Introduction To Mobile Forensics: Data Recovery On Android Devices
Data recovery is a powerful concept within digital forensics. It is the process of retrieving deleted data from a
device or SD card when it cannot be accessed normally.
Deleted data could contain highly sensitive information, and thus data recovery is a very important aspect of
mobile forensics.
This data can help solve civil or criminal cases, as many accused persons delete data from their device hoping that the
evidence will be destroyed. Thus, in most criminal cases, deleted data can be crucial because it may contain
information the user wanted to erase from their Android device.
For example, consider the case where a mobile phone has been seized from a terrorist. Access to any deleted SMS
messages, pictures, dialed numbers, etc. could be of critical importance as they may reveal a lot of sensitive information.
DATA RECOVERY
For normal users, recovering data that has been deleted would usually mean referring to the operating system's built-in
solutions, such as the Recycle Bin in Windows. While it's true that data can be recovered from these locations, due to an
increase in user awareness, these options often don't work.
For instance, on a desktop computer, people now use Shift + Del whenever they want to delete a file completely from their desktop.
Similarly, in mobile environments, users are aware of the restore operations provided by apps and so on. Even in these
situations, data recovery techniques allow a forensic investigator to access the data that has been deleted from the
device.
In Android, it is possible to recover most of the deleted data, including SMS, pictures, application data, and so on. But it is
important to seize the device in a proper manner and follow certain procedures, otherwise data might be deleted
permanently. To ensure that the deleted data is not lost forever, it is recommended not to use the phone for any
activity after seizing it. A deleted text message exists on the device until its space is needed by some other incoming
data, so the phone must not be used for any sort of activity, to prevent the data from being overwritten.
Even when the phone is not used, data can be overwritten without any intervention from our end. For instance, an incoming SMS
would automatically occupy the space, overwriting the deleted data. Remote wipe commands can also wipe the content
present on the device. To prevent that, consider placing the device in a Faraday bag. Thus, care should be taken
to prevent delivery of any new messages or data through any means of communication.
HOW CAN DELETED FILES BE RECOVERED?
When a user deletes any data from a device, the data is not actually erased from the device and continues to exist
on it.
What actually gets deleted is the pointer to that data.
All file systems contain metadata, which maintains information about the hierarchy of files, filenames, and so on.
Deletion will not really erase the data but instead removes the file system metadata. Thus, when text messages or
any other files are deleted from a device, they are just made invisible to the user, but the files are still present on
the device as long as they are not overwritten by some other data.
Therefore, there is the possibility of recovering them before new data is added and occupies the space.
Deleting the pointer and marking the space as available is an extremely fast operation compared to actually
erasing all the data from the device. So, to increase performance, operating systems just delete the metadata.
DELETED DATA RECOVERY
Data present on an SD card can reveal lots of information that is useful during a forensic investigation. Usually,
pictures, videos, voice recordings, and application data are stored on the SD card.
Android devices often use FAT32 or exFAT file systems on their SD cards, as these file systems are widely supported
by most operating systems, including Windows, Linux, and macOS.
The maximum file size on a FAT32 formatted drive is around 4 GB. The exFAT file system has no such limitation.
Recovering the data deleted from an external SD is easy if it can be mounted as a drive. If the SD card is
removable, it can be mounted as a drive by connecting it to a computer using a card reader.
Any files can be transferred to the SD card while it's mounted. Some of the older devices that use USB mass
storage also mount the device to a drive when connected through a USB cable.
RECOVERING DELETED DATA FROM SD CARDS
In forensics, to make sure that the original evidence is not modified, a physical image of the disk is taken and all
the investigation is done on the image itself. SD cards are not an exception and have to be imaged.
Once the imaging is done, we have a raw image file that can be processed using any forensics utility capable of
dealing with raw images. Tools like FTK Imager are capable of showing the deleted files within the image (with some
indicator that the file was considered to be deleted by the OS).
Sometimes, only a fragment of the file is recoverable, which cannot be read or viewed directly. In that case, we
need to look through free or unallocated space for more data.
Carving can be used to recover files from free and unallocated space. PhotoRec is one of the tools that can help
you to do that (next slides).
RECOVERING DELETED RECORDS FROM SQLITE DATABASES
The easiest way to find deleted records is to use commercial mobile forensic tools, such as Belkasoft Evidence
Center, Cellebrite UFED Physical Analyzer, Oxygen Forensic Detective, and so on, but there are also some open
source tools capable of recovering data from unallocated space and free lists.
One open source tool is the SQLite Deleted Records Parser.
Link: https://github.com/mdegrazia/SQLite-Deleted-Records-Parser
There are three variants of the tool: a Python script, command-line version, and GUI version.
Using the tool is extremely easy, all you need is to choose the source database and the destination file, and click Process.
The result is a TSV file (if you've chosen Formatted Output) with recovered records, including their source (unallocated
space or free block), offset, and length.
Thus, depending on the tool you are using, you first need to obtain the database of interest, either through logical
acquisition methods or by extracting it from the raw image (depending on its location, root privileges may be needed).
If you use commercial tools, most of them will handle this for you when performing the acquisition.
You can also do it manually, by low-level analysis of the structure of an SQLite database.
Information about the structure of an SQLite database and how data is stored can be found in the official
documentation.
https://www.sqlite.org/docs.html
This method is more time-consuming and requires more skill and experience, but it can provide full recovery of
deleted rows from an SQLite database.
More info: Read article A_recovery_method_of_deleted_record_for_SQLite_database.pdf (in Moodle)
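As an added example (not the parser linked above, and not code from these slides), the following Python script walks the page layout described in the SQLite file format documentation and pulls out the bytes held in each b-tree page's freeblock chain and unallocated space, which is where deleted records survive. The SMS table, its rows and the temporary database are constructed for the demonstration.

```python
import os, sqlite3, struct, tempfile

def carve_sqlite_slack(path):
    """Return (page, source, file_offset, bytes) for every freeblock and unallocated area."""
    with open(path, "rb") as f:
        db = f.read()
    assert db[:16] == b"SQLite format 3\x00", "not an SQLite 3 database"
    page_size = struct.unpack(">H", db[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size     # 1 encodes a 65536-byte page
    frags = []
    for pno in range(1, len(db) // page_size + 1):
        base = (pno - 1) * page_size
        hdr = base + (100 if pno == 1 else 0)   # page 1 starts with the 100-byte file header
        flag = db[hdr]
        if flag not in (0x02, 0x05, 0x0A, 0x0D):   # not a b-tree page (freelist, overflow, ...)
            continue
        hdr_len = 8 if flag in (0x0A, 0x0D) else 12   # leaf vs interior page header size
        first_free, ncells, content = struct.unpack(">HHH", db[hdr + 1:hdr + 7])
        # unallocated space: gap between the cell pointer array and the cell content area
        lo, hi = hdr + hdr_len + 2 * ncells, base + (content or 65536)
        if hi > lo:
            frags.append((pno, "unallocated", lo, db[lo:hi]))
        # freeblocks: linked list of deleted cells; a 2-byte next pointer and 2-byte size
        # overwrite the first 4 bytes of each old cell, the rest of the record is intact
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= page_size:
            seen.add(off)
            nxt, size = struct.unpack(">HH", db[base + off:base + off + 4])
            if size < 4:
                break
            frags.append((pno, "freeblock", base + off + 4, db[base + off + 4:base + off + size]))
            off = nxt
    return frags

def demo(path=None):
    """Constructed sample: an SMS-style table with three rows, one of them deleted."""
    path = path or os.path.join(tempfile.mkdtemp(), "sms.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")   # builds with SQLITE_SECURE_DELETE zero the cell instead
    con.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, addr TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES(?,?,?)", [(1, "+15550001", "ok see you"),
                    (2, "+15550002", "deleted msg: meet at midnight"), (3, "+15550003", "fine")])
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")   # unlinks the cell; its bytes stay on the page
    con.commit()
    con.close()
    return carve_sqlite_slack(path)
```

Because the freeblock header overwrites the first four bytes of the deleted cell, the record's payload length, rowid and first serial types are lost while the column contents remain, which is why the recovered fragment still has to be decoded by hand or by a tool that understands the record format.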
RECOVERING DELETED DATA FROM INTERNAL MEMORY
Recovering files deleted from Android's internal memory, such as app data and so on, is not as easy as recovering
such data from SD cards and SQLite databases, but it's not impossible.
Many commercial forensic tools are capable of recovering deleted data from Android devices, provided, of course, that physical
acquisition is possible and the userdata partition isn't encrypted. But this situation is not very common for modern devices,
especially those running the most recent versions of the operating system, such as Oreo and Pie.
Most Android devices, especially modern smartphones and tablets, use the EXT4 file system to organize data in
their internal storage. This file system is very common for Linux-based devices.
So, if we want to recover deleted data from the device's internal storage, we need a tool capable of recovering
deleted files from the EXT4 file system. Extundelete is a tool that can do that.
http://extundelete.sourceforge.net/
Technically speaking, to recover the contents of an inode, extundelete searches a file system's journal for an old
copy of that inode. Information contained in the inode helps the tool to locate the file within the file system. To
recover not only the file's contents, but also its name, extundelete is able to search the deleted entries in a
directory to match the inode number of a file to a file name.
To use this tool, you will need a Linux workstation. Most forensic Linux distributions have it already (check for
instance SIFT Workstation, https://digital-forensics.sans.org/community/downloads).
It can be done following these steps:
Determine the location of the userdata partition within the image. To do this, we can use mmls from The Sleuth Kit.
Be sure the userdata partition is EXT4 formatted. You can use fsstat to do so.
Then mount the userdata partition and run extundelete using the following command:
extundelete /userdata/partition/mount/point --restore-all
All recovered files will be saved to a subdirectory of the current directory named RECOVERED_FILES.
Autopsy can also be used for recovering data from the internal memory. As an example, you can use the built-in
file extension filter to find all the images on the Android device; it will also find the deleted artifacts.
It's not always possible to recover deleted files using the file system journal. So this is where file carving helps.
RECOVERING DELETED DATA USING FILE CARVING
File carving is an extremely useful method in forensics because it allows for data that has been deleted or hidden
to be recovered for analysis.
File carving is the process of reassembling files from fragments in the absence of file system metadata.
In file carving, specified file types are searched for and extracted from the binary data of a forensic image
of a partition or an entire disk.
File carving recovers files from the unallocated space in a drive based merely on file structure and content,
without any matching file system metadata.
Unallocated space refers to the part of the drive that no longer holds any file information, as indicated by file system
structures such as file tables.
Files can be recovered or reconstructed by scanning the raw bytes of the disk and reassembling them.
It can be done by examining the header (the first few bytes) and footer (the last few bytes) of a file.
File-carving methods are categorized based on the underlying technique in use.
The header-footer carving method relies on recovering the files based on the header and footer information.
For instance, JPEG files start with the bytes 0xFFD8 and end with 0xFFD9. The locations of the header and footer are identified and
everything between those two endpoints is carved (extracted).
How to do it manually: https://resources.infosecinstitute.com/file-carving/
More info: Read article Forensic_Data_Carving.pdf (in Moodle)
The file structure carving method is based on the internal layout of a file to reconstruct the file.
But these traditional file carving techniques may not work if the data is fragmented. To overcome this, newer
techniques such as smart carving use the fragmentation characteristics of several popular file systems to recover
the data.
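Added example (not from the slides or the linked articles): a minimal header-footer carver in Python for JPEGs, using the 0xFFD8/0xFFD9 markers named above, run over a constructed raw image. It also shows the failure mode the text warns about: a header whose footer has been overwritten or fragmented away is skipped rather than carved.

```python
from dataclasses import dataclass

# Markers for the header-footer method: SOI 0xFFD8 (always followed by a 0xFF segment
# marker in a real file, so we match three bytes to cut false positives) and EOI 0xFFD9.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

@dataclass
class CarvedFile:
    offset: int   # byte offset of the header within the image
    data: bytes   # everything from the header through the footer, inclusive

def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Header-footer carving of JPEGs from raw bytes, with no file system metadata.

    For each SOI marker, take the first EOI marker that follows it and extract the span.
    A header with no footer within max_size (overwritten tail, fragmentation, or a
    false-positive header) is skipped; scanning resumes after the carved file so a
    thumbnail's nested SOI inside a file is not carved a second time.
    """
    carved, pos = [], 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1          # no footer in range: keep looking for later headers
            continue
        end += len(JPEG_FOOTER)
        carved.append(CarvedFile(start, image[start:end]))
        pos = end
    return carved

def build_sample_image() -> bytes:
    """Constructed sample image: two fake JPEGs in marker-free filler, plus an orphaned
    header near the end whose footer has been overwritten."""
    filler = bytes(i % 251 for i in range(600))   # never contains 0xFF, so no stray markers
    jpeg1 = JPEG_HEADER + b"\xe0" + b"A" * 300 + JPEG_FOOTER
    jpeg2 = JPEG_HEADER + b"\xe1" + b"B" * 1200 + JPEG_FOOTER
    orphan = JPEG_HEADER + b"\xe0" + b"C" * 50
    return filler + jpeg1 + filler + jpeg2 + filler + orphan + filler
```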
Apart from manually carving a raw image, which might be time-consuming, an Android image can be analyzed
using carving tools. These tools are specially designed to find deleted data and carve it.
PhotoRec is a powerful free utility to carve files. The tool analyzes the block storage, identifies the
deleted files, and recovers them.
Link: https://www.cgsecurity.org/wiki/TestDisk_Download
Scalpel (a Sleuth Kit tool) is another useful tool. It is file system-independent and is known to work on
various file systems including EXT4, exFAT, FAT32, and more.
THANK YOU
ALEJANDRO.GUERRA@TALTECH.EE