The Android ADB backup is one of the methods used to acquire evidence from unlocked Android devices. However, with this approach, investigators cannot extract data from applications of the latest version because the app provider does not include their data in the backup. As a result, a parsed Android backup contains very few app artifacts.
Fortunately, there is a solution that is widely used in digital forensics – the APK downgrade procedure. It allows the creation of backups that contain app data that was previously inaccessible using the Android ADB backup method. By temporarily downgrading a selection of apps to older versions, investigators have the ability to extract valuable user and app data.
Oxygen Forensic® Detective v.14.0 implements a long-awaited Android app downgrade method allowing investigators to extract a variety of app data from a wide selection of unlocked Android devices. This method is compatible with Android OS versions 5 to 11. However, there are certain exceptions, depending on the Android version:
- For devices running Android OS versions 6 to 9, a device restart will be required during the downgrade process.
- For devices running Android OS 7, some applications may be logged out after data extraction.
Currently, Oxygen Forensic® Detective supports APK downgrade for 46 applications, including WhatsApp, Facebook, Instagram, Twitter, Tinder, and many others. We will provide the full list of supported applications at the end of this article. Overall, the APK downgrade procedure includes the following steps:
- Select which apps to downgrade from our list of supported applications
- Make a copy of the original app APK files and downgrade the selected apps to older versions
- Extract the app data
- Restore APK files to their original state
Note: This method does not change app user data, so it is safe to use.
APK Downgrade in Oxygen Forensic® Detective
Let’s take a closer look into exactly how to execute an APK downgrade in Oxygen Forensic® Detective.
Getting Started with the APK Downgrade Method
Before starting, ensure the Android device is unlocked, fully charged, and in airplane mode. Once that is complete, select the “APK Downgrade” option in Oxygen Forensic® Extractor.
Data Extraction: Set Up
- Click the “Extract data from applications” option to start the extraction process.
- The “Restore the device” option can be utilized when issues occur during the APK downgrade procedure.
- Investigators can only restore a device on the same computer the APK downgrade was performed on because the original APK files are stored there.
Connecting the Device
- Enable USB Debugging on the device.
- After successfully detecting the device, Oxygen Forensic® Detective will scan installed apps and display how many apps can be downgraded.
- In our case, 15 of the 57 installed apps can be downgraded.
Selecting Apps to Downgrade
Oxygen Forensic® Detective provides investigators the option to downgrade and extract data from all supported apps or just specific apps. From the list of available apps, investigators may select all the apps from which they would like data to be extracted.
Once the investigator has selected their apps of interest, the downgrading process can begin. The software will save original versions of the APK files and downgrade the selected app versions.
Note: It is strictly prohibited to interact with the device during this time.
Data Extraction: Extracting Downgraded Data
To extract downgraded app data, an Android backup will be created.
- Confirm the backup creation on the device.
- In certain cases, a password must be set for the backup. We recommend using the default password, 1234, which will later be used to import the backup into Oxygen Forensic® Detective.
Once the extraction is done, the software will automatically restore the original APK files.
Note: When restored, downgraded applications will not remain in the same location on the device Home Screen as they were before the APK downgrade.
Importing and Parsing in Oxygen Forensic® Detective
After the restoration is complete, investigators will be able to import and parse downgraded app data in Oxygen Forensic® Detective. At import, investigators will be required to enter the default 1234 password to decode the Android backup.
Once the backup is parsed, investigators will see all the decoded app data. If the classic Android backup method were used on the same device, investigators would not have any app data. This is because the latest app versions would not have been included in the Android ADB backup.
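To check independently which packages actually contributed data to an Android backup, the added example below (not Oxygen Forensic® Detective code) reads the standard `adb backup` header and, for an unencrypted image, counts data files per package. The package names and file contents are constructed; for a password-protected backup it reports the header only, since the payload cannot be read without the password.

```python
import io
import tarfile
import zlib
from collections import Counter

def parse_ab(blob):
    """Return (header, Counter of data files per package) for an .ab image."""
    stream = io.BytesIO(blob)
    if stream.readline() != b"ANDROID BACKUP\n":
        raise ValueError("not an Android backup: bad magic line")
    header = {
        "version": int(stream.readline().decode("ascii")),
        "compressed": stream.readline().strip() == b"1",
        "encryption": stream.readline().strip().decode("ascii"),
    }
    if header["encryption"] != "none":
        # Key-derivation lines follow; payload is unreadable without the password.
        return header, None
    payload = stream.read()
    if header["compressed"]:
        payload = zlib.decompress(payload)
    files = Counter()
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar:
            parts = member.name.split("/")
            if parts[0] != "apps" or len(parts) < 3:
                continue  # skip shared-storage and other non-app entries
            files[parts[1]] += 0  # list manifest-only packages too
            if member.isfile() and parts[2] != "_manifest":
                files[parts[1]] += 1
    return header, files

def build_sample():
    """Constructed backup: one app with data, one with only its manifest."""
    entries = [
        ("apps/com.example.chat/_manifest", b"1\ncom.example.chat\n"),
        ("apps/com.example.chat/db/msgs.db", b"constructed rows"),
        ("apps/com.example.notes/_manifest", b"1\ncom.example.notes\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    header, files = parse_ab(build_sample())
    print(header, dict(files))
```

A package that appears with a count of 0 has only its `_manifest` entry in the backup, so it yields no app artifacts when parsed.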
The APK downgrade is a safe and easy-to-use method that allows investigators to acquire valuable app evidence that wouldn’t normally be accessible using the classic Android ADB backup method.
The list of supported apps
| Application | The version to which the app is temporarily downgraded | The minimum OS version on the Android device |
|---|---|---|
| Opera Mini (com.opera.android.mini) | 8.0.1807.91184 | 5.0 |
| Opera Mini (com.opera.mini.android) | 5.1.1 | 5.0 |
| Opera Mini (com.opera.mini.native) | 21.0.2254.111920 | 5.0 |
| Signal Private Messenger | 2.28.1 | 5.0 |
| Voxer Walkie Talkie Messenger | 188.8.131.5263 | 5.0 |