Recovering deleted data is the most requested mobile device service we receive at Forensic Pursuit. We commonly dig through phones and tablets searching for deleted text messages, call logs, photos and more. Due to our expertise and the tools available to us, our chances of finding deleted data is greater than it is for others, but sometimes, no matter how hard we look, that information simply isn’t there. What happens when what we’re seeking isn’t available on the phone or mobile device? Does that put an end to our search?
The answer is an emphatic NO! Even if the information our clients are requesting isn’t on the phone or mobile device we have been given, we often don’t have to look far to find it elsewhere.
Thanks to syncing and other automatic backup schemes, it is common to find the same data on multiple devices. Just as your email can be accessed from your phone, tablet and computer, messages and photos from your phone can often be found on your other devices like your tablet and computer. The phone uploads, or syncs, your information with your cloud account or computer via Bluetooth, WiFi, or USB tether. Many times users are unaware of the existence of this information, such as text conversations, syncing somewhere other than their mobile phone. In some cases, archives are automatically created when a certain amount of data has been synced. Forensic Pursuit makes use of these archives when hunting for evidence.
Apple products are a treasure trove of information. Apple has created an incredible ecosystem of devices that connect everything assigned to a given Apple ID. This Apple ID is the key to discovering content in a plethora of places. Content created or received on an iPhone will sync to an iPad provided the Apple ID is the same on both devices and syncing options are enabled in a particular way. The vast majority of iOS device users have syncing enabled to some capacity. After all, the whole purpose of Apple’s device ecosystem is to provide seamless user experiences from device to device, and syncing is how that succeeds.
For example, Apple’s iMessage messaging service syncs across devices. The iChat application on Apple’s MacBook line creates archives of iMessages. Using these archives it is possible to retrieve entire conversations that took place on a user’s iPhone even if the messages were deleted from the iPhone itself.
Sometimes we see users who have not enabled syncing or for some other reason, the content just wasn’t there. When this happens we don’t despair. There are even more places to look. When a user backs up their iPhone, iPad, or iPod via iTunes on a Windows or Mac computer, they are creating a snapshot of that device at that point in time. Backups hold photos, videos, notes, contacts messages and more. These backups can be restored and parsed just like the original data on the mobile phone. Deleted messages can be recovered from backups just as they can be recovered from the device. Further, backups can be stored in iCloud as well and retrieved just as easily.
So Apple makes it easier for forensic investigators to find data across a single user’s collection of iOS devices, but what about Android? Android devices, much like Apple, are tied to a user account. For Android devices that account is a Gmail account. Gmail allows a user to sync contacts, navigation history, photos, and Google Hangout messages across multiple Android devices. Therefore that data can be obtained from the device it originated on or by acquiring the entire Google user account. While the backup feature is not common place on Android devices, it does exist. These backups can be parsed as well to reveal data that might not exist on the device or that used to exist and has been since deleted by the user.
Technology makes it easy to keep everything we own connected and sharing. Syncing has made it painless to keep up with data in a more efficient convenient manner and has improved our user experience. And joyfully, it has also given forensic investigators a larger number of places to seek when data tries to hide. When it comes to the pursuit of hidden evidence, syncing helps forensic investigators swim.