Data Recovery


Chip-off and JTAG knowledge in mobile phone and flash data recovery is essential to ensure the highest success rates!

Chip-off and JTAG data recovery methods...

Mobile phone data recovery and all flash recoveries use two types of techniques. Both give data recovery engineers access to a low-level image of the data by interrogating the NAND memory chip directly. However, the two techniques are very different. Mobile phones, flash storage and solid-state drives rely on memory chips for storing information, in direct contrast to hard disk drives, which still use rotating platters and read/write heads.

Hard disk drives use a common approach to data storage, meaning that data recovery tools can be generic. Flash devices on the other hand vary considerably in their approach. With a wealth of different data formats, file structures, algorithms, memory types and configurations, data extractors are often ‘device specific’. This means that the only way to gain a bit for bit copy of the raw data is to interrogate the memory chips directly, effectively bypassing the operating system. This is where chip-off and JTAG technology features.

Data recovery experts often have to deal with cases where important data has been deleted — by accident or on purpose — by its owner or a third party. Those stories don’t always end the same but more often than not, if the client hasn’t done anything too creative to retrieve it on his own, this data gets recovered. That’s good news for those who had suffered a loss of important data, but bad news for those who need theirs permanently destroyed.

Why is it possible to recover files that have already been deleted? It’s because a file remains on the hard drive until the physical place where it’s stored is overwritten with another file. The process of overwriting is beyond the user’s control (although of course the likelihood of deleted files being overwritten is higher the more files you subsequently save onto your hard drive). Both deleting a single file and formatting a partition are processes that involve system modifications within the file allocation tables (some of the most popular file systems – such as FAT and NTFS – are based on a system of file allocation tables). These modifications don’t touch the disk space holding the file’s contents, which is changed only when another file is written after the file has been ‘deleted’ or the partition has been formatted. So if nothing gets written over the physical space that is occupied by the removed file, it will be fairly easy to restore it.

The same goes for all system files that I mentioned previously (such as temporary files, paging files, print and hibernation files): even if a file has been overwritten in one place, it could still be restored from some other place on the hard drive. So as you can see, ‘manual’ deletion is more like playing a game of cat and mouse with your data.

Erasing your data — further complications

This is not the full extent of the problem — some devices, such as smartphones and flash drives, will make it even harder for you to erase data. Restoring your phone to factory settings on Android still doesn’t work on many devices, so when you buy a second-hand phone or tablet, you often get its previous owner’s data as well.

Upgrading your Android device?

Are you still sporting an HTC Dream (Google G1) or a tablet running Android Honeycomb? Probably not, as technological obsolescence means that as mobile devices have evolved, so has our desire to upgrade to newer models with improved performance and functionality.

So if you do decide to upgrade, what should you do with your old mobile phone or tablet to ensure no-one else will be able to access your personal information? Up until now, users may have chosen to perform a factory reset, with the perception that this will securely erase all data on the device. This is actually not the case; it was recently reported that data may still be recoverable from around 500 million Android smartphones, even after performing a factory reset. It was also found that a recovery is possible even if the device is encrypted, which is concerning for home and business users alike.

Why is the data still recoverable?

In a previous blog post we described how data such as pictures, videos and app information gets stored on Android devices, mostly via the use of internal NAND flash memory. We asked Michal Cieslik, a Mobile Device Recovery Specialist at DataRecoup, to explain why data can still be recovered from these types of storage devices when a factory reset has been completed:

“Performing a factory reset on an Android device simply removes the path to the data, making the device appear empty; however the data is actually still there. A recovery is possible by looking at the data structures from a low-level and using specialist tools to recreate the data into a useable format. Also, factory resetting a mobile device only affects the internal memory – any added external storage in the form of micro-SD memory cards would not be touched and the data could be recovered with widely available software recovery tools.”

According to researchers at Cambridge University, around 500 million Android smartphones are vulnerable to a flaw in the factory data reset function that could allow the recovery of a wide range of data.

Following a series of tests, the researchers estimate that 500 million Android devices don't fully wipe data partitions that contain sensitive data, allowing the restoration of contact and message data from first- and third-party apps. In 80 percent of phones tested, the researchers were able to extract the Google master token after a factory reset, giving them access to Gmail and Calendar data.

The team also estimate that 630 million devices don't wipe SD cards and other places where pictures and videos are stored during the factory reset process. This is concerning for people who sell or give away used smartphones, who might think that sensitive data is removed after a factory reset, when in many cases it's still accessible.

It was also discovered that the flaw in Android's factory reset allows you to recover data with full-disk encryption enabled. During the reset process, the decryption key isn't wiped, and recovery of the "crypto footer" along with this key allows an attacker to crack the encryption offline.

Over a third of data recovery enquiries relate to data loss from digital cameras and photos.

Digital photo data loss...

Show a roll of camera film to a child or even a teenager and they will probably struggle to identify the intended use. We live in an age where our images are kept digitally, and this means the storage of memories on cameras, phones, laptops and tablets.

From time to time we make a concerted effort to transfer and sort images we want to keep and use portable memory devices, but often the photos sit forever on the devices they were taken on. The problem comes when the smartphone breaks or the laptop hard drive becomes corrupt and we realise in horror that hundreds and possibly thousands of images are now lost. There is a solution for many digital photo loss scenarios so if you find you’re in this situation, it could be that all is not lost.

It’s a surprisingly common occurrence – just a quick installation of a new app on your smartphone or tablet and it seizes up and stops working. The mobile phone or tablet hangs during the installation process and may not even boot up if you try to restart. In many cases data on the device has simply disappeared. Or perhaps the user was careless and the expensive device simply fell to the ground or even into the water. Now what? Is it possible to recover the sensitive data stored on the device yourself, or should you contact a specialist? Mobile devices, in contrast to laptops or desktops, have their own unique requirements.

Where is data usually stored on the smartphone?

In iOS-based smartphones and tablets, all data is stored exclusively on the internal memory of the device. Depending on the model, iPhones have different sized NAND flash memory. Alternatively, data can also be stored via iTunes on the computer or stored via iCloud in the cloud.

Android-based smartphones, however, offer three different places to store data. In addition to the internal memory – also mostly NAND flash – many devices have a (micro-) SD card slot on which data can be saved. As a last resort, various data can – depending on the available amount of memory – be stored on the SIM card of the telco provider.

What types of data loss can occur on a smartphone?

Basically, possible damage falls into two categories: physical and logical errors. A physical error on a smartphone exists, for example, when the flash memory chip or its controller on the internal circuit board has failed after a drop or other impact and the device can no longer be used. Or the internal memory chips have worn out, have dropouts and no longer save correctly, or are already partially broken. Logical errors, however, are typically missing or incorrect file structures or linkages, corrupt files and file formats, as well as faulty memory allocations. In short, logical errors are all those that cause files not to be displayed or recorded by the system, although they still exist in the memory.

In all of these cases it is best to speak with an expert. But there are also cases in which smartphone owners can save their data themselves and only if the phone or its data – whether Android or Apple iPhone.

Recently I received an iPhone 4S which had sustained water damage. The unfortunate customer managed to drop the phone in the swimming pool while recording a video. It sank to the bottom of the pool, recording the whole way down. The phone didn’t stop working instantly. The customer dried it out and was using it for another 30 minutes, after which the phone turned itself off. It was not possible to switch it back on. It wasn’t showing any sign of life, and a recharging attempt was made which only caused the charger to heat up excessively.

The best course of action in this case would be disconnecting the phone from its power sources, which are the battery and the external charger, then drying it out. Unfortunately, removing the battery in iPhones requires tools and a bit of practice. There are at least 3 special screws which need to be removed in order to remove the battery. The situation is also much more complicated when you have an older iPhone model, as the iPhone 3GS and older have to have the screen and mainboard, a.k.a. the Printed Circuit Board (PCB), removed along with 9 screws just to get to the battery. The majority of Android phones, by contrast, have a removable back panel which clips on to the phone and a removable battery underneath.

In the case of this iPhone recovery, water and moisture inside the phone were causing rapid battery drain due to multiple short circuits created by the presence of liquid. In situations like this, if the phone is not dried out as soon as possible, it can cause additional and permanent damage to the mainboard of the phone. In this case, corrosion and damage to the PCB weren’t severe, which could have been due to a number of factors:

As data recovery from voice logging systems becomes more widespread, we examine the history of voice logging systems.

Voice logging data recovery...

The necessity for the commercial logging of voice communications from telephone lines dates back to the early 1950s, although there is evidence of patents for telephone answering and recording devices as early as 1903. The original commercial voice logging devices utilized analog magnetic tape as the recording media. The spools of 1/4” reel to reel tape were 10 1/2” in diameter and mounted on very large stable tape decks.

It is believed the earliest use of these cumbersome devices was in both military and commercial logging of voice data for air traffic control. Although Magnasync Corporation were one of the early commercial manufacturers of these devices, the British company Racal became a market leader in voice logging. Racal Recorders designed and manufactured the voice logging systems and Racal Zonal the magnetic tape. Again, these early magnetic tape voice logging systems utilized 1/4” magnetic tape on reel to reel spools. Both 1/2” and 1” tape were also used. These wider tapes allowed up to 64 simultaneous tracks of voice to be logged using analog recording techniques.

Do you simply disconnect USB flash drives without ejecting them first? Well read on and find out why this is a bad idea!

Why should I eject my flash USB memory stick…

Don’t we all simply disconnect our USB flash drives without ejecting them first? That extra two seconds could be better spent doing something else right? Wrong! Unplugging without warning can cause data corruption. Mac and Linux users be especially aware!

The reason this is a bad idea is all down to ‘write caching’. Essentially, your operating system will cache all the files to be written and perform the writes in one go. This functionality is designed to improve performance. When a user disconnects a USB flash drive without warning, the cache is cleared out. If a write process is in operation, this inevitably will result in data corruption.

With capacities increasing all the time, compact flash media is increasingly popular for data storage and we are seeing more for recovery!

Data recovery from compact flash...

We received a SanDisk 4Gb Compact Flash card where the JPG data had been deleted. This was exacerbated by the client's attempts to recover the data using free software. When data on SD cards is deleted, the information is still contained within the media, but the signs which tell the system where it is located are destroyed, so that the system does not recognize the fact that the data is still residing within the memory. These signs, called "pointers", are the indicators that data is present within the structure of the computer.

Deleted information can be recovered even when the pointers are erased, but the chances of success are massively eroded as time passes. As the compact flash writes new data, it will use free space and possibly overwrite stored data that has been previously marked for deletion.
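
The behaviour described in the compact flash case above, and in the earlier passage on why deleted files can be restored, can be shown on a toy volume: deletion destroys the pointer, the bytes stay until new data reuses the space. This is an added example, not code from the original page; ToyVolume, carve_jpegs, the block size and the sample "photo" are constructed for illustration and do not model a real FAT or NTFS layout.

```python
BLOCK = 64  # toy block size in bytes (assumption, not a real flash geometry)
class ToyVolume:
    """Hypothetical minimal volume: a pointer table plus a raw data area."""
    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)  # raw media contents
        self.used = [False] * blocks           # allocation map
        self.table = {}                        # name -> (first block, length)

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)       # blocks needed, rounded up
        for start in range(len(self.used) - need + 1):
            if not any(self.used[start:start + need]):
                break                          # first free run that fits
        else:
            raise OSError("volume full")
        self.used[start:start + need] = [True] * need
        self.data[start * BLOCK:start * BLOCK + len(payload)] = payload
        self.table[name] = (start, len(payload))

    def delete(self, name):
        start, length = self.table.pop(name)   # the pointer is destroyed...
        need = -(-length // BLOCK)
        # ...and the space is marked free; self.data itself is not touched
        self.used[start:start + need] = [False] * need

def carve_jpegs(raw):
    """Recover JPEGs from a raw image by signature, ignoring the pointer table."""
    found, pos = [], 0
    while (soi := raw.find(b"\xff\xd8\xff", pos)) != -1:  # start-of-image marker
        eoi = raw.find(b"\xff\xd9", soi + 3)                # end-of-image marker
        if eoi == -1:
            break
        found.append(bytes(raw[soi:eoi + 2]))
        pos = eoi + 2
    return found

def demo():
    # Constructed stand-in for a photo: real JPEG markers around filler bytes.
    photo = b"\xff\xd8\xff\xe0" + b"PHOTO-PIXELS" * 8 + b"\xff\xd9"
    vol = ToyVolume()
    vol.write("IMG_0001.JPG", photo)
    vol.delete("IMG_0001.JPG")
    recovered = carve_jpegs(vol.data)           # pointers gone, data intact
    vol.write("NEW.TXT", b"x" * 40)            # new file reuses the freed space
    after_overwrite = carve_jpegs(vol.data)     # header overwritten: carve fails
    tail_survives = bytes(vol.data[40:len(photo)]) == photo[40:]
    return recovered == [photo], after_overwrite, tail_survives

if __name__ == "__main__":
    print(demo())
```

After the 40-byte write, the photo's header is gone and signature carving finds nothing, yet the unoverwritten tail of the photo is still on the media, which is why partial recovery and incomplete erasure are both possible.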