Data Recovery Expert

Viktor S., Ph.D. (Electrical/Computer Engineering), was hired by DataRecoup, the international data recovery corporation, in 2012. He was promoted to Engineering Senior Manager in 2010 and then to his current position, as C.I.O. of DataRecoup, in 2014. He is responsible for the management of critical, high-priority RAID data recovery cases and the application of his expert, comprehensive knowledge in database data retrieval. He is also responsible for planning and implementing SEO/SEM and other internet-based marketing strategies. Currently, Viktor S., Ph.D., is focusing on the further development and expansion of DataRecoup’s major internet marketing campaign for their already successful proprietary software application “Data Recovery for Windows” (an application which he developed).

Specialist data extraction tools for mobile phones and tablets

Chip-off and JTAG knowledge in mobile phone and flash data recovery is essential to ensure the highest success rates!

Chip-off and JTAG data recovery methods...

Mobile phone data recovery and all flash recoveries use two types of techniques. Both give data recovery engineers access to a low-level image of the data by interrogating the NAND memory chip directly, but the two techniques are very different. Mobile phones, flash storage and solid-state drives rely on memory chips for storing information, in direct contrast to hard disk drives, which still use rotating platters and read/write heads.

Hard disk drives use a common approach to data storage, meaning that data recovery tools can be generic. Flash devices, on the other hand, vary considerably in their approach. With a wealth of different data formats, file structures, algorithms, memory types and configurations, data extractors are often ‘device specific’. This means that the only way to gain a bit-for-bit copy of the raw data is to interrogate the memory chips directly, effectively bypassing the operating system. This is where chip-off and JTAG technology comes in.

Destroying Data: Mission Impossible

Data recovery experts often have to deal with cases where important data has been deleted — by accident or on purpose — by its owner or a third party. Those stories don’t always end the same but more often than not, if the client hasn’t done anything too creative to retrieve it on his own, this data gets recovered. That’s good news for those who had suffered a loss of important data, but bad news for those who need theirs permanently destroyed.

Why is it possible to recover files that have already been deleted? It’s because a file remains on the hard drive until the physical place where it’s stored becomes overwritten with another file. The process of overwriting is beyond the user’s control (although of course the likelihood of deleted files being overwritten is higher the more files you subsequently save onto your hard drive). Both deleting a single file and formatting a partition are processes that involve system modifications within the file allocation tables (some of the most popular file systems – such as FAT and NTFS – are based on a system of file allocation tables). This process doesn’t include the disk space, which is modified only when another process of writing a file begins, after the file has been ‘deleted’ or the partition has been formatted. So if nothing gets written over the physical space that is occupied by the removed file, it will be fairly easy to restore it.

The same goes for all system files that I mentioned previously (such as temporary files, paging files, print and hibernation files). Even if a file has been overwritten in one place, it could still be restored from some other place on the hard drive. So as you can see, ‘manual’ deletion is more like playing a game of cat and mouse with your data.

Erasing your data — further complications

This is not the full extent of the problem — some devices, such as smartphones and flash drives, will make it even harder for you to erase data. Restoring your phone to factory settings on Android still doesn’t work on many devices, so when you buy a second-hand phone or tablet, you often also get its previous owner’s data as well.

What You Need To Know About Android’s ‘Factory Reset’ Function

Upgrading your Android device?

Are you still sporting an HTC Dream (Google G1) or a tablet running Android Honeycomb? Probably not, as technological obsolescence means that as mobile devices have evolved, so has our desire to upgrade to newer models with improved performance and functionality.

So if you do decide to upgrade, what should you do with your old mobile phone or tablet to ensure no-one else will be able to access your personal information? Up until now, users may have chosen to perform a factory reset, with the perception that this will securely erase all data on the device. This is actually not the case; it was recently reported that data may still be recoverable from around 500 million Android smartphones, even after performing a factory reset. It was also found that a recovery is possible even if the device is encrypted, which is concerning for home and business users alike.

