Recovering deleted data – A new option for Mobile Forensic users
By Brad Sipes
Often, data on a mobile device that the user has deleted can still be collected. This is because the data itself still resides in memory: it is only marked as deleted and isn’t actually removed. This can happen with different types of data. For example, a data file may be marked as deleted by the operating system while its contents are not actually written over. The system treats the memory space as “free”, so it may be reused and written over at some point in the future, but until that happens the data is recoverable if the right tools are available.
Usually in these cases the deleted data can only be obtained through a “Physical” extraction process. However, certain types of deleted data may be collected using a “Logical” extraction process that can recover a smartphone file system. This kind of deleted data is typically found where a mobile app has marked rows in its database as “deleted” but has not written over the data. For many apps this data can be collected by commercial extraction tools.
On Android and iOS, most apps use SQL databases to store data. In some cases the data isn’t included in a normal extraction, and you may have to use advanced extraction techniques such as “App Downgrade”, which is available as an option for Android backups. With this technique the phone will include databases from apps that normally would not form part of the backup, and in this way you can get access to deleted records from those apps. Not all apps behave in this manner, but enough do to make this approach very useful.
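The following added example (not MSAB or XRY code) shows why a row an app has deleted can remain in its database file, assuming the app database is SQLite. It builds a constructed message table, deletes one row, then searches the raw file bytes with SQLite's `secure_delete` pragma off and on; the table, message text and function names are invented for the demonstration.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample data standing in for a hypothetical chat app's messages.
MESSAGES = ["meet at the usual place", "DELETED-MSG-call me on 555-0100", "ok see you then"]
TARGET = MESSAGES[1]

def build_and_delete(path, secure_delete):
    """Create the database, insert MESSAGES, then delete TARGET as an app would."""
    con = sqlite3.connect(path)
    # Set explicitly: the library default depends on how SQLite was compiled.
    con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)", [(m,) for m in MESSAGES])
    con.commit()
    con.execute("DELETE FROM messages WHERE body = ?", (TARGET,))
    con.commit()
    con.close()

def live_bodies(path):
    """What a normal query (the app's own view of its data) returns."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows

def carve_strings(path, min_len=8):
    """Printable ASCII runs in the raw file bytes, ignoring SQLite page structure."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

def residue(secure_delete):
    """Return (live rows, carved strings that still contain the deleted message)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        build_and_delete(path, secure_delete)
        hits = [s for s in carve_strings(path) if TARGET in s]
        return live_bodies(path), hits

if __name__ == "__main__":
    for mode in (False, True):
        live, hits = residue(mode)
        print(f"secure_delete={mode}: live rows={len(live)}, deleted text in file={bool(hits)}")
```

With the pragma off, the deleted message is still present in the raw bytes even though no query returns it; with it on, SQLite zeroes the freed space and the search finds nothing.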
At MSAB, we are committed to working closely with our customers and to providing a continual stream of improvements in our data access methods and overall products. To that end, we have recently extended our XRY Logical extraction license capability to provide deleted data from app databases whenever that is possible.
Previously, deleted data was only accessible if you had the XRY Physical extraction license. This additional capability comes as a direct result of discussing potential improvements in our solutions.
This is a small but important step in our quest to provide the very best tools to the mobile forensic market.
Chief Product Officer for MSAB