Can forensics recover overwritten data on phones?

Overwritten data refers to data that was previously stored on a device but has since been replaced with new data. When files are deleted on phones, the space they occupied is marked as available to be overwritten. Forensic investigators are often tasked with trying to recover overwritten data from phones during criminal investigations or civil litigation.

Recovering overwritten data is important in digital forensics because it can provide critical evidence. Phone records such as call logs, text messages, photos, videos, and geo-location history can reveal information about crimes, communication patterns, alibis, and more. Even if a user attempts to delete incriminating data, forensic techniques may still be able to recover the overwritten data.

However, recovering overwritten data poses significant challenges. As data gets overwritten over time, it becomes progressively more difficult to recover the original data. Advanced techniques are required to extract remnants of overwritten data on phones. Understanding the limitations around recovering overwritten phone data is also key in managing expectations around what can realistically be recovered.

How Data is Stored on Phones

Phones store user data in internal flash memory and on removable storage cards. The internal memory uses NAND flash technology, which stores data in memory cells made up of floating-gate transistors. When data is written to the flash memory, an electrical charge is applied to the floating gate of the transistor, which changes the cell’s voltage state from 1 to 0 or from 0 to 1 to encode information. This change in charge state allows data to be stored even when power is removed, making it non-volatile storage.

The memory cells are arranged into pages, which are then grouped into blocks. To write new data, the phone’s operating system will look for unused pages to write to. When an existing page contains data, it must be erased before new data can be written over it. Erasing is done at the block level, so a block must be fully erased before any pages inside it can be rewritten. This erase-before-write process is why flash memory performs more slowly on random writes than on sequential writes.

According to research from Consumer Reports, new data is written to empty pages, while the old data in a page that has been superseded is not removed and still exists until those cells are erased and reused. This allows for the possibility of data recovery on phones.

Challenges of Recovering Overwritten Data

Recovering overwritten data on smartphones presents several unique challenges that make the process extremely difficult, even for experienced forensic investigators. Two key factors that complicate overwritten data recovery on phones are fragmented storage and wear leveling.

Unlike traditional hard drives, smartphones use flash memory for storage. Flash memory is organized into blocks and pages, with data written across many different blocks in a fragmented way. When a file is deleted or overwritten, its data may still persist scattered in fragments across different locations (Source). This makes reconstructing the original data far more complex.

In addition, flash memory uses wear leveling techniques to distribute writes evenly and maximize lifespan. This results in data being relocated constantly as new writes occur. So overwritten data may be relocated multiple times to different physical locations as part of wear leveling (Source). The constant movement of data means forensic tools have to work much harder to recover overwritten fragments.

Together, fragmentation and wear leveling on flash storage present formidable hurdles for investigators trying to recover overwritten phone data. Advanced techniques and tools are required to locate scattered data remnants and reconstruct original files and artifacts.
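The page-level write and block-level erase described in the storage section, together with the relocation that wear leveling causes, can be shown with a toy model. This is an added example, not code from the article or from any phone's firmware; the tiny page and block sizes, the append-only allocator and the garbage-collect-then-erase routine are simplifying assumptions.

```python
from dataclasses import dataclass, field

PAGE_SIZE, PAGES_PER_BLOCK, NUM_BLOCKS = 16, 2, 4   # constructed, tiny sizes
ERASED = b"\xff" * PAGE_SIZE                         # erased NAND reads as all ones


@dataclass
class Flash:
    """Toy NAND chip behind an out-of-place-write FTL (assumed, simplified)."""
    pages: list = field(default_factory=lambda: [ERASED] * (PAGES_PER_BLOCK * NUM_BLOCKS))
    l2p: dict = field(default_factory=dict)   # logical page -> current physical page
    next_free: int = 0                        # append-only allocator (log-structured FTL)

    def write(self, lpn: int, data: bytes) -> int:
        """A logical overwrite goes to a fresh page; the old copy is only superseded."""
        if self.next_free >= len(self.pages):
            raise RuntimeError("no erased pages left; erase a block first")
        ppn, self.next_free = self.next_free, self.next_free + 1
        self.pages[ppn] = data.ljust(PAGE_SIZE, b"\xff")
        self.l2p[lpn] = ppn
        return ppn

    def read(self, lpn: int) -> bytes:
        """What the OS (and any logical-level tool) sees: only the newest copy."""
        return self.pages[self.l2p[lpn]].rstrip(b"\xff")

    def erase_block(self, block: int) -> None:
        """Garbage-collect then erase: live pages are copied elsewhere first (the same
        relocation wear leveling causes), then the whole block is reset to 0xFF."""
        lo, hi = block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK
        for lpn, ppn in list(self.l2p.items()):
            if lo <= ppn < hi:
                self.write(lpn, self.read(lpn))
        for ppn in range(lo, hi):
            self.pages[ppn] = ERASED

    def physical_scan(self, needle: bytes) -> list:
        """What a chip-off read of the raw NAND sees: every page holding needle."""
        return [i for i, p in enumerate(self.pages) if needle in p]


def demo() -> dict:
    f = Flash()
    f.write(1, b"contact:Alice")            # page 0, block 0: live data
    first = f.write(7, b"SMS:v1 secret")    # page 1, block 0
    f.write(7, b"SMS:v2")                   # page 2, block 1
    f.write(7, b"SMS:v3")                   # page 3, block 1
    before = f.physical_scan(b"secret")     # [1]: stale v1 is still on the chip
    f.erase_block(first // PAGES_PER_BLOCK)
    return {"before": before, "after": f.physical_scan(b"secret"),
            "contact_moved_to": f.physical_scan(b"Alice"), "current": f.read(7)}
```

Two logical overwrites leave the original text readable at the physical level; only the block erase removes it, and that erase first moves the live contact to yet another page, which is the constant relocation the text describes.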

File System Analysis

One of the main tasks in mobile forensics is analyzing the file system on a device to uncover deleted data. Forensic tools like Cellebrite UFED and AccessData FTK allow examiners to create a bit-for-bit forensic image of a phone’s storage and then scan it thoroughly for remnants of deleted files.

When a file is deleted on a mobile device, it is often not completely erased from the storage. The file’s entry in the file table is simply marked as deleted rather than removed entirely. This makes the space where the file was stored available to be overwritten with new data. But until that space is reused, all or part of the deleted file may still exist in the physical memory.

Advanced mobile forensic tools can parse a disk image looking for telltale signatures left behind by common file types like photos, messages, documents, and more. They use file carving techniques to reconstruct deleted files by analyzing file headers, footers, metadata, and content patterns. This allows them to recover files even when the original filename or directory structure is no longer known.

However, file system analysis has limits. If a file is small or the space it occupied has been partially or completely overwritten by new data, then recovery becomes challenging or impossible. But skilled examiners use a variety of techniques to maximize the amount of data recovered through file system analysis.
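Header/footer carving of the kind described above, as an added example that is not part of the article or of any tool it names. It assumes a JPEG-only carver, a constructed raw dump built inline (not real phone data), and a caller-supplied size cap so that a file whose tail was overwritten is reported as an incomplete fragment rather than swallowing the next file.

```python
SOI = b"\xff\xd8"            # start-of-image marker
SIGNATURE = SOI + b"\xff"    # SOI is always followed by another marker byte
EOI = b"\xff\xd9"            # end-of-image marker


def jpeg_end(image: bytes, start: int, max_size: int):
    """Walk the marker segments from SOI to SOS, then scan the entropy-coded
    data for EOI. Each segment carries a 2-byte big-endian length, so an EXIF
    thumbnail (a whole JPEG inside APP1) is stepped over instead of ending the
    carve early. Returns (end_offset, complete)."""
    limit = min(len(image), start + max_size)
    p = start + 2
    while p + 4 <= limit and image[p] == 0xFF:
        if image[p + 1] == 0xDA:                       # SOS: scan data follows
            eoi = image.find(EOI, p, limit)
            return (eoi + 2, True) if eoi != -1 else (limit, False)
        p += 2 + int.from_bytes(image[p + 2:p + 4], "big")
    return min(p, limit), False                        # header region damaged


def carve_jpegs(image: bytes, max_size: int = 64 * 1024) -> list:
    """Header/footer carving over a raw image with no file system help.
    Incomplete candidates (tail overwritten, or larger than max_size) are
    still returned, flagged complete=False, since a partial image can be
    evidence even when no complete file can be rebuilt."""
    out, pos = [], 0
    start = image.find(SIGNATURE, pos)
    while start != -1:
        end, complete = jpeg_end(image, start, max_size)
        out.append({"offset": start, "size": end - start, "complete": complete})
        pos = end                                      # resume after this file
        start = image.find(SIGNATURE, pos)
    return out


def _segment(marker: int, payload: bytes) -> bytes:
    """FF<marker>, 2-byte length (counting itself), payload."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_image() -> bytes:
    """Constructed raw dump (not real phone data): an intact JPEG with an EXIF
    thumbnail, free space, a JPEG whose tail was overwritten, more free space,
    and a second intact JPEG."""
    thumb = SOI + _segment(0xDA, b"\x00") + b"\x12\x34" + EOI
    intact = SOI + _segment(0xE1, b"Exif\x00\x00" + thumb) + _segment(0xDA, b"\x00") + b"\x55" * 40 + EOI
    damaged = SOI + _segment(0xE0, b"JFIF\x00") + _segment(0xDA, b"\x00") + b"\x66" * 20 + b"NEWDATA!" * 4
    return b"\x00" * 32 + intact + b"\x00" * 16 + damaged + b"\x00" * 300 + intact
```

Carving the sample with `carve_jpegs(build_sample_image(), max_size=256)` yields two complete files and one 256-byte incomplete fragment; without the cap, the damaged file would be closed by the next file's footer and falsely reported complete, which is why real carvers also validate the decoded structure.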

Advanced Techniques

While recovering overwritten data from smartphones is extremely challenging, advances in microscopy and nanotechnology have enabled new techniques for data recovery in specialized labs. Two key methods include:

Magnetic force microscopy (MFM) uses a specialized microscope tip that detects minor variations in magnetic fields coming from the phone’s flash memory chips. It can reconstruct residual magnetic data patterns from partially overwritten cells, though extensive overwriting makes this increasingly difficult.

Scanning tunneling microscopy (STM) uses an extremely fine conductive tip to probe the electronic structure of individual flash memory cells. By sensing tiny electric fields, it can detect charge trapped in cell defects after overwriting, potentially reconstructing fragments of deleted data.

However, these microscopy methods are expensive, time-consuming, and have very low success rates for smartphones with extensive overwriting. They generally recover only scattered fragments rather than complete files.

Software Tools

There are both commercial and open source software tools available to help recover overwritten data from phones.

On the commercial side, tools like Magnet AXIOM and Cellebrite UFED Physical Analyzer are specifically designed for digital forensics professionals to recover deleted and overwritten data from smartphones. These tools can extract raw data from phone memory and analyze file systems to uncover artifacts left behind by overwritten files. They leverage advanced carving and pattern matching techniques to reconstruct damaged and deleted data.

For open source options, tools like The Sleuth Kit and PhotoRec allow investigators to dig into disk images and file systems to uncover overwritten data. While they require more hands-on expertise than commercial tools, these open source options provide powerful data recovery capabilities for free. Projects like regf specifically target smartphone file system forensics as well.

By leveraging both commercial and open source tools, forensics experts can utilize different techniques to maximize their chances of recovering overwritten data from smartphones.

Case Studies

There are some notable real-world examples where forensic experts were able to recover overwritten data from mobile phones:

In a 2010 case in Italy, forensic investigators were able to recover deleted SMS messages from a Samsung phone’s memory chip even after the messages had been overwritten multiple times (1). The experts used advanced chip-off analysis techniques to directly read raw data from the memory chip.

In the high-profile Oscar Pistorius trial in 2014, forensic analysts recovered extensive data from the athlete’s iPhone, including deleted and overwritten instant messages with his girlfriend Reeva Steenkamp prior to her death. The analysts had to rebuild the file system to recover the data (2).

A 2018 Canadian study demonstrated recovering forensic artifacts from Android phones even after factory reset. Using advanced file carving methods and decryption, the researchers could retrieve data including contacts, SMS messages, notes and media files (3).

(1) https://www.forensicsinsider.com/digital-forensics/can-forensics-recover-overwritten-data-on-phones/

(2) https://www.pitsdatarecovery.net/can-overwritten-data-be-recovered/

(3) https://www.makeuseof.com/tag/forensic-analysts-get-deleted-data-phone/

Limitations

While advanced forensic techniques have expanded the possibilities of recovering overwritten data, there are still many cases where overwritten data becomes permanently unrecoverable. As this source notes, any solid state storage that has data overwritten multiple times is not recoverable. Once flash memory cells are rewritten, the previous data is lost. In addition, the more times data is overwritten on a phone’s storage, the less likely forensic tools can recover it. After just a few rewrites, data essentially becomes irretrievable.

According to forensic experts, certain deletion and overwrite techniques can render phone data unrecoverable. Using data wiping software to overwrite all data multiple times makes recovering previous data nearly impossible in most cases. In addition, completely resetting the phone to factory settings and rewriting all data leaves almost no trace of previously stored data. While fragments may exist deep in the phone’s memory chips, extensive overwriting leaves too little to reconstruct files.

In summary, while remarkable advances have been made in recovering overwritten data on phones, extensive rewriting of flash memory ultimately leads to permanent data loss. When data is overwritten enough times, no forensic method can reliably reconstruct the original data.

Best Practices

When attempting to recover overwritten data from smartphones, forensic investigators should follow several best practices to maximize their chances of successful recovery:

Use multiple recovery tools – No single tool can recover all overwritten data. Investigators should use a combination of commercial, open-source, and manual tools to extract the most data possible. Popular tools include Oxygen Forensic Detective, Cellebrite UFED, and Autopsy.

Prioritize recovering data from unallocated space – While fragments of deleted files may remain in free space, the likelihood of overwritten data persisting there is lower compared to unallocated space on the file system.

Recover data as soon as possible – The longer a device remains in use after data is overwritten, the more likely additional overwriting will occur. Immediate data extraction gives the best odds for recovery.

Attempt manual data carving – Automated tools may miss recoverable data. Manually carving raw data and examining it at the hex level can sometimes reveal overwritten fragments.

Work with specialists – Overwritten mobile data recovery requires advanced expertise. Partnering with a specialist lab may enable accessing proprietary methods and technology.

Maintain a forensically sound process – Following best practices for evidence handling preserves the device in its original state and ensures legally defensible results.

Set reasonable expectations – While fragments can often be recovered, extensive and deliberate overwriting likely makes full recovery impossible. Manage investigator and client expectations accordingly.

Conclusion

The recovery of overwritten data on phones remains a significant challenge for digital forensics investigators. While advanced techniques may be able to recover traces of deleted data in some cases, completely overwritten files are likely unrecoverable. The continuous improvements in encryption and file deletion also make successful recovery less likely over time.

In summary, while forensic experts have some success recovering remnants of deleted data, the recovery of files that have been completely overwritten with new data continues to pose major difficulties. Investigators may still uncover metadata, directory entries, or fragments that provide clues. But recovering the original overwritten documents, photos, messages, and other files in their entirety remains extremely difficult if not impossible with current methods.

Moving forward, individuals and organizations should utilize encryption and thorough data deletion practices if they wish to prevent forensic analysis. At the same time, investigators are continuing to push the boundaries of what deleted phone data can be recovered. Only time will tell if technological breakthroughs may one day unlock success in recovering overwritten data from mobile devices.