Due to the increasing security standards of modern smartphones, forensic data acquisition from such devices is a growing challenge. One rather generic way to access data on smartphones in practice is to use the local backup mechanism offered by the mobile operating systems. We study the suitability of such mechanisms for forensic data acquisition by performing a thorough evaluation of iOS's and Android's local backup mechanisms on two mobile devices. Based on a systematic and generic evaluation procedure comparing the contents of local backup to the original storage, we show that in our exemplary practical evaluations, in most cases (but not all) local backup actually yields a correct copy of the original data from storage. Our study also highlights corner cases, such as database files with pending changes, that need to be considered when assessing the integrity and authenticity of evidence acquired through local backup.
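One way to compare a local backup against the original storage and set apart the pending-changes corner case, as an added example that is not the study's own tooling. It assumes both are available as extracted directory trees and that pending changes appear as non-empty SQLite-style `-wal` or `-journal` sidecar files; all file names and contents are constructed.

```python
import hashlib
import os
import tempfile

# Assumption: pending changes show up as SQLite-style sidecar files.
SIDECARS = ("-wal", "-journal")

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def has_pending(path):
    return any(os.path.isfile(path + s) and os.path.getsize(path + s) > 0
               for s in SIDECARS)

def compare(orig_root, backup_root):
    """Classify each file of the original storage against the backup copy."""
    verdicts = {}
    for dirpath, _, names in os.walk(orig_root):
        for name in names:
            if name.endswith(SIDECARS):
                continue  # sidecars are judged through their database file
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, orig_root)
            dst = os.path.join(backup_root, rel)
            if not os.path.isfile(dst):
                verdicts[rel] = "missing"
            elif sha256(src) == sha256(dst):
                verdicts[rel] = "match"
            elif has_pending(src):
                verdicts[rel] = "mismatch-pending-changes"
            else:
                verdicts[rel] = "mismatch"
    return verdicts

def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def demo():
    """Run compare() on two constructed trees (not real device data)."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, backup = os.path.join(tmp, "orig"), os.path.join(tmp, "backup")
        write_tree(orig, {"notes.txt": b"a", "photo.jpg": b"p", "prefs.xml": b"x",
                          "db/sms.db": b"main-v1", "db/sms.db-wal": b"pending"})
        write_tree(backup, {"notes.txt": b"a", "prefs.xml": b"y",
                            "db/sms.db": b"main-v2"})
        return compare(orig, backup)
```

A `mismatch-pending-changes` verdict means the hash difference may stem from changes not yet merged into the main database file, so the file calls for a content-level comparison before it is counted as an integrity failure.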