How to Recover Deleted Phone Text and Photos

Forensics

In a legal dispute, text, photos and other data on a smart phone or tablet can be relevant.  Can they be recovered if they have been deleted?

Cellular service carriers (Verizon, AT&T, Sprint, TMobile) keep records of text, photos and transmitted data for periods of time that vary from one provider to the next.  However, legally forcing them to turn over user data in a non-criminal case is difficult.  The carriers tend to resist subpoenas from civil lawsuits such as divorces, on the grounds that the content of user data is protected by the Electronic Communications Privacy Act.

Customer Cooperation

To a limited degree, recovery from a service provider may be possible if the customer is cooperative.  For example, Sprint records transmitted photographs on a web page protected by a customer password.  Mobile App providers may similarly keep records of messages, photos or videos on a web page protected by a customer password.  In a lawsuit, the customer may be required to cooperate in the recovery of those records under a subpoena or ediscovery demand.

(Cellular carriers have a reputation for not helping customers recover messages unless the customer has a web page for storing those messages as Sprint does for photos.)

Data Forensics

An alternative approach to recovering data is forensics.  An adversary in a civil law proceeding (divorce, child custody, bankruptcy or other lawsuit) may be able to demand through the rules of court procedure that the owner of a mobile device take two steps:

Text, Photos, Video
Step 1: Protect data on the device from erasure or further damage.  This demand for protection might come in the form of a data preservation letter sent by the adversary’s lawyer.

Step 2: Deliver the device to a forensics expert so he can recover data.

Forensic recovery of data from a mobile device is tricky.  Sometimes deleted data can be recovered and sometimes it can’t.  Sometimes fragments of a message can be recovered.  Recovery capabilities vary from one device to the next.  A new tool for recovering data deleted from a mobile device is MobiSec.

The records that can be recovered from a mobile device -- including erased records -- can boggle the mind!  See Lifestream Records from Smartphone.

Forensics experts can even recover encrypted data from an Android device.

Documented Authority

When a forensics expert is engaged to recover data from a device, he needs to ensure he has authority from the proper person.  He is wise to get the authority in writing.

If someone who is not the owner of the device asks him to recover data, he might be violating an anti-hacking law like the Digital Millennium Copyright Act.  When a nonowner asks for data recovery, the expert is wise to ask for a court order.



Attorney Wright teaches the law of data security and investigations at the SANS Institute.

Update:  The Internet of Things is spawning a hurricane of forensic evidence