recover data from factory reset android and Dr Fone eraser - General Questions and Answers

my android device was quite maltreated by someone
i think that phone was not encrypted
it was first factory reset
then Dr fone was able to recover some data
so Dr Fone eraser was applied
and as a finish screen was broken
screen replacement is usually easy
what about the possibility to recover some data from that phone ?
using recuva
minitool
autopsy ?

It's gone, gone, gone.
Even if you do recover anything the folder structure was destroyed. An ocean of juxtaposed files. Jpegs with no exif data.
A complete mess like a 747 slamming into a mountain side... that would be easier to reconstruct.
Plus Drfone encrypts the data; you got all you're going to get. Never use this app if you really need the data, take it to a data recovery $pecialist.

thank you for your answer
I did not do anything on that phone. Someone did with quite some success
the folder structure is something that can be rebuilt with time
what would be interesting to recover even partially is :
call history
contacts
text messages
whatsapp messages
gps locations history
pictures could be nice
i you recommend a data recovery specialist.
what sort of tool they will be using ? autopsy ?
I also asked an offer from data recovery specialist

Android's internal folder structure ( read: layout ) always is left intact, a wipe operation - as a Factory Reset does - only marks any wiped content as re-useable by Android, hence it can get overwritten at any time.
If your phone's Android got rooted, you can establish an ADB connection with phone, then you can achieve a bitwise copy of the "unreadable" wiped data ( storage space ) by means of Android's dd command and later on try to read this copy by forensic tools.

thank you for information
I understood that factory reset only mark existing files as free space and that several tools can recover the files.
even Dr Fone could do at first.
but what does an eraser tool like Dr fone eraser ?
is the data really destroyed after this ? or still some tool could be used ?
autopsy maybe ? other suggestion ?

I think I clearly expressed what is to do.
FYI:
Wiped data isn't destroyed ( nulled out or similar ), it physically still exists.
File data is only really deleted when this storage space is needed by something else.
BTW:
Don't know anything about Dr.fone eraser app. But I think it overwrites data stored in Android's user-space with zeros or blanks.

I think it overwrites data stored in Android's user-space with zeros or blanks.
in that case maybe the data is really destroyed/unreadable right ?
or still something could be retrieved ?

jwoegerbauer said:
I think I clearly expressed what is to do.
FYI:
Wiped data isn't destroyed ( nulled out or similar ), it physically still exists.
File data is only really deleted when this storage space is needed by something else.
BTW:
Don't know anything about Dr.fone eraser app. But I think it overwrites data stored in Android's user-space with zeros or blanks.
True. What can be recovered and how it's indexed is another story. I have severe doubts the folders are still intact and it's probably worse than just that.
I used Drfone over a decade ago, it encrypted the found data but showed pieces of it. You had to pay for the encryption key.
You're right about it zero filling too I think. After running that app all that was left was Drfone's encrypted partition, folder, whatever and nothing else. It takes forever.

Related

WindowsMobile5 complete device wipe-out

I need to erase all data from my phone Sprint PPC 6700 (HTC Apache). How to do it to completely remove all my data from it?
I do not want to hear that there is "Clear Storage" procedure on device because you can retrieve that kind of erased data. It brings device to factory state but you can still retrieve data.
Any program which will eg. 10 times write down in free memory space with 0's and then 1's.
I do not want any information to be recovered, info in device is strictly confidential like TaxIDs, SocialSecurityNumbers, passwords and other sensitive data.
It is like with computer format hard drive - normal user will not see data but user with knowledge can access it.
I do not post question in HTC Apache forum because maybe somebody have or may have similar problem with different device.
on wm2005 you format from inside the bootloader
There is no default secure way.
If you're that concerned about the sensitive data now, then really I am surprised it wasn't encrypted anyway.
If it was, simply use the same application to secure wipe those files, and then you have no problem.
If not, use something like http://www.pocketpcfreewares.com/en/index.php?soft=1694 to delete the files you are concerned about, and then simply wipe the storage as normal.
Also, possibly use wm5torage and write/rewrite until you are satisfied with the result.
Rudegar said:
on wm2005 you format from inside the bootloader
May you please give me magic commands to do it?
Thank you
Well, format it from the bootloader sounds just like a normal formatting. Anyway, if you do not have ultra secret important information, nobody with that amount of skill will want to hack and recover your data after a hardreset. If you were to ask the gurus here, they may not want to go through the trouble to recover them (if possible at all). If you were to ask me, you are just being paranoid. The chances that your phone will fall into a hand of a [1]hacker capable of recovering data from hardreset phone AND [2]person interested in your data, is very very slim. You will be more likely to have your information stolen surfing the web (wired), getting a trojan in your PC, stolen via wireless, etc.
Anyway, the US military standard of 12 times write on a hard disk ensures that no data can be recovered via physical means. That is to disassemble the hard disk, and using sophisticated electron scanning equipment to get the data. That's because normal reading via the usual way is not possible after just 1 write.
Anyway, having babbled the above, from what I experienced from retrieving data from a hard disk (the normal way), your data is relatively gone if you fill it up with stuff. SO, if you can just hardreset your device, copy some movies, mp3s over (eg via WM5Storage) until it is full, and then hardreset it again, it ought to do the job. If you are still worried, do this 12 times. Those that are good enough to retrieve your data will just get the movies/mp3s you use.
FYI:
On magnetic storage, like hard drives, one pass of zeros is sufficient to write over the data such that not even an electron microscope could determine what the bits previously contained. It may have once been possible on 10-20 MB MFM hard drives in the early 80s, but is certainly not possible anymore.
The American military and intelligence agencies use the same clean-room data recovery procedures as do commercial data recovery houses, and in fact often contract out to those houses.
Flash memory I'm not so sure about, especially because a lot of flash memory uses redundant sectors to fill in when a given sector has exceeded the number of read-write cycles it's supposed to be capable of.
I would probably just fill the device up with files, delete and repeat like hanmin is suggesting. If your data is so important that someone would try to steal the device (or buy it from you) and then subject it to a military-grade inspection, you can probably afford to destroy the device physically or at least destroy the memory chips inside it and resell it for parts.
mikesol: Thanks for clarification.
Lately I read an article about a guy who recovered an average of 20k pages from PocketPC phones after they were "Clean Storaged" and the owners thought that the data was safely deleted.
Maybe I am paranoid but if somebody gave me their personal/confidential data I try to protect them as much as possible.
Device will stay in one company, but probably next person will not have such vital information as I did. That is why I try to clean it as much as possible.
Now, I am satisfied with what I did.
FYI: I do not work with DoD or cooperating company but level of security is high, ie. old harddrive - 10 times write over + drill over and apply acid inside. Just to be safe
http://www.informit.com/guides/content.asp?g=security&seqNum=234&rl=1
good read
Haahaha, with our old hard drives at my company we just take them apart and then tack up the platters because they look cool.
From what I've been reading, wear-levelling may make it possible to recover "old" bits on a memory card, but there's no context for them - the FAT (or whatever filesystem you're using) won't retain any links to them and it's possible that the microcontroller built into the memory card simply won't allow access to sectors that have exceeded their read/write cycle count.
Regardless, all that would be left in those sectors would be some random bits, context-free and virtually impossible to recover from.
As of now, most of the data recovery techniques for flash rely on the ability to read bits off of the card, and then applying the same utilities to them that you'd use for a disk image of a hard drive. I haven't read about any advanced, dissection-based approaches to determine whether previous states for a given bit can be read even when a bit has been overwritten.
I'd think that there's probably no good way to do that without a massive expenditure in R&D, and you're probably safe filling the memory up once or twice with a format after each. Anyone that gets old data back after that won't be going after you, they'll be working for the NSA or something.
Hmm.. I never thought I will see this, such software do exist!
http://pocketpcapps.net/fileshredppc.aspx
Pawlisko, you may ask your company to get a few copies of this.
hanmin - I used exactly this program. I do not have the Apache any more and I feel quite secure about wipe out.
Probably my company will use this software in future, but for now our major concern is case when somebody will lose device. Of course we will remotely wipe it out, but data will not be securely deleted.
Every employee knows that losing device is not an option
You used this software before or after my post? You ought to let others know your discovery
Anyway, in what form your 'secret' information are in? I mean, text, recordings, pictures? There are some software out there that do encrypt these things. I mean, if they were to be encrypted at stage 1, you won't have to worried about it anymore. If you were to let us know in what form the information is, probably members here can think of a better idea
So, what are you using now?
When it is available, may I recommend that your company upgrades to WM6, it has built in encryption for everything (optional), it will even encrypt stuff on SD cards.
If by WM6 you mean Crossbow, the encryption option is for the SD card, not the internal memory.
It's so that if you remote wipe a device, the contents of the card can't be read on another device or system, unless you restore that device from ActiveSync.
If the company information is that sensitive, it should be stored encrypted with any one of the hundreds of applications aimed at corporate users.
If they aren't doing this, then their IT department simply is not providing the solution to the business that it should be, and someone should do something about it.
Something like this will encrypt all of the PIM, and for instance your My Documents folder so all files stored will also be encrypted.
http://www.safeboot.com/products/device-encryption/windows/
And this one is quite impressive, I saw a demo at IPSEC in London last time:
http://www.pointsec.com/products/smartphonepda/
hanmin - fileshredppc I used after your tip, thank you very much.
What is sensitive stuff - PIM, text, PDF files and photos. Do you know any good solution to encrypt it in Stage 1?
Midget_1980 - for now on there are no plans to go for WM6. But I am monitoring if WM6 would be worth to invest money in it.
AlanJC - I will investigate your links. Thanks in advance.

Securely wiping old Android phone IMPOSSIBLE? - NO "encrypt" option

I need to wipe two Android Phones that do not have the "encrypt" option. I am selling them very soon so this is important. One phone is running stock Gingerbread, the other is using a custom rom running ICS 4.04.
I attempted a secure wipe on the ICS phone by choosing every wipe option found in TWRP (dalvik, cache,etc), then I did 2 factory resets and flashed a NEW ROM after that. Guess what..? I used the free program "DiskDigger" on my PC and I found THOUSANDS upon THOUSANDS of recoverable files. FULL pictures, not just thumbnails; I found videos, I found zip files, I found voice recordings, I found music, and more!
There is no way in hell I can sell these phones until I know they are CLEAN of my information. What pisses me off is that with iPhone, it's as simple as pressing "Erase All Content And Settings". That takes maybe 5 minutes tops and it works on iPhone's as old as the iPhone 3GS! I thought custom flashing a new rom and wiping cache in TWRP would do the trick but NOPE.
Can anyone help me?
An update for you... I downloaded these two apps and ran them on both phones. Here are the results...
https://play.google.com/store/apps/details?id=com.pinellascodeworks.securewipe&hl=en - Secure Wipe
https://play.google.com/store/apps/details?id=com.aiuspaktyn.secureeraser&hl=en - Secure Eraser
On the stock Gingerbread phone, 3 photos were found by DiskDigger and I was able to preview them and recover them. Recuva found 20 files, the same 3 pictures, plus some overwritten garbage. I ran both apps AGAIN and got the same results, those same 3 photos were still there, intact. So what I then did was click on the photos in Recuva and selected "Secure Overwrite Checked". I ran the scans a THIRD time, Recuva first. It found 15 different files, 11 ignored all labelled as "unrecoverable" or "very poor". Only one photo from before was found, but there was no preview. I recovered it, but no photo program could open it, so it looks to be successfully overwritten and corrupted.
On the phone running custom ROM ICS: I ran DiskDigger and it found 0 files; Recuva found 3 files after secure wiping. One was in "poor state" and two were in "excellent" state - a .bin file and .M file. I overwrote these files in Recuva and ran the scans a second time. DiskDigger found nothing, Recuva found 3, 14 ignored, all were "unrecoverable".
So I have some peace of mind now. Before running these Secure erase programs, DiskDigger found 99% of the contents on the phone that was running custom ROM ICS. So wiping dalvik cache, other cache, multiple factory resets, and flashing a new ROM did NOTHING!
If anyone has suggestions on other recovery programs, I will do a third check to put my mind at ease.
Wow... very surprised that there is no discussion on this. Do people not care about the security of their devices?
umirin said:
Wow... very surprised that there is no discussion on this. Do people not care about the security of their devices?
General rule is basically not to sell your old devices and physically destroy them, if you care for privacy. A phone is no different to PC or any other piece of hardware here, so you're either aware of this and don't give/sell your stuff or don't care.
Destroying old equipment is pointless unless you are a career criminal avoiding the police or some other high profile person that a large organization will spend tons of resources to investigate.
Data breaches are far more likely from bad practices during ownership
Quality wipe apps with root access overwriting old data multiple times is quite effective.

Please Help!! I Deleted my Photos

So I selected photo to delete and it somehow selected albums. So now Almost all my important pictures and videos are gone. I downloaded several apps and got back a good bit of pictures but I did not recover any videos. I read several pages about rooting the phone to actually get all the stuff back. Is this something that needs done? Also doesn't rooting wipe your phone so would that get rid of the deleted items? I am so devastated those pictures were my life and like an idiot I didn't back them up. Any ideas on how I can recover them?
Any ideas? I read an article saying you can root the phone and still recover deleted items but want to see what you guys think.
Sent from my SM-G935V using Tapatalk
If your files were stored internal there's a big chance that the rest might've got overwritten by other applications. On SD-Card you might be able to get more back but if you worked with it (meaning storing other files or probably even editing), it will most likely overwrite them.
Since every phone behaves different I can't say what you should use. I can only say what I read the most people suggesting.
They talk about the program Recuva, which runs on your computer. After connecting your phone to your PC, they say you should run a 'deep scan'.
I never used it myself so I can't say if it works. You'd have to search how to use it.
(Program Link: Piriform - Recuva)
Rooting might also help in your favor, because those apps have more access to the storage and can perform actions normal apps can't do in their rather limited workspace.
But rooting also means writing/modifying data on your phone which could use the space where the remainders of your files are stored (depends if they are internal or external/SD card).
But from my experience on PC, chances are very slim that you get all of your files back. I accidentally formatted my hard disk and after force stopping the process I only could restore about ~30% of my files (and most of them were corrupted).
You see, formatting or deleting doesn't actually delete stuff.
You could see all your stored files as a book and the index is what you can see in your file manager. When you delete something it doesn't touch the file at first, it only deletes the entry in the index that a file was at that point in your storage and tells the system that place is free to use again. So apps will begin using that free space. After that it becomes almost impossible to get the file back.

How to securely erase Android phone that I can't encrypt?

So I'm selling my old Meizu M2 Note which is running Flyme OS that doesn't allow me to encrypt the whole phone. How can I ensure the data is actually gone before selling? Normal wiping doesn't erase everything.
That's a good but hard to answer question.
A good old fashioned hard drive can be single pass overwritten (debate about overwrite passes is still an open discussion) making it unrecoverable for anything but an MFT, Mobile devices use flash memory just like a USB drive or an SSD.
What is the difference? Wear leveling (https://en.wikipedia.org/wiki/Wear_leveling).
Because of that people came up with crypto-shredding or crypto erase which only truly works with Hardware Encryption because Software encryption can never, with 100% certainty, know how the wear leveling reacts on every device.
You already said this isn't an option so what can you do to be sure nothing can be recovered? The answer is unfortunately short, nothing.
However recent research showed that multi pass overwriting caught a lot of data but even the Gutmann method (35 passes) did not get rid of everything (I forgot the link to the Whitepapers).
That said, you aren't selling it to a forensic specialist.
My best suggestion is to use one of the higher rated wiping apps (Shreddit for example) to first destroy your files, then factory reset and download a few good recovery apps and again a wiping app. Make sure you can't recover your own files anymore (if you have very sensitive data you can connect it to a PC and use even better recovery or, if you are paranoid, forensic tools) then overwrite it with as many passes, rounds and algorithms you feel comfortable with. Check recovery tools again and call it a day when you feel satisfied.
This WILL eat at the wear level so keep that in mind when you want to start overdoing it.
Not everything will be gone but it's as good as it's going to get and I highly doubt the person you sell it to will be able to recover anything.
Good luck!
GU42 said:
So I'm selling my old Meizu M2 Note which is running Flyme OS that doesn't allow me to encrypt the whole phone. How can I ensure the data is actually gone before selling? Normal wiping doesn't erase everything.
#noob guide incoming
(potentially useless and harmful)
i just thought of it
shred memory
download custom rom and flash
fill memory with stuff
shred again
xD
TheMarchHare said:
That's a good but hard to answer question.
A good old fashioned hard drive can be single pass overwritten (debate about overwrite passes is still an open discussion) making it unrecoverable for anything but an MFT, Mobile devices use flash memory just like a USB drive or an SSD.
What is the difference? Wear leveling.
Because of that people came up with crypto-shredding or crypto erase which only truly works with Hardware Encryption because Software encryption can never, with 100% certainty, know how the wear leveling reacts on every device.
You already said this isn't an option so what can you do to be sure nothing can be recovered? The answer is unfortunately short, nothing.
However recent research showed that multi pass overwriting caught a lot of data but even the Gutmann method (35 passes) did not get rid of everything (I forgot the link to the Whitepapers).
That said, you aren't selling it to a forensic specialist.
My best suggestion is to use one of the higher rated wiping apps (Shreddit for example) to first destroy your files, then factory reset and download a few good recovery apps and again a wiping app. Make sure you can't recover your own files anymore (if you have very sensitive data you can connect it to a PC and use even better recovery or, if you are paranoid, forensic tools) then overwrite it with as many passes, rounds and algorithms you feel comfortable with. Check recovery tools again and call it a day when you feel satisfied.
This WILL eat at the wear level so keep that in mind when you want to start overdoing it.
Not everything will be gone but it's as good as it's going to get and I highly doubt the person you sell it to will be able to recover anything.
Good luck!
Thanks for your amazing reply!
I finally found the solution I was looking for: as Avast! support told me, you can still use Avast! Mobile Security to securely erase your phone (by overwriting data), it's just a hidden feature. You just have to deactivate the Device Administrators permission for the app.
Then you just use the "erase device."
Was that research about multi pass overwriting done on SSD, or HDD? I always thought that one pass is enough on a standard HDD.
Can you recommend me any good forensic tools to use to check if the data is truly erased, please? And does the phone need to be rooted in order to restore deleted data?
Thanks for all your insight and advice !
GU42 said:
Thanks for your amazing reply!
I finally found the solution I was looking for: as Avast! support told me, you can still use Avast! Mobile Security to securely erase your phone (by overwriting data), it's just a hidden feature. You just have to deactivate the Device Administrators permission for the app.
Then you just use the "erase device."
Was that research about multi pass overwriting done on SSD, or HDD? I always thought that one pass is enough on a standard HDD.
Can you recommend me any good forensic tools to use to check if the data is truly erased, please? And does the phone need to be rooted in order to restore deleted data?
Thanks for all your insight and advice !
Avast's shredder works but it's a single pass on flash memory so it doesn't clear everything with 100% certainty because of the wear leveling but no algorithm does. I'm pretty sure that's a feature they added after purchasing CCleaner.
They also added it as a module in their windows platform.
The multi pass research was done on Solid State Drives and I still can't find the link. Just from a research paper in 2011.
SSD's are still closest in comparison to the kind of memory used in Mobile devices.
As for HDD's it's an open debate. Forensics have claimed to be able to read past 200 writes in the past but there is no research to support this. I believe that they showed that 1 pass PRNG is enough in 2005, however the DoD was still developing machines to perform 7 pass DoD standard wipes so, I have to say that I have no idea.
If you want serious forensic tools you're looking at these kind of distributions (infosec just made me laugh, SSL_ERR_CERT_COMMON_NAME_INVALID, it's infosec! ??).
http://resources.infosecinstitute.com/computer-forensics-tools/
But if anyone you sell it to would try something it would be more along the lines of Recuva and similar software.
On phones you can just download a bunch of high rated recovery tools and see if anything pops up.
You do not need root for most of them.
You could run fstrim which I'm pretty sure has no root requirements either. This would mark all blocks as invalid so Garbage Collection can pick it up as well. Even though GC has been shown not to clean everything it doesn't hurt.
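Added example, not part of the thread or of any tool named in it: a small audit script for the check asked about here, run against a raw image such as the bitwise `dd` copy described in the first thread on this page. It classifies each block as zeroed, constant fill, high-entropy or structured data, and searches for file headers across block boundaries; the 4096-byte block size, the function names and the embedded sample image are assumptions made for illustration.

```python
"""Audit a raw storage image for data that survived a wipe (added example)."""
import io
import math
import sys
from collections import Counter

BLOCK = 4096  # assumption: 4 KiB blocks, the usual ext4/f2fs block size

# Magic bytes of the file types the thread cares about: photos, archives and
# the SQLite databases Android uses for contacts, SMS and call logs.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "sqlite": b"SQLite format 3\x00",
}


def shannon_entropy(block):
    """Bits of entropy per byte: 0.0 (constant) up to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block):
    if block.count(block[0]) == len(block):
        return "zero" if block[0] == 0 else "fill"   # e.g. 0xFF erased flash
    # High entropy means overwritten, encrypted or compressed content; it is
    # not proof of a wipe on its own, which is why headers are searched too.
    return "random" if shannon_entropy(block) >= 7.5 else "data"


def audit_image(stream, block_size=BLOCK):
    """Stream the image once; return block classes and signature offsets."""
    classes, hits = Counter(), []
    overlap = max(len(m) for m in SIGNATURES.values()) - 1
    tail, offset = b"", 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        classes[classify_block(block)] += 1
        window = tail + block            # keep a tail so split headers match
        base = offset - len(tail)
        for name, magic in SIGNATURES.items():
            pos = window.find(magic)
            while pos != -1:
                if pos + len(magic) > len(tail):   # skip matches seen before
                    hits.append((base + pos, name))
                pos = window.find(magic, pos + 1)
        tail = window[-overlap:]
        offset += len(block)
    return {"blocks": sum(classes.values()), "classes": dict(classes),
            "hits": sorted(hits)}


def wipe_looks_clean(report):
    """True only if no file header and no structured block was found."""
    return not report["hits"] and report["classes"].get("data", 0) == 0


def build_sample_image():
    """Constructed 9-block image: wiped areas plus planted leftovers."""
    pad = lambda b: b.ljust(BLOCK, b"\x00")
    noise = bytes(range(256)) * (BLOCK // 256)  # entropy 8.0, no signatures
    return b"".join([
        bytes(BLOCK) * 2,                               # zero-filled
        pad(SIGNATURES["sqlite"] + b"CREATE TABLE contacts(name TEXT);"),
        bytes(BLOCK - 2) + b"\xff\xd8",                 # JPEG header split...
        pad(b"\xff\xe0\x00\x10JFIF\x00"),               # ...across two blocks
        b"\xff" * BLOCK * 2,                            # constant fill
        noise * 2,                                      # stands in for overwritten data
    ])


if __name__ == "__main__":
    if len(sys.argv) > 1:                # path to an image you made yourself
        with open(sys.argv[1], "rb") as fh:
            report = audit_image(fh)
    else:
        report = audit_image(io.BytesIO(build_sample_image()))
    print(report["classes"])
    for off, name in report["hits"]:
        print(f"0x{off:08x} {name}")
    print("clean" if wipe_looks_clean(report) else "residual data present")
```

On real images the 3-byte JPEG marker also turns up by chance about once per 16 MiB of random data, so isolated jpeg hits inside "random" regions need a second look before they count as leftovers. A clean report covers only the blocks the controller exposes; the spare blocks held back by wear leveling, which the posts above discuss, are not visible to this kind of scan.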

Struggling to find how to do a Full Backup including all Application Data to do a Recovery of deleted (accidental) files

Hi XDA members,
So I am a wiz at Apple software..... but
I have been provided with a customer's phone (Google Pixel 3a); they have accidentally emptied the Trash Can instead of selecting the Restore option... All their photos have been deleted permanently.
I understand that the phone will need to be put into 'root' mode, but have read that rooting will wipe the phone which I do not want to happen.
My customer has got applications to do with taking regular Medication setup, and many more application that they do not want deleted with the data wiped.
Your urgent help on this matter would be kindly appreciated.....
Paul
P.s. I have installed ADB & Fastboot along with Bluestacks application but am stumped from here on in.
They are probably lost unless Google cloud gives you restore options.
Always redundantly back up critical data to at least 2 hdds that are physically and electronically isolated from each other and the PC.
It’s not my phone but a Customers well more of a friend but Customer still regardless..
I work tirelessly on Apple devices, but trying to do a big favour on this occasion with an Android.
The advanced software I use daily does not support Android devices.
In regards to Backup..I do back up everything of mine to a NAS drive…just my friends doesn’t/didn’t and their Google account doesn’t seem to show any photos of the deleted items from Trash at least..and they apparently hold precious moments that cannot be captured anymore.
My friend was trying to create a folder to put the images in, but instead deleted them then when they went to restore from the trash they ended up deleting them… no idea how they made this error with all the extra warnings that appear during the process, but that’s what they did and I’m not one to argue with a customer.
Could really do with someone being able to get my friend/customer out of this horrid situation
many thanks
Paul
At this point if the pictures are that important I would power down the phone and give it to a data recovery specialist. Any more mistakes may make recovery impossible if it is now.
Do not use online apps that claim to be able to do this!
If the jpegs that haven't been overwritten already can be recovered, it will be only the image. All file structure, exif data, time stamps, etc are lost in a sea of juxtaposed data. Only file types and file size can be searched for in the recovered data. This alone is a daunting task. The images have no time structure at all. Only memory can separate and index them back to order.
It's a rude shock... to the neat, organized data that once existed.
The magnitude of this is enormous. Even a flash card with a 120 images is a true pain to reconstruct and of limited value without the exif data. I need a stiff drink just thinking about it... always redundantly backup critical data. Never encrypt data drives.
Maybe your friend did back them up on Google at one point. Worth a shot, on a different phone/PC. Remember every second the victim phone is on is a second it can be overwriting data! Even after Backup Transport is disabled I've seen Google servers retain that data in spite of the warning to the contrary. If deleted on Google itself... that's a question for Google.
I loathe cloud services and don't use them now.
