Recovering Critical Evidence from a non-responsive Smartphone

Download English Version PDF

Download Italian Version PDF

The challenge

Since 2018, V. Brig. of Guardia di Finanza, Mr. Salvatore Carannante, digital forensic specialist at the Monza Prosecutor’s Office has been involved in IT and mobile investigations, later assuming responsibility for leading the unit’s forensic activities, including evidence extraction, online investigations, and inter-agency collaboration.

A particularly complex case highlighted the operational challenges faced in digital forensics. Investigators were tasked with examining a smartphone linked to a child abuse investigation. The modern Android device was in critical condition: its battery was completely discharged, it would not power on, and no charging indicators were visible. As a result, accessing the system through conventional methods was impossible.

This created a high risk of permanent data loss. Without specialized forensic tools, accessing the device’s internal memory would have been highly unlikely. At the same time, all procedures had to comply with strict forensic standards, including data integrity, repeatability, traceability, and preservation of the chain of custody.

Solution

To overcome the technical barriers presented by the device, the forensic specialist conducted a physical forensic extraction using MSAB XRY Pro. This method allows investigators to acquire a complete bit-by-bit copy of the device’s internal memory. The extraction produces a full forensic image of the storage system, enabling the recovery and analysis of both visible and hidden data. Cryptographic hash values (MD5 and SHA) are generated during the process to verify the integrity of the forensic image and ensure that the evidence remains unchanged throughout the investigation.

The technique made it possible to recover active data, deleted content, residual fragments of information, and artifacts located in previously unallocated memory areas. These capabilities are particularly important when a device cannot be accessed through its operating system or when conventional extraction methods fail.

V. Brig. of Guardia di Finanza Carannante notes that the platform’s operational efficiency played an important role in the investigation. Extractions can be executed rapidly, including physical acquisitions from devices that other forensic tools are unable to process. The subsequent analysis phase is also accelerated through the XAMN environment, which allows investigators to review large volumes of extracted data significantly.
Equally important is the software’s interface, which is designed to guide users through the extraction process:

“The software is auto-guided with an interface that is intuitive even for people who have never used it. The log explains exactly what it is doing and how—it’s essential for reporting and judicial review.”

Another key element of the workflow is the logging system built into the software:
“Logs are critical. With other software, errors are often unclear, and it’s difficult to understand why an extraction fails. MSAB provides detailed logs, allowing me to troubleshoot, verify, and maintain control of sensitive data without sharing it externally.”
These logs provide investigators with a reliable reference when producing technical reports and presenting findings in judicial proceedings.
The physical extraction ultimately produced decisive evidence for the investigation.

Analysis of the forensic image revealed chat messages, multimedia files, and application artifacts linked to the suspected perpetrator. The metadata associated with these files enabled investigators to reconstruct a timeline of communications between the victim and the individual responsible for the abuse. Importantly, the forensic process also enabled the recovery of deleted data that would otherwise have remained inaccessible. These recovered fragments contributed to a more complete chronological reconstruction of the events and strengthened the evidentiary basis of the investigation.

Customer Value

For V. Brig. of Guardia di Finanza Carannante, the moment the device was successfully accessed represented a turning point in the case:
“When I connected and extracted the device with XRY, I saw the data to hold the offender accountable.”
The investigation demonstrated how advanced mobile forensic tools can enable investigators to access data from devices that initially appear inaccessible. By allowing the acquisition and analysis of the device’s complete memory while maintaining strict forensic standards, the investigative team was able to prevent the loss of critical evidence and significantly advance a sensitive criminal investigation.
“Approximately 40% of mobile forensic analyses in our office now rely on MSAB tools. About 20–25% of seized devices could not have been analyzed without XRY, because other tools failed.”