Readers like you help support MUO. When you make a purchase using links on our site, we may earn an affiliate commission. Read More.
If you've watched a crime TV show before, you've probably seen analysts extracting data from a phone. How realistic are these procedures, and can the police recover deleted photos, texts, and files from a phone?
Let's look into what a forensic analyst can do with a phone.
Why Mobile Forensic Investigations Happen
A mobile forensic investigation takes place when data on the phone is crucial to a case. Back in 2014, when two Minnesotan girls went missing, digital forensics helped police find their abductor. Many other cases have been broken open by the information taken from a victim's or perpetrator's phone.
MAKEUSEOF VIDEO OF THE DAY
SCROLL TO CONTINUE WITH CONTENT
Even a simple piece of information, like a single text message, could help investigators solve a case. Other times, it's a more complicated picture painted by deleted call logs, time stamps, geolocation data, and app usage.
Search history could prove to be incriminating. Many types of information could help the police solve a crime—and phones store a lot of that kind of information.
Even if you're not a prime suspect, the police may want to look into your phone. Phones belonging to victims of crimes can provide police with valuable data, especially if those victims are incapacitated or missing.
What Can Police Forensics Find?
Forensic analysts can perform different kinds of data acquisitions. The simplest is known as "manual acquisition," and it involves searching through the phone normally. This doesn't reveal deleted data, so it doesn't tell analysts much.
A "logical acquisition" provides more detailed data. This involves transferring data from the phone to a PC. This transfer makes it easy for forensic investigators to work with the data but is still unlikely to recover deleted information.
When investigators want to see hidden data, they use a "file system acquisition." Mobile devices are big databases, and a file system acquisition gives an investigator access to all of the files in the database. This includes hidden and root files, but still no deleted data.
Finally, there's a "physical acquisition." This is the hardest kind of acquisition, as it needs special tools to dump a copy of the storage into a file. However, this lays everything bare—even deleted files. This allows procedures such as forensic text message recovery to take place.
Can the Police Recover Deleted Text Messages and Media?
You might be wondering how the police can read text messages that have been deleted. In truth, when you delete something from your phone, it doesn't vanish instantly.
The flash memory in mobile devices doesn't delete files until it needs to open up space for something new. It merely "deindexes" it, essentially forgetting where it is. It's still stored, but the phone doesn't know where or what it is.
If the phone hasn't overwritten the deleted data, another piece of software could find it. Identifying and decoding it isn't always easy, but the forensic community has extremely powerful tools that help them with this process.
The more recently you've deleted something, the less likely it will have been overwritten. If you deleted something months ago, and you use your phone a lot, there's a good chance that the file system will have overwritten it already. If you only deleted it a few days ago, the chances are higher that it's still there somewhere.
Some iOS devices, like newer iPhones, take an additional step. As well as deindexing the data, they also encrypt it—and there's no known decryption key. That's going to prove extremely difficult (if not impossible) to bypass.
Many phones automatically back up to the user's computer or to the cloud. It can be easier to extract the data from that backup than from the phone. The efficacy of this strategy depends on how recently the phone had a backup performed and the service used to store the files.
Which File Types Can Be Recovered?
The types of recoverable files may depend on the device a forensic analyst is working on. However, there are a few basic types that are likely to be recovered:
- Text messages and iMessages
- Call history
- Emails
- Notes
- Contacts
- Calendar events
- Images and videos
It's also possible that investigators can trace deleted WhatsApp messages—unless they were encrypted. If you use your Android for file storage, those files might still be hanging around in storage, too.
What About Encrypting Your Phone's Data?
Mobile device encryption poses a big problem for forensic analysis. If the user used secure encryption, and there's no way to get the encryption key, it's going to be difficult or impossible to get any data from the phone. iTunes even asks users to encrypt the backups they make on their computers.
While this makes phones less useful to forensic investigators, there are some ways to get past the encryption. Some phones have backdoors built in that allow professionals access to the files. Other investigators might be able to guess or crack your password.
If they can't, however, those encrypted files are going to cause serious problems. If you're worried about forensic examination of your phone (e.g., you're a journalist with sensitive sources), it's a good idea to use the most secure encryption settings you can.
What About WhatsApp?
WhatsApp makes a big case for privacy, with its end-to-end encryption services and good privacy practices. But can a WhatsApp call be traced? And how do the police recover deleted WhatsApp messages?
At the time of writing, WhatsApp's Security page has some good news for privacy enthusiasts:
Some of your most personal moments are shared with WhatsApp, which is why we built end-to-end encryption into our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.
This means that cracking WhatsApps' defenses would be a tough challenge for someone wanting to get their hands on your info.
Not only that, but on the WhatsApp Help Center for Information for Law Enforcement Authorities, it states that WhatsApp does not store messages on its servers. The company will comply with police requests, but only "before a user has deleted that content from our service."
