How Do Police & Forensic Analysts Recover Deleted Data From Phones?

If you’ve watched a crime TV show before, you’ve certainly seen analysts extracting data from phones. How practical are these procedures and can the police recover deleted photos, texts and files from the phone?

Consider what a forensic analyst can do with phones.

Why Mobile Forensic Investigations Happen

A mobile forensic investigation takes place when the data on a phone is crucial to a case. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their kidnappers. Many other cases have been disrupted by information taken from the victim or perpetrator’s phone.

Even a simple piece of information, like a text message, can help investigators crack a case. Other times, it’s a more complicated picture painted by deleted call logs, timestamps, geo-location data, and app usage.

Search history can prove accusatory. Many types of information can help police solve crimes — and phones store a lot of that information.

Even if you’re not the prime suspect, the police may want to look at your phone. Crime victims’ phones can provide police with valuable data, especially if those victims are incapacitated or missing.

What can the police find?

Forensic analysts can perform different types of data collection. The simplest is called “manual purchase” and it involves searching through the phone. This doesn’t reveal deleted data, so it doesn’t tell analysts much.

MAKE A VIDEO OF THE DAY

A “reasonable acquisition” provides more detailed data. This involves transferring data from the phone to the PC. This transfer makes it easier for forensic investigators to work with the data, but it still doesn’t have the ability to recover deleted information.

When investigators want to see hidden data, they use “file system capture”. Mobile devices are large databases, and file system capture allows investigators access to all the files in the database. This includes hidden and original files, but still no deleted data.

Finally, there is a “material acquisition.” This is the most difficult type of conversion, as it requires special tools to dump a copy of the memory into a file. However, this leaves everything blank – even deleted files. This allows procedures such as forensic text message recovery to take place.

Can the police recover deleted text messages and media?

You may be wondering how the police can read deleted text messages. In fact, when you delete something from your phone, it doesn’t go away immediately.

Flash storage in mobile devices doesn’t delete files until it needs to open up more space for something new. It merely “deindexes” it, essentially forgetting where it is. It’s still stored, but the phone doesn’t know where or what it is.

If the phone does not overwrite the deleted data, it may be found by another software. Identification and decoding is not always easy, but the forensic community has incredibly powerful tools to help them with the process.


The more recent content you delete, the less likely it is to be overwritten. If you deleted something a few months ago and use your phone a lot, chances are the file system overwritten it. If you just deleted it a few days ago, there’s a good chance it’s still out there somewhere.

Some iOS devices, like newer iPhones, take it an extra step. In addition to indexing the data, they also encrypt it — and no decryption key is known. That will prove to be extremely difficult (if not impossible) to get through.

Many phones automatically back up to the user’s computer or to the cloud. It may be easier to extract data from that backup than from the phone. The effectiveness of this strategy depends on how recently the phone has made a backup and the service used to store the files.


What file types can be recovered?

Recoverable file types may depend on the device the forensic analyst is working on. However, there are some basic types that are likely to be recovered:

  • Text Messages and iMessages
  • Call history
  • Email
  • Note
  • Contact
  • Event calendar
  • Pictures and videos

It’s also possible that investigators could track deleted WhatsApp messages — unless they were encrypted. If you use Android to store files, those files may also remain in memory.

What about encrypting your phone data?

Mobile device encryption poses a major problem for forensic analysis. If the user has used secure encryption and there is no way to get the encryption key, it will be difficult or impossible to get any data from the phone. iTunes even requires users to encrypt the backups they create on their computers.

While this makes the phone less useful to forensic investigators, there are several ways to bypass the encryption. Some phones have a built-in backdoor that gives professionals access to files. Other investigators can guess or crack your password.

However, if they can’t, those encrypted files will cause serious problems. If you’re worried about forensic testing of your phone (for example, you’re a journalist with sensitive sources), you should use the most secure encryption settings possible.

What about WhatsApp?

WhatsApp makes a big case for privacy, with its end-to-end encryption services and good privacy practices. But can a WhatsApp call be tracked? And how does the police recover deleted WhatsApp messages?

At the time of writing, WhatsApp’s Security page has some good news for privacy enthusiasts:

Some of your most personal moments are shared with WhatsApp, that’s why we integrated end-to-end encryption into our app. With end-to-end encryption, your messages, photos, videos, voice messages, documents, and calls are secure from falling into the wrong hands.

This means that cracking WhatsApps defenses will be a tough challenge for someone who wants to get your hands on your information.

Not only that, on the WhatsApp Help Center for Information for Law Enforcement, it states that WhatsApp does not store messages on its servers. The company will comply with police requests, but only “before a user removes such content from our service.”

However, it’s not perfect. For example, Ars Technica reported that, if someone reports content as inappropriate for the platform, the service decrypts some chat logs and sends them to moderators for inspection. And law enforcement has taken an interest in looking at communications metadata to catch criminals.

Is any of your information safe?

Ultimately, there are no guarantees when it comes to mobile forensic investigations. There’s no way to completely secure every piece of data on your phone against a smart and dedicated investigator. Also, there’s no way to access data on every phone.

However, there are many tools that are constantly evolving out there. These take into account the ever-changing landscape of data protection. And, of course, there’s some luck involved.

As always, we recommend the same if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. Finally, don’t do anything that might put you in a predicament of the forensic investigation.

How to recover deleted text messages

If you want to do some forensics on your cell phone yourself, you can recover deleted text messages on your phone. There are some limitations you will have to overcome, but it is entirely possible!

The steps involved are quite long, so be sure to read the full how to recover text messages on Android or iPhone.

Keep your data safe

So, can the police recover deleted photos, texts and files from the phone? The answer is yes — using special tools they can find data that hasn’t been overwritten. However, by using encryption methods, you can ensure your data stays private, even after deletion.


Pixel 7 and Pixel 7 Pro camera bar design

Pixel 7: 6 Important things that Google hasn’t revealed yet

Continue reading


About the author

https://www.makeuseof.com/tag/forensic-analysts-get-deleted-data-phone/ How Do Police & Forensic Analysts Recover Deleted Data From Phones?

Sarah Ridley

USTimesPost.com is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – admin@ustimespost.com. The content will be deleted within 24 hours.

Related Articles

Back to top button