What data could we expect to recover from old devices?
Mobile devices hold a huge amount of personal data - most mobile phone users have their device on their person for the entirety of their waking day. Not only are devices capable of sending and receiving SMS messages and phone calls, they have evolved to be an integral part of modern life. Some people track health statistics, monitor sleep, use their devices’ GPS function to find locations, as well as interact with a multitude of communication applications such as email, chat apps and social media. Mobile devices are also used for internet browsing, online shopping, contactless payments and streaming media.
Below I list some of the data types that, in my experience, are most commonly recovered during a mobile forensic examination:
- Bank details
- Health data
- Web browsing history + cookies
- User accounts and IDs
- Wi-Fi hotspots and passwords
- Passwords
- Emails
- SMS messages
- Call logs
- Chat messages
- Geolocation information
- Social media posts and activity
- Personal details (such as home address, full name, height, weight, date of birth etc.)
- Pictures of personal documents (bills, driver's licence, passport etc.)
- File attachments (from emails, chats, MMS messages)
What most users don’t realise is just how much of this data is retained on the device and is potentially recoverable. Commercially available forensic tools can bypass device PIN codes and recover deleted or residual data. It is important to remember that just because data is inaccessible to you does not mean it is inaccessible to a third party.
If SMS messages aren’t backed up and restored, then only messages sent or received post-wipe will be present on a device. Chat platforms such as Facebook Messenger, Snapchat (saved messages only), Twitter (direct messages) and Instagram (direct messages) behave differently: once the application is installed and chat threads are opened again, it downloads chat contents from online storage and caches them locally so that messages remain readable if the user's network connection drops.
Many messaging services such as WhatsApp, Telegram and Signal boast end-to-end encryption, but that only protects messages while they are in transit between devices. Once a message has been delivered it is decrypted and stored locally so the app can display it, so end-to-end encryption offers no protection if the device is obtained by a third party who knows the PIN or has the means to remove it.
It’s very easy to forget just how much information your mobile device retains about you, and it doesn’t do so for malicious reasons. Emails, chat attachments and GPS location information are all stored locally on the device to enrich the user experience and for ease of use. If your phone knows where you live, navigation applications can quickly find your way home. Retaining images you’ve sent or received makes it possible to review chat contents when there is no signal or a chat service has temporary downtime. The information stored on your device isn’t necessarily there for ‘snooping’ purposes, but in the hands of a bad actor it is a treasure trove.
Because newer versions of Android enforce encryption, deleted items tend to be unrecoverable, with one important exception. On file systems that use file-based encryption (as recent versions of Android and iOS do), each file is encrypted under its own key, and when a file is deleted that key is lost with it. Traditional forensic recovery techniques that carve unallocated space would therefore turn up only encrypted nonsense. Databases are different: the entire database is a single file that remains live, so its key is not destroyed when individual records are removed. A mobile app's database is almost always SQLite, and by default SQLite does not overwrite a deleted row; it simply marks the space as free and leaves the old bytes in place until the page is reused, the database is vacuumed, or the app has enabled the secure_delete option. Depending on how the database was set up, and in some cases with a little luck, deleted content therefore drifts in the ether of the file's free space and can be recovered and analysed.
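To show what that looks like in practice, here is an added example (mine, not code from the original post or from any forensic tool). It builds a small SQLite ‘chat’ database from constructed sample rows, deletes one row the way an app would, and then scans the raw file bytes for the deleted text, which is what a carving tool does with a database's free blocks and freelist pages. It runs the comparison twice, once with SQLite's upstream default of secure_delete off and once with it on, and again after VACUUM. The table name, column names and message bodies are invented; the only assumptions are Python's built-in sqlite3 module and a database that uses a rollback journal rather than WAL.

```python
"""Deleted SQLite rows survive in the file's free space until the page is
reused, the file is VACUUMed, or secure_delete is on. Added example, not
code from the original post; sample rows below are constructed."""
import os
import sqlite3
import tempfile

# Constructed sample chat rows (hypothetical, not real data).
MESSAGES = [
    "meet me at the station at 9",
    "my passport number is X12345678",   # this row gets deleted
    "did you get the invoice?",
]
SECRET = MESSAGES[1].encode()


def build_db(path, secure_delete):
    """Create a small chat database, then delete one row as an app would."""
    con = sqlite3.connect(path)
    # Upstream SQLite defaults secure_delete to OFF, but some distributions
    # build it ON, so set it explicitly for a deterministic comparison.
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("PRAGMA journal_mode = DELETE")  # rollback journal, removed on commit
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)",
                    [(m,) for m in MESSAGES])
    con.commit()
    con.execute("DELETE FROM messages WHERE body = ?", (MESSAGES[1],))
    con.commit()
    con.close()


def live_rows(path):
    """What the application (and the user) can still see through SQL."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows


def carve(path, needle):
    """Raw-byte scan of the database file, ignoring SQLite's view of which
    rows are live: this is what a forensic tool does with free blocks and
    freelist pages. Returns (page_number, offset_in_page) for every hit.
    The page size is the 2-byte big-endian field at file offset 16
    (a value of 1 means 65536)."""
    with open(path, "rb") as f:
        data = f.read()
    ps = int.from_bytes(data[16:18], "big")
    page_size = 65536 if ps == 1 else ps
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append((pos // page_size + 1, pos % page_size))
        pos = data.find(needle, pos + 1)
    return hits


def vacuum(path):
    """Rebuild the file with only live content, dropping free-space residue."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def demo():
    """Compare the default database with one using secure_delete, before and
    after VACUUM. Returns a dict the caller (or a test) can inspect."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, sd in (("default", False), ("secure_delete", True)):
            path = os.path.join(tmp, label + ".db")
            build_db(path, sd)
            results[label] = {
                "live": live_rows(path),
                "hits_after_delete": carve(path, SECRET),
            }
            vacuum(path)
            results[label]["hits_after_vacuum"] = carve(path, SECRET)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Run it and the default case reports one hit in page 2 after the delete (the row is gone from the SELECT, but its text is intact in the page's free block) and none after VACUUM, while the secure_delete case reports none either way. On a real device the app, not the examiner, decides these settings, which is why ‘deleted’ chat messages so often come back.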
When you think about which data types are stored in databases (web history, cookies, chat messages), a large amount of personal data is still at risk of recovery even though it is no longer accessible to the end user. Another example is residual data: data left behind on the device that the user does not necessarily know exists. For example, thumbnail files can often be recovered after the original images have been deleted.
Thumbnails are smaller ‘cached’ versions of images, usually used by an operating system to store previews of source images without having to render the full-size image. This may seem like a waste of resources, but when you think of photo galleries where every image stored on a device can be flicked through in seconds, rendering the full-sized images would be extremely resource intensive, especially on a mobile device where resources may not be in abundance.
Some thumbnails can still be quite large and contain legible details of pictured documents. Identification cards, passport numbers, addresses and credit card details could all theoretically still be lingering on a device without the user knowing. You would be wrong in assuming that once you hit the ‘delete’ button, a file and its associated details could not be recovered. This can be exploited by both the good guys and the bad guys, and at Secure Impact we offer a range of digital forensics services to protect your data from malicious actors.
You wouldn’t knowingly hand over such data to a random entity. To illustrate, consider selling a filing cabinet. If you were going to sell a filing cabinet online, or send it to a recycling facility, you would make sure that any important or potentially embarrassing contents were removed. A mobile device is a filing cabinet stuffed with printouts of every message attachment, web history entry, personal document, piece of family information and saved password.
Later in this blog I’ll explain methods to securely delete your personal data, but first I’ll demonstrate just how much data I was able to extract from two old devices during my test investigation.