How Do Forensic Analysts Get Deleted Data From Your Phone?

Simon Batt Updated 23-12-2019

If you’ve watched a crime TV show before, you’ve probably seen analysts extracting data from a phone. How realistic are these procedures, and can the police recover deleted photos, texts, and files from a phone?

Let’s look into what a forensic analyst can do with a phone.

Why Mobile Forensic Investigations Happen

A mobile forensic investigation takes place when data on the phone is crucial to a case. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their abductor. Many other cases have been broken open by the information taken from a victim’s or perpetrator’s phone.

Even a simple piece of information, like a single text message, could help investigators solve a case. Other times, it’s a more complicated picture painted by deleted call logs, time stamps, geolocation data, and app usage.

Search history could prove to be incriminating. Many types of information could help the police solve a crime—and phones store a lot of that kind of information.

Even if you’re not a prime suspect, the police may want to look into your phone. Phones belonging to victims of crimes can provide police with valuable data, especially if those victims are incapacitated or missing.

The Different Types of Data Acquisition

Forensic analysts can perform different kinds of data acquisitions. The simplest is known as “manual acquisition,” and it involves searching through the phone normally. This doesn’t reveal deleted data, so it doesn’t tell analysts much.

A “logical acquisition” provides more detailed data. This involves transferring data from the phone to a PC. This transfer makes it easy for forensic investigators to work with the data, but is still unlikely to recover deleted information.

When investigators want to see hidden data, they use a “file system acquisition.” Mobile devices are big databases, and a file system acquisition gives an investigator access to all of the files in the database. This includes hidden and root files, but still no deleted data.

Finally, there’s a “physical acquisition.” This is the hardest kind of acquisition, as it needs special tools to dump a copy of the storage into a file. However, this lays everything bare—even deleted files. This allows procedures such as forensic text message recovery to take place.

How Can Deleted Files Be Recovered?

You might be wondering how the police can read text messages that have been deleted. In truth, when you delete something from your phone, it doesn’t vanish instantly.

The flash memory in mobile devices doesn’t erase a file until it needs to open up space for something new. It merely “deindexes” the file, essentially forgetting where it is. The data is still stored, but the phone no longer knows where or what it is.

If the phone hasn’t overwritten the deleted data, another piece of software could find it. Identifying and decoding it isn’t always easy, but the forensic community has extremely powerful tools that help them with this process.

The more recently you’ve deleted something, the less likely it will have been overwritten. If you deleted something months ago, and you use your phone a lot, there’s a good chance that the file system will have overwritten it already. If you only deleted it a few days ago, the chances are higher that it’s still there somewhere.
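To make the deindexing idea concrete, here is an added example (not from the original article or any forensic product) that models storage as raw bytes plus a file index, then scans the raw dump for JPEG start and end markers, which is the signature-scanning approach known as file carving. The `ToyStorage` class, its methods, and all sample bytes are hypothetical and constructed for illustration; real flash storage and real carving tools also deal with fragmentation, wear levelling, and encryption.

```python
# Added illustration: a toy flash "image" with a file index; all data is constructed.
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker

class ToyStorage:
    """Hypothetical model: raw bytes plus an index of name -> (offset, length)."""
    def __init__(self, size):
        self.raw = bytearray(size)
        self.index = {}
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        # "Deindexing": only the index entry goes; the bytes stay in place.
        self.index.pop(name)

    def overwrite_free(self, offset, data):
        # Models new data later reusing space that deleted data occupied.
        self.raw[offset:offset + len(data)] = data

def carve_jpegs(image):
    """Scan a raw dump for SOI..EOI spans, ignoring any file index."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append((start, bytes(image[start:end + 2])))
        pos = end + 2
    return found

def demo():
    photo = JPEG_SOI + b"\xe0" + b"constructed-photo-body" + JPEG_EOI
    dev = ToyStorage(256)
    dev.write("note.txt", b"hello")
    dev.write("photo.jpg", photo)
    off, _ = dev.index["photo.jpg"]
    dev.delete("photo.jpg")
    visible = sorted(dev.index)             # what browsing the phone shows
    carved = carve_jpegs(bytes(dev.raw))    # what a raw (physical) dump reveals
    dev.overwrite_free(off, b"\x00" * len(photo))
    after = carve_jpegs(bytes(dev.raw))     # nothing left once overwritten
    return visible, carved, after
```

Calling `demo()` shows the three states the article describes: the index no longer lists the photo, the raw dump still contains it, and it is gone only after the space is overwritten.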

Some iOS devices, like newer iPhones, take an additional step. As well as deindexing the data, they also encrypt it—and there’s no known decryption key. That’s going to prove extremely difficult (if not impossible) to bypass.

Many phones automatically back up to the user’s computer or to the cloud. It can be easier to extract the data from that backup than from the phone. The efficacy of this strategy depends on how recently the phone had a backup performed, and the service used to store the files.

Which Types of Files Can Be Recovered?

The types of recoverable files may depend on the device a forensic analyst is working on. However, there are a few basic types that are likely to be recovered:

  • Text messages and iMessages
  • Call history
  • Emails
  • Notes
  • Contacts
  • Calendar events
  • Images and videos

It’s also possible that investigators can trace deleted WhatsApp messages—unless they were encrypted. If you use your Android for file storage, those files might still be hanging around in storage, too.

What About Encryption?

Mobile device encryption poses a big problem for forensic analysis. If the user used secure encryption, and there’s no way to get the encryption key, it’s going to be difficult or impossible to get any data from the phone. iTunes even asks users to encrypt the backups they make on their computers.

While this makes phones less useful to forensic investigators, there are some ways to get past the encryption. Some phones have backdoors built in that allow professionals access to the files. Other investigators might be able to guess or crack your password.

If they can’t, however, those encrypted files are going to cause serious problems. If you’re worried about forensic examination of your phone (e.g., you’re a journalist with sensitive sources), it’s a good idea to use the most secure encryption settings you can.

Is Any of Your Information Safe?

In the end, there are no guarantees when it comes to mobile forensic investigation. There’s no way to completely secure every piece of data on your phone against a committed and intelligent investigator. At the same time, there’s no way to access data on every phone.

However, there’s a wide variety of continually evolving tools out there. These take into account the always-changing landscape of data protection. And, of course, there’s some luck involved as well.

As always, we recommend the same things if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. Lastly, don’t do anything that will put you in the crosshairs of a forensic investigation.

How to Recover Deleted Text Messages

If you feel like performing some do-it-yourself cell phone forensics, you can recover deleted text messages on your phone. There are some limitations you’ll have to overcome, but it is possible!

The steps involved are quite lengthy, so be sure to read how to recover text messages on Android or iPhone for the whole picture.

Keeping Your Data Secure

So, can police recover deleted pictures, texts, and files from a phone? The answer is yes—by using special tools, they can find data that hasn’t been overwritten yet. However, by using encryption methods, you can ensure your data is kept private, even after deletion.

If you want to learn how to secure your data, why not try some ways to encrypt your daily life with very little effort?

  1. ReadandShare
    December 23, 2019 at 4:58 pm

    Are there good Android apps we can use to overwrite all unused space?

  2. KA
    September 26, 2019 at 8:32 pm

    How do they track down things that have been deleted from the internet? Can that be found in a device's storage as well? Like through deleted bookmarks or history?