Subject: Technical assessment of deleted and recovered files within mobile device extractions utilizing industry-standard forensic platforms.
Applicable Tools:
Belkasoft X, Cellebrite Physical Analyzer (PA), Magnet AXIOM, Oxygen Forensic Detective, and MSAB XRY, or any equivalent validated forensic software.
Inquiry 1 – User Deletion Inference
By definition, if a file or photograph has been deleted and subsequently recovered from unallocated space, does the presence of that file in unallocated space conclusively indicate that the file was deleted by the user, as opposed to an automated system process or application-level cleanup?
Inquiry 2 – Transmission from Unallocated Space
If a file or photograph was deleted and now exists only in unallocated space, is it technically possible for a user to transmit, attach, or share that file via SMS, email, chat application, or any other communication platform from within unallocated space?
Inquiry 3 – Restoration Activity and System Logs
If a file or photograph is recovered and restored to allocated space—for example, reintroduced into the device’s Photos directory—would the operating system generate or retain any traceable record of that restoration activity in system logs, databases (e.g., KnowledgeC, Photo Library SQLite), or other system-level artifacts?
Inquiry 4 – Subsequent Deletion and Metadata Alteration
If the same recovered file or photograph is later deleted again after restoration, would this subsequent deletion alter the file’s metadata history, including filesystem-level timestamps (creation, modification, and deletion) or embedded EXIF/XMP data within the file itself?
Purpose and Scope
This inquiry seeks to clarify the technical implications of file deletion, recovery, restoration, and re-deletion within the context of forensic data analysis, ensuring accurate interpretation of recovered artifacts and metadata when forming expert conclusions or evidentiary opinions.
Good day sir, madam,
Not a forensic expert, but a software programmer in the process of getting to know the forensic world. Currently in the process of building a chain-of-custody and audit system.
1. No. It's not proof. In short: the system or some sub-system could have done it, usually due to some automatic cleaning or pruning process. From my experience as a coder, correlative artifact analysis is a must. I programmed this myself only days ago.
2. No, not through "normal" means. Deep technical understanding and relevant programming skill would be needed to make it happen. The point is that one has to have direct access to the disk. The next question could be: is it possible to send/share files whilst bypassing the regular filesystem? If so, then it would never be possible to prove a file was sent. The answer is probably not - you have to ask forensic tool users who are known to access disks directly. However, highly advanced custom-built software trickery could accomplish that. In theory, it's possible. Likely? No. Depends on what's going on.
3. Yes.
I had to look it up in:
https://developer.android.com/reference/android/provider/MediaStore
So for Android, a clear "yes".
The same goes for iOS:
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts
4. Yes, with exceptions. Subsequent deletion alters file system timestamps (Creation, Modification) but generally does not alter embedded EXIF/XMP data within the image binary itself. At the filesystem/library level, data will be altered (assuming "normal" usage again). It's still not the hardest possible proof - which is in my world logic, if you will. So once again correlative analysis is required since the altered filesystem, library, EXIF and application activity logs are independent sources.
Again, this is through the eyes of a programmer.
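The correlative check discussed under points 3 and 4, as an added example that is not part of the reply above or of any forensic tool: it compares the capture time and the library-add time recorded for each photo and lists assets added long after capture, together with any trash date. Assumptions: the column names follow the publicly documented iOS 14+ `ZASSET` table of Photos.sqlite, the reduced table and its rows are constructed sample data, and the one-hour threshold is a hypothetical choice. A gap is a lead to corroborate against other sources, not proof of restoration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Photos.sqlite stores dates as seconds since 2001-01-01 UTC (Cocoa/Mac absolute time).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    return None if seconds is None else COCOA_EPOCH + timedelta(seconds=seconds)

def build_sample_db():
    """Constructed stand-in for Photos.sqlite: reduced ZASSET table, made-up rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZFILENAME TEXT, "
               "ZDATECREATED REAL, ZADDEDDATE REAL, ZTRASHEDSTATE INTEGER, ZTRASHEDDATE REAL)")
    rows = [
        (1, "IMG_0001.JPG", 700000000.0, 700000002.0, 0, None),         # added at capture
        (2, "IMG_0002.JPG", 700000100.0, 705000000.0, 0, None),         # added weeks later
        (3, "IMG_0003.JPG", 700000200.0, 705000500.0, 1, 705090000.0),  # late add, then trashed
    ]
    db.executemany("INSERT INTO ZASSET VALUES (?,?,?,?,?,?)", rows)
    return db

def late_additions(db, max_gap=timedelta(hours=1)):
    """Return assets whose library-add time trails the capture time by more than max_gap."""
    findings = []
    query = ("SELECT ZFILENAME, ZDATECREATED, ZADDEDDATE, ZTRASHEDSTATE, ZTRASHEDDATE "
             "FROM ZASSET ORDER BY Z_PK")
    for name, created, added, trashed_state, trashed in db.execute(query):
        created_utc, added_utc = cocoa_to_utc(created), cocoa_to_utc(added)
        if created_utc is None or added_utc is None:
            continue  # a missing timestamp cannot be compared
        gap = added_utc - created_utc
        if gap > max_gap:
            in_trash = trashed_state == 1 and trashed is not None  # assumed: 1 = in trash
            findings.append({
                "file": name,
                "captured": created_utc.isoformat(),
                "added": added_utc.isoformat(),
                "gap_days": gap.days,
                "trashed": cocoa_to_utc(trashed).isoformat() if in_trash else None,
            })
    return findings

if __name__ == "__main__":
    for finding in late_additions(build_sample_db()):
        print(finding)
```

On a real extraction, run the query against a working copy of the database and verify the schema for the iOS version at hand before relying on the column names.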

