Cell phones are becoming an integral part of digital forensic examinations. However, forensically preserving them can sometimes present difficulties. This blog reveals some of the issues that can be encountered.
Some of the common questions Vestige gets asked in regards to cell phones are: What type of data can we acquire? Can we recover deleted data? The short answer to both of those questions is …it depends. The long answer is that multiple factors affect the type of data we can acquire from a device and whether we are able to acquire deleted data. So to narrow it down, we may ask the client the following questions:
- Who is the device manufacturer? (i.e. Samsung, Google, Apple)
- What model of phone is it?
- What operating system version is the phone running?
- If it is an Android, what is the security patch level?
- Is the phone currently rooted or jailbroken?
All of this information is important because it will tell us what extraction types are supported and what type of data we will be able to acquire with those extractions.
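The questions above map directly onto Android system properties, which is how an examiner documents the device state before choosing an extraction type. Below is an added Python example (not Vestige's tooling) that parses the output of `adb shell getprop` into those triage answers. The property names are real Android properties; the dump is a constructed sample, not output from a real device. Note that `adb shell` only works once USB debugging has been enabled on the device, which normally requires the device to be unlocked, and the rooted/unrooted question cannot be answered from build properties alone.

```python
import re

# Real Android system properties that answer the pre-acquisition questions.
TRIAGE_PROPERTIES = {
    "manufacturer": "ro.product.manufacturer",
    "model": "ro.product.model",
    "android_version": "ro.build.version.release",
    "sdk_level": "ro.build.version.sdk",
    "security_patch": "ro.build.version.security_patch",
}

# getprop prints one property per line as "[key]: [value]".
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(dump: str) -> dict:
    """Turn a getprop dump into a {key: value} dict, skipping malformed lines."""
    props = {}
    for line in dump.splitlines():
        match = GETPROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def triage(dump: str) -> dict:
    """Answer the triage questions; missing properties are reported as UNKNOWN."""
    props = parse_getprop(dump)
    return {name: props.get(key, "UNKNOWN") for name, key in TRIAGE_PROPERTIES.items()}


# Constructed sample dump (not captured from a real device).
SAMPLE_DUMP = """\
[ro.product.manufacturer]: [Google]
[ro.product.model]: [Pixel 6]
[ro.build.version.release]: [13]
[ro.build.version.sdk]: [33]
[ro.build.version.security_patch]: [2023-05-05]
[ro.debuggable]: [0]
this line is not a property and is ignored
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_DUMP).items():
        print(f"{name}: {value}")
```

The patch level string, together with the model and Android version, is what determines which extraction types are supported; record all three in the case notes before attempting any acquisition.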
Forensic data preservation on phones running the Android operating system can prove difficult because each device can be running a slightly modified version. Android is an open source operating system, and device manufacturers take this open source software and customize it to work best with their devices. For example, while both Google Pixel and Samsung Galaxy phones run Android, the operating system on each phone can be slightly different. As a result, the extraction types available for each phone depend not only on the physical hardware but also on the operating system version.
A full-file system or physical extraction allows us to extract the most data from a phone. On most newer phones this is not possible unless the device is rooted. Rooting refers to gaining administrative privileges to the phone’s file system, meaning we can access all the files on the device. The difficulty with rooting is that it is not supported on all devices; it normally depends on the operating system version and security patch installed, and it often requires the phone to be reset to gain the access needed. If resetting the phone is required, then rooting is not a viable option, as resetting the phone wipes all of the data currently on it. Therefore, we have to resort to different extraction options on these phones, options which do not provide us with as much data.
If we are unable to get a physical or full-file system extraction of an Android phone and have to rely on a partial file system or logical extraction, we can typically acquire call logs, contacts, text messages, pictures, and videos, but we may not be able to access third-party messaging applications such as WhatsApp or WeChat. Furthermore, internet history is not always collected. There are some other methods we can use to access this data that do not necessarily involve the cell phone itself.
Data preservation on iPhones is a little more straightforward. A majority of the data we are typically interested in, such as text messages, call logs, and contacts, is present when the device is backed up using Apple’s iTunes software. Unlike with Android devices, third-party messaging applications such as WhatsApp and WeChat will be present in the extraction.
There are, however, some artifacts that cannot be accessed unless we are able to gain administrative privileges to the file system on the phone through a process known as jailbreaking. Jailbreaking is comparable to rooting on an Android. Whether we are able to jailbreak the device comes down to the model of iPhone and the current iOS version. The iPhone 5s through iPhone X all have a hardware vulnerability that cannot be fixed, which makes jailbreaking more likely to be possible, but it still comes down to the iOS version installed on the phone.
Another method used to get data from an iPhone is accessing iCloud. By default, iPhones are set to back up to iCloud when they are locked, connected to WiFi, and charging. There are also some data types that you can set to sync to iCloud, such as call logs, messages, and pictures. With the iCloud credentials and assistance from the custodian to get through two-factor authentication, Vestige can acquire both the backup and the synced data from iCloud. The types of data that can be acquired via iCloud backups or synced data depend on the settings enabled on the phone. For example, if you have message sync turned on, then messages will not be included in an iCloud backup; you will have to download the messages through the synced data feature.
On an iPhone, acquiring deleted data has become more complicated in the last few years. iPhones store a lot of user data in SQLite databases. Prior to iOS 12, when you deleted an item such as a message, the record for that message in the database was marked as deleted. However, it was not immediately removed, so there was a chance you could recover those items. Starting in iOS 12, Apple changed the way deletion is handled: the data is deleted and removed from the database almost immediately after the user deletes it. There is still a small chance that deleted data can be recovered if the device can be jailbroken, allowing for a full-file system extraction and access to log files that may still contain the data.
For Androids, deleted data is typically something we are only able to access if we can do a full-file system or physical extraction. A partial file system or logical image only gives us access to data that is currently active on the device.
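Both of the preceding paragraphs come down to what SQLite does with the bytes of a deleted record, since messaging apps on both platforms store their data in SQLite. The added Python example below (not the page's own tooling) creates a small message table, deletes its one row, and then scans the raw database file rather than querying it. SQLite's `secure_delete` setting is used here only to model the two behaviours the post describes: with it off, the deleted text is still sitting in the page even though SQL no longer returns it; with it on, the freed bytes are zeroed. Either way, only an extraction that captures the database file itself (full-file system or physical) has any chance at those bytes; a logical extraction that exports rows through the database API sees only live records. The marker string and file path are constructed for the example, and real forensic tools additionally parse freeblocks, unallocated pages and the journal/WAL files, which this example does not attempt.

```python
import os
import sqlite3
import tempfile

# Constructed marker so the raw-file scan has something unambiguous to find.
MARKER = b"CONSTRUCTED-DELETED-MESSAGE-0001"


def build_and_delete(path: str, secure_delete: bool) -> None:
    """Create a one-row message table, then delete that row.

    secure_delete=False models the older behaviour: the record is unlinked
    from the B-tree but its bytes stay in the page until reused.
    secure_delete=True models the newer behaviour: freed bytes are zeroed.
    """
    conn = sqlite3.connect(path)
    # Rollback journal (not WAL) so committed pages land in the file we scan.
    conn.execute("PRAGMA journal_mode=DELETE")
    # Set explicitly: some SQLite builds compile with secure_delete on by default.
    conn.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, text TEXT)")
    conn.execute("INSERT INTO message(text) VALUES (?)", (MARKER.decode(),))
    conn.commit()
    # WHERE clause on purpose: a bare DELETE takes SQLite's truncate
    # optimisation instead of the ordinary per-row delete path.
    conn.execute("DELETE FROM message WHERE id = 1")
    conn.commit()
    conn.close()


def marker_in_raw_file(path: str) -> bool:
    """Look at the database file bytes directly, ignoring the SQL layer."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def query_sees_row(path: str) -> bool:
    """What a logical export through the database API would see."""
    conn = sqlite3.connect(path)
    count = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    conn.close()
    return count > 0


def demonstrate(secure_delete: bool) -> dict:
    """Run the scenario in a temporary directory and report both views."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")  # constructed path
        build_and_delete(path, secure_delete)
        return {
            "visible_to_sql": query_sees_row(path),
            "recoverable_from_raw_bytes": marker_in_raw_file(path),
        }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"secure_delete={mode}: {demonstrate(mode)}")
```

The "recoverable" case is also why timing matters: the stale bytes survive only until SQLite reuses that space for a new record, so the longer a device stays in use after a deletion, the more likely the page has been overwritten.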
In conclusion, there are difficulties that can occur with cell phone data preservation. The type of data we are able to access is highly dependent on the type of phone and the operating system running on it. However, the good news is that if you are interested in accessing deleted data from a phone, typically a full-file system or physical extraction can be performed on that phone. It is also important to remember that the sooner forensic data preservation is performed on the device after the deletion occurs, the better the chances for recovery.
For Expert Mobile Device Digital Forensics, CONTACT VESTIGE today.
By Alyssa Rhodes, BS, AS, DFCA
Senior Forensic Analyst
Vestige Digital Investigations