The short answer: Google Drive Android backup contains app data for apps that opted in to Android Backup API, device settings, call plus SMS history, contacts plus Google Photos sync. Samsung Cloud backs up Samsung Notes, Samsung Health, Samsung Internet, Bixby data plus most device settings. Carrier backups vary widely. Encryption posture differs across vendors. For forensic acquisition the authentication path requires either user credential or court order plus vendor cooperation or vendor-supplied investigator portal access.
The Three Cloud Backup Categories
Android cloud backups split into three categories with materially different forensic content. The first is the Google Drive Android backup, the default backup mechanism for any Android device signed in to a Google account. The second is the OEM backup, the vendor-specific backup mechanism that Samsung, Xiaomi, OnePlus, Motorola plus other manufacturers operate alongside Google Drive backup. The third is the carrier backup, the optional backup mechanism that wireless carriers (Bell, Telus, Rogers in Canada, Verizon, AT&T, T-Mobile in the US) offer through carrier-branded apps.
For a typical Canadian Android user the active backup destinations include Google Drive (default for all Android devices signed in to a Google account), Samsung Cloud (default for Samsung devices when the user signs in to a Samsung account), Google Photos (default for photo plus video sync when the user enables it) plus optionally a carrier backup (rare in Canadian deployments compared to US deployments).
What Google Drive Android Backup Actually Contains
Google Drive Android backup is the Android Backup Service implementation, configured per-device through Settings > System > Backup. The backup runs automatically when the device is on Wi-Fi, charging plus has been idle for several hours. The backup contains several categories.
The first category is app data for apps that opted in to the Android Backup API. Apps that opt in declare backup eligibility in their AndroidManifest.xml plus configure which app data files are eligible for backup. The Android Backup Service serializes the declared data, uploads it to Google Drive plus restores it on next install. The catch: most messaging apps, banking apps, healthcare apps plus security-sensitive apps decline to opt in. Apps that do opt in include Spotify (preferences plus playback state), Google Keep (notes), most games (game state) plus a long tail of utility apps. The forensic value of the app-data category depends entirely on which apps opted in for the device.
The second category is device settings. This includes saved Wi-Fi networks plus passwords, display preferences, accessibility settings, language plus locale, notification preferences plus per-app permissions. For investigators reconstructing user behaviour the Wi-Fi network list is forensically valuable: it documents every Wi-Fi network the user joined, with the SSID, the BSSID where available plus the connection priority.
The third category is call history plus SMS plus MMS messages. The call history table includes incoming, outgoing plus missed calls with timestamps, contact identifiers plus call duration. The SMS plus MMS database includes message content, sender plus recipient identifiers plus timestamps. For forensic investigations involving communication pattern analysis this category is the primary data source from Google Drive backup.
The fourth category is contacts (synced through Google Contacts) plus calendar events (synced through Google Calendar). These categories are not strictly part of the Android backup but they sync to the same Google account plus are typically available alongside the device backup.
The fifth category is photos plus videos through Google Photos sync (when the user enables it). The Google Photos sync retains original-quality photos plus videos when the user has paid storage or has used the original-quality upload setting. For investigations the Google Photos data set may extend back years plus capture historical photos that are no longer on the device.
What Samsung Cloud Contains
Samsung Cloud is the OEM backup mechanism for Samsung devices, configured per-device through Settings > Accounts and backup > Samsung Cloud. The Samsung Cloud backup operates in parallel with Google Drive backup plus contains Samsung-specific data categories.
Samsung Notes data is backed up to Samsung Cloud including note content, handwritten content (preserved as drawing data not rasterized images), plus folder organization. Samsung Health data covers fitness activity, sleep tracking plus heart rate data when the user has the Samsung Health app installed. Samsung Internet bookmarks plus browsing data covers the Samsung-branded browser usage which is the default browser on Samsung devices. Samsung Pass credential vault is backed up (encrypted, requires Samsung account authentication to decrypt). Bixby preferences plus dialog history is backed up when the user has Bixby enabled.
