Deleted Data on Mobile Devices
As a Singapore data recovery centre. We have received many inquiries that hope to retrieve deleted data from mobile devices such as devices formatted and accidentally deleted data. Do you know why deleted data recovery in mobile devices is different compared to other types of storage media? In this blog, we would like to discuss further why is it different from other recovery methods.
In these years, much internal research has been done to increase the success rate of recovery by using different approaches, techniques, and tools. For mobile data recovery, a forensic tool is used for the best outcome. There are 2 types of recovery methods that are used to extract the data, which are Logical Extraction and Physical Extraction.
Logical Extraction of Mobile Devices
In this extraction method, it is the basic extraction. It communicates with the operating system and requests data from the system. It allows us to extract all available data, but not deleted data. This recovery method helps to preserve the data at its original stage with forensically-sound integrity admissible in a court of law. Information that could retrieve is a text message, images, videos, audio files, contacts, calendars, and other application data if available.
Physical Extraction of Mobile Devices
Physical extraction is known as data acquisition. This process of computer forensics will create a bit-to-bit extraction or what we call “data dumping” to get full access to the internal memory of the device. It will extract all data within the mobile devices, including hidden and deleted files. Physical extraction was used by many investigators because it assists to extract more data such as images, videos, location information, emails, and more.
If data is accidentally deleted from a mobile device, should it go through the assessment process?
It should not go through an assessment process. During the assessment, there will have a “Write” action which will save into your memory chip. Overwrite of data is happening when the internal memory is used such as receiving messages, online surfing, installation of new apps, and others. To maximize the chances of recovery and minimize the “Write” action, the extraction will start immediately through a proper channel such as forensic tools.
If you ever encountered such a situation, switch off your device or put it in flight mode to prevent new incoming data. It helps to prevent your data from overwriting if there are still available data that are kept in your internal memory.
EHDR, We Leave No Data Behind!