What happens to files I delete from a smartphone? Is there a chance to get them back after full factory reset? And when are you finally writing a data tool for my smartphone? With massive proliferation of smartphones, we are getting more and more of these questions every week. So we decided to write the definite article to (hopefully) answer most of these questions.
Smartphones Are Different
If you are using a smartphone, you may already know there are several major platforms ecosystems. Android and Apple iOS share the biggest piece of the pie, Microsoft Windows Phone competes eagerly for a place under the sun, while BlackBerry tries to survive with its BlackBerry OS.
Saying that these platforms handle deleted data differently is not saying anything. Android and iOS are literally on the opposite poles when it comes to deleting (and recovering) information. In this article, we’ll review how these vastly different platforms delete information, whether or not it can be recovered, and what exactly can be done to recover important data if you need it.
Let’s start with Apple iOS.
iPhone Data Recovery: An Urban Legend
It’s going to be short. I’ll say it outright: recovering information deleted from Apple smartphones and tablets (iPhones and iPads) is not technically possible. Even if you jailbreak it. Even in theory. Law enforcement can’t do this even if they use a $10,000 forensic kit. Apple themselves cannot do this, even if they are given the device and the passcode. If you delete a file from an Apple smartphone, it’s gone forever. If you do a factory reset, there is absolutely no way for anyone, including the FBI, to recover that information. Why is it so?
The answer lies in encryption. Starting with iOS 5, all Apple devices employ secure full-disk encryption. However, there is a trick. Each data block on the disk uses a unique decryption key. Apple implemented full-disk encryption so that it only keeps decryption keys for occupied (allocated) data blocks, and immediately discards keys for unallocated (released) data blocks that belong to deleted files. The actual (encrypted) data may still be there, but there is absolutely no possible way to decrypt it as Apple uses extremely strong encryption.
As a result, if you jailbroke your iPhone and saw that “data recovery” tool in Cydia, just be aware it’s a fake. Deleted files can’t be recovered, and any tool or service offering iPhone data recovery is a scam (we’re only talking about deleted files here; legitimate services exist that can extract the content of an iPhone including all user data except deleted files).
Apple smartphones and tablets never used SD cards, so there is no chance of taking a card out and reading its content.
However, iOS has a wonderful and truly convenient feature called “iCloud backup”. Thanks to this feature, your smartphone can automatically back up its entire content (complete with your apps and all their data, desktops, pictures, music and videos) in the cloud daily, every time you charge your iPhone at home. (Okay, a technically correct way of saying it would be “daily once your iPhone is connected to a charger, locked, and is within a proximity to a known Wi-Fi network”. In other words, every day you charge it at home.) The cloud keeps three last backup copies of all files stored in your iPhone, so you have some time to change your mind to reset your phone and restore it from the last backup. Once you do it, all files you used to have in your iPhone will be automatically restored from the backup.
There are tools on the market that can download such backups to your computer (e.g. Elcomsoft Phone Breaker); however, those are mostly used by the police and as such come with a corresponding price tag. So your best bet is saving everything from your iPhone to your computer with iTunes (you can even make a full offline backup just in case), resetting your device and recovering from iCloud. Just make sure not to “…charge your iPhone in a locked state within a proximity of a known Wi-Fi network”, or it may produce a new iCloud backup, overwriting the old copy.
BlackBerry Data Recovery: A Myth
BlackBerry smartphones were designed with one purpose in mind: to be secure. BlackBerries employed full-disk encryption from the beginning. BlackBerry smartphones generally can’t be jailbroken. Even extracting a decrypted raw image of a BlackBerry device is not technically possible at this time (a chip-off of the phone can read data from the flash chip, but all information will be encrypted securely and can’t be decrypted). However, even if someone managed to extract an image, they wouldn’t be able to decrypt it. BlackBerry security model is arguably even tighter than Apple’s, so there’s no chance of recovering deleted files from a BlackBerry smartphone (unless they were kept on an SD card, which you can take out and recover as usual).
Android Data Recovery: We’re Getting Somewhere!
As we said, Android is pretty much the opposite of iOS in many ways. First and foremost, many Android devices allow using micro SD cards as secondary storage. It’s easy to configure the phone to store pictures and videos onto an SD card instead of the main memory. If you deleted a file from an SD card, just pull that card out, insert it into a USB card reader connected to your computer, and use RS Photo Recovery for recovering pictures or RS Partition Recovery to recover all types of data from that memory card. It’s that easy.
If, however, the files you deleted were stored in the phone’s main memory, recovering them becomes more complicated. With very few exceptions, Android smartphones do not use full-disk encryption by default (you can enable it in the settings, but with the exception of Nexus devices few manufacturers set that option as default).
As a result, when you delete a file from an Android smartphone, its content may remain recoverable – at least for a while. If you manage to image your Android smartphone quickly, or have a rooted device and use a data recovery tool for rooted phones, you may be able to recover the data… or maybe not.
Let’s see what happens to information when you delete a file from an Android device.
All fairly recent Android smartphones and tablets released since Android 2.3 Gingerbread use eMMC flash for their permanent storage. Unlike “plain” flash chips, eMMC are a combination of NAND flash memory and an integrated storage controller. That storage controller is responsible for all the reading and writing, as well as for maintaining the flash chip in good health.
