If you’ve watched a crime TV show before, you’ve probably seen analysts extracting data from a phone. How realistic are these procedures, and can the police recover deleted photos, texts, and files from a phone?
Let’s look into what a forensic analyst can do with a phone.
Why Mobile Forensic Investigations Happen
A mobile forensic investigation takes place when data on the phone is crucial to a case. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their abductor. Many other cases have been broken open by the information taken from a victim’s or perpetrator’s phone.
Even if you’re not a prime suspect, the police may want to look into your phone. Phones belonging to victims of crimes can provide police with valuable data, especially if those victims are incapacitated or missing.
The Different Types of Data Acquisition
Forensic analysts can perform different kinds of data acquisitions. The simplest is known as “manual acquisition,” and it involves searching through the phone normally. This doesn’t reveal deleted data, so it doesn’t tell analysts much.
A “logical acquisition” provides more detailed data. This involves transferring data from the phone to a PC. This transfer makes it easy for forensic investigators to work with the data, but is still unlikely to recover deleted information.
When investigators want to see hidden data, they use a “file system acquisition.” Mobile devices are big databases, and a file system acquisition gives an investigator access to all of the files in the database. This includes hidden and root files, but still no deleted data.
Finally, there’s a “physical acquisition.” This is the hardest kind of acquisition, as it needs special tools to dump a copy of the storage into a file. However, this lays everything bare—even deleted files. This allows procedures such as forensic text message recovery to take place.
How Can Deleted Files Be Recovered?
You might be wondering how the police can read text messages that have been deleted. In truth, when you delete something from your phone, it doesn’t vanish instantly.
The flash memory in mobile devices doesn’t delete files until it needs to open up space for something new. It merely “deindexes” it, essentially forgetting where it is. It’s still stored, but the phone doesn’t know where or what it is.
If the phone hasn’t overwritten the deleted data, another piece of software could find it. Identifying and decoding it isn’t always easy, but the forensic community has extremely powerful tools that help them with this process.
The more recently you’ve deleted something, the less likely it will have been overwritten. If you deleted something months ago, and you use your phone a lot, there’s a good chance that the file system will have overwritten it already. If you only deleted it a few days ago, the chances are higher that it’s still there somewhere.
Some iOS devices, like newer iPhones, take an additional step. As well as deindexing the data, they also encrypt it—and there’s no known decryption key. That’s going to prove extremely difficult (if not impossible) to bypass.
Many phones automatically back up to the user’s computer or to the cloud. It can be easier to extract the data from that backup than from the phone. The efficacy of this strategy depends on how recently the phone had a back up performed, and the service used to store the files.
Which Types of Files Can Be Recovered?
The types of recoverable files may depend on the device a forensic analyst is working on. However, there are a few basic types that are likely to be recovered:
- Text messages and iMessages
- Call history
- Calendar events
- Images and videos
It’s also possible that investigators can trace deleted WhatsApp messages—unless they were encrypted. If you use your Android for file storage, those files might still be hanging around in storage, too.
What About Encryption?
Mobile device encryption poses a big problem for forensic analysis. If the user used secure encryption, and there’s no way to get the encryption key, it’s going to be difficult or impossible to get any data from the phone. iTunes even asks users to encrypt the backups they make on their computers.
While this makes phones less useful to forensic investigators, there are some ways to get past the encryption. Some phones have backdoors built in that allow professionals access to the files. Other investigators might be able to guess or crack your password.
If they can’t, however, those encrypted files are going to cause serious problems. If you’re worried about forensic examination of your phone (e.g., you’re a journalist with sensitive sources), it’s a good idea to use the most secure encryption settings you can.
Is Any of Your Information Safe?
In the end, there are no guarantees when it comes to mobile forensic investigation. There’s no way to completely secure every piece of data on your phone against a committed and intelligent investigator. At the same time, there’s no way to access data on every phone.
However, there’s a wide variety of continually evolving tools out there. These take into account the always-changing landscape of data protection. And, of course, there’s some luck involved as well.
As always, we recommend the same things if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. Lastly, don’t do anything that will put you in the crosshairs of a forensic investigation.
How to Recover Deleted Text Messages
If you feel like performing some do-it-yourself cell phone forensics, you can recover deleted text messages on your phone. There are some limitations you’ll have to overcome, but it is possible!
Keeping Your Data Secure
So, can police recover deleted pictures, texts, and files from a phone? The answer is yes—by using special tools, they can find data that hasn’t been overwritten yet. However, by using encryption methods, you can ensure your data is kept private, even after deletion.
If you want to learn how to secure your data, why not try some ways to encrypt your daily life with very little effort?
Source: How Do Forensic Analysts Get Deleted Data From Your Phone?
By Simon Batt
Techylawyer and its authors do not claim to have written this article, we acknowledge the works of the original author