Using Digital Forensics to Recover Deleted Text Messages and Media from Smart Phones

Updated: Jul 6, 2023

A frequently asked question regarding digital forensics concerns data deleted from cell phones. Can Invenius recover deleted text messages and pictures from a smart phone, whether an iPhone or an Android?


That is actually a fairly lengthy discussion. You may have heard “deleted doesn’t mean deleted” when it comes to computers. That is much more true with a Windows computer that contains a hard drive than with cell phones. Deleting data from a cell phone involves processes not necessarily found with a hard drive in a Windows computer. Generally, deleting data from a cell phone results in an inability to recover it much sooner than with a Windows computer containing a spinning hard drive.


However, just because the user has deleted a text, call, or an image from a cell phone does not necessarily mean the data cannot be recovered. Alternatively, data relating to the deleted data may remain. For example, after a user deletes a text or a call log entry, information about the text or call may still reside in a different file on the phone. Additionally, the deleted data may still exist in the database in which it resided but the device simply does not display it to the user. A deleted image may still exist in a screenshot or in another location due to user activity relating to the image. Artifacts may remain that shed light on the deleted information, even if the information is not completely recoverable. Finally, some or all deleted data may be recoverable from a different source, such as a backup account.


A common outcome of efforts to recover deleted text messages is determining that the texts existed at one time. A time frame for the deleted texts and how many text messages existed can often be determined. Artifacts may reveal the phone number(s) of the other parties engaged in the text messages. Furthermore, the other devices involved in the exchange may still contain the deleted texts, and the simple fact that the user deleted the texts can have evidentiary value. After all, if an examination of the device yields a large number of text messages (finding hundreds of thousands of text messages is not uncommon), then an inference about these particular text messages being deleted might be possible. In other words, if the user of the device has retained text messages going back months or years, yet these particular text messages were deleted, that may be significant.
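One general way an examiner can estimate how many messages were deleted and when, shown as an added example that is not code from this article or from Invenius: message stores are commonly SQLite databases, and when row IDs are assigned in increasing order and never reused, missing IDs mark deletions and the surviving neighbors bound the time window. The table layout, column names and phone numbers below are constructed for illustration; real messaging databases differ by platform and version.

```python
import sqlite3

def build_sample_db():
    """Constructed sample: 12 messages, then five to one number are deleted."""
    db = sqlite3.connect(":memory:")
    # Hypothetical schema; AUTOINCREMENT means deleted IDs are never reused.
    db.execute("CREATE TABLE message (id INTEGER PRIMARY KEY AUTOINCREMENT, "
               "peer TEXT, sent_at INTEGER, body TEXT)")
    peers = ["+15550100", "+15550101", "+15550199"]  # constructed numbers
    for i in range(12):
        msg_id = i + 1
        peer = peers[2] if msg_id in (5, 6, 7, 11, 12) else peers[i % 2]
        db.execute("INSERT INTO message (peer, sent_at, body) VALUES (?, ?, ?)",
                   (peer, 1_700_000_000 + i * 3600, f"msg {msg_id}"))
    db.execute("DELETE FROM message WHERE peer = ?", (peers[2],))
    db.commit()
    return db

def find_deletion_gaps(db):
    """Return (first_missing_id, last_missing_id, count, after_ts, before_ts)
    for each run of missing IDs. A timestamp of None means the run is not
    bounded on that side by a surviving message."""
    rows = db.execute("SELECT id, sent_at FROM message ORDER BY id").fetchall()
    # sqlite_sequence records the highest ID ever issued, so deletions at the
    # very end of the table are still visible.
    seq = db.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'message'").fetchone()
    last_issued = seq[0] if seq else (rows[-1][0] if rows else 0)
    bounded = [(0, None)] + rows + [(last_issued + 1, None)]
    gaps = []
    for (prev_id, prev_ts), (next_id, next_ts) in zip(bounded, bounded[1:]):
        missing = next_id - prev_id - 1
        if missing > 0:
            gaps.append((prev_id + 1, next_id - 1, missing, prev_ts, next_ts))
    return gaps

if __name__ == "__main__":
    for first, last, count, after_ts, before_ts in find_deletion_gaps(build_sample_db()):
        print(f"IDs {first}-{last}: {count} message(s) missing, "
              f"sent after {after_ts} and before {before_ts}")
```

A gap shows only that records once occupied those IDs; tying them to a particular phone number, as in the matter described below, depends on other artifacts on the device.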


One recent matter Invenius handled involved deleted text messages over a period of months. While the content of the messages could not be recovered, analysis of the device revealed significant helpful information. First, Invenius recovered details about the deleted messages, including the dates and times or a window of time when they were sent, the phone numbers they were sent to and received from, and other information. The other phone number in the exchange was not saved in the device’s contacts, despite the numerous and lengthy text exchanges between the two phone numbers. Compare that to the fact that: (1) over 100,000 text messages were on the phone; and (2) no pattern of deleted text messages with any other phone number could be found. The implication that the user attempted to hide communications with this particular phone number was obvious. Not surprisingly, the “other phone number” was that of a person that the phone user was alleged to have had a romantic relationship with. When the allegation is spousal infidelity, a dispute as to whether a relationship was mutual versus one-sided harassment, or communication by an employee with a competitor, a pattern of deleted messages back and forth can still certainly have value in the case.


Of course, the only constant is change. Any of this could change with the next operating system version, the next phone model, or with a different third-party application.


If the potentially deleted data is worth seeking, isn’t it worth a phone call to a forensic analyst? Admittedly, the answer to whether the data is recoverable will probably be “it depends,” and we may not be able to determine whether it’s recoverable until data is extracted from the device and examined. But Invenius can probably arm you with information that allows you to decide whether to look for it.

 
 
 
