November 18, 2015
Sometimes, the Data Isn’t There (anymore)
Being a digital forensic services provider in the private sector, we service a wide array of clients' needs. It is fairly common for our clients to be involved in litigation and investigations ranging from divorce to employment disputes and other criminal and civil matters.

Many times, the evidence they're looking for may have once resided on a mobile device, but upon performing the data extraction and analysis, we regrettably have to inform them that we cannot recover the data they are looking for. Why does this happen, especially with mobile devices? Let's talk about it.
The first thing to realize is that deleting data doesn't get rid of the data, at least not completely. Deletion simply tells the operating system that the space may be over-written when the operating system needs it. Accessing the deleted data, however, can be the problematic part. Areas of particular interest to many of our clients are text and picture messages. As I often tell attorneys when they call with these inquiries, the deleted data may or may not be there. It really depends on several factors. They include:
1) The type of device. This goes back to the fight of the geeks: Apple or Android. Apple is particularly popular and particularly secure with regard to deleted data. Can we recover deleted text messages off an Apple iDevice? Probably. But several of these other factors also come into play. Android devices are generally a little easier to recover deleted data from, because industry-standard forensic tools will many times perform a full physical data extraction from the device, which means we get all deleted and non-deleted data. Because Apple keeps the chipsets and algorithms proprietary on all devices newer than an iPhone 4, a full physical extraction is not currently possible. So whether or not we can get the deleted data on your Apple device is a big question that we won't fully know the answer to until we perform an extraction and start our analysis.
2) The capacity of the device. The text (SMS) and picture (MMS) databases on mobile devices are somewhat flexible in size. They will expand and contract depending on usage (see point 3). However, if you buy a 16 GB iPhone or Android device, the overall memory capacity does become an issue, especially when taking point 3 into account. We've had clients submit devices with over 44,000 text and picture messages in the database. That's a lot of space for text messages, and if the database on your device is growing to a point where the operating system has to figure out where to store all of it, the likelihood that deleted messages will be over-written increases greatly.
3) The level of usage of the device. If you are seeking deleted messages from a user who doesn't actually use the phone feature on their device and instead texts all of their communications, the likelihood that deleted messages will be over-written in time increases as well. If the level of text database usage on the device is high, the priority of those deleted messages goes way down.
4) The time between the sending/receiving of the alleged messages of interest and when the mobile data extraction takes place. If you're interested in messages that were deleted 8 months or a year prior to retaining a digital forensic consultant, and the level of usage on the device has been high, the likelihood that we'll recover those messages goes way down.

Again, it's not impossible, but it does become less likely when combined with the other factors. This is why we advise you to engage the services of a digital forensic consultant sooner rather than later. The staleness of the data and potential spoliation become a greater concern as time goes on.
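The interplay of those factors (deletion only frees space; continued usage decides when that space is reused) can be seen in a small experiment. This is an added example, not code from the original post: it uses a simplified SQLite table as a stand-in for a phone's message database (an assumption, not any vendor's real schema), compares what the database API reports against what a raw scan of the file bytes finds, and shows how one more message of the same size can over-write the deleted one.

```python
import os
import sqlite3
import tempfile

HANDLE = "+15555550123"   # constructed sample sender; fixed width
BODY_LEN = 40             # fixed-width bodies keep every row the same size


def make_body(tag):
    return f"[{tag}]".ljust(BODY_LEN, ".")


def connect(path, secure_delete):
    conn = sqlite3.connect(path)
    # Some SQLite builds default secure_delete to ON; set it explicitly.
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute("PRAGMA page_size = 4096")  # must precede the first write
    # Stand-in for a phone's message table (assumed, simplified schema).
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT)")
    return conn


def insert_messages(conn, tags):
    conn.executemany("INSERT INTO message (handle, text) VALUES (?, ?)",
                     [(HANDLE, make_body(t)) for t in tags])
    conn.commit()


def live_contains(conn, body):  # the OS view: only rows not yet deleted
    q = "SELECT 1 FROM message WHERE text = ?"
    return conn.execute(q, (body,)).fetchone() is not None


def carve(path, body):  # the physical-extraction view: every byte on disk
    with open(path, "rb") as f:
        return body.encode() in f.read()


def run_scenario(secure_delete, new_traffic):
    """Store 10 texts, delete one, then add `new_traffic` further texts.
    Returns (live_after_delete, carved_after_delete, carved_after_usage)."""
    path = os.path.join(tempfile.mkdtemp(), "messages.db")
    target = make_body("evidence")
    conn = connect(path, secure_delete)
    insert_messages(conn, [f"msg{i}" for i in range(5)] + ["evidence"]
                    + [f"msg{i}" for i in range(5, 9)])
    conn.execute("DELETE FROM message WHERE text = ?", (target,))
    conn.commit()
    live, carved = live_contains(conn, target), carve(path, target)
    insert_messages(conn, [f"new{i}" for i in range(new_traffic)])  # usage
    conn.close()
    return live, carved, carve(path, target)


if __name__ == "__main__":
    print([run_scenario(False, 0), run_scenario(False, 50), run_scenario(True, 0)])
```

On an idle device the deleted body is gone from the API but still carvable; after new traffic of the same size it is over-written, and with secure_delete on it is zeroed at deletion time.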
All Is Not Always Lost
One of the things we routinely have to do is come up with work-arounds for any number of problems that present themselves in cases. In the case of lost deleted messages, we utilized one work-around that turned out great for our client.
The client presented us with his iPhone 5s, which he claimed contained text messages from an ex-girlfriend who was claiming that he assaulted her. His contention was that the content of the text messages exonerated him of this claim. But when we went to examine the extraction, these messages, which were 5-6 months old and had been deleted, were not on the device. However, in digital forensics, there's more than one way to skin the proverbial cat. (Don't worry, we don't actually skin cats in our lab.)
The client indicated he had backed up his iPhone on his computer at a time much closer to the alleged incident. So we combined our computer and mobile forensic skills to acquire that backup file and import it into the mobile forensic tools, and voila! There were the text messages that helped get him acquitted in the case. Sometimes, it's just that simple. Sometimes, we need to try to access cloud data, synced data on a Mac or PC, or other backup data to retrieve what we need, but just bear in mind that "deleted" is often countered by "archived."
What About Computers?
Computers are a different animal much of the time. Most computers have greater storage capacity and more robust operating systems than mobile devices such as smartphones and tablets, so their potential data retention is much higher. Just bear in mind that when something is deleted on a computer, just like on a mobile device, it is tagged for over-writing whenever the operating system needs the space. True deletion also removes much of the file-specific information like creation, modification and access dates and times. Also consider that on a Mac or Windows computer, your files are still recoverable if all you (or someone else) did was put them in the trash or recycle bin. More and more, manufacturers are socially engineering users to put encryption into place by default, which will also have a greater impact on our ability to recover data over time. Even recovered deleted data, if it's encrypted, doesn't do anyone any good.
So at the risk of being overly repetitive, please call your digital forensic consultant sooner rather than later. Once we have the extraction or forensic image (copy), the data is preserved and we can do all the analysis you need on it, even if it's months down the road. But having that proverbial "time capsule" of your device could mean the difference between getting you what you need and not being able to access the data at all!
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.