Understanding techniques to recover deleted files from the SD card and the internal memory

Data recovery is one of the most significant and powerful aspects of forensic analysis. The ability to recover deleted data can be crucial to cracking many civil and criminal cases. From a normal user's point of view, recovering data that has been deleted would usually refer to the operating system's built-in solutions, such as the Recycle Bin in Windows. While it's true that data can be recovered from these locations, due to an increase in user awareness, these options often don't work. For instance, on a desktop computer, people now use Shift + Delete as a way to delete a file completely from their desktop.

Data recovery is the process of retrieving deleted data from a device when it cannot be accessed normally. Consider the scenario where a mobile phone has been seized from a terrorist. Wouldn't it be of the greatest importance to know which items were deleted by the terrorist? Access to any deleted SMS messages, pictures, dialed numbers, application data, and more can be of critical importance, as they often reveal sensitive information. With Android, it is possible to recover most of the deleted data if the device files are properly acquired. However, if proper care is not taken while handling the device, the deleted data could be lost forever. To ensure that the deleted data is not overwritten, it is recommended to keep the following points in mind:

  • Do not use the phone for any activity after seizing it. The deleted data exists on the device until space is needed by some other incoming data. Hence, the phone must not be used for any sort of activity to prevent the data from being overwritten.
  • Even when the phone is not used, without any intervention from our end, data can be overwritten. For instance, an incoming SMS would automatically occupy space, which could overwrite the data marked for deletion. To prevent the occurrence of such events, you should follow the forensic handling methods described in the previous chapters. The easiest solution is to place the device in airplane mode or disable all connectivity options on the device. This prevents the delivery of any new messages.

All Android filesystems have metadata that contains information about the hierarchy of files, filenames, and so on. Deletion does not really erase a file's data; it only removes the filesystem metadata. When text messages or any other files are deleted from the device, they are just made invisible to the user, but the files are still present on the device. Essentially, the files are simply marked for deletion, but they reside on the filesystem until they are overwritten. Recovering deleted data from an Android device involves two scenarios: recovering data that is deleted from the SD card, such as pictures, videos, application data, and more, and recovering data that is deleted from the internal memory of the device. The following sections cover the techniques that can be used to recover deleted data from both the SD card and the internal memory of the Android device.
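As an added illustration (not code from the book), the sketch below shows why a deleted picture stays recoverable until its blocks are reused. It uses header/footer signature carving, a technique chosen here for the example, on a constructed in-memory image; the block size, image layout and function names are assumptions.

```python
# Added example: signature carving over a raw image, then the same carve
# after the freed block has been reused by new data.
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image plus first byte of next marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker
BLOCK = 512                 # assumed block size for the constructed image


def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return [(offset, data)] for every SOI..EOI span found in raw bytes.

    Simplification: the first EOI after a header ends the file, so a JPEG
    with an embedded thumbnail would be cut short by this naive version.
    """
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end + 2 - start > max_size:
            pos = start + 1  # no usable footer; keep scanning past this header
            continue
        found.append((start, bytes(raw[start:end + 2])))
        pos = end + 2
    return found


def build_sample_image():
    """Constructed 8-block image: block 2 still holds a 'deleted' picture.

    No directory entry points at block 2, which models metadata removal.
    """
    picture = JPEG_SOI + b"\xe0" + b"constructed-picture-payload" + JPEG_EOI
    img = bytearray(BLOCK * 8)
    img[2 * BLOCK:2 * BLOCK + len(picture)] = picture
    return img, picture


def overwrite_block(img, block_no, data):
    """Simulate incoming data (for example a new SMS) reusing a freed block."""
    img[block_no * BLOCK:(block_no + 1) * BLOCK] = data.ljust(BLOCK, b"\x00")[:BLOCK]


if __name__ == "__main__":
    image, _ = build_sample_image()
    print("before overwrite:", [(off, len(d)) for off, d in carve_jpegs(image)])
    overwrite_block(image, 2, b"constructed incoming message")
    print("after overwrite: ", carve_jpegs(image))
```

On a real acquisition the same `carve_jpegs` function would be run over the bytes of a read-only copy of the image, never the seized device itself.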