However, it's not perfect. For instance, Ars Technica reported that, should someone report content as being unsuitable for the platform, the service will decrypt some of the chat logs and send them to moderators for checking. And law enforcement has been interested in looking at the metadata of communications to catch criminals.
Is Any of Your Information Safe?
In the end, there are no guarantees when it comes to mobile forensic investigation. There's no way to completely secure every piece of data on your phone against a committed and intelligent investigator. At the same time, there's no way to access data on every phone.
However, there's a wide variety of continually evolving tools out there. These take into account the always-changing landscape of data protection. And, of course, there's some luck involved as well.
As always, we recommend the same things if you want to keep your data safe. Encrypt everything. Be smart about where and how you back up. Use strong passwords. Lastly, don't do anything that will put you in the crosshairs of a forensic investigation.
How to Recover Deleted Text Messages
If you feel like performing some do-it-yourself cell phone forensics, you can recover deleted text messages on your phone. There are some limitations you'll have to overcome, but it is possible!
The steps involved are quite lengthy, so be sure to read how to recover text messages on Android or iPhone for the whole picture.
Keeping Your Data Secure
So, can police recover deleted pictures, texts, and files from a phone? The answer is yes—by using special tools, they can find data that hasn't been overwritten yet. However, by using encryption methods, you can ensure your data is kept private, even after deletion.
FAQs
Keeping Your Data Secure
So, can police recover deleted pictures, texts, and files from a phone? The answer is yes—by using special tools, they can find data that hasn't been overwritten yet. However, by using encryption methods, you can ensure your data is kept private, even after deletion.
Can forensics recover deleted data on phones? ›
Yes, police can recover permanently deleted photos from a phone using special tools and software for mobile forensic investigations. However, the success of data recovery depends on several factors such as the type of disk, encryption, and file system used.
How do forensics recover deleted data? ›
Forensic data recovery is an exclusive process of restoring data and files which will be utilized for legal purposes. Unlike common data recovery tools out there, forensic data recovery is more complicated. It is used to recover data and files from storage devices taken as proof or found at crime scenes.
What software do police use to recover data from phones? ›
UFEDs allow the government to access the vast troves of data contained in cell phones. These devices connect to your phone and download all of its contents – from your contacts list to your location data – within seconds. Their software breaks or bypasses passwords, “unlock” codes, and other security features.
Can cops see deleted search history? ›
Can police recover deleted internet history? Yes, simply by contacting your internet service provider. They are obligated by law to store records of your online activity. The only exception is that your provider could have already deleted the data if the history is older than the data retention period.
Can forensics find deleted files? ›
Data recovery and forensics software can recover deleted files (on Windows/NTFS) by looking for entries in the file table that have not been overwritten. If the entries are still in place, they will show the locations where the file was stored.
How much does forensic phone recovery cost? ›
In the majority of legal cases, the cell phone investigator can recover and analyze the cell phone's evidence and generate forensic tool reports for the legal team's review for an average cost of $3,000 to $5,000. Each smartphone takes approximately 8 to 12 hours of lab time.
What can forensics recover from phone? ›
What Information And Data Mobile Phone Forensics Recover
- SMS and MMS.
- Videos & Photos.
- Audio Files, Voicemail.
- Calendar information.
- Call history.
- Browsing history.
- GPS data.
- Emails.
Whether your device is rooted or not has nothing to do it. Only requirement is having Google "Find My Phone" setup and active on the Google account signed into the device and the device being powered on so to be able of locating it, even if a factory reset is performed GRP should have your back.
How do you prove data has been deleted? ›
A digital certificate of data destruction is the best proof that data has actually been destroyed from your IT hardware. This digital certificate is produced following an intensive software data wiping process, certifying data destruction that meets or exceeds NIST 800-88 and DoD 5220-22-M standards.
When a file is permanently deleted from the Recycle Bin, it still resides on the hard drive until it's overwritten with new data. Therefore, a data recovery tool can be used to restore some or all of the data.
Where does permanently deleted data go? ›
When you delete a file from your computer, it moves to the Windows Recycle Bin. You empty the Recycle Bin and the file is permanently erased from the hard drive. ... Instead, the space on the disk that was occupied by the deleted data is "deallocated."
Is anything ever really deleted from your phone? ›
When you delete a piece of data from your device — a photo, video, text or document — it doesn't vanish. Instead, your device labels that space as available to be overwritten by new information.
Can the police see everything on your phone? ›
Police officers cannot obtain the information contained on your mobile phone without a warrant. However, police officers can use any information that other people give them regarding your mobile phone use.
