Friday, 18 June 2021

Android - Tracking Device Migration

In this multi-part blog series on tracking device migration, we're going to take a look at some of the core artifacts one might be able to track on Android devices. Unlike iOS, Android devices are unlikely to have local backups restored from a computer; however, device-to-device and GDrive/cloud backups allow users to transition data from one device to another. This doesn't just include Android to Android but can include iOS to Android too!

While multiple Android device manufacturers have created their own switch-over applications, like Samsung's Smart Switch, Android has its own. Android users can restore information from Google Drive down to their device, or hook up a cable and transfer the data device-to-device. Several relevant artifacts get left behind. Unfortunately, most of these artifacts require a file system level image. Some of the information is left in the /media/0 directory, which is available in quick-style images and can at least help provide some context.



In the case of a standard Android device migration, users should locate the folder /data/data/com.google.android.setupwizard/shared_prefs/. Within this folder there will be several relevant .xml files. 


The DeviceOrigin.xml file will list out where the original source data came from. In the case of both iOS and Android devices, this information will be here and will reflect the manufacturer and model.


If the DeviceOrigin.xml file doesn't list out a device, a cloud backup from GDrive could be in play. Within the same directory, a file called SetupWizardCredentialProtectedPrefs.xml will list out what Google account was backed up. This file may exist if the migration was device-to-device or a cloud backup, but only if the account was passed over.

The Phenotype.xml file in this directory can also contain the Google account used and passed over. This information may also be available in the accounts_de.db or accounts_ce.db database files, which are responsible for storing the accounts saved to the Android device.




Data gets moved over fairly seamlessly in Android device-to-device or GDrive backups in the case of the /media/0 (emulated SD) area. However, in an iOS-to-Android device-to-device transfer, the data gets stored in a folder called "Restored from iPhone."


Android devices may also have their own migration packages. Since our target device in this case was a Pixel there is a package that can reveal some additional information. 

Within the data/data/com.google.android.apps.pixelmigrate directory another shared_prefs directory has some interesting files. 

In the case of iOS to Android, users can find a file called ios_preferences.xml which will list out the UDID of the original source iOS device as well as a created date/time which can help show when the migration took place. 

In the case of Android to Android, users won't find a file here, unfortunately. But in the case of device-to-device (and cloud restores), an XML file called com.google.android.apps.pixelmigrate.xml can help show what was transferred from the source device.

For the cloud restores from GDrive, a file called cloudrestore.component.CloudRestoreFlowActivity.xml will be in this directory. An Android_ID value within this file can be used as a keyword search against a target device to see if this was the original source device. It also contains a "restore_started" value which will reflect that the cloud backup was started. 
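The checks above can be scripted against an extracted file system image. The following is an added example, not code from the original post: it looks for each file named above, parses it as a standard Android shared_prefs `<map>` file, and maps the Pixel migrate files to the scenarios described. The post does not give the key names inside these files, so the script returns whatever each file contains, and the scenario mapping is a heuristic drawn from the descriptions above.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Directories and file names as given in the post, relative to the image root.
SETUP = "data/data/com.google.android.setupwizard/shared_prefs/"
PIXEL = "data/data/com.google.android.apps.pixelmigrate/shared_prefs/"
IOS = PIXEL + "ios_preferences.xml"
MIGRATE = PIXEL + "com.google.android.apps.pixelmigrate.xml"
CLOUD = PIXEL + "cloudrestore.component.CloudRestoreFlowActivity.xml"
ARTIFACTS = [SETUP + "DeviceOrigin.xml", SETUP + "Phenotype.xml",
             SETUP + "SetupWizardCredentialProtectedPrefs.xml",
             IOS, MIGRATE, CLOUD]

def parse_shared_prefs(path):
    """Return {name: value} from a shared_prefs <map> file, None if malformed."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None  # file exists but is truncated or corrupt
    prefs = {}
    for el in root:
        if el.tag == "set":  # string sets nest <string> children
            value = sorted(s.text or "" for s in el)
        else:  # <string> uses element text; typed entries a value attribute
            value = el.get("value", el.text or "")
        prefs[el.get("name")] = value
    return prefs

def triage(image_root):
    """Parse every listed artifact that exists under the extracted image."""
    root = Path(image_root)
    return {rel: parse_shared_prefs(root / rel)
            for rel in ARTIFACTS if (root / rel).is_file()}

def migration_hints(found):
    """Scenario the post ties to each Pixel migrate file (a heuristic)."""
    hints = []
    if IOS in found:
        hints.append("iOS to Android")
    if CLOUD in found:
        hints.append("Google Drive cloud restore")
    if MIGRATE in found and not hints:
        hints.append("device-to-device")
    return hints

if __name__ == "__main__" and len(sys.argv) > 1:
    found = triage(sys.argv[1])
    print(migration_hints(found), found, sep="\n")
```

Run it with the root of the extracted image as the only argument. A file that is present but unparseable is reported with a value of `None` and should be reviewed by hand.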

Unlike the iOS counterpart (which can be found at this link), it's not quite as descriptive or readily available. Still, the information can be beneficial when tracking the movement of data across devices.


