Chapter 6. Recovering Deleted Data from an Android Device

The extraction and acquisition techniques that you have learned so far will help you access various details such as call logs, messages, and so on. However, these techniques do not help us see the data that is deleted from the device. In this chapter, you will learn about data-recovery techniques that will enable you to view the data that is deleted on the device. Deleted data could contain highly sensitive information, and thus, data recovery is a crucial aspect of mobile forensics. In this chapter, we will cover the following topics:

  • An overview of data recovery
  • Recovering data deleted from an SD card
  • Recovering data deleted from a phone's internal storage

An overview of data recovery

Data recovery is a powerful concept within digital forensics. It is the process of retrieving deleted data from a device or SD card when it cannot be accessed normally. Being able to recover data that is deleted by a user could help solve several civil and criminal cases. This is because most of the accused just delete the details on the device, hoping that the evidence will be destroyed. Thus, in most criminal cases, deleted data can be crucial, because it may contain information the user wanted to erase from the Android device.

For example, consider the scenario where a mobile phone has been seized from a terrorist. Wouldn't it be of the greatest importance to know which items have been deleted by them? Access to any deleted SMS messages, pictures, dialed numbers, and so on can be of critical importance, as they may reveal a lot of sensitive information.

From a normal user's point of view, recovering data that has been deleted would usually refer to the operating system's built-in solutions, such as the Recycle Bin in Windows. While it's true that data can be recovered from these locations, due to an increase in user awareness, these options don't often work. For instance, on a desktop computer, people now use Shift + Delete whenever they want to delete a file completely from their desktop. Similarly, within mobile environments, users are aware of restore operations provided by apps and so on. In spite of this, data recovery techniques allow a forensic investigator to access the data that is deleted from the device.

With respect to Android, it is possible to recover most of the deleted data, including SMS, pictures, application data, and so on. However, it is important to seize the device in a proper manner and follow certain procedures, without which the data might be deleted permanently. To ensure that the deleted data is not lost forever, it is recommended that you keep the following points in mind:

  • Do not use the phone for any activity after seizing it. The deleted data exists on the device until the space is needed by some other incoming data. Hence, the phone must not be used for any sort of activity so that the data is not overwritten.
  • Even when the phone is not used, data can be overwritten without any intervention from our end. For instance, an incoming SMS would automatically occupy space on the device and could overwrite the deleted data. Also, remote wipe commands can wipe the content present on the device. To prevent such events, consider placing the device in a Faraday bag, as explained in Chapter 1, Introducing Android Forensics. Thus, care should be taken to prevent delivery of any new messages or data through any means of communication.

How can deleted files be recovered?

When a user deletes any data from the device, the data is not actually erased and continues to exist on the device. What gets deleted is the pointer to this data. All filesystems contain metadata that maintains information about the hierarchy of files, file names, and so on. Deletion does not actually erase the data, but instead, it removes the filesystem metadata. Just deleting the metadata increases the performance of operating systems; deleting the pointer and marking the space as available is an extremely fast operation compared to actually erasing all the data. Thus, when text messages or any other files are deleted, they are just made invisible to the user. However, the files are still present on the device as long as they are not overwritten by some other data. Hence, it is possible to recover them before new data comes in and occupies the space.
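The behaviour described above can be shown with a small model. The following is an added example, not code from the book: ToyVolume, carve_jpegs, and demo are hypothetical names, the volume is a constructed stand-in for a real filesystem, and the carving is simplified to a search for the JPEG start and end markers.

```python
BLOCK = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


class ToyVolume:
    """Constructed toy volume: data blocks plus a name -> block-run table."""
    def __init__(self, blocks):
        self.data = bytearray(blocks * BLOCK)
        self.directory = {}          # name -> (first_block, length_in_bytes)
        self.next_free = 0

    def write(self, name, content):
        start = self.next_free
        self.data[start * BLOCK:start * BLOCK + len(content)] = content
        self.directory[name] = (start, len(content))
        self.next_free = start + -(-len(content) // BLOCK)   # ceil division

    def delete(self, name):
        # Only the metadata entry is dropped; the data blocks are untouched.
        del self.directory[name]

    def overwrite_block(self, block, content):
        # Models new incoming data reusing space that was marked as free.
        self.data[block * BLOCK:block * BLOCK + len(content)] = content


def carve_jpegs(raw):
    """Scan raw bytes for SOI..EOI spans, ignoring filesystem metadata."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def demo():
    # Constructed sample data, not a real image.
    photo = JPEG_SOI + b"\xe0" + b"constructed-image-payload" * 30 + JPEG_EOI
    vol = ToyVolume(blocks=8)
    vol.write("notes.txt", b"constructed text file")
    vol.write("photo.jpg", photo)
    vol.delete("photo.jpg")                   # pointer removed, bytes remain
    recovered_before = carve_jpegs(vol.data)
    vol.overwrite_block(1, b"\x00" * BLOCK)   # new data lands on the freed block
    recovered_after = carve_jpegs(vol.data)
    return photo, vol.directory, recovered_before, recovered_after
```

After the delete, the directory no longer lists photo.jpg, yet carving the raw bytes returns the complete file; once the freed block is reused, the same scan returns nothing.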

Recovering deleted data on Android involves two scenarios:

  • Recovering data that is deleted from an SD card, such as pictures, videos, and so on
  • Recovering data that is deleted from a device's internal storage, such as SMS, dialed numbers, browsing history, application data, chat logs, and so on

The following sections cover the techniques that can be used to recover deleted data from both the SD card and internal storage of an Android device.