Why is the data still recoverable?

In a previous blog post we described how data such as pictures, videos and app information gets stored on Android devices, mostly via the use of internal NAND flash memory. We asked Michal Cieslik, a Mobile Device Recovery Specialist at DataRecoup to explain why data can still be recovered from these types of storage devices when a factory reset has been completed:

“Performing a factory reset on an Android device simply removes the path to the data, making the device appear empty; however the data is actually still there. A recovery is possible by looking at the data structures from a low-level and using specialist tools to recreate the data into a useable format. Also, factory resetting a mobile device only affects the internal memory – any added external storage in the form of micro-SD memory cards would not be touched and the data could be recovered with widely available software recovery tools.”

Android's flawed factory reset vulnerable to data recovery

According to researchers at Cambridge University, around 500 million Android smartphones are vulnerable to a flaw in the factory data reset function that could allow the recovery of a wide range of data.

Following a series of tests, the researchers estimate that 500 million Android devices don't fully wipe data partitions that contain sensitive data, allowing the restoration of contact and message data from first- and third-party apps. In 80 percent of phones tested, the researchers were able to extract the Google master token after a factory reset, giving them access to Gmail and Calendar data.

The team also estimate that 630 million devices don't wipe SD cards and other places where pictures and videos are stored during the factory reset process. This is concerning for people who sell or give away used smartphones, who might think that sensitive data is removed after a factory reset, when in many cases it's still accessible.

It was also discovered that the flaw in Android's factory reset allows you to recover data with full-disk encryption enabled. During the reset process, the decryption key isn't wiped, and recovery of the "crypto footer" along with this key allows an attacker to crack the encryption offline.

Digital photo data loss.

Over a third of data recovery enquiries relate to data loss from digital cameras and photos.

Digital photo data loss...

Show a roll of camera film to a child or even a teenager and they will probably struggle to identify the intended use. We live in an age where our images are kept digitally, and this means the storage of memories on cameras, phones, laptops and tablets.

From time to time we make a concerted effort to transfer and sort images we want to keep and use portable memory devices, but often the photos sit forever on the devices they were taken on. The problem comes when the smartphone breaks or the laptop hard drive becomes corrupt and we realise in horror that hundreds and possibly thousands of images are now lost. There is a solution for many digital photo loss scenarios so if you find you’re in this situation, it could be that all is not lost.

Data Storage On Mobile Phones & Devices

It’s a surprisingly common occurrence – just a quick installation of a new app on your smartphone or tablet and it seizes up and stops working. The mobile phone or tablet hangs during the installation process and may not even boot up if you try to restart. In many cases, data on the device has simply disappeared. Or perhaps the user was careless and the expensive device simply fell to the ground or even into water. Now what? Is it possible to recover the sensitive data stored on the device yourself, or should you contact a specialist? Mobile devices, in contrast to laptops or desktops, have their own unique requirements.

Where is data usually stored on the smartphone?

In iOS-based smartphones and tablets, all data is stored exclusively on the internal memory of the device. Depending on the model, iPhones have different sized NAND flash memory. Alternatively, data can also be stored via iTunes on the computer or stored via iCloud in the cloud.

Android-based smartphones, however, offer the possibility of using three different data storage places. In addition to the internal memory – also mostly NAND flash – many devices have a (micro-)SD card slot on which data can be saved. As a last resort, various data can – depending on the available amount of memory – be stored on the SIM card of the telco provider.

What types of data loss can occur on a smartphone?

Basically, you have to distinguish between physical and logical errors among the possible kinds of damage. A physical error on a smartphone exists, for example, when the flash memory chip or the controller on the internal circuit board has failed after a drop or other impact and the device can no longer be used. Or the internal memory chips have worn out, have dropouts and no longer save correctly, or are already partially broken. Logical errors, however, are typically missing or incorrect file structures or linkages, corrupt files and file formats, as well as faulty memory allocations. In short, these are all errors that cause files not to be displayed or recorded by the system, although they still exist on the memory.

