Mobile phones and tablets have the potential to carry a wealth of information, and during investigations we are often asked what can be recovered from them. On many occasions the focus is on recovering deleted text messages.
Copying data from a mobile device is commonly referred to as an 'extraction', and different types of extraction are available depending on the make, model and operating system of the device.
In the days of the iPhone 4, a full physical copy of the device's storage could be extracted, which was great for recovering deleted information, but that has now been restricted by Apple’s more robust and secure operating systems. That is not to say deleted information cannot be recovered, just that it isn't as readily recoverable as it was on the older operating systems.
Here are the answers to some commonly asked questions about mobile device extractions:
What can we retrieve from a mobile device? We use the Cellebrite UFED Touch 2 and analyse the extractions using Cellebrite’s Physical Analyzer software. This lets us browse through the different categories of data on the device, including all forms of messaging (text, MMS, SMS, WhatsApp, Viber, etc.), call logs, internet history and multimedia. The data can be keyword searched, and various reports can be generated based on the content relevant to the investigation.
Can we recover deleted text messages? Our ability to recover a deleted message depends on the following factors: how long the message was on the device, when it was deleted, and how much use the device has had since the deletion took place.
How important is the PIN code? Without the PIN code, we cannot access the device unless we compromise the operating system ('jailbreaking'). Even though the FBI had success bypassing the PIN on a locked phone in a recent terrorist investigation (rumours say with Cellebrite's help!), this functionality isn't available to us. It may be an option if you are prepared to use Cellebrite's in-house consulting services.
What happens if the content is encrypted? If an iPhone has had the 'encrypt this backup' option selected when being backed up, the content of the iPhone will be encrypted and the password will be required for access. Note that this is the encryption password, not the Apple ID password. Without the password we can’t access the content.
How long does the extraction take? Most devices can be extracted in 1-2 hours, but we have accessed some phones with high volumes of video and image content that have taken much longer.
If you have any questions or need assistance with any forensic IT issue, feel free to call or send an email.