Android Data Recovery Techniques - Practical Mobile Forensics

Information Technology Reference

In-Depth Information

Recovering the deleted files

All Android file systems have metadata containing information about the hierarchy of files,

filenames, and so on. Deletion will not really erase the data but remove the file system

metadata. When text messages or any other files are deleted from the device, they are just

made invisible to the user but the files are still present on the device. Essentially, the files

are simply marked for deletion, but reside on the file system until being overwritten. Re-

covering deleted data from an Android device involves two scenarios: recovering data that

is deleted from the SD card, such as pictures, videos, application data, and more, and re-

covering data that is deleted from the internal memory of the device. The following sec-

tions cover the techniques that can be used to recover deleted data from both the SD card

and internal memory of the Android device.

Recovering deleted data from an SD card

Data present on SD cards can reveal a lot of information for forensic investigators. SD

cards are capable of storing pictures and videos taken by the phone's camera, voice record-

ings, application data, cached files, and more. Essentially, anything that can be stored on a

computer hard drive can be stored on an SD card as much as the available space allows.

Recovering the deleted data from an external SD card is a straightforward process. SD

cards can be mounted as an external mass storage device and forensically acquired using

standard digital forensic methods as discussed in Chapter 9 , Android Data Extraction Tech-

niques . The device should never be mounted on a computer to copy the files as the unalloc-

ated space will be missed. As mentioned in the previous chapters, SD cards in Android

devices often use the FAT32 file system. The main reason for this is that the FAT32 file

system is widely supported in most operating systems including Windows, Linux, and Mac

OS X. The maximum file size on a FAT32 formatted drive is around 4 GB. With increas-

ingly high resolution formats now available, this limit is commonly reached. Apart from

this, FAT32 can be used on partitions that are less than 32 GB in size. Hence, the exFAT

file system, which overcomes these problems, is now being used in some of the devices.

To recover the deleted files from an SD card, you can use any of the available forensic

tools such as the Remo Recover for Android tool. The following is a step-by-step process

to recover the deleted files from an SD card using Remo Recovery for Android:

1. Download the software from http://www.remosoftware.com/remo-recover-for-an-

droid . Next, install the software and launch it. From the main screen, select the ap-

propriate file recovery mode. The tool tries to recognize the Android device and

displays the following screen, once the device is successfully detected. Note, the

Search WWH ::

Custom Search

Home