
Busted! Forensic expert who recovered lurid SMS warns: Phone texts don't die, they hide

Whether you are guarding your privacy or have other reasons to want deleted messages on mobile devices to be truly gone, take heed from the forensic expert who nailed parliamentary Speaker Peter Slipper by recovering lurid text messages that had been deleted: the delete button is more like a hide button, and the SMS data is still there. Even a factory reset or wiping a device doesn't mean the data can't be recovered.

We've all deleted texts, but those of you who might really not want anyone else to ever see them might be interested in knowing that forensics experts say, "Phone texts don't die; they hide." And that "factory reset feature" won't delete SMS messages well enough to stop them from being recovered either. The root of the problem is depending upon operating system controls to delete files.

After losing a mobile device, people may opt to remotely wipe it, but that won't really erase all your data either, according to forensic experts. That might seem like a bit of irony for anyone who suffered from attackers using flaws to remotely wipe phones, and then couldn't recover their important data. Yet neither Eve nor Mallory can apparently keep data hidden from some patient mobile device forensic experts.

Rod McKemmish was the computer expert who brought down parliamentary Speaker Peter Slipper by recovering lurid text messages that had been deleted. McKemmish, according to Financial Review, said any texts or other messages that you think you deleted from your smartphone can still be found if someone really wants to find them. "The delete button on the phone should really be called the 'hide' button, because the data is still there, you just can't see it. In the forensic process we can bring it all back."

That article does not state how many of Slipper's alleged sexting messages McKemmish was able to recover, but another Australian article discussing the case mentions, "The number of SMS text messages that was on that CD-rom was 15,400 text messages."

Bradley Schatz, a computer forensics expert and professor at Queensland University of Technology, said a phone's flash memory "is set up to avoid indiscriminately overwriting data, so if you have a lot of spare space on the drive inside your phone, which you will do on a large iPhone, then the device will use that before it writes over or erases previously used space and deleted messages."

The informative article in the Australian Financial Review seems to completely contradict other forensic experts who talk about how hard it is to recover data from smartphones and tablets. While the experts it quotes did not say recovery was "easy" or "fast," they did make the chances of recovering everything you think you deleted sound better than "hit-and-miss."

For example, Schatz did say it would take him "a lot of time and effort," but "once a message is stored in the various sub-folders of a phone, locating and deleting it is a task beyond most users." He added that even the "nuclear option" of wiping everything numerous times can be attempted, but "even then data may still be retrievable."

Forensics Wiki has a short entry on SMS recovery, pointing to another on dekart which claims, "By now it should be clear that in order to recover a deleted SMS, all you have to do is change the state of the SMS to 'in use', and the phone will happily display that message."
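The "change the state" claim quoted above can be seen in a toy model, added here as an illustration and not taken from the article, Forensics Wiki or dekart. The record layout (one status byte followed by a fixed-length body), the class `MessageStore` and the sample messages are assumptions constructed for the example, not any real phone or SIM format.

```python
FREE, IN_USE = 0x00, 0x01   # status byte values (assumed for this toy model)
RECORD_SIZE = 32            # 1 status byte + 31 body bytes (assumed layout)

class MessageStore:
    """Toy fixed-record message store; not a real phone or SIM format."""

    def __init__(self, slots=4):
        self.raw = bytearray(RECORD_SIZE * slots)
        self.slots = slots

    def _body(self, i):
        off = i * RECORD_SIZE
        return bytes(self.raw[off + 1 : off + RECORD_SIZE]).rstrip(b"\x00").decode()

    def save(self, text):
        """Store text in the first free slot; return the slot index."""
        body = text.encode()[: RECORD_SIZE - 1].ljust(RECORD_SIZE - 1, b"\x00")
        for i in range(self.slots):
            off = i * RECORD_SIZE
            if self.raw[off] == FREE:
                self.raw[off] = IN_USE
                self.raw[off + 1 : off + RECORD_SIZE] = body
                return i
        raise RuntimeError("store full")

    def delete(self, i):
        """Flag-only delete: mark the slot free, leave the body bytes."""
        self.raw[i * RECORD_SIZE] = FREE

    def wipe(self, i):
        """Overwrite flag and body with zeros."""
        self.raw[i * RECORD_SIZE : (i + 1) * RECORD_SIZE] = bytes(RECORD_SIZE)

    def visible(self):
        """What the messaging UI lists: slots flagged in use."""
        return [self._body(i) for i in range(self.slots) if self.raw[i * RECORD_SIZE] == IN_USE]

    def residue(self):
        """What a raw read finds: bodies still sitting in 'free' slots."""
        return [self._body(i) for i in range(self.slots) if self.raw[i * RECORD_SIZE] == FREE and self._body(i)]

def demo():
    store = MessageStore()
    a = store.save("meet at 9")       # constructed sample messages
    store.save("call me later")
    store.delete(a)                   # flag flipped, body bytes remain
    after_delete = (store.visible(), store.residue())
    store.wipe(a)                     # body bytes overwritten
    return after_delete, (store.visible(), store.residue())
```

In this model the overwrite lands on the same bytes; the flash behaviour Schatz describes above is why a real device gives no such guarantee.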

There are all kinds of mobile-device forensic tools these days, such as UFED from Cellebrite, made infamous after the Michigan State Police were accused of sucking the data out of phones in under two minutes. Ellen Messmer reported on others including "the Katana Forensics tool Lantern, Blacklight Forensics Software, Paraben's Device Seizure, and Micro Systemation's XRY. But they aren't comprehensive in the exact make and model of Google Android, Apple iOS device or other mobile device models they can tackle."

Yet Chris Gatford, Director of HackLabs, warned that "relying on the inbuilt operating system controls to delete files on a device was insufficient. Even where you can adequately remove items from a phone, you do have to be conscious of the other locations that the data may sit, such as in the back-up files on the machine that the device was last synced to, or they might even in some cases be in proxy servers between the phone and the internet."

Deleting messages only hides them, probably just from yourself. Those are a few thoughts to keep in mind the next time you think you have deleted something from your mobile device. All the more reason to embrace encryption and privacy, and to be anti-forensic friendly.
