Extracting data from SmartSwitch backups
Recently we faced a big problem: logical extractions didn’t allow us to get contacts and SMS messages from new Samsung mobile devices, for example, the Galaxy S4. There is a proprietary Samsung tool, SmartSwitch, that can successfully back up this information from newer mobile devices. But here is the problem: the backup files are in a proprietary format, and modern mobile forensic software isn’t able to extract data from them.
For example, SMS messages are stored in the Message.sme file, and contacts in Contacts.spb. If top mobile forensic software can’t parse these files, what can an examiner do? Don’t worry, we have found the solution.
We have found a piece of software capable of restoring SmartSwitch backups – Wondershare Mobile Trans:
Figure 1. Wondershare Mobile Trans
Just open it and point it at your SmartSwitch backup location (choose Kies, because there is no SmartSwitch option). We backed up only SMS messages and contacts via SmartSwitch, so we have only these two options to restore, as you can see in Figure 1.
Now you can close it. Why? Because all the magic is already done. Look at your backup folder: it now contains a DecryptData subfolder, which in turn has two more subfolders, Contact and Message:
Figure 2. DecryptData subfolders
Inside these two folders there are two XML files, Contact.xml and Message.xml. Now you can easily convert these files into your favorite format and add them to your report.
It’s important to note that the SMS messages are Base64-encoded (an encoding, not encryption), so don’t forget to use your favorite tool to decode them.
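One way to do the decoding step for the report, as an added example that is not part of the original article. The schema of Message.xml is not given here, so the element names in the constructed sample are hypothetical; the script therefore goes beyond the SMS body and checks every leaf field, keeping the raw value next to any decoded text.

```python
import base64, binascii, csv, hashlib, io
import xml.etree.ElementTree as ET

# Constructed sample. The real Message.xml schema is not documented on this
# page, so the element names below are hypothetical.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Messages>
  <Message><Address>+15550100</Address><Date>2014-03-01 10:15:00</Date>
    <Body>SGVsbG8sIGFyZSB5b3UgdGhlcmU/</Body></Message>
  <Message><Address>+15550101</Address><Date>2014-03-01 10:17:42</Date>
    <Body>0J/RgNC40LLQtdGC</Body></Message>
</Messages>"""

def try_b64_text(value):
    """Return the decoded text if value is strict Base64 of printable UTF-8, else None."""
    v = (value or "").strip()
    if len(v) < 4 or len(v) % 4:
        return None
    try:
        text = base64.b64decode(v, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def decode_backup_xml(xml_bytes):
    """Hash the input for the report, then list every leaf field with its decoding."""
    digest = hashlib.sha256(xml_bytes).hexdigest()
    rows = []
    for rec_no, record in enumerate(ET.fromstring(xml_bytes), 1):
        for el in record.iter():
            if len(el) == 0 and el.text and el.text.strip():
                # Keep the raw value too: a short field can be valid Base64 by chance.
                rows.append((rec_no, el.tag, el.text.strip(), try_b64_text(el.text)))
    return digest, rows

def to_csv(rows):
    """Render the rows as CSV text with raw and decoded columns side by side."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["record", "field", "raw", "decoded"])
    writer.writerows((n, f, raw, dec or "") for n, f, raw, dec in rows)
    return buf.getvalue()

if __name__ == "__main__":
    sha256, rows = decode_backup_xml(SAMPLE_XML)
    print("SHA-256 of input:", sha256)
    print(to_csv(rows))
```

To run it on a real backup, read the file with `open(path, "rb").read()` and pass the bytes to `decode_backup_xml`.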
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics