Can we recovery fil...
 
Notifications
Clear all

Can we recovery files from factory reset mobile phone?

14 Posts
7 Users
0 Likes
4,174 Views
(@nitiwate)
Posts: 5
Active Member
Topic starter
 

Any ideas? roll

 
Posted : 30/08/2013 1:34 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Surely this is a very open ended question and depends on the phone?

What do you class as a factory reset, factory reset most modern droids and you will loose everything in the user and system partition but it wont touch the internal sd partition. Use a nice tool like whats app decrypter over backups in this space and you can get a lot back about someone.

 
Posted : 30/08/2013 2:14 pm
(@nitiwate)
Posts: 5
Active Member
Topic starter
 

Samsung Galaxy S3
Can we recovery photos?

 
Posted : 30/08/2013 2:56 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Take a memory dump and have a look. It completely depends on how they did it. I wouldn't just assume no. The internal sd partition is hardly touched during a standard s3 format, I ended up having to manually format my internal sd partition using clockwork mod. Factory reset didn't do it

 
Posted : 30/08/2013 3:13 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Any ideas? roll

Phone Image Carver
UFED Physical Analyzer
.XRY

 
Posted : 30/08/2013 3:40 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

None of the listed products would get a complete physical image.

As earlier stated, the results of imaging would very much depend how a "factory reset" was implemented, and by whom.

 
Posted : 30/08/2013 5:54 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Why would Cellebrite not get a complete physical image? I've found the S3 bootloader method pretty comprehensive

 
Posted : 30/08/2013 6:02 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

Why would Cellebrite not get a complete physical image? I've found the S3 bootloader method pretty comprehensive

In my opinion the only way to "image" a device for true "physical image", is through a test access point or directly from reading the nonvolatile memory.

Cellebrite UFED PA (and all other "pseudo-physical" collecting tools) must go through a non-write protecting hardware controller, and in some phones non-write protecting device driver firmware and non-write protecting OS.

Furthermore, such "pseudo-physical collection" does not get all the non-volatile memory as the controller to the memory shields much of the internals of the memory structure, spare areas, translation tables, ECC, and so on.

In my experience with some device & bootloader combinations the resulting images do not contain non-allocated areas of the storage. In some cases it would report on "deleted" items, but unable to do so on the "never allocated" area.

 
Posted : 30/08/2013 6:28 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

Not to be a pedantic but the original post asked whether you can get deleted data back from a factory reset phone.

In my opinion the only way to "image" a device for true "physical image", is through a test access point or directly from reading the nonvolatile memory.

I accept you can get more through the chip level access and jtag acquisition but as always, if you have recovered enough data to answer the questions being answered in the case that is enough. If the customer wants deleted pictures of their kids, great. Surely JTAG and chip off cannot be seen as the only way, when you have found what is needed thats enough.

Thank you for the link it is an interesting comparision

 
Posted : 30/08/2013 7:24 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

Not to be a pedantic but the original post asked whether you can get deleted data back from a factory reset phone.

In my opinion the only way to "image" a device for true "physical image", is through a test access point or directly from reading the nonvolatile memory.

My second post, which you quote, was to your request for elucidation, not the original post.

I accept you can get more through the chip level access and jtag acquisition but as always, if you have recovered enough data to answer the questions being answered in the case that is enough. If the customer wants deleted pictures of their kids, great. Surely JTAG and chip off cannot be seen as the only way, when you have found what is needed thats enough.

Thank you for the link it is an interesting comparision

Possibly, but not necessarily, lest we forget the "virus/remote control/etc. did it" defense.

 
Posted : 30/08/2013 11:19 pm
Page 1 / 2
Share: