In the course of a digital forensic or incident response investigation involving an Android device, a standard ADB backup is the common denominator: it is a safe, standard way of acquiring device data that does not risk rendering the device non-functional or invalidating the obtained evidence, as the use of exploits can.
The drawback of an ADB backup is that it contains a limited amount of information compared to a so-called 'full file system image' of the device. This gets worse as newer versions of applications stop including their data in the backup. The method described in this article is useful for obtaining data from applications whose current versions exclude their data from the backup while older versions still included it.
The Android APK downgrade method allows a user to downgrade applications on an Android device, meaning that an older version of an app is temporarily installed on the device. This simple trick makes it possible to extract data from applications that have removed the possibility of backing up their data. Examples of such applications include Facebook Messenger, WhatsApp, Signal, Telegram, and others.
Once the acquisition process completes, it is important to restore the original version of an app on the device.
In this article, we will demonstrate this approach using Belkasoft X, a digital forensic and incident investigation tool from Belkasoft. Belkasoft X supports downgrading and obtaining data from a few dozen of the world's most popular Android applications.
How to use APK downgrade method in Belkasoft X
1. Run Belkasoft X and choose to acquire an Android data source
Please see Belkasoft tutorials to learn how to add a data source to your case.
2. Select ‘APK Downgrade’ acquisition method:
Figure 1: Selecting APK Downgrade acquisition type
3. Connect the Android device to the computer via USB:
Figure 2: Connected Android device
Requirements for this method are the same as for starting the standard ADB backup:
- The device must be powered on
- The device must be unlocked
- Developer mode must be enabled
- USB debugging must be enabled
No rooting is required.
4. Select one or more applications to acquire, using check boxes
Figure 3: Selecting applications to acquire
Only apps installed on a particular device and supported by this method are shown.
Once you start the acquisition process, Belkasoft X will do the following:
- Back up the current versions of the applications
- Install the old versions of the applications; user data is preserved
- Reboot the device (required on Android 6.0 and newer)
- Make an ADB backup
- Restore the original app versions
If anything goes wrong, the next APK downgrade attempt will fix the problem by recovering the original app versions, which are safely stored in a temporary location. If the subsequent attempt does not work either, you can manually restore the original versions from the /data/local/tmp folder on the device.
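The same five steps expressed with plain adb commands, as an added example that is not Belkasoft's code: the package name, old APK path and output file are placeholders, adb is assumed to be on PATH with the device unlocked and the backup prompt confirmed on screen, and `-d` is adb's documented downgrade switch whose acceptance for a given package and Android version must be verified. The script reads the package's versionCode before and after so a restore that did not happen is reported rather than silently left behind.

```python
import os
import re
import subprocess
from pathlib import Path
from typing import List, Optional

def adb(*args: str) -> str:
    """Run one adb command (adb is assumed to be on PATH) and return its stdout."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout

def parse_pm_path(output: str) -> List[str]:
    """'adb shell pm path <pkg>' prints 'package:<path>' per APK; split APKs yield several lines."""
    return [ln[len("package:"):].strip() for ln in output.splitlines() if ln.startswith("package:")]

def parse_version_code(output: str) -> Optional[int]:
    """Read versionCode from 'adb shell dumpsys package <pkg>' to verify the downgrade and the restore."""
    m = re.search(r"versionCode=(\d+)", output)
    return int(m.group(1)) if m else None

def acquisition_plan(pkg: str, old_apk: str, installed_apks: List[str],
                     out_ab: str, reboot: bool = True) -> List[List[str]]:
    """adb argument lists in the order the steps above run; the last entry is always the restore."""
    keep = f"./original_{pkg}"
    plan = [["pull", p, f"{keep}/"] for p in installed_apks]      # 1. keep the current version
    plan.append(["install", "-r", "-d", old_apk])                  # 2. -d permits downgrade, -r keeps data
    if reboot:
        plan += [["reboot"], ["wait-for-device"]]                  # 3. required on Android 6.0+
    plan.append(["backup", "-f", out_ab, "-noapk", pkg])           # 4. ADB backup (confirm on the device)
    restore = [f"{keep}/{Path(p).name}" for p in installed_apks]
    plan.append(["install-multiple", "-r", *restore] if len(restore) > 1
                else ["install", "-r", *restore])                  # 5. put the original version back
    return plan

def acquire(pkg: str, old_apk: str, out_ab: str) -> List[List[str]]:
    """Run the plan on the connected device; the restore step runs even if an earlier step fails."""
    before = parse_version_code(adb("shell", "dumpsys", "package", pkg))
    plan = acquisition_plan(pkg, old_apk, parse_pm_path(adb("shell", "pm", "path", pkg)), out_ab)
    os.makedirs(f"./original_{pkg}", exist_ok=True)
    try:
        for step in plan[:-1]:
            adb(*step)
    finally:
        adb(*plan[-1])      # always attempt step 5, even after a failed backup
    after = parse_version_code(adb("shell", "dumpsys", "package", pkg))
    if before != after:
        raise RuntimeError(f"{pkg}: versionCode {before} before, {after} after restore; see ./original_{pkg}")
    return plan
```

Call `acquire("com.example.app", "./old_versions/com.example.app-old.apk", "./com.example.app.ab")` with real values (the ones shown are constructed placeholders); the pulled original APKs stay in `./original_<pkg>` for a manual restore if needed.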
5. Review the acquired data in Belkasoft X:
Figure 4: Extracted data is analyzed and shown under Artifacts window of Belkasoft X
Conclusion
The Android APK downgrade method is an effective and reasonably safe way to obtain data from various applications even when their current versions do not allow their data to be included in an ADB backup. Belkasoft X helps an investigator automate this process without manual routine work. The product robustly handles numerous potential problem situations and rolls back to the original app versions once the acquisition is complete.