
About Android 4.3+5.0 TRIM

LANGWONDE
(@langwonde)
Active Member
Joined: 11 years ago
Posts: 19
Topic starter  

Hello, everyone,
Does anyone know about the TRIM feature of Android 5.0 devices (also 4.3+), which frees up the blocks in the eMMC/NAND? Because nothing can be recovered.

Recently I deleted a DCIM folder on a Samsung Galaxy S5, and after I dumped the image I found that none of the pictures and photos could be recovered from that DCIM folder.

Does this mean that with the implementation of Android TRIM it is now incredibly impossible to recover any files on the phone eMMC/NAND?

Thank you!


   
CellDet
(@celldet)
Active Member
Joined: 18 years ago
Posts: 10
 

Hello!

Can you tell me if this was an actual non-invasive or invasive collection of the device? I am asking because if it was a file-system collection using MTP methods employed by mobile forensic software, you will not recover deleted files and folders, since this is just a logical file system recovery. If this is an actual partition, you will see unallocated space when dumped into X-Ways, FTK Imager, etc. In that case I would begin examining the unallocated space, but of course if the files are large enough and pages exhausted, garbage collection could be invoked and erased.


   
LANGWONDE
(@langwonde)
Active Member
Joined: 11 years ago
Posts: 19
Topic starter  

I used Oxygen to dump the image. It is truly a partition image, I think.

See the picture.

All the files are 0 bytes, and none of the pics can be recovered. It's so strange.

The device is a Samsung S5 with Android 5.1.1.

Is this the TRIM feature?

Any help would be appreciated.

THX!


   
CellDet
(@celldet)
Active Member
Joined: 18 years ago
Posts: 10
 

Sorry for the delay in getting back to this. This is not a physical image but what is available via the collection of the internal storage and external storage along with Android Backup. Since the DCIM that you are referencing is the .thumbnail folder from the internal storage, deleted images can be referenced here (just a thumb of the full file that had been deleted); it is more likely the media database file reference still held the path, but the file was no longer available to remove from the device. I cannot be 100% sure without seeing the device and filesystem, so it is just an educated guess at this point. I can, however, say that extraction of the internal media storage and external via MTP will not grab unallocated space or files that are no longer referenced. A full physical collection must be conducted.


   
LANGWONDE
(@langwonde)
Active Member
Joined: 11 years ago
Posts: 19
Topic starter  

Thank you for your quick reply, CellDet!

It is unallocated space, not the MTP method, I'm sure, because I dumped the whole physical image, which is 15,388,672 KB in size.

And when I dump it into Autopsy I see the file structure and file system, but I can't see any pictures because they are 0 size.


So what's the problem here? Am I wrong?

Curious about what your experience with this is.

Thank you!

_________________
LWonder


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Have you tried any carving programs on the image file? If you have a physical image and there are JPEG files within the image that are not referenced by the file allocation table, then a file carving program should work.


   
ForensicMeteor
(@forensicmeteor)
Trusted Member
Joined: 11 years ago
Posts: 60
 

For an easy carving solution, mount the physical image of the S5 and use PhotoRec to carve. You can mount the bin file with FTK Imager (free).


   
(@chad131)
Trusted Member
Joined: 16 years ago
Posts: 63
 

Short answer is yes, this is probably TRIM at work. I see a lot of phones with tons of free space and 0 bytes for deleted photos/videos. TRIM on Android 4.3+ will simply just zero out those NAND blocks over time. Carving will not help; there is nothing to be recovered.

Obviously you have to check other areas of the phone to see if it's been wiped/reset, etc., or what other types of activity may have taken place.


   
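The replies above disagree on whether carving the physical image can still find the deleted pictures or whether TRIM has left nothing to carve. The following is an added example, not code from any poster in this thread, that surveys a raw dump for blank blocks and JPEG start markers before a carver is run. The 4096-byte block size, the function names and the sample dumps are assumptions made for illustration.

```python
import io

BLOCK = 4096                 # assumed block size; use the file system's real value
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker that carvers key on

def survey(stream, block=BLOCK):
    """Classify every block of a raw dump and count JPEG start markers."""
    stats = {"blocks": 0, "zero": 0, "ff": 0, "data": 0, "jpeg_soi": 0}
    tail = b""  # last 2 bytes of the previous block: catches markers split across blocks
    while True:
        buf = stream.read(block)
        if not buf:
            break
        stats["blocks"] += 1
        if buf.count(0) == len(buf):
            stats["zero"] += 1        # reads back as zeros, e.g. after a discard
        elif buf.count(0xFF) == len(buf):
            stats["ff"] += 1          # erased-flash pattern
        else:
            stats["data"] += 1
        stats["jpeg_soi"] += (tail + buf).count(JPEG_SOI)
        tail = buf[-2:]
    return stats

def carving_outlook(stats):
    """Summarise how much of the dump is blank and whether a carver has anything to find."""
    blank = stats["zero"] + stats["ff"]
    ratio = blank / stats["blocks"] if stats["blocks"] else 0.0
    return {"blank_ratio": ratio, "worth_carving": stats["jpeg_soi"] > 0}

# Constructed sample dumps (not taken from the device discussed in this thread).
PARTLY_BLANK = (
    b"meta".ljust(BLOCK, b"\x01")            # block 0: data
    + b"\x00" * (4 * BLOCK)                  # blocks 1-4: zeroed
    + b"\xff" * BLOCK                        # block 5: 0xFF filled
    + b"A" * (BLOCK - 2) + b"\xff\xd8"       # block 6: JPEG marker starts at the very end
    + b"\xff\xe0JFIF".ljust(BLOCK, b"\x00")  # block 7: marker finishes here
)
FULLY_BLANK = b"\x00" * (8 * BLOCK)

if __name__ == "__main__":
    for name, dump in (("partly blank", PARTLY_BLANK), ("fully blank", FULLY_BLANK)):
        s = survey(io.BytesIO(dump))
        print(name, s, carving_outlook(s))
```

Run it over the unallocated area only: on a whole image, JPEG markers belonging to live files are counted too, so the result would not say anything about the deleted ones.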
LANGWONDE
(@langwonde)
Active Member
Joined: 11 years ago
Posts: 19
Topic starter  

Thank you guys for all your warm answers, especially chad131; you gave me an exact answer. Thank you.


   