By: Navid Sobbi and Claude Khoury
Yes, data can be recovered utilising a forensic data recovery process after a factory reset.
In this article we will outline:
What happens to your phone when a factory reset is performed?
The circumstances where a factory reset may be required by the user.
The circumstances where a factory reset occurs independent of the user.
The best practices for data backup.
The conditions required for a successful forensic data recovery.
The forensic data recovery process NSI will use to recover data after a factory reset.
Should I use data recovery software? Can I damage my data?
I have done a factory reset. What is the best way to get my data back?
WHAT HAPPENS TO YOUR PHONE WHEN A FACTORY RESET IS PERFORMED?
A factory reset, also known as a system restore, factory restore, master reset, or software restore, is when your phone is reset back to its original settings.
This process wipes all data from the phone and reinstalls a fresh version of the system software so that your mobile phone reboots with a clean generic version of the software minus any of your personal data or personal system settings. The mobile phone now looks and behaves essentially like the day you purchased it.
THE CIRCUMSTANCES WHERE A FACTORY RESET MAY BE REQUIRED BY THE USER.
At some time, you may need to perform a factory reset on a mobile phone for a variety of reasons, such as:
Your phone may have been acting up and has become very slow,
You may have given it to a family member and wanted to ensure there is no data on the phone, or
You intend to sell your phone and you wish to erase all your personal data beforehand.
THE CIRCUMSTANCES WHERE A FACTORY RESET OCCURS INDEPENDENT OF THE USER.
Other times, a factory reset happens without the user’s input due to a fault such as:
A software update has gone wrong and the phone attempts to revert back to a previous install and this process fails, thus resetting the phone and wiping all the user data.
The phone is being repaired and the repairer, while changing parts, accidentally wipes all the data.
NOTE: We have seen an increase in factory resets due to software updates or some phone repairers accidentally wiping data from the phone during the course of the repair.
THE BEST PRACTICES FOR DATA BACKUP.
TIP – BEST PRACTICE FOR DATA BACKUP: Always make sure to back up your data, either to the cloud or by connecting your phone to a computer and transferring files such as images and videos.
To back up your iOS device using iTunes
1. Make sure you have the latest version of iTunes.
2. Open iTunes then connect your device.
3. If your phone asks you to “Trust This Computer”, press yes and follow the steps.
4. When your device appears in iTunes, select it.
5. Select “This Computer” and if you select “Encrypt local backup” you will need to select a password. You may also be asked to enter a backup password if you want to store your health and activity data. This will ensure your data is encrypted. Make sure you note this down. Click on the “Back Up Now” button.
6. When the process finishes, you will notice the Latest Backup date under the backup button.
To back up your iOS device using iCloud
1. Make sure your device is connected to a Wi-Fi network.
2. Go to Settings on your device then click on your name then tap iCloud.
3. Tap iCloud Backup then tap the “Back Up Now” option.
4. You can check the progress and confirm if the backup is completed by repeating Steps 1 to 3. Under “Back Up Now” you will see the date and time of the latest backup.
To back up your Android device using your computer – this backup is useful only for backing up your images, videos, and audio. App data and other categories such as SMS messages may not be backed up.
Connect your Android device to your computer.
If you have a Windows computer, an option will display on the computer screen that asks you to “Tap to choose what happens with this device”.
Click on “Open device to view files”.
Find the DCIM folder and right-click on it, select copy, then paste it on your computer, for example on your desktop or pictures folder. Wait until this process completes. This will back up all your photos and videos to the computer.
If you want to back up your other data such as SMS, MMS, etc., it is best to use third party software such as SMS/MMS Backup Utility.
If you have a Mac computer, it is best to download a program named “Android File Transfer”.
To back up your Android device using Google Cloud
Go to the “Backup and Reset” menu option and select “Backup My Data”.
The options and selections may vary between different Android devices.
THE CONDITIONS REQUIRED FOR A SUCCESSFUL FORENSIC DATA RECOVERY.
Your phone or device will need to be in operational order, that is, it must be able to be switched on and hold its power.
You must stop using your phone or device. It is highly recommended to switch it off and take the SIM card out so you can use it in another phone. This will prevent data being overwritten.
Do not attempt to recover the data yourself by using software.
If your phone or device has physical damage, is water damaged, or is not turning on, do not connect it to power and charge it. If you take it to a phone repairer, you must ensure that they do not short circuit the phone and permanently wipe your data.
These conditions will ensure that you have the best chances for Android data recovery or iPhone data recovery.
THE 5 STEP FORENSIC DATA RECOVERY PROCESS NSI WILL USE TO RECOVER DATA AFTER A FACTORY RESET.
The first step involves the triage of the device and identifying the purpose of the digital forensic investigation and the tools that are going to be utilised. We take on both private and legal matters and have legally qualified digital forensic examiners that have been called upon by law firms to provide expert witness testimony.
Step 2 is the collection of data from the device. This involves the device being connected to our proprietary hardware in our forensic lab and a digital forensic technician beginning an extraction of the device.
Step 3 is the analysis phase of the forensic process. The digital forensic technician processes the raw binary data that has been extracted. Factors such as the way in which the device was used since the data was deleted, if there were any software updates or factory resets, and the amount of memory on the device, will determine the success of the recovery.
Step 4 is the reporting phase of the investigation. Once data is recovered and analysed, we then create reports based on our client’s requirements such as messages between a group of people at a particular time. If required, legally admissible reports can be prepared and examiners can present evidence in court.
Step 5 is the completion phase. Our examiners prepare the device and reports for the client and go through the findings with them.
SHOULD I USE DATA RECOVERY SOFTWARE? CAN I DAMAGE MY DATA?
Common software that can be downloaded from the internet, or other apps that claim data can be recovered, require you to connect your device to a computer in most instances. The process of connecting your phone to a computer allows both the phone and computer to begin communicating with each other. This communication writes data to both the computer and the phone.
The software/app will then require you to either ‘root’ your Android device or ‘jailbreak’ your iOS device (which essentially means gaining administrative access to the device’s operating system). This process, if not followed correctly, may wipe all data from the device. However, the fundamental thing it does is write data into an area of the memory that forensic data recovery would analyse.
I HAVE DONE A FACTORY RESET. WHAT IS THE BEST WAY TO GET MY DATA BACK?
As you know, a factory reset wipes all data from a device and puts the device back into its original state. This is usually done in a number of stages. Stage 1 wipes all data from the device, stage 2 fills the memory with zeros, and finally stage 3 puts the factory apps and settings back onto the device.
Forensic data recovery does not require your phone to be rooted or jailbroken. It preserves the phone’s memory as it is and extracts data through a ‘one-way connection’ to the forensic equipment. This means that data can only be extracted from the device onto the forensic equipment and no data is written back on to the device.
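An added illustration (not NSI's tooling and not code from this article) of why the zero-fill stage and any later overwriting decide what the analysis phase can find in the extracted raw binary data: it surveys a raw image for zero-filled blocks and locates JPEG files by their signatures. The 4096-byte block size, the function names and the sample image are assumptions constructed for this example, and the input is only read, never modified.

```python
# Added example: constructed data and hypothetical helper names throughout.
BLOCK = 4096                 # assumed block size for the survey
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
INTACT = JPEG_SOI + b"\xe0constructed-photo-bytes" + JPEG_EOI
TRUNCATED = JPEG_SOI + b"\xe0tail-was-overwritten"   # no end marker left

def survey_blocks(image, block_size=BLOCK):
    """Count zero-filled versus data-bearing blocks in a raw image."""
    counts = {"zero": 0, "data": 0}
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        counts["data" if any(chunk) else "zero"] += 1
    return counts

def carve_jpegs(image, max_size=8 * 1024 * 1024):
    """Return (complete, orphans): complete is a list of (offset, length)
    spans from a start signature to the next end marker; orphans lists the
    offsets of start signatures whose end marker is no longer present."""
    complete, orphans = [], []
    pos = image.find(JPEG_SOI)
    while pos != -1:
        end = image.find(JPEG_EOI, pos + len(JPEG_SOI), pos + max_size)
        if end == -1:
            orphans.append(pos)
            pos = image.find(JPEG_SOI, pos + 1)
        else:
            length = end + len(JPEG_EOI) - pos
            complete.append((pos, length))
            pos = image.find(JPEG_SOI, pos + length)
    return complete, orphans

def build_sample_image():
    """Constructed 8-block image: mostly zero-filled, with one intact
    JPEG-like record in block 2 and one truncated record in block 4."""
    blocks = [bytes(BLOCK) for _ in range(8)]
    blocks[2] = INTACT.ljust(BLOCK, b"\x00")
    blocks[4] = TRUNCATED.ljust(BLOCK, b"\x00")
    return b"".join(blocks)

if __name__ == "__main__":
    img = build_sample_image()
    print(survey_blocks(img))
    complete, orphans = carve_jpegs(img)
    print("complete:", complete, "orphan headers:", orphans)
```

Real carving tools also validate the file structure between the markers, since a start and end signature alone can match embedded thumbnails or unrelated bytes.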
At NSI Global Counter Intelligence, we utilise the same digital forensic equipment as used by law enforcement agencies worldwide. This highly specialised equipment is not available to the general public or common computer stores or mobile phone repairers. We also do not limit ourselves by using one type of forensic equipment. Cyber Risk use multiple tools to give you the best chances of recovering your precious data. Our forensically sound data recovery process will not overwrite any data on the phone and is legally admissible in an Australian court of law.
Currently, this specialised digital forensic equipment allows NSI to forensically recover data, specifically deleted data, from more than 30,000 different mobile phones from all manufacturers worldwide.
Contact us today and speak to one of our legally qualified forensic examiners and let us get your data back.