Android devices must have root access, without root access app data can be backed up but will be encrypted.
For iOS devices, the iTunes backup password must be known if it has been set, if not, MOBILedit Forensic will set the password to "123". If the application data cannot be retrieved from the iTunes backup, the device must be jailbroken.

  1. Open MOBILedit Forensic and click "Start".

2.  Connect the device to the MOBILedit Forensic. And hit “Next”.

3. Select “Logical extraction” and hit “Next”

4. If “Forensic Connecto” will show up “Connector installation” window, hit “Install”. This is only for Android devices without a “Forensic Connector”.

5. Select “Application analysis” and hit “Next”.

6. In the search bar or by scrolling search for applications you want to backup, mark them, and hit “Next”.

7. On this page you can specify the report details make some notes etc. After that hit “Next”.

8. Now need to be selected “MOBILedit backup” as an export. Please make sure that after selecting that on the left side of the screen there is marked “Same as report” under “Content”. Hit “Next”.

9. Now select the export destination and name, and hit “Export”.

By default, the “Export name” is the name of the phone together with timestamp when the backup was done and the “Destination” is a path you can freely set.

10. MOBILedit has started performing the backup.

11. In a time it will ask you to start an ADB backup please hit “Ok”. In the case of iOS devices it will ask you to enter iTunes password, please enter the password or use the password breaker and hit “Ok”.

12. After extraction, press the "Result folder" button at the bottom to view the result.

13. You should have a folder on the path you specified in step 9. The folder contains the mobiledit_backup.xml and copied extracted files from the device.

In case you need to our help with analyzing some of the application make a zip of the whole folder and send it to us via email.


14. If you dig deeper into the backup_files folder, you will see it contains other subfolders called phone and file called fileHases.csv. In the phone folder, there are 4 subfolders with possible other sub/subfolders and files.

Which exact folders and files it contains and where they are is application-dependent.

In aplication0 there is a folder with the same name as is the name of the application package we just analyzed (in our case it is com.olacabs.customer), and inside there is a folder called live_data containing all the data from the backed-up application,

It is generally hard to say which data are important for further processing, and in which folders they are because it is different for each and every application. Some applications hold all of their data here and are quite simple for further processing and analyzing, other applications contain all of the data, but are quite difficult for further processing (they might be encrypted, etc..) and other applications don’t hold much data in the folder, but hold their data somewhere on the cloud in online databases or somewhere else. Thus, it is always from case to case how to do further processing.

But from the first sight, for example, we might see that there is a folder database, and it should contain some valuable data in SQL (in SQLite files). So this is the way to go to try it first. But here is an important note:

Never open the original database folder, because it can corrupt some data and you would have to make the backup once again.

Make a copy of the databases first, and if you want to look inside, open the copied file, NOT THE ORIGINAL ONE. What I would recommend is to copy the whole folder (to Desktop for example) and when you want to open a particular file, open it from that copy.

In order for us to further process and analyze an application from the backup, we need the whole original folder. In our case, the folder has a name "Samsung  Galaxy J3 2016 (2020-01-23 13h41m05s)".