
Recovering Deleted Messages

by Michael Dean Thompson

It should come as no surprise that anything you delete on your device is not necessarily gone. Cops using forensic software can often look into a device’s primary storage (as well as cloud storage) and pull up information that the user may have believed was permanently deleted long ago. That capability extends beyond images and documents. It can include items stored in databases like text messages and emails.

Two employees of the forensic software company Cellebrite highlighted the issue in a recent article in the industry magazine Forensic. The problem arises in how storage systems allocate space under the covers. Whether the storage is a file system or a database, with rare exceptions, that system will allocate space in discrete units, often called pages, such as 1024 bytes (1 KB), 2048 bytes (2 KB), 4096 bytes (4 KB), or some other similar chunk. Data is then stored within the next available page as needed. When the data is deleted, the associated headers (rows of data that describe the information and point to the page(s) involved) and pages (if every datum on the page is deleted) are marked as deleted but not actually removed.

The article describes the process as the deleted data being moved into free pages. The process differs from one storage system to another, so this may be an accurate description of the software they describe, but it is unnecessary work to move deleted data to alternative locations to await intentional removal. Instead, deleted pages are generally reallocated only as needed, which may not be for a very long time—depending on the number of allocated pages.

Various storage systems have tools to overwrite deleted pages and reorganize them. Most PC users have seen this with “Defrag.” For the database software highlighted in the article, SQLite, there is the VACUUM command, which purges the deleted data, though that may not be available to the end user. Note that for most tools, the purge of deleted data is a side effect of reorganizing the page layout rather than an actual intent to permanently remove deleted data.

Forensic tools like Cellebrite do not generally access storage through that storage system’s software. For example, they may not use SQLite’s tools to look at the underlying information. Rather, the forensic tools look directly at the underlying file structure or the raw data. This gives them significant access to data that would not be visible otherwise, along with a unique viewport into the data. There may be times when they cannot see the metadata (who sent what, and when) but can still see the content of one or more messages merged together, a kind of inverse of what is often described regarding police surveillance of consumer communications, where the metadata is available but the content is not.

Even with great storage hygiene, some clues may still exist that a message has been deleted. A messaging system may use sequential numbering to uniquely identify a message. In these cases, a numeric skip—say, from 29 to 31—may indicate that message number 30 was deleted while the dates and times of the surrounding messages provide temporal boundaries for when the message was sent or received.
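The behaviour described above (a deleted row's bytes lingering in the SQLite page, VACUUM purging them, and an id gap surviving the purge) can be reproduced on a constructed messages table. This is an added example, not code from the article or from Cellebrite; the table layout, the sample rows and the marker string are assumptions made for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample thread: sequential ids, message 30 is the one the user deletes.
# Its body is a distinctive marker so the raw file can be scanned for it afterwards.
SAMPLE_ROWS = [
    (29, "2024-03-01 10:00", "meet at noon?"),
    (30, "2024-03-01 10:05", "MARKER-this-message-was-deleted-by-the-user"),
    (31, "2024-03-01 10:09", "ok, see you there"),
]
MARKER = SAMPLE_ROWS[1][2].encode()


def raw_file_contains(path, needle):
    """Emulate a forensic tool: bypass SQLite and scan the raw page bytes on disk."""
    with open(path, "rb") as f:
        return needle in f.read()


def id_gaps(con):
    """Gaps in a sequential id column hint at deletions even after a clean purge."""
    ids = [row[0] for row in con.execute("SELECT id FROM messages ORDER BY id")]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]


def run_scenario(purge):
    """Delete message 30. purge=False: plain DELETE, freed bytes stay in the page.
    purge=True: zero freed bytes on delete and rebuild the file with VACUUM."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "messages.db")
    con = sqlite3.connect(path, isolation_level=None)  # autocommit; VACUUM needs no open txn
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sent_at TEXT, body TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    # Some SQLite builds default secure_delete to ON; set it explicitly so both
    # branches behave the same on every platform.
    con.execute("PRAGMA secure_delete = " + ("ON" if purge else "OFF"))
    con.execute("DELETE FROM messages WHERE id = 30")
    if purge:
        con.execute("VACUUM")  # copy only live cells into a freshly laid out file
    gaps = id_gaps(con)
    con.close()
    result = {"raw_has_body": raw_file_contains(path, MARKER), "gaps": gaps}
    shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    print(run_scenario(purge=False))  # {'raw_has_body': True, 'gaps': [(29, 31)]}
    print(run_scenario(purge=True))   # {'raw_has_body': False, 'gaps': [(29, 31)]}
```

Note that the rollback journal or WAL file SQLite writes during the transaction can hold another copy of the page, and the id gap remains visible in both runs because the purge cleans bytes, not history.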

Maybe it is natural that a Cellebrite evangelist would see message deletion as a nefarious act of someone intent on hiding a crime. But privacy is important to everyone. Prosecutors and spouses alike have long histories of intentionally misrepresenting meanings to satisfy their purposes. Being aware of the limits of even the best data hygiene practices can at least inform the user of the potential limits to private speech.

Source: Forensic
