Recovering Mobile Data as Evidence: Answers to Common Questions from a Digital Forensics Expert

The popularity and wide use of mobile devices has grown and will continue to grow, making mobile data evidence increasingly common during litigation. Mobile data is complex. Knowing where data is stored, how to review and retrieve it, and whether it is recoverable often requires the expertise of a digital forensics expert.

Below are a few common questions our clients ask and insights you can use the next time you have mobile data that needs to be reviewed in conjunction with litigation.

What happens to deleted content?

Deleted data recovery is the most requested service related to mobile devices. Deleting data from computers and mobile devices is similar, but one of the key differences is the type of storage each device contains.

Data is deleted by the user or the device’s operating system. Most users know they can delete a variety of data such as text messages, calendar entries, pictures, videos, and much more. However, when users hit ‘delete’ on their devices, the data is not instantly gone, even though the data isn’t visible to the user. Data deleted by the user is flagged as being unneeded, and the data is eventually overwritten through several operating system processes.

Not all content deleted from a mobile device is a deliberate act by the user. Many applications and services keep logs, databases and other system files that are vital to their use. The data within these system files can be overwritten simply by using the application related to the system files.

Mobile devices constantly optimize functionality to maintain a seamless user experience. Devices use several processes to clean up disk space and overwrite data flagged for deletion. Once data has been overwritten, it cannot be recovered. All is not lost, however, as data often resides in more than one location, and there are typically two sides to each communication.  

Where is data stored and who owns it?

New applications in the Google Play Store and Apple App Store are created every day. As users set up accounts and use applications, they begin generating data. It is important to know what data an application collects and retains and for how long. Not all data generated from an application or service is necessarily stored on the device. Many applications feature cloud support, and the information is hosted at a remote location requiring an internet connection to retrieve information and use the service.

One reason data on mobile devices may not be extracted is that the data does not actually reside on the device. Social media applications are a great example. Some data related to social media applications is stored locally on mobile devices, but the entirety of Facebook or Instagram does not exist on any single device. With an internet connection, you can view this information in real time, but data not stored locally on the phone cannot be extracted by mobile device preservation. Fortunately, there are other methods of obtaining information from applications that host data in the cloud.

Security systems can also prevent data extraction. The two primary operating systems, iOS and Android, both have their own security measures, which can ultimately limit what data can be forensically extracted while factory-installed operating systems are in place.

What third parties may be holding records relevant to my case?

When tracking down vital information for your case, it is important to know where to look for potential evidence. When a phone or tablet does not contain all information needed, what other locations can be assessed?

Relevant data may be stored by a third party. Call records from service providers are always a great place to check for communication records. These records can often be used in conjunction with a phone extraction for records comparison.  You may see communications from a forensics preservation report that are not present on a call record subpoena request and vice versa. The most common example of this scenario is that iPhone users can communicate with other Apple devices over Wi-Fi through features like iMessage, rather than through a cellular provider’s network. Records from a cellular provider will not contain communications that took place over Apple’s network.
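The records comparison described above, sketched as an added example (not LOGICFORCE's tooling or any forensic product's output): it pairs device-extraction records with carrier records and lists what appears on only one side. The field names, the 30-second tolerance and the sample records are assumptions constructed for illustration, and both sources are assumed to be normalized to the same time zone.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from any real case. Field names are assumptions.
DEVICE_RECORDS = [
    {"time": "2023-04-01T09:15:02", "peer": "+15550100", "direction": "out", "service": "SMS"},
    {"time": "2023-04-01T09:20:40", "peer": "+15550100", "direction": "in", "service": "iMessage"},
    {"time": "2023-04-01T11:05:10", "peer": "+15550123", "direction": "out", "service": "SMS"},
]
CARRIER_RECORDS = [
    {"time": "2023-04-01T09:15:05", "peer": "+15550100", "direction": "out"},
    {"time": "2023-04-01T10:02:30", "peer": "+15550199", "direction": "in"},
    {"time": "2023-04-01T11:05:12", "peer": "+15550123", "direction": "out"},
]


def reconcile(device, carrier, tolerance_s=30):
    """Pair records on peer, direction and timestamps within tolerance_s seconds.

    Returns (matched, device_only, carrier_only). Each carrier record is
    consumed by at most one device record (first match wins).
    """
    tol = timedelta(seconds=tolerance_s)
    unmatched_carrier = list(carrier)
    matched, device_only = [], []
    for d in device:
        d_time = datetime.fromisoformat(d["time"])
        hit = next(
            (c for c in unmatched_carrier
             if c["peer"] == d["peer"]
             and c["direction"] == d["direction"]
             and abs(datetime.fromisoformat(c["time"]) - d_time) <= tol),
            None,
        )
        if hit is None:
            device_only.append(d)   # e.g. traffic that never crossed the carrier
        else:
            unmatched_carrier.remove(hit)
            matched.append((d, hit))
    return matched, device_only, unmatched_carrier


if __name__ == "__main__":
    matched, device_only, carrier_only = reconcile(DEVICE_RECORDS, CARRIER_RECORDS)
    print(f"{len(matched)} matched")
    for r in device_only:
        print("device only :", r["time"], r["peer"], r["service"])
    for r in carrier_only:
        print("carrier only:", r["time"], r["peer"])
```

In the constructed sample, the iMessage entry shows up only on the device side, and the carrier-only entry is the kind of record that may have been deleted or overwritten on the phone.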

Many communication applications operate over Wi-Fi, through the provider’s servers. Whether these records can be pulled from the device depends on where the records reside – locally on the phone, or in the cloud – and whether the forensics software is able to pull those records based on the device’s security. The final hurdle is requesting the records. Knowing what to ask and how to ask for data can be the difference that will solve your case and should involve an experienced digital forensics expert.

Who can help me recover critical data for my case?

LOGICFORCE specializes in carefully examining digital assets for relevant data as evidence. Our team of investigators understands both technology and the legal process and will find and preserve data in a defensible manner. For more information on how a digital forensics expert can uncover data pertinent to your case, or to learn about LOGICFORCE’s comprehensive digital forensics offering, contact us.

Donnie Tennant is an expert on LOGICFORCE’s Digital Forensics Team. Donnie has been practicing digital forensics since 2016, with an emphasis on mobile devices and cloud forensics through specialized training from industry leaders in the mobile forensics community.
