If you've watched a crime TV show before, you've probably seen analysts extracting data from a phone. How realistic are these procedures, and can the police recover deleted photos, texts, and files from a phone?

Let's look into what a forensic analyst can do with a phone.

Why Mobile Forensic Investigations Happen

A mobile forensic investigation takes place when the data on a phone is crucial to a case. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their abductor, as reported by Star Tribune. Many other cases have been broken open by the information taken from a victim's or perpetrator's phone.

Even a simple piece of information, like a single text message, could help investigators solve a case. Other times, it's a more complicated picture painted by deleted call logs, time stamps, geolocation data, and app usage.

Search history could prove to be incriminating. Many types of information could help the police solve a crime—and phones store a lot of that kind of information.

Even if you're not a prime suspect, the police may want to look into your phone. Phones belonging to victims of crimes can provide police with valuable data, especially if those victims are incapacitated or missing.

What Can Police Forensics Find?

Forensic analysts can perform different kinds of data acquisitions. The simplest is known as "manual acquisition," and it involves searching through the phone normally. This doesn't reveal deleted data, so it doesn't tell analysts much.

A "logical acquisition" provides more detailed data. This involves transferring data from the phone to a PC. This transfer makes it easy for forensic investigators to work with the data but is still unlikely to recover deleted information.

When investigators want to see hidden data, they use a "file system acquisition." Mobile devices are big databases, and a file system acquisition gives an investigator access to all of the files in the database. This includes hidden and root files, but still no deleted data.

Finally, there's a "physical acquisition." This is the hardest kind of acquisition, as it needs special tools to dump a copy of the storage into a file. However, this lays everything bare—even deleted files. This allows procedures such as forensic text message recovery to take place.

Can the Police Recover Deleted Text Messages and Media?

You might be wondering how the police can read text messages that have been deleted. In truth, when you delete something from your phone, it doesn't vanish instantly.

The flash memory in mobile devices doesn't delete files until it needs to open up space for something new. It merely "deindexes" it, essentially forgetting where it is. It's still stored, but the phone doesn't know where or what it is.

If the phone hasn't overwritten the deleted data, another piece of software could find it. Identifying and decoding it isn't always easy, but the forensic community has extremely powerful tools that help them with this process.

The more recently you've deleted something, the less likely it will have been overwritten. If you deleted something months ago, and you use your phone a lot, there's a good chance that the file system will have overwritten it already. If you only deleted it a few days ago, the chances are higher that it's still there somewhere.

Some iOS devices, like newer iPhones, take an additional step. As well as deindexing the data, they also encrypt it—and there's no known decryption key. That's going to prove extremely difficult (if not impossible) to bypass.

Many phones automatically back up to the user's computer or to the cloud. It can be easier to extract the data from that backup than from the phone. The efficacy of this strategy depends on how recently the phone had a backup performed and the service used to store the files.

Which File Types Can Be Recovered?

The types of recoverable files may depend on the device a forensic analyst is working on. However, there are a few basic types that are likely to be recovered:

  • Text messages and iMessages
  • Call history
  • Emails
  • Notes
  • Contacts
  • Calendar events
  • Images and videos

It's also possible that investigators can trace deleted WhatsApp messages—unless they were encrypted. If you use your Android for file storage, those files might still be hanging around in storage, too.

What About Encrypting Your Phone's Data?

Mobile device encryption poses a challenge to forensics teams, but it's by no means an impenetrable fortress. While encryption once laid waste to investigators' plans, the importance of digital forensic evidence in this day and age has given rise to tools that can crack them.

Some phones have backdoors built in that allow professionals access to the files. Other investigators might be able to guess or crack your password.

If they can't do any of those, they may turn to external software. For example, Cellebrite is a company that specializes in getting past defenses, encrypted or not. You can read a case study on the Cellebrite website about how a detective used the company's tools to get 50GB of evidence from an encrypted Mega cloud storage account.

What About WhatsApp?

WhatsApp makes a big case for privacy, with its end-to-end encryption services and good privacy practices. But can a WhatsApp call be traced? And how do the police recover deleted WhatsApp messages?

At the time of writing, WhatsApp's Privacy page has some good news for privacy enthusiasts:

End-to-end encryption. Messages and calls stay between you. No one else can read or listen to them, not even WhatsApp.

This means that cracking WhatsApps' defenses would be a tough challenge for someone wanting to get their hands on your info.

On top of that, the WhatsApp Help Center for Information for Law Enforcement Authorities states that WhatsApp does not store messages on its servers. The company will comply with police requests, but only "before a user has deleted that content from our service."

However, it's not perfect. For instance, Ars Technica reported that, should someone report content as being unsuitable for the platform, the service will decrypt some of the chat logs and send them to moderators for checking. And law enforcement has been interested in looking at the metadata of communications to catch criminals.

Is Any of Your Information Safe?

In the end, there are no guarantees when it comes to mobile forensic investigation. There's no way to completely secure every piece of data on your phone against a committed and intelligent investigator. At the same time, there's no way to access data on every phone.

However, there's a wide variety of continually evolving tools out there. These take into account the always-changing landscape of data protection. And, of course, there's some luck involved as well.

As always, we recommend the same things if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. Lastly, don't do anything that will put you in the crosshairs of a forensic investigation.

How to Recover Deleted Text Messages

If you feel like performing some do-it-yourself cell phone forensics, you can recover deleted text messages on your phone. There are some limitations you'll have to overcome, but it is possible!

The steps involved are quite lengthy, so be sure to read how to recover text messages on Android or iPhone for the whole picture.

Keeping Your Data Secure

So, can police recover deleted pictures, texts, and files from a phone? The answer is yes—by using special tools, they can find data that hasn't been overwritten yet. And these days, encryption isn't quite the silver bullet solution it once was. As such, the best way to keep things safe is to never digitally document them in the first place.