Monday, December 17, 2012

Easily Recover Files from Phone or Tablets

The quickest and easiest way to check your hunch that your spouse is cheating is to investigate their mobile devices. Full data recovery from a phone or tablet is difficult but there are some methods which you can do yourself at home with little cost or technical expertise.

SD Card Recovery

Many phones use a Mini SD card for expanded memory. Cameras and camcorders also use expanded memory slots. Devices save data to either an internal memory or to the external memory card, sometimes both.

Data recovery from an memory card can be as simple as removing the memory card from the device, putting it in a card reader attached to your computer, and running a file recovery program.

Memory Card Readers


Many computers these days have a built in card reader. If your computer doesn't have a card reader, you can purchase a USB card reader almost anywhere for $5-$20 or so. Here are a few places where you can order online

File Recovery Software

The good people at CNet's Download.com have quite a few file recovery tools. However, there are some that aren't free. Limited trials may allow one to view the thumbnails of recovered images but the full licensed product is required for retrieval. The geek-elite at Lifehacker have provided their own guide for the best file recovery software. I highly recommend reading through their article before proceeding in your file recovery efforts.

The following software has been recommended by BSC blog readers:

Other Uses for File Recovery Software

One benefit of the file recovery software is that it can be run on several types of devices. Make sure to check the memory cards of all of you mobile phones, cameras, camcorders, GPS devices, video game consoles, etc... A second use for the software is that it can be run on hard drives of computers and laptops. The recovery software is a versatile information gathering tool.


Trouble Ahead: Internal Memory

The hard part of data recovery from devices comes from the internal memory of the device. The big culprits here are the Apple iDevices and the Blackberry. Apple prevents the use of external memory in its iPhone and iPad devices by not supporting physical slots for memory expansion. Some Blackberries default to using internal memory. The Blackberry Curve series will only use the external memory slots for message storage, photo storage, contact storage if the user modifies the default settings in the menu. In most cellphones some data is even stored on the SIM card, but Blackberry doesn't even do that.

Big Trouble

Even forensic professionals have a difficult time reaching into internal memory on mobile devices. It's a complex problem with lots of layers.

In the first layer you have firmware. This is the basic operating software on the phone that boots it up. Not only does each manufacturer have their own firmware on the device but each model of device can have a different firmware as well.

The next layer is the operating system. The main contenders in operating system are Apple and Google. Apple is notorious for closed systems and actively prevents the open source community from developing utilities that would have helped our purposes. Google's Android is much more open and has more development community involvement. There may be some applications out there on the net which would help recover data.

The third layer is a twist on the second. Jailbreaking the iOS or Android operating system adds a further wrinkle. The Cydia jailbreak adds a new app store for the iOS system where third-party developers can sell software. As with any operating system modification, apps designed for the original configuration may or may not work on the jailbroken device. Additionally, apps added after the jailbreak may modify how data is stored or can be retrieved.

The icing on the crap-cake is that special equipment and decoding software may be needed. For my outdated early-2000's Blackberry, the kit would have been ridiculously expensive. For those of you with deep pockets, there's a list of links below.

If anyone out there knows about a good tool set for Android, Blackberry and iOS... Please share!

What can you do?

There are cellphone reading kits that police and professional private investigators use to access the internal memory of the device. These kits are ungodly expensive. My recommendation is to seek professional help if you absolutely need to see the internal memory on a device. Contact a private investigator in your area, ask your lawyer for a referral, check out the firm's reputation, see if they outsource the forensic work and check the reputation of the lab. Be prepared to pay - I was charged $750 for one phone.

Also, be prepared to get zippo off the device. That's right... I spent $750 for "no data" because the lab couldn't read internal memory off the phone (not the SIM or expansion memory - the internal data store). The lab had a good reputation and updated equipment. They just were not able to read the internal data. Luckily, they refunded my payment. Contractually they didn't have to refund anything so I do feel very lucky indeed.

Professional Tools:


Cell Phone Records

Don't forget to log into the online account for mobile phones. I used this access to download a couple of years worth of calls and text message records. The data is simple; date, time, number, duration, placed/received call, sent/received text, and sent/received mms.

You should look for a pattern. For example- your wayward spouse has been calling and texting a suspicious number every day for months and then has a few days with little or no texts or calls. If this aberration occurs at the same time your spouse was away on a business trip, visiting family, working over the weekend, etc. I think you have some very strong evidence for a rendezvous.


Spoofing a Cloud

I have been researching a new approach for forensics. This is based on the distributed memory principle of cloud computing. For example; Apple's iOS for iPad and iPhone is utilizing a 'live backup' to their iCloud service which basically runs a backup of apps, contacts, and data through the internet connection of the device. Somewhere, out in the net, is an encrypted copy of all of the device data. I'm looking into how one could access this information -- so stay tuned.

--- DNS

Wednesday, December 5, 2012

Hacking help!

I've been contacted a few times recently to provide help getting to some part of a computer file or recovering some sort of data. I don't mind responding to people who reach out and generally need help, in fact, I'd like to think I've actually helped quite a few people. Here are some guidelines to make sure I can help you as much as I can.

What to do before reaching out to me for help

  1. It would be really awesome if you would read the relevant blog posts and attempt it on your own first.
  2. Know what you are asking for and likely to get. Data recovery and carving can generate lots of data but it generally is a shotgun approach.
  3. Do the work once you have the data. I can't generate lovely time-indexed, cross-referenced, collated reports of the data. I'll just generally give you the data and expect that you'll donate some elbow-grease to the equation.

What I need to help you

  1. A description of the system (Mac, PC), the operating system (XP, 7), the relevant programs (Skype, Firefox). Version of the programs is a nice-to-have for me.
  2. The relevant files!
  3. Any information that would help searching data. Names of the parties, dates of events, locations, etc...

What I can promise

  1. My best effort to recover data
  2. Getting to the task of investigating as soon as possible (I do have a life!)
  3. Utmost secrecy... I will only share your information with you, no one else. Nobody but me will ever see it. I promise to delete all copies of data and emails once I've finished investigating and sent results. 
  4. Discretion. I've been through this myself and I know how personally devastating going through this kind of event can be through my own experience.

How to contact me

  1. Post a comment to the blog and I will reach out to you. I moderate all comments and will not make any comments public that contain personal info like an email address.
  2. Email me at dead.nt.sleeping [at] gmail [dot] com
  3. I have put together a web form for a contact page you will be able to see on the top tabs of the blog. Here's a link to it anyway: Contact Form.

V/r - DNS