Learn how to recover deleted data from an Android device in this article by Oleg Skulkin, a senior digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud.
Data recovery is a powerful concept within digital forensics. It is the process of retrieving deleted data from a device or an SD card when it cannot be accessed normally. Being able to recover data that has been deleted by a user could help solve civil or criminal cases. This is because many accused just delete data from their device hoping that the evidence will be destroyed. Thus, in most criminal cases, deleted data could be crucial because it may contain information the user wanted to erase from their Android device. For example, consider the scenario where a mobile phone has been seized from a terrorist. Wouldn’t it be of the greatest importance to know which items were deleted by them? Access to any deleted SMS messages, pictures, dialed numbers, and so on could be of critical importance as they may reveal a lot of sensitive information.
In this article, you’ll learn about data recovery techniques that enable us to view data that has been deleted from a device.
How can deleted files be recovered?
When a user deletes any data from a device, the data is not actually erased from the device and continues to exist on it. What gets deleted is the pointer to that data. All filesystems contain metadata, which maintains information about the hierarchy of files, filenames, and so on. Deletion will not really erase the data but instead removes the file system metadata. Thus, when text messages or any other files are deleted from a device, they are just made invisible to the user, but the files are still present on the device as long as they are not overwritten by some other data. Hence, there is the possibility of recovering them before new data is added and occupies the space. Deleting the pointer and marking the space as available is an extremely fast operation compared to actually erasing all the data from the device. Hence, to increase performance, operating systems just delete the metadata.
Recovering deleted data on an Android device involves three scenarios:
- Recovering data that is deleted from the SD card such as pictures, videos, and so on
- Recovering data that is deleted from SQLite databases such as SMS, chats, web history, and so on
- Recovering data that is deleted from the device’s internal storage
Recovering deleted data from SD cards
Data present on an SD card can reveal lots of information that is useful during a forensic investigation. The fact that pictures, videos, voice recordings, and application data are stored on the SD card adds weight to this. Android devices often use FAT32 or exFAT file systems on their SD card. The main reason for this is that these file systems are widely supported by most operating systems, including Windows, Linux, and macOS X. The maximum file size on a FAT32 formatted drive is around 4 GB. With increasingly high-resolution formats now available, this limit is commonly reached, that’s why newer devices support exFAT: this file system doesn’t have such limitations. Recovering the data deleted from an external SD is pretty easy if it can be mounted as a drive.
If the SD card is removable, it can be mounted as a drive by connecting it to a computer using a card reader. Any files can be transferred to the SD card while it’s mounted. Some of the older devices that use USB mass storage also mount the device to a drive when connected through a USB cable. In order to make sure that the original evidence is not modified, a physical image of the disk is taken and all further experimentation is done on the image itself. Similarly, in the case of SD card analysis, an image of the SD card needs to be taken. Once the imaging is done, we have a raw image file. In our example, we will use FTK Imager by AccessData, which is an imaging utility. In addition to creating disk images, it can also be used to explore the contents of a disk image.
The following are the steps that can be followed to recover the contents of an SD card using this tool:
- Start FTK Imager and click on File and then Add Evidence Item… in the menu, as shown in the following screenshot:
Adding evidence source to FTK Imager
- Select Image File in the Select Source dialog and click on Next.
- In the Select File dialog, browse to the location where you downloaded the
sdcard.ddfile, select it, and click on Finish, as shown in the following screenshot:
Selecting the image file for analysis in FTK Imager
- FTK Imager’s default display will appear with the contents of the SD card visible in the View pane at the lower right. You can also click on the Properties tab below the lower left pane to view the properties for the disk image.
- Now, on the left pane, the drive has opened. You can open folders by clicking on the + sign. When highlighting the folder, contents are shown on the right pane. When a file is selected, its contents can be seen on the bottom pane.
- As shown in the following screenshot, the deleted files will have a red X over the icon derived from their file extension:
Deleted files shown with red X over the icons
- As shown in the following screenshot, to export the file, right-click on the file that contains the picture and select Export Files…:
Sometimes, only a fragment of the file is recoverable, which cannot be read or viewed directly. In that case, we need to look through free or unallocated space for more data. Carving can be used to recover files from free and unallocated space. PhotoRec is one of the tools that can help you to do that.
Recovering deleted records from SQLite databases
Most of the application data in Android is stored in SQLite databases. Data related to text messages, emails, and most app data is stored in SQLite databases. Such databases can store deleted data within the database itself. Records marked for deletion by the user no longer appear in the active SQLite database files. Therefore, it is possible to recover the deleted data, such as text messages, contacts, and more, by analyzing these SQLite files. There are two areas within an SQLite page that can contain deleted data: unallocated blocks and free blocks. Most of the commercial forensic tools that recover deleted data scan the unallocated blocks and free blocks of the SQLite pages. Parsing the deleted data can be done using, for example, Belkasoft Evidence Center.
For our example, we will recover deleted SMS messages from an Android device. Recovering deleted SMS messages from an Android phone is quite often requested as part of the forensic analysis on a device, mainly because it’s the most popular form of communication. There are different ways to recover deleted text messages on an Android device. But, with respect to recovery through parsing SQLite files, we need to understand where the messages are being stored on the device.
bugle_db, an SQLite database that contains SMS messages sent or received using the Android Messages application. This database is located under
/data/data/com.android.messaging/databases. If you have a physical image of the device, you can extract the database using FTK Imager, just like you did with deleted files. If you want to extract it from the device itself, you can use the
adb pull command, for example (the device must be rooted).
The easiest way to find deleted records is to use commercial mobile forensic tools, such as Belkasoft Evidence Center, Cellebrite UFED Physical Analyzer, Oxygen Forensic Detective, and so on, but there are also some open source tools capable of recovering data from unallocated space and free lists. One such tool is the SQLite Deleted Records Parser by Mari DeGrazia. You can download this tool at her GitHub: https://github.com/mdegrazia/SQLite-Deleted-Records-Parser.
There are three variants of the tool: a Python script, command-line version, and GUI version. For demonstration purposes, we will use the GUI version, as shown in the following example:
Using the tool is extremely easy, all you need is to choose the source database and the destination file, and click Process. As a result, you’ll get a TSV file (if you’ve chosen Formatted Output) with recovered records, including their source (unallocated space or free block), offset, and length.
Recovering deleted data from internal memory
Recovering files deleted from Android’s internal memory, such as app data and so on is not as easy as recovering such data from SD cards and SQLite databases, but, of course, it’s not impossible. Many commercial forensic tools are capable of recovering deleted data from Android devices, of course, if the physical acquisition is possible and the user data partition isn’t encrypted. But this is not very common for modern devices, especially those running most recent versions of the operating system, such as Oreo and Pie.
Most Android devices, especially modern smartphones, and tablets use the EXT4 file system to organize data in their internal storage. This file system is very common for Linux-based devices. So, if we want to recover deleted data from the device’s internal storage, we need a tool capable of recovering deleted files from the EXT4 file system. One such tool is extundelete. The tool is available for download here: http://extundelete.sourceforge.net/.
To recover the contents of an inode, extundelete searches a file system’s journal for an old copy of that inode. The information contained in the inode helps the tool to locate the file within the file system. To recover not only the file’s contents, but also its name, extundelete is able to search the deleted entries in a directory to match the inode number of a file to a file name.
To use this tool, you will need a Linux workstation. Most forensic Linux distributions have it already on board. For example, the following is a screenshot from SIFT Workstation—a popular digital forensics and incident response Linux distribution created by Rob Lee and his team from the SANS Institute (https://digital-forensics.sans.org/community/downloads):
extundelete command-line options
Before you can start the recovery process, you will need to mount a previously imaged user data partition. In this example, we are going to use an Android device imaged via the chip-off technique. First of all, we need to determine the location of the user data partition within the image. To do this, we can use mmls from the Sleuth Kit, as shown in the following screenshot:
Android device partitions
As you can see in the screenshot, the user data partition is the last one and starts in sector 9199616. To make sure the user data partition is EXT4 formatted, let’s use
fsstat, as shown in the following example:
A part of fsstat output
All you need now is to mount the user data partition and run extundelete against it, as shown in the following example:
extundelete /userdata/partition/mount/point --restore-all
All recovered files will be saved to a subdirectory of the current directory named RECOVERED_FILES. If you are interested in recovering files before or after the specified date, you can use the –before date and –after-date options. It’s important to note that these dates must be in UNIX Epoch format. There are quite a lot of both online and offline tools capable of converting timestamps, for example, you can use https://www.epochconverter.com/.
As you can see, this method isn’t very easy and fast, but there is a better way: using Autopsy, an open source digital forensic tool. In the following example, we used a built-in file extension filter to find all the images on the Android device, and found a lot of deleted artifacts:
Recovering deleted files from an EXT4 partition with Autopsy
To sum up, deleted data could contain highly sensitive information and thus data recovery is a crucial aspect of mobile forensics. In this article, we have seen various techniques to recover deleted data from both the SD card and internal memory. While recovering the data from a removable SD card is easy, recovering data from internal memory involves a few complications. SQLite file parsing and file carving techniques aid a forensic analyst in recovering the deleted items present in the internal memory of an Android device.
If you found this article interesting, you can explore Learning Android Forensics – Second Edition as a comprehensive guide to Android forensics, from setting up the workstation to analyzing key artifacts. Learning Android Forensics – Second Edition will introduce you to the most up-to-date Android platform and its architecture, and provide a high-level overview of what Android forensics entails.