In all of these cases it is best to speak with an expert. But there are also cases in which smartphone owners can save their data themselves and only if the phone or its data – whether Android or Apple iPhone.

iPhones And Water Do Not Mix

Recently I received an iPhone 4S which sustained water damage. The unfortunate customer managed to drop the phone in the swimming pool while recording a video. It sank to the bottom of the pool, recording the whole way to the bottom. The phone didn’t stop working instantly. The customer dried it out and was using it for another 30 minutes, after which the phone turned itself off. It was not possible to switch it back on. It wasn’t showing any sign of life, and a recharging attempt was made which only caused the charger to heat up excessively.

The best course of action in this case would be disconnecting the phone from its power source, which is the battery and external charger, then drying it out. Unfortunately, removing the battery in iPhones requires tools and a bit of practice. There are at least 3 special screws which need to be removed in order to remove the battery. The situation is also much more complicated when you have an older iPhone model, as the iPhone 3GS and older have to have the screen and mainboard, a.k.a. the Printed Circuit Board (PCB), removed along with 9 screws just to get to the battery. By contrast, the majority of Android phones have a removable back panel which clips on to the phone and a removable battery underneath.

In the case of this iPhone recovery, water and moisture inside the phone were causing rapid battery drain due to multiple short circuits created by the presence of liquid. In situations like this, if the phone is not dried out as soon as possible, it can cause additional and permanent damage to the mainboard of the phone. In this case, corrosion and damage to the PCB wasn’t severe, which could have been due to a number of factors:

Have you recently received digital evidence?

Be careful not to compromise any future computer forensics claim. It is easy to act with best intentions, but speak to us first!

A guide to handling electronic data and digital files....

The ease with which electronic documents can be created, copied, distributed and stored, and the frequency with which networked computers are backed up, means that the volume of potentially relevant documents can be staggering. It is easy to compromise electronic data if it is not handled in the correct way.

As soon as you suspect that relevant data may exist on a device, do whatever is within your power to ensure that it remains untouched. It is human nature to want to “check out” possible evidence, but doing so risks compromising the evidence. If the computer is on and there is any reason to believe it might be “booby trapped” to destroy data if it is not shut down in a certain way, simply unplug the machine from the electrical source.

Typical symptoms of hard drive failure

Sometimes a user can diagnose a hard drive failure simply from the symptoms that the hard drive is exhibiting.

Typical data loss scenarios...

In this article we examine typical symptoms of hard drive failure and possible causes. What are the signs to look out for? While there are few sure-fire signs of impending disk failure, there are some warning signals that give us a hint. Watch out for: disappearing files; very long waits while accessing files; files/folders whose contents appear to be strangely scrambled; recurring error messages while moving/copying/deleting/creating files; and strange but frequent crashes of your OS.

a. Hard drive is recognised, but grinds/scratches/clicks. Almost certainly a mechanical failure. Without opening the drive in a clean room, it is difficult to determine whether it is the bearings, motor or heads. Try to keep it cool using a desk fan (DO NOT put it in a fridge or freezer) and copy your most critical data. You may have minutes before the drive completely crashes.

Some Apple iMac products qualify for free upgrades

Simply check out the Apple website and enter your serial number to see if your iMac's hard drive can be upgraded for free.

Apple may replace your hard drive free of charge…

If you bought an Apple iMac product between December 2012 and September 2013, Apple or an Authorised Service Provider may replace your hard disk drive free of charge. All you need to do is visit their website and type in the serial number of your product to see if it’s affected.

Apple relies on quality hard drives to power their products and where there may be data recovery issues, they are always quick to help. Hard disk drive manufacturers do unwittingly release drives with bugs – more often than not relating to firmware codes. Although it is rare, this does happen and sometimes products can be recalled.