Deleted data is random at best when working with mobile data. Data is stored in memory blocks (ROM & RAM), which is nothing more than flash memory. These memory blocks may contain some available space (meaning not completely full). If deleted data resides within the block and new data comes into the device and is placed in that “free” space, the deleted data that occupied the space can be overwritten in as quickly as four milliseconds. In addition, the operating system will start deleting the “deleted data” after 30 days, which adds to the challenges presented in recovering deleted data.

We as end users cannot access a mobile device’s memory to calculate the size of memory for deleted data, unlike hard drive data where you have unallocated block space (end users can make this larger or smaller). This unallocated data (on a hard drive) is written at the beginning of this space and goes all the way to the end of the space, then comes back the beginning of the unallocated block space to start rewriting data, making the possibility of data collection greater on a hard drive versus a mobile device. Regarding mobile phone extractions, this is why we see some devices with a large amount of deleted data and some devices with very little, or no, deleted data.

When a software tool finds fragments of a deleted file, it will attempt to reconstruct the data as close to its original form as possible. This is the same in both hard drive and mobile device forensics. It is also the main reason an examiner will often find recovered data, such as text messages, with partial message content and incorrect dates.

Challenges in Recovering Deleted Data on Mobile Devices
Tagged on: