Deleted data only
This option is best used with root access, as it will return more deleted data. Some deleted data can be extracted with a Logical extraction and no root access, but it is very limited.
There is more information about deleted data in Specific selection - Data - Deleted data.
How to improve your chances of recovering deleted data
With MOBILedit Forensic, you can recover deleted data in numerous ways. One option is recovering data from SQLite (or SQL) databases; another one is recovering files and folders from Physical extraction. Below we will explain what each of these methods does and what kind of information you can recover.
Physical extraction
Physical extraction allows you to recover deleted files and folders which are still available through the file system and the SQL databases, which makes it the best option.
MOBILedit Forensic offers various ways to obtain a physical image, such as EDL, LG, MTK bypassing methods. These can only be used with Android and KaiOS devices.
Time plays a big role in data recovery: the longer you wait, the lower the chances of a successful recovery. Restarting the device or even apps decreases the chance of data recovery.
Deleted files can be extracted from the physical dump on Android and KaiOS devices.
SQL databases
SQL databases allow you to recover the data which were marked as deleted or are still present in a database file. It also enables you to recover data from phones where you are unable to obtain the physical image, such as with iOS devices. SQLite is the most common way to store data for both iPhone and Android.
A rooted device enables us to get straight to the file system and SQL databases as well, which increases the chance of obtaining deleted data.
How SQLite data recovery works
There are three files associated with a database that may contain deleted records.
The database file - <database name> (https://www.sqlite.org/fileformat2.html#section_1)
The rollback journal - <database name>-journal (https://www.sqlite.org/fileformat2.html#section_3)
The write-ahead log - <database name>-wal (https://www.sqlite.org/fileformat2.html#section_4)
Basic recovery method
When the SQLite B-tree is parsed, freeblocks and unallocated blocks are detected.
We know which table each block belongs to, so we know the data types of the item columns that should be recovered. Data in each block (freeblocks and unallocated blocks) is read sequentially.
Each potential item found in the database has a header with data types and lengths of incoming data, so we read the whole block of data as if it could be considered a header. If it fits the table data types it is most likely a deleted item.
Recovered records may be corrupted, incomplete or duplicates of an existing record.
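The header-matching step described above, as an added Python example (not MOBILedit's code): it tries every offset of a block as a SQLite record header and keeps only candidates whose serial types fit the table's columns and whose values fit inside the block. The column layout (date, address, body), the function names and the sample bytes are assumptions constructed for illustration.

```python
def varint(buf, pos):  # SQLite varint: 7 bits per byte, 9th byte uses all 8
    value = 0
    for i, byte in enumerate(buf[pos:pos + 9]):
        if i == 8:
            return (value << 8) | byte, pos + 9
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:
            return value, pos + i + 1
    return None, pos  # ran off the end of the block

INT_LEN = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}  # integer serial type -> bytes
def field(block, cur, stype, affinity):  # one value, or ValueError if no fit
    if stype == 0 or (affinity == "INTEGER" and stype in (8, 9)):
        return {0: None, 8: 0, 9: 1}[stype], cur  # NULL, constants 0 and 1
    is_int = affinity == "INTEGER" and stype in INT_LEN
    if not is_int and not (affinity == "TEXT" and stype >= 13 and stype % 2):
        raise ValueError("serial type does not fit the column")
    n = INT_LEN[stype] if is_int else (stype - 13) // 2
    if cur + n > len(block):
        raise ValueError("value runs past the end of the block")
    raw = block[cur:cur + n]
    return (int.from_bytes(raw, "big", signed=True) if is_int else raw.decode()), cur + n

def carve(block, schema):  # try every offset of the block as a record header
    hits = []
    for start in range(len(block)):
        hdr_size, pos = varint(block, start)
        if hdr_size is None or hdr_size <= len(schema):
            continue
        stypes = []
        for _ in schema:  # one serial type per column of the known table
            stype, pos = varint(block, pos)
            stypes.append(stype)
        if None in stypes or pos != start + hdr_size:
            continue  # serial types do not end exactly where the header ends
        try:
            values = []
            for stype, affinity in zip(stypes, schema):
                value, pos = field(block, pos, stype, affinity)
                values.append(value)
        except ValueError:
            continue  # wrong data types, bad UTF-8 or a truncated record
        hits.append((start, tuple(values)))
    return hits

# Constructed sample: unallocated bytes with one intact and one cut-off cell.
body = (1700000000).to_bytes(4, "big") + b"+15550100" + b"meet at 9"
cell = bytes([len(body) + 4, 7, 4, 4, 31, 31]) + body  # length, rowid, header
SAMPLE = bytes(6) + cell + b"\xff\xee" + cell[:14]
SCHEMA = ("INTEGER", "TEXT", "TEXT")  # hypothetical columns: date, address, body
```

`carve(SAMPLE, SCHEMA)` returns the intact record at offset 8 and rejects the cut-off copy. In a freeblock the first four bytes hold the next-freeblock pointer and the block size, so the start of a deleted cell there is overwritten and its header may have to be inferred; the sample uses unallocated bytes, where the cell is intact.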
Clutter filtering
Clutter filtering will help you to discover and remove unusable or random files. It has to be explicitly turned on under the “Deleted data only” settings, as it is turned off by default when the program is installed for the first time. This setup will help you to filter all duplicate or incomplete records.
How it works:
Each processed table in the database is defined as a set of columns.
Each recovered record is compared (according to the set of columns) with all valid records and all previous recovered records.
Depending on the result of the comparison the record is processed (duplicates are thrown away).
What deleted data can be recovered?
Recovered deleted data will appear in the report with the proper tag. Deleted data type depends on the phone being used.
Android
MOBILedit can retrieve the most deleted data mainly in these cases:
Physical acquisition or physical image analysis is being used
An older version of Android or an older application is on the phone
Application downgrade method is being used - available in MOBILedit
Phone is rooted
If one of the above methods isn’t used, MOBILedit can still get some deleted application data, such as messages, browsing history, etc.
iOS
MOBILedit can retrieve deleted calls and messages if you have a password to an iTunes backup. In addition, some application data can be retrieved using the iTunes backup method. We can also retrieve deleted photos from an iPhone up to 30 days after being deleted.
Since iOS 17.4, Apple includes more deleted data in the iTunes backup due to the way it is created.
While MOBILedit often successfully recovers valuable information, no data recovery can be guaranteed. Keep in mind that the particular deleted data might no longer be present in the phone. We recommend using additional forensic tools so that you can try more methods. If you are an expert, the last chance is to search for data manually.
Deleted data and mobile devices
Understanding the lifecycle of a file is important when considering deleted data on mobile devices. On most mobile devices, almost everything functions through applications, each typically utilizing an SQL database. These applications have built-in rules within their code for handling deleted data.
When an application decides it no longer needs to store certain data, it removes references to the file and delegates the responsibility to the operating system (OS). The OS has its own policies for managing deleted data. When it decides the data is ready for permanent deletion, all references to the file are removed, and the responsibility is passed to the memory chip controller. This controller uses a method called garbage collection to handle deleted data.
Up until the point of garbage collection, it may still be possible to recover deleted data. However, as time passes recovering this data becomes increasingly difficult and more advanced methods need to be used.