Without going too deep into technical details, flash memory has several unique properties. First, you can only write new data into an empty flash memory cell. In other words, flash cells must be erased before they can accept new data. Second, NAND flash memory is much slower to erase cells than to write information, which made flash manufacturers implement smart garbage collection algorithms to erase emptied cells in background while mapping an already empty cells to logical addresses that contain deleted data. Finally, flash cells have a limited number of writes they can sustain; the job of the built-in controller is leveling wear equally among flash cells (which may require moving existing information from one cell to another, erasing and reusing a memory cell that used to contain valid data).
All those smart algorithms make the recovery… tricky. What makes the recovery iffy is the fact that each eMMC module has more physical storage compared to advertised storage capacity. In other words, there are certain cells inside that don’t have logical addresses assigned to them. Those blocks are NOT accessible to any data recovery program or app. They will NOT become part of a raw image if you dump or back up its content. These areas won’t be visible even at the time of JTAG or chip-off acquisition – simply because JTAG and chip-off requests are still passed through the controller!
So once again, what happens when you delete a file? The operating system makes a change to the file system, releasing sectors that are no longer used. At the same time, the operating system will pass a “trim” command to the eMMC controller to indicate that certain logical blocks are no longer used. The eMMC controller receives that command, and assigns those blocks the “do not care” status. Until now, everything looks pretty straightforward.
The interesting part happens next. In order to ensure that the system can write new data back to the just-released physical block, the eMMC controller can remap the logical address to a different (empty) physical block! As a result, if you are the OS, you’ll ‘see’ that the sectors you’ve just released are suddenly empty – even if you know that actually emptying (erasing) in reality them takes a long time.
So where do the blocks go that contain deleted data? They are remapped to other logical addresses or (more likely) pushed out of the addressable space into the so-called overprovisioned area, where they’ll be erased in background when the microcontroller is not busy doing other things such as serving read and write requests.
If all that was a bit too technical, I can simply say that in Android (unlike Apple iOS) deleted files may be recoverable – at least for a while. Many Android phones will trim partitions during shutdown, so if you act fast you may be able to recover that deleted file after all.
What exactly is needed for Android data recovery? First and foremost, you’ll need a rooted device. Without root access, a data recovery tool won’t be able to read the phone’s storage on low enough level to be able to recover files. You’ll also need a data recovery tool for rooted devices (I can’t recommend any specific tool, but I’ve seen a few in Google Play Market). Finally, you’ll need to insert an SD card, an OGS flash drive, or just connect the device to your computer as the data recovery tool should not save files being recovered onto the same storage it’s recovering them from (or it may overwrite data that belongs to other files waiting to be recovered).
Many customers are asking if we’ll be releasing a data recovery tool for Android. We don’t plan to, and we don’t have anything in the works. The reason is simple: the market for this is extremely small. There are VERY few rooted Android devices around. Rooting the latest versions of Android is extremely difficult and rarely possible. Just get used to making regular backups of your device, activate cloud uploads for your Camera Roll, and you’ll never need a data recovery tool in the first place.
Windows Phone 8 and 8.1: Half-and-Half
Windows Phone is a relatively new smartphone OS. It’s a well-balanced system that borrowed a lot from both Android and iOS. It has many things in common with iOS (including private application data space and no residual garbage upon uninstalling an app) while offering access to shared files (e.g. music, videos or e-books that you don’t have to import into a specific app to use – with that app only). Windows Phone does not generally allow installing application from sources other than Windows Store (unless developer-unlocked).
Unlike iOS smartphones, Windows Phone devices can be developer-unlocked free of charge for installing unsigned apps. However, unlike in Android, the apps will not have administrative-level access since Windows Phone devices cannot be rooted or jailbroken.
As a result, you cannot have (or write) an app for recovering deleted files. An app like that would not work due to insufficient privileges and missing API’s to access the disk in low enough level.
Theoretically, a Windows Phone can be extracted via JTAG or chip-off acquisition. You could then run a data recovery tool such as RS Partition Recovery on extracted image. Since Windows Phone is a Windows-based OS, it uses NTFS as its file system, so standard data recovery tools would work on extracted images. Note, however, that many of the same eMMC-specific issues we discussed in the Android sections will equally apply to Windows Phone devices, making the recovery possible but not guaranteed.
Notably, many Windows Phone smartphones (with counted exceptions) support micro SD cards. Windows Phone allows not only storing music and saving photos and videos onto SD cards, but fully supports installing apps on SD cards. As a result, and especially if you are using an entry-level device with limited main storage capacity, you may simply take the SD card out, connect it to your computer via a card reader and recover deleted files from the SD card. You can use RS Photo Recovery for recovering pictures or RS File Recovery to recover all types of data.
I think the admin of this web site is actually working hard in favor of his web page, as here every material is quality based
Hi there I’ve read your post and I’ve done my own research and I have found countless Mobile forensics companies that can recover permanently deleted iPhone photos.
The say that the data there that has not been over written is not encrypted at all and always recover permanently deleted photos from iPhones that data may not show on your phone any more and storage will say there is space there but that old data is still in the allocated space until it is over written.