How Do Forensic Analysts Get Deleted Data From Your Phone?
Whatsapp Pinterest

If you’ve watched CSI, Law and Order, or any other police procedural, there’s a good chance you’ve seen an on-screen version of a mobile forensic investigation. Usually it involves the click of a few buttons and the users’ text messages and call history instantly appearing on screen.

The truth is a little different. But what, exactly, can a forensic examination recover from your phone? How is it done? Why can deleted data be pulled from storage? There are a lot of questions to answer, so we did some research to find the answers.

Why Mobile Forensic Investigations Happen

Why might a phone or tablet undergo a forensic investigation? In many cases, the information pulled off a phone can help solve a crime. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their abductor. Many other cases have been broken open by information taken from a victim’s or perpetrator’s phone.

forensic phone investigation
Image Credit: Roman Yanushevsky via Shutterstock

Even a simple piece of information, like a single text message, could help investigators solve a case. Other times, it’s a more complicated picture What Can Government Security Agencies Tell From Your Phone's Metadata? What Can Government Security Agencies Tell From Your Phone's Metadata? Read More painted by deleted call logs, time stamps, geolocation data, and app usage. Search history could prove to be incriminating. Many types of information could help the police solve a crime — and a lot of that information is stored in our phones.

It’s important to note that your mobile device could be investigated even if you’re not suspected of a crime. Phones belonging to victims of crimes can also provide police with very valuable data, especially if those victims are incapacitated or missing.

Types of Data Acquisition

There are a number of acquisition strategies that forensic investigators can use. The simplest is known as “manual acquisition” and it involves going through the regular interface to examine the contents of the device. This is time-intensive and often not very helpful, because anything that’s been deleted isn’t visible in the standard interface.

A logical acquisition provides more detailed data. This type of acquisition involves transferring as much data as possible through the standard transfer channels, like those that would be used to sync a phone to a computer. This type of transfer makes it easy for forensic investigators to work with the data on the phone, but is unlikely to recover much deleted information.

phone plugged in
Image Credit: Montri Thipsorn via Shutterstock

When investigators would like to view deleted data, a file system acquisition is called for. We’ll go over how this type of acquisition can recover deleted items in a moment. Mobile devices are basically big databases, and a file system acquisition gives an investigator access to all of the files in the database. There are also many forensic tools that are able to analyze this type of data, making the investigator’s job easier.

Finally, there’s a physical acquisition. This is the most complex and difficult acquisition, as it involves reading the physical data on a chip and transferring it to another device where it can be worked on. This often requires sophisticated tools like chip programmers, and sometimes even tools to remove the chip itself from the phone. It’s very difficult, but it also gives investigators the most data to work with.

Why Can Deleted Files Be Recovered?

You might be wondering how a piece of software can find files that you’ve deleted. If you know how computer storage drives work, you’ll be familiar with the basics. The flash memory in mobile devices doesn’t actually delete files How to Permanently Delete Data From a Flash Drive How to Permanently Delete Data From a Flash Drive If you want to obliterate your flash drive so that nothing is recoverable, you'll need to take action. Here are a few simple methods you can use that require no technical expertise. Read More until it needs to open up space for something new. It simply “deindexes” it, essentially forgetting where it is. It’s still stored, but the phone doesn’t know where or what it is.

So if that data hasn’t been overwritten, another piece of software could find it. Identifying and decoding it isn’t always easy, but the forensic community has extremely powerful tools that help them with this process.

The more recently you’ve deleted something, the less likely it will have been overwritten. If you deleted something months ago, and you use your phone a lot, there’s a good chance that the file system will have overwritten it already. If you only deleted it a few days ago, the chances are higher that it’s still there somewhere.

Some iOS devices, like newer iPhones, take an additional step. As well as deindexing the data, they also encrypt it — and there’s no known decryption key. That’s going to prove extremely difficult (if not impossible) to bypass.

One of the ways forensic analysts can get deleted data is actually skipping the phone itself and heading for backups. Many phones automatically back up to the user’s computer or to the cloud. It can be easier to extract the data from that backup than the phone. Obviously, the efficacy of this strategy depends on how recently the phone was backed up and the service used to store the files.

Which Types of Files Can Be Recovered?

The types of recoverable files may depend on the device a forensic analyst is working on. However, there are a few basics types that are likely to be recovered:

It’s also possible that messages from alternative messaging services like WhatsApp or Viber could be recovered as well. (If these messages are encrypted, How To Enable WhatsApp's Security Encryption How To Enable WhatsApp's Security Encryption The so-called end-to-end encryption protocol promises that "only you and the person you're communicating with can read what is sent." No one, not even WhatsApp, has access to your content. Read More however, investigators won’t be able to read them.) If you use your Android for file storage, those files might still be hanging around in storage, too.

What About Encryption?

Mobile device encryption 7 Reasons Why You Should Encrypt Your Smartphone Data 7 Reasons Why You Should Encrypt Your Smartphone Data Are you encrypting your device? All major smartphone operating systems offer device encryption, but should you use it? Here's why smartphone encryption is worthwhile, and won't affect the way you use your smartphone. Read More poses a big problem for forensic analysis. If strong encryption was used, and there’s no way to get the encryption key, it’s going to be difficult or impossible to get any data from the phone. iTunes even asks users to encrypt the backups they make on their computers.

While this makes phones less useful to forensic investigators, there are some ways to get past encryption. Some phones have backdoors built in that allow professionals access to the files. Other investigators might be able to guess or crack your password.

If they can’t, however, those encrypted files are going to cause serious problems. If you’re worried about forensic examination of your phone (e.g. you’re a journalist with sensitive sources), it’s a good idea to use the most secure encryption settings you can.

Is Any of Your Information Really Safe?

In the end, there are no guarantees when it comes to mobile forensic investigation. For either side. There’s no way to completely secure every piece of data on your phone against a committed and intelligent investigator. And there’s no way to access data on every phone.

But there’s a wide variety of constantly evolving tools out there. They’re designed specifically to counter the always-changing landscape of data protection. And, of course, there’s some luck involved as well.

As always, we recommend the same things if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. And, if at all possible, don’t do anything that will put you in the crosshairs of a forensic investigation.

Interested in entering this field yourself? Find out more about what a forensic analyst does What Does a Forensic Analyst Do? Is This Job for You? What Does a Forensic Analyst Do? Is This Job for You? Computer forensics analyst jobs are real, not just a thing from TV. Here's what you need to know to become a forensics analyst. Read More .

Explore more about: Smartphone Security, Surveillance.

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. KA
    September 26, 2019 at 8:32 pm

    How do they track down things that have been deleted from the internet? Can that be found in a device's storage as well? Like through deleted bookmarks or history