The Android ADB backup is one of the methods used to acquire evidence from unlocked Android devices. However, with this approach, investigators cannot extract data from the latest versions of many applications because app providers exclude that data from the backup. As a result, a parsed Android backup will contain very few app artifacts.
Fortunately, there is a solution that is widely used in digital forensics – the APK Downgrade method. It allows the creation of backups that contain app data that was previously inaccessible using the Android ADB backup method. By temporarily downgrading a selection of apps to older versions, investigators have the ability to extract valuable user and app data.
Our APK Downgrade method is compatible with Android OS versions 5 to 13 and works on all supported device models, except Samsung devices running Android OS 12 and 13.
Currently, Oxygen Forensic® Detective supports APK downgrade for 46 applications, including WhatsApp, Facebook, Instagram, Twitter, Tinder, and many others.
Overall, the APK downgrade procedure includes four main steps:
- Select which apps to downgrade from our list of supported applications
- Save a copy of the original app APK files and downgrade the selected apps
- Extract the app data
- Restore APK files to their original state
Note: This method does not change app user data, so it is safe to use.
How to downgrade APK in Oxygen Forensic® Detective
Let’s take a closer look into exactly how to execute an APK downgrade in Oxygen Forensic® Detective.
Before starting, ensure the Android device is unlocked, fully charged, and in airplane mode. Once that is complete, select the “APK Downgrade” option in the Oxygen Forensic® Device Extractor.
Click “Extract data from applications” and connect a device. Once the device is detected, the software will scan it for installed apps and check which of them are supported by APK Downgrade.
Oxygen Forensic® Detective provides investigators the option to downgrade and extract data from all supported apps or just specific apps. From the list of available apps, investigators may select all the apps from which they would like data to be extracted.
Once the investigator has selected their apps of interest, the downgrading process begins. The software will save the original versions of the APK files and downgrade the selected app versions.
Note: Do not interact with the device during this time.
To extract downgraded app data, an Android backup will be created.
Once the extraction is done, the software will automatically restore the original APK files.
Note: When restored, downgraded applications will not remain in the same location on the device Home Screen as they were before the APK downgrade.
After the restoration is complete, investigators will be able to import and parse downgraded app data into Oxygen Forensic® Detective. At import, investigators will be required to enter the default 1234 password to decode the Android backup.
Once the backup is parsed, investigators will see all the decoded app data.
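Before import, an examiner can confirm that the acquired file is a well-formed, password-protected Android backup and record its hash. The following is an added example, not part of Oxygen Forensic® Detective; it assumes the backup is stored in the standard ADB backup container format, and the function names and sample headers are constructed for illustration.

```python
import hashlib
import io

MAGIC = b"ANDROID BACKUP"

def _line(stream):
    """Read one newline-terminated ASCII header line."""
    raw = stream.readline(4096)
    if not raw.endswith(b"\n"):
        raise ValueError("truncated Android backup header")
    return raw[:-1].decode("ascii")

def parse_ab_header(stream):
    """Parse the text header of an Android backup and return its fields."""
    if _line(stream).encode() != MAGIC:
        raise ValueError("not an Android backup: bad magic line")
    info = {
        "version": int(_line(stream)),
        "compressed": _line(stream) == "1",
        "encryption": _line(stream),
    }
    if info["encryption"] == "AES-256":
        # Encrypted backups carry five more lines of key-derivation parameters.
        info["user_salt"] = bytes.fromhex(_line(stream))
        info["checksum_salt"] = bytes.fromhex(_line(stream))
        info["pbkdf2_rounds"] = int(_line(stream))
        info["user_iv"] = bytes.fromhex(_line(stream))
        info["master_key_blob"] = bytes.fromhex(_line(stream))
    elif info["encryption"] != "none":
        raise ValueError("unknown encryption: " + info["encryption"])
    info["payload_offset"] = stream.tell()
    return info

def describe(data):
    """Summarise a backup held in memory, with a SHA-256 for the case notes."""
    info = parse_ab_header(io.BytesIO(data))
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["needs_password"] = info["encryption"] == "AES-256"
    return info

# Constructed sample headers (not from a real device); payload bytes are dummies.
ENCRYPTED = (b"ANDROID BACKUP\n5\n1\nAES-256\n" + b"AA" * 64 + b"\n" + b"BB" * 64 +
             b"\n10000\n" + b"CC" * 16 + b"\n" + b"DD" * 96 + b"\n" + b"\x00" * 8)
PLAIN = b"ANDROID BACKUP\n5\n1\nnone\n" + b"\x78\x9c" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("encrypted", ENCRYPTED), ("plain", PLAIN)):
        d = describe(blob)
        print(name, d["version"], d["encryption"], d["needs_password"], d["payload_offset"])
```

A file whose header reports `none` will not prompt for a password at import, and a file that fails the magic-line check is not an Android backup at all.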
The APK downgrade is a safe and easy-to-use method that allows investigators to acquire valuable app evidence that wouldn’t normally be accessible using the classic Android ADB backup method.