0

I am writing a story that involves a cellphone being recovered at a crime scene. The police go through it and find all the non-deleted files and continue until a they do something to obtain the data that was recently deleted.

I want to know how they would do this and what steps are necessary for it.

I want to be realistic so give as much detail as possible.

Kennichi Nitta
  • 101
  • 1
  • 1
    Generally speaking, when deleting a file it is not actually deleted. The table of content (TOC) points to this specific file. When the entry in the TOC is removed it 'appears' to be deleted but it is not until it is overwritten again (which now is allowed because it is removed from the TOC). This is simply put here, there are a lot of dependencies whether it is possible to retrieve this data. – Jeroen Sep 04 '19 at 06:25
  • @Jeroen-ITNerdbox Do modern mobile devices support TRIM for their internal SSDs? If they do, then even regular deletion (i.e. unlinking a file) can result in it being overwritten by the FTL's garbage collector. – forest Sep 04 '19 at 06:49
  • I was explaining the very basics here, not including things like TRIM. TRIM on Android phones is supported from v4.3 and up. I am not sure about iPhones as I am not really interested in them. – Jeroen Sep 04 '19 at 07:09
  • BTW I was assuming in this specific case that authentication has been performed already. Bypassing the authentication mechanism could be tricky to start with. Sometimes the police pay a lot of money to companies that might have zero day exploits, this happened a few years ago in a shooting (forget where it was exactly) – Jeroen Sep 04 '19 at 07:16
  • @Jeroen-ITNerdbox if there is a method to go through this data, how would it be done? – Kennichi Nitta Sep 04 '19 at 09:17
  • I am unsure what you mean @KennichiNitta – Jeroen Sep 04 '19 at 16:40
  • @what I want to know is--since I want to depict this in the story--what the officer or private company does (does she use a program or tool?) to retrieve this data. the parts of the process would be appreciated. – Kennichi Nitta Sep 04 '19 at 23:03
  • @KennichiNitta They could use a tool like photorec, which recovers deleted files. – forest Sep 05 '19 at 06:12

0 Answers0