
Help After Factory Reset Samsung S4 Galaxy Active

8 Posts
5 Users
0 Reactions
719 Views
(@pitts33)
New Member
Joined: 12 years ago
Posts: 2
Topic starter  

Hello, I am trying to recover text data on a Samsung Galaxy S4A that has been factory reset.

I've tried the Oxygen Forensics Suite 2013. It took a long time to download the phone, and only found things from post reset. Oxygen could not recover even the 4 current, un-deleted text messages. (I agreed to all of the permissions as asked during the process.)
I emailed Oxygen support, and they said that text messages require a rooted phone. (I have rooted the phone, and their software verified that my phone was already rooted, and stated that it was going to root it as well.) They also emailed me that their Forensics Suite doesn't help with factory reset and they don't have any equipment that does.

This phone has only been in use for 1 month, so I was hoping that the occasional call or text message now incoming would not re-write too much of the previous data.

I've checked with a local PI company, who said they no longer deal with phones. They gave me a phone number to a national company. Their representative assured me that the factory reset is permanent and nothing can be done to restore the information.

From everything I've been reading, it sounds as though the only hope is the Cellebrite UFED? And the cost is $6000 or more, maybe?

I'm in the Pittsburgh PA area. There's probably no one that rents services on a UFED? I just need printouts of the actual messages, as I have the AT&T phone logs with the times and phone numbers of the texts / calls.

Thanks in advance for any advice or related information :D


   
(@alistair)
Eminent Member
Joined: 12 years ago
Posts: 23
 

I know this may be a long shot but have you tried rooting your phone, imaging the entire partition of your phone and finally analyzing the image with any forensics tool available?

Of course the recovery may depend on whether the phone was being used actively post-reset or not.

The only other method I can think of is the chip-off method.

Cheers.


   
(@pitts33)
New Member
Joined: 12 years ago
Posts: 2
Topic starter  

Thanks Alistair for the reply

Sorry to ask a stupid question, but how do I "image the entire partition of the phone"?

Thanks


   
(@alistair)
Eminent Member
Joined: 12 years ago
Posts: 23
 

Hello,

I'm not really familiar with the Samsung Galaxy S4, but it shouldn't be that different (if someone more knowledgeable than me can chip in that would be great). The general process is to root your phone, then access it via USB (enable ADB), execute the mount command and you should see which partitions correspond to which memory blocks (an example would be /data -> mmcblk0p8 or something like that).

Then just use 'dd' (which should automatically be available, if not, install BusyBox) to copy the partition bit-by-bit onto your sdcard or on to your local machine via netcat or some other tool.

From there you can analyze the partition with a Hex-Editor or some forensics tool that you know of.

See if that works for you :-)


   
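The partition-lookup step from the post above, as an added example that is not part of the original thread: it parses `mount` output in both layouts Android shells print and builds the matching `dd` line. The sample output, the device names in it and the output path are constructed placeholders.

```python
import re
import shlex

# "device on mountpoint type fstype (options)": toybox and GNU mount
ON_STYLE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)")
# "device mountpoint fstype options ...": older toolbox mount, /proc/mounts
PROC_STYLE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Constructed sample of `adb shell mount` output; device names are illustrative.
SAMPLE = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p8 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/mmcblk0p9 on /cache type ext4 (rw,nosuid,nodev)
"""

def parse_mounts(text):
    """Map each mount point to its device, filesystem and options."""
    table = {}
    for line in text.splitlines():
        # Try the "on ... type" form first; the looser pattern matches it too.
        m = ON_STYLE.match(line) or PROC_STYLE.match(line)
        if m:
            dev, mnt, fs, opts = m.groups()
            table[mnt] = {"device": dev, "fstype": fs,
                          "options": opts.split(",")}
    return table

def dd_command(table, mountpoint, out_path):
    """Build the dd line that copies the partition behind a mount point."""
    dev = table[mountpoint]["device"]
    if not dev.startswith("/dev/block/"):
        raise ValueError("%s is not backed by a block device" % mountpoint)
    return "dd if=%s of=%s bs=4096" % (shlex.quote(dev), shlex.quote(out_path))

if __name__ == "__main__":
    # Placeholder output path: use removable storage or the host.
    print(dd_command(parse_mounts(SAMPLE), "/data", "/path/on/external/sd/data.img"))
```

The image should be written to removable storage or streamed to the host, because writing it into the partition being imaged overwrites the unallocated space that recovery depends on.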
(@coligulus)
Estimable Member
Joined: 16 years ago
Posts: 165
 

I think if you acquire the device in that fashion you may indeed get a copy of the device's memory, however the file system you are mounting will relate to the reset device's state.

You are going to need to carve any deleted data from that image, using a script of one variety or another in order to recover deleted data from it. This will likely involve some research to understand how the messages are stored on the device and then customising whatever script to look for that pattern of data storage.

Think about looking for SMS PDUs as they were delivered to the device and then also how the device manipulates that data to store in the SQL database and look for that also.

It is unlikely that you are going to recover the deleted database file so it's not going to be as simple as firing that up in an SQL browser. :(


   
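A minimal carving script of the kind suggested in the post above, as an added example that is not part of the original thread: it searches a raw image for a phone number known from the carrier logs, then looks in the bytes that follow for a stored timestamp and readable text. It assumes message dates are kept as epoch milliseconds in SQLite integer encoding; the phone number, window size and sample image are constructed.

```python
import re
from datetime import datetime, timezone

UTC = timezone.utc
WINDOW = 512                                # bytes inspected after each hit (assumed)
TEXT_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs, 6+ chars

def to_ms(dt):
    """Epoch milliseconds, the unit assumed for stored SMS dates."""
    return int(dt.timestamp() * 1000)

def dates_in(chunk, start_ms, end_ms):
    """Values of 6-byte big-endian integers that fall inside the range.

    SQLite writes a present-day epoch-ms value as a 48-bit big-endian
    integer, so a sliding window finds it without knowing the schema."""
    values = (int.from_bytes(chunk[i:i + 6], "big")
              for i in range(len(chunk) - 5))
    return [v for v in values if start_ms <= v <= end_ms]

def carve(data, number, start, end):
    """Return one dict per occurrence of `number` (bytes) in a raw image."""
    hits = []
    for m in re.finditer(re.escape(number), data):
        chunk = bytes(data[m.start():m.start() + WINDOW])
        stamps = dates_in(chunk, to_ms(start), to_ms(end))
        hits.append({
            "offset": m.start(),
            "dates": [datetime.fromtimestamp(ms / 1000, UTC) for ms in stamps],
            "text": [t.decode("ascii") for t in TEXT_RUN.findall(chunk)],
        })
    return hits

def sample_image():
    """Constructed image: one SMS-like record, then a decoy with no date."""
    when = datetime(2013, 11, 5, 14, 30, tzinfo=UTC)
    record = (b"+14125550123" + to_ms(when).to_bytes(6, "big")
              + b"\x00\x00\x05" + b"Meet at 5 at the usual place")
    decoy = b"contact:4125550123"
    return bytes(4096) + record + bytes(4096) + decoy + bytes(1024), when

if __name__ == "__main__":
    image, _ = sample_image()
    window = (datetime(2013, 10, 1, tzinfo=UTC), datetime(2013, 12, 1, tzinfo=UTC))
    for hit in carve(image, b"4125550123", *window):
        print(hit)
```

Hits that carry a date inside the expected range are the ones worth examining by hand; `carve` also accepts an `mmap` of a real image file in place of the in-memory sample.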
(@alistair)
Eminent Member
Joined: 12 years ago
Posts: 23
 

Indeed, as Coligulus said, analyzing the image will not be so easy. As an initial point I would recommend you use TSK and try to carve out the unallocated space to see what can be recovered.

Flash forensics is still a heavily researched area and results may vary from device to device.

EDIT: Also, I've heard from some sources that newer Android devices execute the TRIM command after deleting data. If this is the case, then your chances of recovering any deleted file are effectively reduced to zero, as TRIM allows those pages marked stale by the OS to remain in the unused block and be erased by the Garbage Collector.


   
Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

Pitts33, see PM.


   
(@therealhoudini)
Active Member
Joined: 15 years ago
Posts: 8
 

@Igor_Michailov, can you send me the same information please, or could you post it here? Thank you.


   