While the Downgrade Method has been known to the digital forensics community for a long time, it wasn’t until last year that it was added to Oxygen Forensic® Detective. Why did we wait?
It was not because of the difficulty of implementation. The Downgrade Method, while consisting of multiple steps, is relatively simple. It does not require the use of any exploits or hacks, and thus can be implemented by any attentive mid-level developer.
The main reason we waited to implement the Downgrade Method was due to its instability. This is why some companies treat it as a last resort. For starters, the method consists of several steps, and the incorrect execution or tampering with the process can lead to the loss of application data. Secondly, and most importantly, the details of the process depend significantly on many factors, such as the manufacturer of the phone, the OS version, the specific application or its version, as well as the settings of the phone. All of these things must be taken into account.
We have tested the method on dozens of different configurations to minimize the probability of lost application data. Many companies often neglect to perform proper testing before supporting this method, indicated by the continuous improvements they make to their tool after it has been released. This lack of testing comes at the cost of lost data for the user.
Many forensic experts these days are already familiar with this approach and aware of the risks. In this article, we will outline some challenging options and caution users against typical actions that lead to data loss or application termination with data intact.
During the development process, we have spent several months testing and identifying atypical situations to detect potential problems in advance. For example, we have learned that it is impossible to extract the original versions of applications from Sony Xperia L1. This means that once the data has been extracted, an investigator cannot get the phone back in working mode.
Some cases are worse. Sometimes it is impossible to open an application after its original version has been restored. This issue arises due to the implementation of authorization data processing in Google Account Manager in the accounts.db. For example, whereas both Twitter and ICQ apps utilize Google Account Manager for authorization, investigators cannot authorize in Twitter after the app is restored but can authorize in the restored version of ICQ, provided that the device operates on Android 7. This is a good example of a problem that is specific to a combination of a particular application and a particular OS version.
Problems caused by the older versions of Android can also be quite common. For example, sometimes the Downgrade Method does not work correctly on Xiaomi devices with Android 6. A “not enough memory” error may cause the loss of data from restored applications.
Another problem may arise when dealing with devices that can create only encrypted backups, such as Samsung devices with Android OS 11 for instance. In this case, an additional check is required. Users will be asked to create a password with which the backup will first be encrypted and then decrypted.
Each new version of the Android OS introduces its own innovations, and thus, different combinations must be rechecked and taken into account. For example, with Android 12, the scheme works on Android Pixel but fails on Samsung models, as Samsung is one of the vendors with the most customized devices. Moreover, after the downgrade/restoration procedure the processed apps lose the data, so the correct algorithm is yet to be found. We advise not to use the approach with Samsung devices on Android 12 and be extremely cautious with other smartphones at the moment.
Some minor issues can arise in the following cases:
- The package name of an application has been changed in newer versions;
- The earlier version of the application cannot be installed and the preliminary removal of the existing application while saving its data is required;
- During a version upgrade the connection with the phone gets lost and the device has to be rebooted.
All devices operating on Android OS 6 to 9 have to be rebooted in order to downgrade the app versions. There are also cases when the app version that is used as a reference is higher than the one installed on the phone or is not supported by the Android OS version on the device.
The main limitation of this method is that it cannot be applied if the application data is stored in an encrypted space, such as Secure Folder from Samsung or Second Space or Dual Apps from Xiaomi. Any attempt to downgrade such an application leads to data loss. However, Oxygen Forensic® Detective can detect whether the application is copied to an encrypted space and then stop the downgrading process before it is too late. The remaining applications can be downgraded and data from them will be extracted. Huawei Private Space is designed differently, allowing investigators to work with apps having copies in the protected area.
During the downgrade process, investigators must not interfere by performing actions on the phone. Opening a downgraded application on the phone during the downgrade process will inevitably lead to data loss. Investigators can try to fix this issue by temporarily disabling the application, but this will result in application data not getting into the backup.
The downgrade method may not bring the desired results if multiple user profiles are set on the phone, including the cases when the device owner shares it with other people. An .adb backup that is used by all vendors for data extraction from downgraded applications does not include the data of non-main users. However, in this case, their data will not be damaged.