Can forensics recover overwritten data on iPhones? ›
Once an item has been deleted, it is encrypted and it is gone for all practical purposes. It's not coming back. iOS encryption applies to deleted data on an iPhone. So within the forensics world, deleted photos, videos and call logs that have been deleted are deleted.
How long until Search history is permanently deleted? ›
Complete deletion of data from our servers is equally important for users' peace of mind. This process generally takes around 2 months from the time of deletion.
How far back can text messages be retrieved? ›
All of the providers retained records of the date and time of the text message and the parties to the message for time periods ranging from sixty days to seven years. However, the majority of cellular service providers do not save the content of text messages at all.
Can police look up old text messages? ›
In some cases, a court order may be necessary to retrieve data from a third-party messaging service. In general, it is highly likely that police are able to retrieve text messages depending on the messaging service used and other factors.
Can police recover a factory reset phone? ›
Yes, of course. They could just get a warrant to search the phone you sent them to. Quite possibly, the phone company would also have a log of them. It's also far from certain that a “factory reset” would wipe the memory clean either.
What holds all the files that have been deleted? ›
Check the Recycle Bin
When files have been deleted or even lost, the Recycle Bin is always the number one place to check. On almost all computer systems, once a file has been deleted this is the place it will end up next.
You can only retrieve the data from Google Drive if you factory reset the Android. Hence, a hacker intending to access your deleted photos backed up on Google Drive can factory reset the Android. After factory resetting the phone, he can easily access and misuse your deleted photos.
How long does it take forensics to search a phone? ›
Phone forensics may only take 24 hours, but this can extend to several days if there is a lot of data to process. If the investigator works on an hourly rate, ask the investigator to provide you with an estimate on how long the investigation should take to complete.
How long does a forensic examination of a phone take? ›
Typically, it will take 2 hours. But this can easily be reduced to 1 hour, or be expanded to 4-6 hours. Sometimes longer! The more information you can provide to the forensics examiner, the better estimate they will be able to provide.
How long does it take police to forensically analyze a phone? ›
Generally speaking, it can take anywhere from a few days to several months for phone and computer forensics to be completed by the police. However, some cases may require more time and resources and may take longer to complete.
How is mobile forensic done? ›
That's done by duplicating its files with a software imaging tool. The duplicate maintains the integrity of the original files and can be used as evidence for the original copy.
What is the biggest threat in mobile forensics? ›
One of the most common problems mobile forensics experts face is when a user accidentally resets their device. This can delete all the data on the device, making it difficult to recover.
What is a commonly used forensic tool to collect cell phone data? ›
Hex dump. A hex dump, also called physical extraction, extracts the raw image in binary format from the mobile device. The forensic specialist connects the device to a forensic workstation and pushes the boot-loader into the device, which instructs the device to dump its memory to the computer.
Can a stolen phone be wiped clean? ›
Remotely erase your phone's data
Make sure to erase your device's data to stop thieves from finding sensitive information or photos. On Android and iOS, you can wipe your phone's data remotely by using the “Find My” app. Follow the prompt for locking your phone, but then choose the “erase phone” option.
What phones can't be traced? ›
Here's our list of the most secure phones you can use today:
- Bittium Tough Mobile 2C. ...
- K-iPhone – One of the most secure Phones. ...
- Most secure Phones – Solarin From Sirin Labs. ...
- Among the most secure Phones – Purism Librem 5. ...
- Sirin Labs Finney U1.
Recovering lost files is not always possible!
If Windows overwrites the space a deleted file was occupying, the original file can no longer be restored. That's because the content of that original file is just not there anymore.
5 Best Ways to Permanently Delete Android Data
- Delete Items Using a File Manager. The worst way to delete a private file from your Android phone is from within the associated app. ...
- Erase Data With a File Shredder. ...
- Delete Android Files From Your PC. ...
- Erase Sensitive Files From SD Cards. ...
- Restore Your Phone to Factory Settings.
Basically, the answer is a bit complicated but here's the short version: you should assume that data is never truly deleted unless the device has had a complete wipe. To understand why this is this case, you need to look at how data is generally “Deleted” (and those quotes are intentional) from devices.
Where does the deleted data goes in mobile? ›
The file will stay in your trash for 30 days before being automatically deleted. If you're the owner of the file, others can view it until you permanently delete the file. If you're not the owner, others can see the file even if you empty your trash. On your Android phone or tablet, open the Google Drive app.
Can police recover deleted ring videos? ›
Unfortunately, police also can't retrieve the deleted Ring videos. Since the Ring company doesn't come up with any recovery service for customers, even police having the warrant to access the videos won't be able to retrieve them.
How do you know if your phone is being watched by police? ›
How to tell if your cell phone is being spied on
- Unusual sounds during calls. ...
- Decreased battery capacity. ...
- Phone shows activity when not in use. ...
- Phone takes a long time to shut down. ...
