If you’ve watched CSI, Law and Order, or any other police procedural, there’s a good chance you’ve seen an on-screen version of a mobile forensic investigation. Usually it involves the click of a few buttons and the users’ text messages and call history instantly appearing on screen.
The truth is a little different. But what, exactly, can a forensic examination recover from your phone? How is it done? Why can deleted data be pulled from storage? There are a lot of questions to answer, so we did some research to find the answers.
Why Mobile Forensic Investigations Happen
Why might a phone or tablet undergo a forensic investigation? In many cases, the information pulled off a phone can help solve a crime. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their abductor. Many other cases have been broken open by information taken from a victim’s or perpetrator’s phone.
Even a simple piece of information, like a single text message, could help investigators solve a case. Other times, it’s a more complicated picture painted by deleted call logs, time stamps, geolocation data, and app usage. Search history could prove to be incriminating. Many types of information could help the police solve a crime — and a lot of that information is stored in our phones.
It’s important to note that your mobile device could be investigated even if you’re not suspected of a crime. Phones belonging to victims of crimes can also provide police with very valuable data, especially if those victims are incapacitated or missing.
Types of Data Acquisition
There are a number of acquisition strategies that forensic investigators can use. The simplest is known as “manual acquisition” and it involves going through the regular interface to examine the contents of the device. This is time-intensive and often not very helpful, because anything that’s been deleted isn’t visible in the standard interface.
A logical acquisition provides more detailed data. This type of acquisition involves transferring as much data as possible through the standard transfer channels, like those that would be used to sync a phone to a computer. This type of transfer makes it easy for forensic investigators to work with the data on the phone, but is unlikely to recover much deleted information.
When investigators would like to view deleted data, a file system acquisition is called for. We’ll go over how this type of acquisition can recover deleted items in a moment. Mobile devices are basically big databases, and a file system acquisition gives an investigator access to all of the files in the database. There are also many forensic tools that are able to analyze this type of data, making the investigator’s job easier.
Finally, there’s a physical acquisition. This is the most complex and difficult acquisition, as it involves reading the physical data on a chip and transferring it to another device where it can be worked on. This often requires sophisticated tools like chip programmers, and sometimes even tools to remove the chip itself from the phone. It’s very difficult, but it also gives investigators the most data to work with.
Why Can Deleted Files Be Recovered?
You might be wondering how a piece of software can find files that you’ve deleted. If you know how computer storage drives work, you’ll be familiar with the basics. The flash memory in mobile devices doesn’t actually delete files until it needs to open up space for something new. It simply “deindexes” it, essentially forgetting where it is. It’s still stored, but the phone doesn’t know where or what it is.
So if that data hasn’t been overwritten, another piece of software could find it. Identifying and decoding it isn’t always easy, but the forensic community has extremely powerful tools that help them with this process.
The more recently you’ve deleted something, the less likely it will have been overwritten. If you deleted something months ago, and you use your phone a lot, there’s a good chance that the file system will have overwritten it already. If you only deleted it a few days ago, the chances are higher that it’s still there somewhere.
Some iOS devices, like newer iPhones, take an additional step. As well as deindexing the data, they also encrypt it — and there’s no known decryption key. That’s going to prove extremely difficult (if not impossible) to bypass.
One of the ways forensic analysts can get deleted data is actually skipping the phone itself and heading for backups. Many phones automatically back up to the user’s computer or to the cloud. It can be easier to extract the data from that backup than the phone. Obviously, the efficacy of this strategy depends on how recently the phone was backed up and the service used to store the files.
Which Types of Files Can Be Recovered?
The types of recoverable files may depend on the device a forensic analyst is working on. However, there are a few basics types that are likely to be recovered:
- Text messages and iMessages (find out how to recover deleted text messages on iPhone)
- Call history
- Calendar events
- Images and videos
It’s also possible that messages from alternative messaging services like WhatsApp or Viber could be recovered as well. (If these messages are encrypted, however, investigators won’t be able to read them.) If you use your Android for file storage, those files might still be hanging around in storage, too.
What About Encryption?
Mobile device encryption poses a big problem for forensic analysis. If strong encryption was used, and there’s no way to get the encryption key, it’s going to be difficult or impossible to get any data from the phone. iTunes even asks users to encrypt the backups they make on their computers.
While this makes phones less useful to forensic investigators, there are some ways to get past encryption. Some phones have backdoors built in that allow professionals access to the files. Other investigators might be able to guess or crack your password.
If they can’t, however, those encrypted files are going to cause serious problems. If you’re worried about forensic examination of your phone (e.g. you’re a journalist with sensitive sources), it’s a good idea to use the most secure encryption settings you can.
Is Any of Your Information Really Safe?
In the end, there are no guarantees when it comes to mobile forensic investigation. For either side. There’s no way to completely secure every piece of data on your phone against a committed and intelligent investigator. And there’s no way to access data on every phone.
But there’s a wide variety of constantly evolving tools out there. They’re designed specifically to counter the always-changing landscape of data protection. And, of course, there’s some luck involved as well.
As always, we recommend the same things if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. And, if at all possible, don’t do anything that will put you in the crosshairs of a forensic investigation.
Interested in entering this field yourself? Find out more about what a forensic analyst does.