Digital investigators sometimes obtain key evidence by extracting user data from the smartphones of suspects. However, it is becoming more difficult to extract user data from smartphones, due to continuous updates and the use of data encryption functions, such as Full Disk Encryption (FDE) and File Based Encryption (FBE). Backup data are usually stored in an encrypted form, in order to protect user privacy. Therefore, it is essential for digital investigators to be able to transform encrypted backup data into a form that can be used as evidence. For this purpose, an analysis of the backup method used in a smartphone is needed.

In the research reported in this paper, we first analyze the backup process of Huawei smartphones, and then propose a method for decrypting Huawei smartphone backup data encrypted with a user-entered password. This process is performed by analyzing the Huawei application and PC program called KoBackup and HiSuite, respectively. We developed a tool for user-entered password recovery and encrypted backup data decryption. To the best of our knowledge, this is the first result analyzing all of the backup processes available for Huawei smartphones and decrypting their backup data.

数字调查员有时会通过从犯罪嫌疑人的智能手机中提取用户数据来获取关键证据。但是，由于不断更新和使用数据加密功能（例如全盘加密（FDE）和基于文件的加密（FBE）），从智能手机提取用户数据变得越来越困难。备份数据通常以加密形式存储，以保护用户隐私。因此，数字调查人员必须能够将加密的备份数据转换为可以用作证据的形式，这一点至关重要。为此，需要分析智能手机中使用的备份方法。

在本文报道的研究中，我们首先分析了华为智能手机的备份过程，然后提出了一种解密使用用户输入密码加密的华为智能手机备份数据的方法。通过分别分析名为KoBackup和HiSuite的Huawei应用程序和PC程序来执行此过程。我们开发了一种用于用户输入的密码恢复和加密备份数据解密的工具。据我们所知，这是分析华为智能手机可用的所有备份过程并解密其备份数据的第一个结果。