Forensics
In a legal dispute, text, photos and other data on a smart phone or tablet can be relevant. Can they be recovered if they have been deleted?
Cellular service carriers (Verizon, AT&T, Sprint, TMobile) keep records of text, photos and transmitted data for periods of time that vary from one provider to the next. However, legally forcing them to turn over user data in a non-criminal case is difficult. The carriers tend to resist subpoenas from civil lawsuits such as divorces, on the grounds that the content of user data is protected by the Electronic Communications Privacy Act.
Customer Cooperation
To a limited degree, recovery from a service provider may be possible if the customer is cooperative. For example, Sprint records transmitted photographs on a web page protected by a customer password. Mobile App providers may similarly keep records of messages, photos or videos on a web page protected by a customer password. In a lawsuit, the customer may be required to cooperate in the recovery of those records under a subpoena or ediscovery demand.
(Cellular carriers have a reputation for not helping customers recover messages unless the customer has a web page for storing those messages as Sprint does for photos.)
Data Forensics
An alternative approach to recovering data is forensics. An adversary in a civil law proceeding (divorce, child custody, bankruptcy or other lawsuit) may be able to demand through the rules of court procedure that the owner of a mobile device take two steps:
Step 1: Protect data on the device from erasure or further damage. This demand for protection might come in the form of a data preservation letter sent by the adversary’s lawyer.
Step 2: Deliver the device to a forensics expert so he can recover data.
Forensic recovery of data from a mobile device is tricky. Sometimes deleted data can be recovered and sometimes it can’t. Sometimes fragments of a message can be recovered. Recovery capabilities vary from one device to the next. A new tool for recovering data deleted from a mobile device is MobiSec.
The records that can be recovered from a mobile device -- including erased records -- can boggle the mind! See Lifestream Records from Smartphone.
As the applications on mobile devices grow richer, the old or deleted data that might be recovered could include:
Forensics experts can even recover encrypted data from an Android device.
Documented Authority
When a forensics expert is engaged to recover data from a device, he needs to ensure he has authority from the proper person. He is wise to get the authority in writing.
If someone who is not the owner of the device asks him to recover data, he might be violating an anti-hacking law like the Digital Millennium Copyright Act. When a nonowner asks for data recovery, the expert is wise to ask for a court order.
–Benjamin Wright
Attorney Wright teaches the law of data security and investigations at the SANS Institute.
Update 2014: Increasingly modern phones like the HTC One allow the user to back text messages up to a cloud service or to an email account. They also allow the user to backup photos and other data on the user's PC. Furthermore, the phone may automatically back up much data to the cloud so that the phone can be "reset." Therefore, when data has been deleted from a phone (or the phone is lost or destroyed), texts, photos and videos may still be recoverable from other places.
Update: The Internet of Things is spawning a hurricane of forensic evidence.
In a legal dispute, text, photos and other data on a smart phone or tablet can be relevant. Can they be recovered if they have been deleted?
Cellular service carriers (Verizon, AT&T, Sprint, TMobile) keep records of text, photos and transmitted data for periods of time that vary from one provider to the next. However, legally forcing them to turn over user data in a non-criminal case is difficult. The carriers tend to resist subpoenas from civil lawsuits such as divorces, on the grounds that the content of user data is protected by the Electronic Communications Privacy Act.
Customer Cooperation
To a limited degree, recovery from a service provider may be possible if the customer is cooperative. For example, Sprint records transmitted photographs on a web page protected by a customer password. Mobile App providers may similarly keep records of messages, photos or videos on a web page protected by a customer password. In a lawsuit, the customer may be required to cooperate in the recovery of those records under a subpoena or ediscovery demand.
(Cellular carriers have a reputation for not helping customers recover messages unless the customer has a web page for storing those messages as Sprint does for photos.)
Data Forensics
An alternative approach to recovering data is forensics. An adversary in a civil law proceeding (divorce, child custody, bankruptcy or other lawsuit) may be able to demand through the rules of court procedure that the owner of a mobile device take two steps:
Step 1: Protect data on the device from erasure or further damage. This demand for protection might come in the form of a data preservation letter sent by the adversary’s lawyer.
Step 2: Deliver the device to a forensics expert so he can recover data.
Forensic recovery of data from a mobile device is tricky. Sometimes deleted data can be recovered and sometimes it can’t. Sometimes fragments of a message can be recovered. Recovery capabilities vary from one device to the next. A new tool for recovering data deleted from a mobile device is MobiSec.
The records that can be recovered from a mobile device -- including erased records -- can boggle the mind! See Lifestream Records from Smartphone.
As the applications on mobile devices grow richer, the old or deleted data that might be recovered could include:
- Mixed reality images or sound
- Virtual reality experiences
- Video game progression
- Interaction with artificial intelligence programs like Alexa or Siri
- Geolocation data
Forensics experts can even recover encrypted data from an Android device.
Documented Authority
When a forensics expert is engaged to recover data from a device, he needs to ensure he has authority from the proper person. He is wise to get the authority in writing.
If someone who is not the owner of the device asks him to recover data, he might be violating an anti-hacking law like the Digital Millennium Copyright Act. When a nonowner asks for data recovery, the expert is wise to ask for a court order.
–Benjamin Wright
Attorney Wright teaches the law of data security and investigations at the SANS Institute.
Update 2014: Increasingly modern phones like the HTC One allow the user to back text messages up to a cloud service or to an email account. They also allow the user to backup photos and other data on the user's PC. Furthermore, the phone may automatically back up much data to the cloud so that the phone can be "reset." Therefore, when data has been deleted from a phone (or the phone is lost or destroyed), texts, photos and videos may still be recoverable from other places.
Update: The Internet of Things is spawning a hurricane of forensic evidence.
Why won't AT&T and other carriers tell the public how long text message content is stored on their servers? Does anyone know? If a court order is submitted for AT&T to release text message content how far back can hey go? Does anyone really know the answer to this question?
ReplyDeleteFor some information on your questions, please see my post SMS Text Messages | Recovery from Carriers.
ReplyDeleteCan photos sent through text or photos taken by a phone be retrieved once deleted?
ReplyDelete@Anonymous: The topic you raise is complex. There may be any number of ways to recover so-called deleted photos. For example, this company sells sophisticated equipment for recovering hard-to-get data from mobile devices: http://www.cellebrite.com/mobile-forensic-products
Delete