May 26, 2022
The importance of safely wiping data from broken devices (and how to do it!)
Digital forensics expert, Joe Clarke, investigates just how much data can be extracted from mobile devices that you think have been wiped.  

This blog has been written by digital forensics expert, Joe Clarke, who investigated just how much data can be extracted from mobile devices that you think have been wiped. This blog is part of our series in the run up to Infosecurity Europe, where we’ll be uncovering how commonly misunderstood cyber security technical practices really work. At the conference, you can find our team running practical demos on our stand looking at how several malicious processes work in practice, and SI founder James Lyne will be on the keynote stage discussing ‘how hacking really works’.  

With everyone facing the effect of the increased cost of living, more people are looking to make some extra cash. One way to do this is by trading in unused tech through recycling schemes or selling them through online marketplaces. Even if an older device is broken it can still fetch a pretty penny when sold as spares or repairs. It could also be that your business is upgrading employee devices and wants to recycle the current older versions. One overlooked aspect of this practice is the data still contained on the devices when they are sold or donated.  

In this blog I’ll be demonstrating just how much data is contained on older devices and shining a light on the fact that, just because a device may not function well enough for day-to-day use, the data contained within may be easily recoverable with commercially available tools. This puts your personal data, and confidential company data on a work device, at risk of being easily recovered by malicious actors. We’ll also cover how to safely wipe data and how we can work with you to do this.  

To properly address this topic, I will start by explaining why it is important to wipe data from devices, even in the event they are broken.  

People can claim a device is ‘broken’ for several reasons. It could be due to very short battery life, where the device works fine whilst connected to a power source, but fails immediately when left powered only by its own battery. Another reason could be that the device’s display is cracked or damaged, or not working at all. The device may fail to power on entirely, or it may be so slow that it has become unusable. All the examples above have one thing in common: the device still functions to an extent, and in some even more severe cases where the device is partially destroyed, data can still be recovered.  

To test just what data may be lying dormant on old devices I selected two older and partially functioning mobile devices which were stored in old boxes amongst my belongings and subjected them to data extraction and PIN recovery methods using commercially available forensics tools.

What data could we expect to recover from old devices?

Mobile devices hold a huge amount of personal data - most mobile phone users have their device on their person for the entirety of their waking day. Not only are devices capable of sending and receiving SMS messages and phone calls, they have evolved to be an integral part of modern life. Some people track health statistics, monitor sleep, use their device’s GPS function to find locations, and interact with a multitude of communication applications such as email, chat apps and social media. Mobile devices are also used for internet browsing, online shopping, contactless payments and streaming media.

I will list below (in my experience) some of the most prevalent data types recovered during mobile forensic examination.

  • Bank details  
  • Health data  
  • Web browsing history + cookies  
  • User accounts and IDs  
  • Wi-Fi hotspots and passwords  
  • Passwords  
  • Emails  
  • SMS messages
  • Call logs  
  • Chat messages  
  • Geolocation information  
  • Social media posts and activity  
  • Personal details (such as health data, home address, full name, height, weight, DOB etc.)  
  • Pictures of personal documents (bills, drivers license, passport etc.)  
  • File attachments (from emails, chats, MMS messages)  

What most users don’t realise is just how much of this data is retained on the device and is potentially recoverable. Commercially available tools exist that can bypass device PIN codes and recover deleted or residual data. It is important to remember that just because data is inaccessible to you, does not mean it is inaccessible to a third party.

If SMS messages aren’t backed up and restored, then only messages sent or received post-wipe will be present on a device. However, for chat platforms such as Facebook Messenger, Snapchat (saved messages only), Twitter (direct messages) and Instagram (direct messages), once the application is installed and chat threads are opened again, the applications will start to download chat contents from online storage and cache them locally, so messages remain readable in the event the user’s network connection drops.  

Many online messaging services such as WhatsApp, Telegram and Signal boast end-to-end encryption capabilities, but this only offers security during the transmission of the messages; it offers no protection to the end user if their device is obtained by a third party who knows the PIN or has the ability to remove it.  

It’s very easy to forget just how much information your mobile device retains about you, and it doesn’t do so for malicious reasons. Emails, chat attachments and GPS location information are all stored locally on the device to enrich the user experience and for ease of use. If your phone knows where you live, it makes it easier to use navigation applications to quickly find your way home. Retaining images you’ve sent or received online makes it possible to review chat contents when there is no signal or a chat service has temporary downtime. The information stored on your device isn’t necessarily there for ‘snooping’ purposes, but in the hands of a bad actor it is a treasure trove.  

Due to enforced encryption on newer versions of Android, deleted items tend to be unrecoverable (to an extent). If data is stored in a local database on a device, then depending on how the database was set up, and in some cases with a little luck, previously existing database entries can be recovered. On file systems that employ file-based encryption (like recent versions of Android and iOS), when a file is deleted its associated encryption key is also lost. This means that if traditional forensic data recovery techniques were employed, only encrypted nonsense would be recovered. In the case of databases, the entire database is a single file, so removing a record from the database does not destroy the file’s encryption key. This means that in some cases, databases will still contain deleted content drifting in the ether which can be recovered and analysed.  

When you think about which data types are stored in databases (web history, cookies, chat messages) this still means a large amount of personal data is at risk of recovery, even if this data is not accessible to the end user. Another example is residual data: data which gets left behind on the device that the user does not necessarily know exists on the device. For example, thumbnail files can be recovered once images have been deleted.  
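To make the database point above concrete, here is an added example (not code from the original post) that creates a small SQLite message table of the kind chat apps keep, deletes a row the normal way, and then scans the raw file bytes the way a carving tool would; it also shows the two settings that actually remove the deleted text, PRAGMA secure_delete and VACUUM. The table layout and the marker string are constructed for this demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample: a distinctive message body we will delete and then hunt for
# in the raw database file. It is made-up test data, not a real message.
MARKER = "CONSTRUCTED-DELETED-MESSAGE-4f2c9e1b"


def build_and_delete(path: str, secure_delete: bool, vacuum: bool) -> None:
    """Create a chat-style SQLite database, insert one message, then delete it.

    secure_delete: set PRAGMA secure_delete=ON so SQLite overwrites freed cell
                   bytes with zeros instead of leaving them in page slack.
    vacuum:        run VACUUM after the delete so the file is rebuilt from live
                   rows only (drops freed pages and in-page leftovers).
    """
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
    )
    conn.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", ("alice", MARKER))
    conn.commit()
    # The app-level delete: from here on no SELECT will ever return the row.
    conn.execute("DELETE FROM messages WHERE sender = ?", ("alice",))
    conn.commit()
    if vacuum:
        conn.execute("VACUUM")
    conn.close()


def residue_present(path: str) -> bool:
    """Ignore the schema entirely and just look for the text in the file bytes.

    Only the main database file is inspected; rollback journals, WAL files and
    filesystem slack are outside the scope of this example.
    """
    with open(path, "rb") as f:
        return MARKER.encode() in f.read()


def deleted_row_recoverable(secure_delete: bool = False, vacuum: bool = False) -> bool:
    """Return True if the deleted message can still be found in the raw file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_and_delete(path, secure_delete, vacuum)
        return residue_present(path)


if __name__ == "__main__":
    print("plain DELETE, text still in file:", deleted_row_recoverable())
    print("secure_delete=ON, text still in file:", deleted_row_recoverable(secure_delete=True))
    print("VACUUM after DELETE, text still in file:", deleted_row_recoverable(vacuum=True))
```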

Thumbnails are smaller ‘cached’ versions of images, usually used by an operating system to store previews of source images without having to render the full-size image. This may seem like a waste of resources, but when you think of photo galleries where every image stored on a device can be flicked through in seconds, rendering the full-sized images would be extremely resource intensive, especially on a mobile device where resources may not be in abundance.  

Some thumbnails can still be quite large and contain legible details of pictured documents. Identification cards, passport numbers, addresses and credit card details could all theoretically still be lingering on a device without the user knowing. You would be wrong in assuming that once you hit the ‘delete’ button, a file and its associated details could not be recovered. This can be exploited by both the good guys and the bad guys, and at Secure Impact we offer a range of digital forensics services to protect your data from malicious actors.  

You wouldn’t knowingly hand over such data to a random entity. To illustrate, we could draw a parallel with selling a filing cabinet. If you were going to sell a filing cabinet online, or send it to a recycling facility, you would make sure that any important or potentially embarrassing contents were removed. Mobile devices can be compared to filing cabinets holding printouts of every message attachment, web history visit, personal document, piece of family information and saved password.

Later in this blog I’ll explain methods to securely delete your personal data, but first I’ll demonstrate just how much data I was able to extract from two old devices during my test investigation.

So, what was recovered from the mobile devices?

A lot more than you’d expect…  

The devices I subjected to extraction were:  

  • An iPhone 4 (Model A1332) [PIN Unknown]
  • A OnePlus 3 (Model A3003) [PIN Unknown]

Due to the improvements in forensic software capabilities, I elected to attempt data extraction from the older device (iPhone 4) first, as I could not remember the PIN code for either device, and I assumed that the same PIN would have been used for both devices. Commercially available forensic tools are capable of cracking older iDevice PIN codes, so I attempted this first and the PIN was recovered in a matter of minutes.  

The following data types were recovered from the iPhone:  

  • Chat messages  
  • SMS messages  
  • Call logs  
  • PIN code  
  • Email address and personal user account passwords (in plaintext)  
  • Delivery confirmation emails containing home address  
  • Family contact details and addresses  
  • Web history  
  • Calendar entries for birthdays and appointments  

Upon reviewing the data recovered from the iPhone, I saw that in the past I must have wiped the phone and subsequently reinstalled some messaging apps as there was little in terms of SMS content, but a large number of chat application messages were recovered.  

In terms of the message content stored on the iPhone, only 32 SMS message threads were recovered, with a grand total of 151 SMS messages. However, in terms of chat messages, over 100 threads were recovered with a grand total of over 2000 messages.

Once the PIN was recovered from the iPhone, I attempted the same PIN on the OnePlus 3 device and, just as expected, it was a match. The phone was unlocked, security features were disabled, and a full physical extraction of the device was completed.  

The following data types were recovered from the OnePlus 3:  

  • Chat messages  
  • SMS messages (including deleted messages)  
  • Call logs  
  • Email address and numerous personal user account passwords (in plaintext)  
  • Delivery confirmation emails containing home address  
  • Family contact details and addresses  
  • Web history (around 30,000 entries)  
  • Calendar entries for birthdays and appointments  
  • Pictures of sensitive documents (including personal ID cards, bank cards and bank statements)
  • Personal photos with associated metadata (containing GPS locations for places like work and home)  

There was an abundance of data recovered from the OnePlus 3 device which I’d even forgotten existed. There were photographed copies of personal identification documents which were found as email attachments, plaintext passwords for services and accounts I still use today, and a plethora of chat logs from numerous online messaging platforms. Over 500 SMS messages were recovered from 85 threads, and over 45,000 chat messages were recovered from online messaging platforms such as Facebook Messenger, Instagram, LinkedIn, Snapchat, WhatsApp and Telegram.  

Please do not misinterpret this as an attack on the aforementioned chat platforms’ security standards or capabilities. This is what you’d expect to see from a forensic extraction of a smartphone with a known PIN. The information recovered would be no different to handing your unlocked mobile in airplane mode to someone and allowing them to flick through the contents of your device. The mobile forensic software just allows you to review the information recovered in an easy-to-view manner with filters, search tools and hash categorisations. The extraction capabilities also mean that sometimes information can be recovered from devices even where the phone seems completely broken.  

No one would willingly hand over this information to an unknown third party, so let’s explain the ways in which we can remove your data from devices.

How can we securely remove data from old devices?

This all depends on the state of the device. Can you access the screen? Do the buttons all still work? Does the device turn on at all? Is it slow and unresponsive but still able to be connected to a PC?  

Apple Devices  

iTunes/Finder Recovery Mode Method  

If the device can enter recovery or DFU mode, then the iPhone can be erased using the iTunes application (or Finder on recent versions of macOS). Recovery mode button combinations vary from iPhone to iPhone, and a quick Google search will reveal which button combination you will have to use to get your device into recovery mode.  

iCloud Remote Wipe Method  

If your iDevice is still connected to your iCloud/Find My iPhone account, and can still boot but has a broken screen, you can insert a SIM card into the device or place it within range of a previously trusted Wi-Fi access point. Once a connection is made, and the device is located using the iCloud Find My iPhone application, a remote wipe signal can be sent. If the device is to be resold, whoever repairs it will need you to remove the iCloud account from the device once it is repaired, or it must be sold with the caveat that it is iCloud locked. For some older devices this can be bypassed, so it would not put off all potential buyers.  

Android Devices

Android Settings Method  

If the device is functional to the point that you can navigate to the settings menu and browse to your device’s factory reset screen, then this would be sufficient. In cases such as this you would also need to remove the Google account associated with the device in order to ensure that Factory Reset Protection (FRP) is no longer enabled. FRP is a function found in Android phones similar to the iCloud lock on iPhones. If a phone is stolen it cannot simply be reset so that the thief can start using the device as their own: it needs to be connected to a network and the owner’s Google account credentials, including the password, must be entered.

Android adb Method  

If the Android device is bootable and adb is enabled in settings, it may be possible to connect the mobile phone to a computer which has already been trusted for adb. If this is not the case, then this method will not work, unless the display still has touch function and you manage to blindly hit the ‘trust’ button. Once (and if) an adb connection is established there are a couple of ways you can wipe the device, such as issuing a wipe data command via shell.  

Once an adb connection is made, issuing the following commands will wipe the device:

  • adb shell  
  • recovery --wipe_data  

You can attempt to wipe data without the underscore if this command fails.  

Android Recovery Mode Method  

If the device’s volume, home and power buttons are all still functioning you should be able to enter recovery mode. Most recovery mode screens contain a wipe data function, however these vary greatly from device to device. Most devices use a combination of holding down the volume down or volume up button together with the power button as the phone boots. Once in recovery mode a simple menu should appear. Navigation is usually done using the device’s volume buttons, and once the desired option is highlighted, pressing the power button confirms your choice. Find the factory reset option and confirm.  

Android Fastboot Method

On most Android devices you should have access to fastboot mode. If the button combination to enter recovery mode is volume down and power, then fastboot should be volume up and power, or vice versa. Due to the many configurations of Android devices on the market, a quick Google search for the device model and fastboot mode should reveal the button combination for your device.  

Once in fastboot mode send the command:  

  • fastboot -w

or  

  • fastboot erase userdata
  • fastboot erase cache  

This instructs the device to erase the cache and userdata partitions. I have provided two options as sometimes the smartphone manufacturer does not permit one form or the other of these commands.

In the event neither of these commands work you can issue the command:

  • fastboot oem unlock  

or  

  • fastboot flashing unlock  

Unlocking the bootloader will allow you to issue the previous commands, but there’s not much reason to do so other than to wipe the cache, as unlocking the bootloader tends to wipe the device’s user data.  
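The fastboot fallback order described above, as an added helper script that is not from the original post: it checks that a device is actually in fastboot mode, tries fastboot -w, falls back to erasing the userdata and cache partitions, and reports when the bootloader refuses both so you know an unlock step would be needed. The ‘SERIAL<tab>fastboot’ line format of fastboot devices and the scripted runner used for dry runs are assumptions made for this example.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# A runner takes an argv list and returns (exit_code, combined_output), so the
# same logic can drive a real fastboot binary or a scripted dry run.
Runner = Callable[[List[str]], Tuple[int, str]]


def real_runner(argv: List[str]) -> Tuple[int, str]:
    """Run a command on the host; the fastboot binary must be on PATH."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=600)
    return proc.returncode, proc.stdout + proc.stderr


def scripted_runner(responses: Dict[str, Tuple[int, str]]) -> Runner:
    """Dry-run helper: answer each command from a table, refusing anything else.

    Unknown commands get a non-zero exit, like a locked bootloader refusing
    an erase. The 'FAILED (remote: ...)' text is a constructed stand-in.
    """
    def run(argv: List[str]) -> Tuple[int, str]:
        return responses.get(" ".join(argv), (1, "FAILED (remote: not allowed)"))
    return run


def device_in_fastboot(run: Runner) -> bool:
    """Assumed output format: one 'SERIAL<tab>fastboot' line per attached device."""
    code, out = run(["fastboot", "devices"])
    if code != 0:
        return False
    return any(line.split("\t")[-1].strip() == "fastboot"
               for line in out.splitlines() if line.strip())


def wipe_via_fastboot(run: Runner = real_runner) -> str:
    """Try the wipe commands in order and report which one took effect.

    Returns 'no-device', 'wiped:-w', 'wiped:erase' or 'locked'. 'locked' means
    both forms were refused; unlocking the bootloader (fastboot flashing unlock
    or fastboot oem unlock) is a separate, deliberate step that itself wipes
    userdata, so this helper never issues it.
    """
    if not device_in_fastboot(run):
        return "no-device"
    # Preferred: -w erases and reformats userdata and cache in one step.
    code, _ = run(["fastboot", "-w"])
    if code == 0:
        return "wiped:-w"
    # Fallback: erase the two partitions explicitly. userdata is what holds the
    # personal data, so its result decides the outcome; cache is best effort.
    userdata_code, _ = run(["fastboot", "erase", "userdata"])
    run(["fastboot", "erase", "cache"])
    return "wiped:erase" if userdata_code == 0 else "locked"


if __name__ == "__main__":
    print(wipe_via_fastboot())  # against a real attached device
```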

Physical Destruction  

If none of the above methods are accessible or achievable, there is always the possibility of destroying the device. If this route is taken, the user should take care that it is done correctly; it is not sufficient to just smash the phone with a hammer. This is also dangerous, as these devices contain high-capacity LiPo batteries that, if pierced or crushed, can explode or ignite violently, causing harmful fumes and potentially burns. I would advise deconstructing the device, searching online for the location of the eMMC or storage chip on that model, and chiselling off or removing the chip. A less destructive disassembly of the device is also beneficial to people planning on reclaiming some value from the device, as you may still be able to sell components such as the camera, battery and screen once the memory chip has been removed.

What personal data remains on the device following these secure removal steps?  

Almost nothing.  

The OnePlus device was wiped via the recovery menu. After the device was wiped it was subjected to the same forensic recovery method as before, and not a single personal data entry mentioned previously was recovered. All personal details, including previously assigned phone numbers, passwords and browser history, were unrecoverable. The only data recovered from the device was that which you’d expect to see on an unused device. Information such as the IMEI was recovered, but this is unique to the handset and not the user. The mobile hotspot password was recovered, but this was randomly generated and was different to the custom password set prior to the wipe.  

The iPhone was wiped via iTunes by placing the device into recovery mode and wiping it using the ‘restore device’ function. Even though the iPhone 4 is a very dated device, its security still stood up to scrutiny, as once again no personal information was recovered from the device. All the information previously stored on the device, such as user accounts, web history, emails and photographs, was not recovered by the forensic tools employed in the initial extraction.

How can we help?  

Our digital forensics team have experience in law enforcement and the military, and can help you to ensure sensitive data is unrecoverable from your devices prior to disposal.

  • If you are considering recycling or selling company devices, we can securely delete data from the devices and subject them to examination to ensure that sensitive company information is not recoverable from the devices.  
  • If you have an employee that you suspect could be acting maliciously, we can subject their devices (if policies are in place) to forensic examination. The existing, and in some cases previously existing, data can be examined and reported upon by a team of experts with experience of digital investigations relating to complex and severe crimes.  
  • If you require investigation into specific devices as part of litigation, our team’s digital forensics background will ensure that all the relevant details are collected and reported upon in compliance with industry and legal standards.  

If you have any questions about this blog or how we can help you, please contact Joe Clarke.
