Data recovery
Data recovery is one of the most significant and powerful aspects of forensic analysis. The
ability to recover deleted data can be crucial to cracking many civil and criminal cases. From a
normal user's point of view, recovering data that has been deleted would usually refer to the
operating system's built-in solutions such as the Recycle Bin in Windows. While it's true
that data can be recovered from these locations, due to an increase in user awareness, these
options don't often work. For instance, on a desktop computer, people now use Shift + Delete
as a way to delete a file completely from their desktop.
Data recovery is the process of retrieving deleted data from a device when it cannot be
accessed normally. Consider the scenario where a mobile phone has been seized from a
terrorist. Wouldn't it be of the greatest importance to know which items were deleted by the
terrorist? Access to any deleted SMS messages, pictures, dialed numbers, application data,
and more can be of critical importance as they often reveal sensitive information. With
Android, it is possible to recover most of the deleted data if the device files are properly
acquired. However, if proper care is not taken while handling the device, the deleted data
could be lost forever. To ensure that the deleted data is not overwritten, it is recommended
to keep the following points in mind:
• Do not use the phone for any activity after seizing it. The deleted data exists on the
device until the space is needed by some other incoming data. Hence, the phone
must not be used for any sort of activity so as to prevent the data from being
overwritten.
• Even when the phone is not used, without any intervention from our end, data can
be overwritten. For instance, an incoming SMS would automatically occupy the
space, which could overwrite the data marked for deletion. To prevent the occurrence
of such events, the examiner should follow the forensic handling methods
described in the previous chapters. The easiest solution is to place the device in
airplane mode, disable all connectivity options on the device, or turn the device off.
This prevents the delivery of any new messages.