
ComplexPassword
: alphabetic, numeric, and special character password
Then finally, you can start hashcat to crack the password, for example:
For more details on hashcat options, see Hashcat.
WhatsApp Messages
When you have access to the files of a device, you might find that it contains Whatsapp messages stored in a backup. These are often said to be encrypted, but the key to decrypt them is also stored along the same files. You simply have to use a tool to decrypt them, and one such tool is whatsapp-viewer:
To use this tool, you need a couple of files. Firstly, the key for decrypting the databases. This key can be stored in a couple of different locations, but the simplest way is to just search for a path with "whatsapp" and "key" to find a single file named key
:
Now that we have the key, we can get the database with messages and contacts to decrypt. To find the directory containing the databases, simply search for it again:
In this directory, you will find a msgstore.db
file, and optionally a wa.db
file containing contact information. With these files, you can start WhatsApp Viewer, and depending on the .crypt
version of your database, you can go to File -> Decrypt .crypt[N]. From there select your database and key file, decrypt it, and select an output file location.
This output file is now the SQLite database unencrypted which you can view with sqlite3
:
Last updated