Wednesday, November 18, 2015
Sometimes, The Data Isn’t There (anymore)
November 18, 2015
Sometimes, the Data Isn’t There (anymore)
Being a digital forensic services provider in the private sector, we service a wide array of client’s needs. It is fairly common for our clients to be involved in litigation and investigations ranging from divorce to employment disputes and other criminal and civil matters. Many times, the evidence they’re looking for may have once resided on a mobile device, but upon performing the data extraction and analysis, we have to regrettably inform them that we cannot recover the data they are looking for. Why does this happen, especially with mobile devices? Let’s talk about it…
The first thing to realize is that deletion of data doesn’t get rid of the data, at least not completely. Deletion simply tells the operating system that the data may be over-written when the operating system needs the space. However, accessing the deleted data can be the problematic part. Areas of particular interest to many of our clients are text and picture messages. As I often tell attorneys when they call with these inquiries, the deleted data may or may not be there. It really just depends on several factors. They include:
1) The type of device. This goes back to the fight of the geeks: Apple or Android. Apple is particularly popular and particularly secure with regard to deleted data. Can we recover deleted text messages off an Apple iDevice. Probably. But several of these other factors also come into play. Android devices are generally a little easier to recover deleted data because industry standard forensic tools will many times perform a full physical data extraction from the device, which means we get all deleted and non-deleted data. Because Apple maintains propriety over the chipsets and algorithms on all devices newer than an iPhone 4, a full physical extraction is not currently possible… So whether or not we can get the deleted data on your Apple device is a big question that we won’t fully know the answer to until we perform an extraction and start our analysis.
2) The capacity of the device. The text (SMS) and picture (MMS) databases on mobile devices are somewhat flexible in size. They will expand and contract, depending on the usage (see point 3). However, if you buy a 16 GB iPhone or Android device, the overall memory capacity does become an issue, especially when taking point #3 into account. We’ve had clients submit devices with over 44,000 text & picture messages in the database. That’s a lot of space for text messages and if the database on your device is growing to a point where the operating system has to figure out where to store all of it, the likelihood that deleted messages will be over-written increases greatly.
3) The level of usage of the device. If you are seeking deleted messages from a user who doesn’t actually use the phone feature on their device and rather texts all of their communications, the likelihood that deleted messages will be over-written in time increases as well. If the level of text database usage on the device is high, the priority of those deleted messages goes way down.
4) The time in between the sending/receiving of the alleged messages of interest and when the mobile data extraction takes place. If you’re interested in messages that have been deleted 8 months or a year prior to retaining a digital forensic consultant and the level of usage has been high on the device, the likelihood that we’ll recover those messages goes way down. Again, it’s not impossible, but it does become less likely when combined with the other factors. This is why we advise you to engage the services of a digital forensic consultant sooner rather than later. The staleness of the data and potential spoliation becomes a greater concern as time goes on.
All Is Not Always Lost
One of the things we routinely have to do is come up with work-arounds for any number of problems that present themselves in cases. In the case of lost deleted messages, we utilized one work-around that turned out great for our client.
The client presented us with his iPhone 5s, which he claimed contained text messages from and ex-girlfriend who was claiming that he assaulted her. His contention was that the content of the text messages exonerated him of this claim. But when we went to examine the extraction, these messages, which were 5-6 months old and had been deleted, were not on the device. However, in digital forensics, there’s more than one way to skin the proverbial cat. (don’t worry, we don’t actually skin cats in our lab)
The client indicated he backed up his iPhone on his computer at a time period much closer to the alleged incident. So we incorporated our computer and mobile forensic skills to acquire that backup file and import it into the mobile forensic tools and voila! There were the text messages that helped get him acquitted in the case. Sometimes, it’s just that simple. Sometimes, we need to try to access cloud data, synced data on a Mac or PC computer or other backup data to try and retrieve what we need, but just bear in mind that deleted is often combatted by archived.
What About Computers?
Computers are a different animal much of the time. Most computers have greater memory capacity and more robust operating systems than mobile devices such as smart phones and tablets, so their potential data retention is much higher. Just bear in mind that when something is deleted on a computer, just like on a mobile device, it is tagged for over-writing whenever the operating system needs it. True deletion also removes much of the file-specific information like creation, modification and access dates & times. Also consider that on a Mac or Windows computer, your files are still be recoverable if all you (or someone else) did was put it in the trash or recycle bin. More & more, manufacturers are socially engineering users to put encryption into place by default, which will also have a greater impact on our ability to recover the data over time. Even recovered deleted data, if it’s encrypted, doesn’t do anyone any good.
So at the risk of being overly repetitive, please call your digital forensic consultant sooner rather than later. Once we have the extraction or forensic image (copy), the data is preserved and we can do all the analysis you need on it, even if it’s months down the road. But having that proverbial ‘time capsule’ of your device could mean the difference between getting you what you need and not being able to access the data at all!
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
We Find the Truth for a Living!