The most forensically valuable Samsung Cloud category for Canadian investigations is typically Samsung Notes because it captures user-handwritten content that may include passwords, account numbers, contact details or other case-relevant information that the user wrote into Samsung Notes rather than into a dedicated app.
Encryption Posture and Authentication Requirements
Android cloud backups carry different encryption postures. Google Drive backup uses end-to-end encryption protected by the user device screen lock starting Android 9 (released 2018). The encryption key is derived from the device PIN, pattern or password plus is never transmitted to Google. For forensic acquisition this means investigators need either the user device authentication credential or a court order paired with vendor cooperation that allows authentication-bypass acquisition.
Samsung Cloud uses server-side encryption with key escrow tied to the Samsung account. The encryption protects the data at rest plus in transit but Samsung holds the key material in escrow form which allows Samsung to provide investigator access through formal court order. The acquisition path requires the Samsung user account credential plus a court order plus Samsung legal cooperation.
Carrier backups vary widely in encryption posture. Some carrier backups use end-to-end encryption similar to Google Drive backup; some use server-side encryption with carrier key escrow; some use minimal encryption. The carrier backup acquisition path is per-carrier specific plus often requires direct engagement with the carrier security team.
Cloud Backup vs Device-Level Acquisition
The forensic acquisition comparison between cloud backup plus device-level acquisition is straightforward in principle but nuanced in practice. Device-level acquisition through the Sherlock Android Acquirer captures the full installed-app data set including apps that did not opt in to cloud backup. The device captures the live state of the apps as of the acquisition moment. The cloud backup captures only the cloud-backup-eligible subset but extends backward through backup version history.
For investigations needing comprehensive coverage the standard methodology applies both acquisition paths. The device-level acquisition produces the current-state evidence; the cloud backup produces the historical-state evidence. The two data sets together reconstruct a richer behavioural picture than either alone.
For investigations where the device is unavailable (the device was lost, destroyed in the relevant incident, in custody of opposing party in litigation, in custody of law enforcement) the cloud backup is the primary acquisition path. The Sherlock Forensics methodology handles cloud backup acquisition through the documented legal-process workflow that satisfies Canadian evidentiary requirements.
The Backup Version History Detail
Google Drive Android backup retains the most recent backup plus the most recent successful backup from the prior period. Samsung Cloud retains multiple backup versions with the retention depth configured per backup type. Google Photos retains photos plus videos indefinitely (subject to user account quota). The backup version history matters forensically because it allows reconstruction of state at multiple points in time.
For investigators reconstructing the timeline of a specific event the historical backup state can confirm or refute claims about device state at specific timestamps. A claim about app installation date can be verified against the backup history. A claim about a specific message thread can be checked against the historical SMS backup contents. The retention windows vary by vendor plus by backup type but the principle is consistent: cloud backups provide point-in-time historical snapshots that device-level acquisition cannot reach.
What Sherlock Customers Should Do
For organizations conducting internal mobile forensic investigations the operational discipline includes both cloud backup plus device-level acquisition paths in the standard methodology. The Sherlock Android Acquirer handles the device-level acquisition path. The cloud backup acquisition path requires the vendor-specific legal process workflow which Sherlock handles through engagement work. For investigations needing comprehensive Android forensic coverage the engagement model produces both data sets plus reconciles them into a unified evidence record.
For Canadian organizations subject to litigation hold obligations (per provincial rules of civil procedure plus the federal Rules of Civil Procedure) the cloud backup acquisition path is the canonical solution when the original device is no longer available. Building the operational discipline to acquire cloud backups at the start of litigation hold preserves the data before any user-side actions can affect it.
Android cloud backups are one of the most underutilized forensic data sources in 2026 mobile investigation work. The data exists. The acquisition path is documented. The forensic yield is high for the relatively modest engagement investment.