There are several methods for creating an Android backup file. Most commercial tools offer this capability, and you can even find free methods, which we find work really well. Before adopting a method, you must understand what to expect from a backup file. Devices with Full Disk Encryption may require additional security in order to extract the backup. We will see this in an upcoming slide.

Some examiners are surprised when they select a File System acquisition and simply get a backup file. Again, File System acquisitions are Logical acquisitions or backups that provide access to raw files on the device for analysis. An Advanced Logical, while technically not a backup, runs multiple extractions to pull the most data from the device. This section will show you some differences and what to expect when examining an Android backup that you created for forensic analysis.
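As an added example (not from the original course material), the sketch below triages a backup file before analysis: it reads the header, reports whether the payload is compressed or encrypted, and lists the contained files without extracting them. It assumes the backup uses the `.ab` layout written by `adb backup`, which this page does not name; the function names and the sample data are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = "ANDROID BACKUP"  # first header line of an adb-style .ab file (assumed format)

def parse_ab_header(data: bytes) -> dict:
    """Read the four text lines that open the file: magic, version, compressed, encryption."""
    stream = io.BytesIO(data)
    lines = [stream.readline().rstrip(b"\n").decode("ascii", "replace") for _ in range(4)]
    if lines[0] != MAGIC:
        raise ValueError("not an Android backup file (bad magic line)")
    if not (lines[1].isdigit() and lines[2] in ("0", "1") and lines[3]):
        raise ValueError("truncated or malformed backup header")
    return {"version": int(lines[1]), "compressed": lines[2] == "1",
            "encryption": lines[3], "payload_offset": stream.tell()}

def triage(data: bytes) -> dict:
    """Report header fields and, when readable, (name, size) per file. Lists only, never extracts."""
    header = parse_ab_header(data)
    if header["encryption"] != "none":
        # Encrypted payload: it cannot be listed until it has been decrypted.
        return {"header": header, "entries": None}
    payload = data[header["payload_offset"]:]
    if header["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        entries = [(m.name, m.size) for m in tar if m.isfile()]
    return {"header": header, "entries": entries}

def build_sample(encryption: str = "none") -> bytes:
    """Constructed sample backup (not real evidence) so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("apps/com.example.app/_manifest", b"1\n"),
                           ("apps/com.example.app/db/notes.db", b"SQLite format 3\x00")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    header = "%s\n5\n1\n%s\n" % (MAGIC, encryption)
    return header.encode("ascii") + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample("AES-256"))["header"])
```

Run it against a working copy of the backup, never the original evidence file; it loads the whole file into memory, so very large backups need a streaming variant.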

During the backup, the examiner must interact with the phone to enable a full backup, or the acquisition will fail. The phone may also reboot, so make sure you are watching the device just in case it reconnects to the network.

Android Backup APK Downgrade should only be used as a last-ditch measure and only after another acquisition was obtained. This method works well, and several rely upon it. Just make sure you understand how it works before you use it.