- Battery temperature feels warm. ...
- Receiving unusual texts. ...
- Increased data usage. ...
- Android.
Much of your phone's data is stored in other places that law enforcement can access. For example, if you back up an iPhone regularly via iCloud, the police may request access from Apple.
Do the police watch you through your phone camera? ›
States can set up their own laws regarding local law enforcement, and nine states have reportedly limited live cell phone spying without a warrant. (California is not one of them.) It's a complicated legal issue because people have fewer privacy rights regarding surveillance when they're in public.
Can forensics recover deleted text messages? ›
Keeping Your Data Secure
So, can police recover deleted pictures, texts, and files from a phone? The answer is yes—by using special tools, they can find data that hasn't been overwritten yet. However, by using encryption methods, you can ensure your data is kept private, even after deletion.
How to permanently erase data from iPhone so that it cannot be recovered? ›
Go to Settings > General > Transfer or Reset iPhone. Do one of the following: Prepare your content and settings to transfer to a new iPhone: Tap Get Started, then follow the onscreen instructions. When you finish, return to Settings > General > Transfer or Reset iPhone, then tap Erase All Content and Settings.
What can forensics retrieve? ›
As well as recovering data, forensic data recovery can include accessing hidden areas of a computer to check for suspicious activities or recovering data that has been purposefully deleted or corrupted.
Go to Settings > Security > Advanced and tap Encryption & credentials. Select Encrypt phone if the option isn't already enabled. Next, go to Settings > System > Advanced and tap Reset options. Select Erase all data (factory reset), and press Delete all data.
Can the police pull up deleted text messages? ›
Depending on the device, law enforcement may be able to retrieve deleted messages in certain situations. If a device is seized, for example, police may attempt to use forensic software to retrieve evidence. On some devices, deleted messages can be recovered as recently as a few weeks after they were sent or received.
Can police access your phone history? ›
Police officers cannot obtain the information contained on your mobile phone without a warrant. However, police officers can use any information that other people give them regarding your mobile phone use.
How far back can police get text messages? ›
All of the providers retained records of the date and time of the text message and the parties to the message for time periods ranging from sixty days to seven years. However, the majority of cellular service providers do not save the content of text messages at all.
How do you permanently erase data so that it Cannot be recovered? ›
#1. Download Reliable File Shredder Software to Permanently Delete Files so They Can't Be Restored. You must wipe and erase your computer to eliminate files from your PC or laptop without recovery. In this way, data that has been irreversibly erased can no longer be recovered.
How to erase all data from phone permanently before selling? ›
How to wipe your Android
- Go to “Settings” > “System.”
- Tap “Reset Options.”
- Choose “Erase all data (factory reset).”
- Tap the “Reset phone.”
- Tap “Erase everything.” Your phone will be returned to the same state as when you purchased it.
Even if someone deletes text messages, memos, calendar updates and call records, a private investigator may be able to recover this information. This level of detail can inform someone of who the person has had contact with, at what time and date the contact occurred and the content of the contact.
Can police remotely access my phone? ›
There are many backups of data on your phone. Anything saved outside of your device can be accessed by law enforcement if they follow the correct and established legal routes to do so.
Are deleted text messages permanently gone? ›
However, just because you erase texts on Apple and Android products doesn't mean they're gone for good, according to an expert on the Apple Support Community and Business Insider. They will be hidden, but they may still be saved in system data or elsewhere with your cellphone carrier.
How long does it take for the police to track your phone? ›
"As soon as the call is placed, it can be tracked and traced to where it is being originated." An FBI agent who spoke on condition of anonymity agrees: "If someone is calling from a landline, the carrier will know immediately. They can't hide it from the phone company.
On Android
- Go to Settings.
- Select Locations.
- Choose App Locations Permissions.
- Select each app individually and change permissions based on what you feel comfortable sharing.
Without a warrant, the police cannot listen to a person's phone conversations, unless one of the parties to a phone conversation consents to the use of a wiretap. Any information they gather without a warrant and without consent cannot be used against a defendant in a criminal trial.
Can you subpoena deleted text messages? ›
Can a Lawyer Subpoena Text Messages That Have Been Deleted? As mentioned above, a divorce lawyer can't subpoena the actual content of a text message. However, if a spouse deletes a text from their phone, that communication record can still be subpoenaed.
How are phones tracked by police? ›
Tower dumps
As mobile phone users move, their devices will connect to nearby cell towers in order to maintain a strong signal even while the phone is not actively in use. These towers record identifying information about cellphones connected to them which then can be used to track individuals.
Can screenshots of text messages be used in court? ›
Even though it might seem unusual, screenshots are admissible evidence. Yes, you can use them as legal proof, but you can't just present them and expect everything to be okay. Time and date matter a lot in a litigation process.
