Decrypting password-based encrypted backup data for Huawei smartphones

Abstract

Digital investigators sometimes obtain key evidence by extracting user data from the smartphones of suspects. However, it is becoming more difficult to extract user data from smartphones, due to continuous updates and the use of data encryption functions, such as Full Disk Encryption (FDE) and File Based Encryption (FBE). Backup data are usually stored in an encrypted form, in order to protect user privacy. Therefore, it is essential for digital investigators to be able to transform encrypted backup data into a form that can be used as evidence. For this purpose, an analysis of the backup method used in a smartphone is needed.In the research reported in this paper, we first analyze the backup process of Huawei smartphones, and then propose a method for decrypting Huawei smartphone backup data encrypted with a user-entered password. This process is performed by analyzing the Huawei application and PC program called KoBackup and HiSuite, respectively. We developed a tool for user-entered password recovery and encrypted backup data decryption. To the best of our knowledge, this is the first result analyzing all of the backup processes available for Huawei smartphones and decrypting their backup data.