With MOBILedit Forensic, you can recover deleted data in several ways. One option is recovering data from SQLite (or SQL) databases; another is recovering files and folders from a physical extraction. Below we explain what each of these methods does and what kind of information you can recover.

Physical extraction

Physical extraction allows you to recover deleted files and folders which are still available through the file system and the SQL databases, which makes it the best option.

MOBILedit Forensic offers various ways to obtain a physical image, such as the EDL, LG and MTK hacks. These can only be used with Android and KaiOS devices.

Time plays a big role in data recovery - the longer you wait, the lower the chances of a successful recovery. Restarting the device, or even restarting apps, decreases the chance of data recovery.

Deleted files can be extracted from the physical dump on Android and KaiOS devices.

SQL databases 

SQL databases allow you to recover the data which were marked as deleted or are still present in a database file. It also enables you to recover data from phones where you are unable to obtain the physical image, such as with iOS devices. SQLite is the most common way to store data for both iPhone and Android.

A rooted device enables us to get straight to the file system and SQL databases as well, which increases the chance to obtain deleted data.

How SQLite data recovery works

There are three files associated with a database which may contain deleted records.

  1. The database file - <database name> (https://www.sqlite.org/fileformat2.html#section_1)

  2. The rollback journal - <database name>-journal (https://www.sqlite.org/fileformat2.html#section_3)

  3. The write-ahead log - <database name>-wal (https://www.sqlite.org/fileformat2.html#section_4)

Basic recovery method 

When the SQLite B-tree is parsed, freeblocks and unallocated blocks are detected.

We know which table each block belongs to, so we know the data types of the item columns that should be recovered. Data in each block (freeblocks and unallocated blocks) is read sequentially.

Each potential item found in the database has a header with the data types and lengths of the data that follows, so we read the whole block of data, treating it as a potential header. If it fits the table's data types, it is most likely a deleted item.

Recovered records may be corrupted, incomplete, or duplicates of existing records.
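The first step of the method above, locating freeblocks and unallocated space in table leaf pages, can be shown in Python. This is an added example, not MOBILedit's code; the table `msgs`, its rows and the function names are constructed for illustration, and it stops before the step that matches record headers against the table's column types.

```python
import os, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample: three rows, then the middle row is deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # assumption: freed bytes are not zeroed
    con.execute("CREATE TABLE msgs(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("lunch at noon",), ("meet at pier 9 tonight",), ("call me back",)])
    con.commit()
    con.execute("DELETE FROM msgs WHERE id = 2")
    con.commit()
    con.close()

def free_regions(path):
    """Return (page_no, kind, bytes) for free space in table leaf pages."""
    with open(path, "rb") as fh:
        data = fh.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                       # stored value 1 means 65536
        page_size = 65536
    out = []
    for pno in range(1, len(data) // page_size + 1):
        page = data[(pno - 1) * page_size : pno * page_size]
        hdr = 100 if pno == 1 else 0         # page 1 follows the 100-byte file header
        if page[hdr] != 0x0D:                # 0x0D = table B-tree leaf page
            continue
        first_free, ncells, content = struct.unpack(">HHH", page[hdr + 1 : hdr + 7])
        content = content or 65536           # 0 encodes 65536
        # Unallocated space: after the cell pointer array, before cell content.
        out.append((pno, "unallocated", page[hdr + 8 + 2 * ncells : content]))
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= page_size:
            seen.add(off)                    # guard against a looping chain
            nxt, size = struct.unpack(">HH", page[off : off + 4])
            # The 4-byte freeblock header overwrote the start of the old cell.
            out.append((pno, "freeblock", page[off + 4 : off + size]))
            off = nxt
    return out

def demo():
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    build_sample_db(path)
    return free_regions(path)

if __name__ == "__main__":
    for pno, kind, blob in demo():
        print(pno, kind, len(blob), blob.strip(b"\x00")[:40])
```

The freeblock header replaces the first four bytes of the deleted cell, which is one reason a recovered record can be incomplete even when its text survives.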

Clutter filtering

Clutter filtering helps you discover and remove unusable or random files. It has to be explicitly turned on under the “Deleted data only” settings, as it is turned off by default when the program is installed for the first time. This setting helps you filter out all duplicate or incomplete records.

How it works:

  • Each processed table in the database is defined as a set of columns.

  • Each recovered record is compared (according to the set of columns) with all valid records and all previous recovered records.

  • Depending on the result of the comparison, the record is processed (duplicates are thrown away).

What deleted data can be recovered?

Recovered deleted data will appear in the report with the proper tag. The types of deleted data that can be recovered depend on the phone being used.

Android

MOBILedit can retrieve the most deleted data mainly in these cases:

  • Physical acquisition or physical image analysis is being used

  • Older version of Android or an older application is on the phone

  • Application downgrade method is being used - available in MOBILedit

  • Phone is rooted

If one of the above methods isn’t used, MOBILedit can still get some deleted application data, such as messages, browsing history, etc.

iOS

MOBILedit can retrieve deleted calls and messages if you have a password to an iTunes backup. In addition, some application data can be retrieved using the iTunes backup method. We can also retrieve deleted photos from an iPhone up to 30 days after being deleted.

While MOBILedit often successfully recovers valuable information, no data recovery can be guaranteed. Keep in mind that the particular deleted data might no longer be present on the phone. We recommend using several forensic tools so that you can try more methods. If you are an expert, the last resort is to search for data manually.