This evening we were featured on Channel 4’s DataBaby segment (link to follow). Channel 4 bought several second hand mobile phones that had been “wiped” (or rather reset to factory default) from various shops. Our challenge was to recover enough data from these seemingly empty phones to identify the previous owners.
After a long night of mobile forensics analysis, we had recovered personal data from almost every phone we had been provided with. This information included:
- Browsing history
- Cookies (e.g. email and Facebook)
- SMS messages
- Address information
- Personal documents
It would have been theoretically possible to use the cookies to impersonate the users – i.e. log in as the previous owners. We opted not to do this, as it was crossing an ethical line.
What’s the lesson here?
Be very careful when selling your phone. It’s fairly trivial to recover large amounts of data from mobile phones – and the tools to do so are freely available.
How can I protect myself?
This depends on the type of phone, and specifically on whether the data is encrypted at rest and, if it is, whether the key survives a reset. Unencrypted phones were easy pickings.
iPhones (since the 3GS) encrypt their data by default, and a factory reset discards the key that protects the data partition, so what is left on the flash is ciphertext that is practically impossible to recover. Some attacks against iPhones older than the 4S, which are vulnerable to bootrom exploits, may have more success.
Android devices ship with encryption off by default, and a factory reset typically only reformats the data partition rather than overwriting it, so somebody (like us) can easily recover large amounts of supposedly deleted data. Keep your phone encrypted.
Both Windows Phone 8 and BlackBerry allow encryption to be enabled, but it is off by default. Windows Phone 7 does not support encryption of the core filesystem at all.
If you are about to sell an existing phone that was not encrypted, we recommend resetting it to factory default, enabling encryption, resetting it again, enabling encryption a second time and then resetting it once more. The first round overwrites your old data with ciphertext; the second round overwrites the key material left behind by the first, so that neither the old data nor the key to it remains on the device.
Keep in mind that this applies to all storage media: hard drives in laptops, camera memory cards, USB sticks and so on. The data is largely recoverable, even when it appears to have been deleted.
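To make the two points above concrete (deleted data is still carvable after a reset, and encrypting twice with a throwaway key defeats the carver), here is an added example written for this edit; it is not code from the original post or from SensePost's tooling. It constructs a toy 64 KiB flash image with a one-block directory, models a factory reset as rewriting only that metadata block, carves the raw bytes by signature, and then models full-device encryption with a SHA-256 counter-mode keystream standing in for the real cipher and a PBKDF2-wrapped key parked in a footer block, loosely modelled on an Android-style crypto footer. All of the layout, the sample files and the footer format are assumptions of the example, not the behaviour of any particular phone.

```python
import hashlib
import os
import re
import struct

BLOCK = 512
NBLOCKS = 128                    # 64 KiB constructed flash image (assumption)
FOOTER = (NBLOCKS - 1) * BLOCK   # last block holds the wrapped key (assumed footer layout)
ENTRY = struct.Struct("<16sHH")  # directory entry: name, start block, length

# Constructed sample user data, stand-ins for what a real phone leaves behind.
SAMPLE_FILES = {
    "cookies.txt": b"sessionid=EXAMPLEcookie1234; user=alice@example.invalid\n",
    "sms.db": b"SQLite format 3\x00" + bytes(84) + b"Hi Alice, your code is 4242\x00",
    "notes.txt": b"Home address: 1 Example Street, Testville\n",
}

# Carving signatures: a file-format magic and two content patterns.
SIGNATURES = {
    "sqlite_header": rb"SQLite format 3\x00",
    "session_cookie": rb"sessionid=[^;\x00\n]+",
    "email": rb"[A-Za-z0-9._%+-]{3,}@[A-Za-z0-9.-]+\.[a-z]{2,}",
}


def make_image():
    """Lay the sample files out on the toy filesystem: directory in block 0, data after."""
    img = bytearray(NBLOCKS * BLOCK)
    entries, block = [], 1
    for name, data in SAMPLE_FILES.items():
        img[block * BLOCK:block * BLOCK + len(data)] = data
        entries.append(ENTRY.pack(name.encode(), block, len(data)))
        block += -(-len(data) // BLOCK)          # ceil(len / BLOCK)
    img[:len(entries) * ENTRY.size] = b"".join(entries)
    return img


def list_files(img):
    """What a normal file browser sees: only what the directory block lists."""
    names = []
    for off in range(0, BLOCK - ENTRY.size, ENTRY.size):
        name, start, _length = ENTRY.unpack_from(img, off)
        if start == 0:
            break
        names.append(name.rstrip(b"\x00").decode())
    return names


def factory_reset(img):
    """Model of a quick format: metadata is rewritten, data blocks are not touched."""
    out = bytearray(img)
    out[:BLOCK] = bytes(BLOCK)
    return out


def carve(img):
    """Signature carving ignores the directory and scans the raw bytes."""
    hits = []
    for label, pat in SIGNATURES.items():
        hits += [(label, m.start(), m.group()) for m in re.finditer(pat, bytes(img))]
    return sorted(hits, key=lambda h: h[1])


def _keystream(key, n):
    # SHA-256 in counter mode: a stand-in for the device's real block cipher.
    out = b"".join(hashlib.sha256(key + i.to_bytes(8, "little")).digest()
                   for i in range(-(-n // 32)))
    return out[:n]


def _xor(data, ks):
    return bytearray(a ^ b for a, b in zip(data, ks))


def enable_encryption(img, passphrase):
    """Encrypt every data block in place and park the key, wrapped under a
    passphrase-derived KEK, in the footer block (assumed simplified footer)."""
    key, salt = os.urandom(32), os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 2000)
    out = _xor(img[:FOOTER], _keystream(key, FOOTER))
    out += salt + _xor(key, kek) + bytes(BLOCK - 48)
    return out


def unlock(img, passphrase):
    """Unwrap the key from the footer and decrypt; a wrong passphrase yields garbage."""
    salt, wrapped = bytes(img[FOOTER:FOOTER + 16]), img[FOOTER + 16:FOOTER + 48]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 2000)
    return _xor(img[:FOOTER], _keystream(bytes(_xor(wrapped, kek)), FOOTER))


def wipe_by_encryption(img):
    """The post's recipe: reset, encrypt, reset, encrypt, reset, each round with a
    throwaway passphrase. Round two overwrites round one's ciphertext and footer."""
    for _ in range(2):
        img = enable_encryption(factory_reset(img), os.urandom(8).hex())
    return factory_reset(img)


if __name__ == "__main__":
    disk = factory_reset(make_image())
    print("listed:", list_files(disk), "carved:", len(carve(disk)))
    disk = enable_encryption(disk, "1234")
    print("carved after encryption:", len(carve(disk)),
          "after unlock with the PIN:", len(carve(unlock(disk, "1234"))))
    disk = wipe_by_encryption(disk)
    print("carved after two rounds, old PIN:", len(carve(unlock(disk, "1234"))))
```

Run as a script it prints the three stages: the reset image lists no files but carves three hits; after one round of encryption the carver finds nothing, yet anyone who knows (or can brute-force) the weak PIN can unlock the footer and carve all three again; after the second round the old PIN unwraps a key that no longer matches the ciphertext, so nothing comes back. That is the whole argument for the second round: it is the key, not just the data, that has to go.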
We would like to thank Paolo Dal Checco (@forensico) and fellow SensePost’er Vlad (@v1ad_o) for their help during the experiment.
On a legal note, the experiment was conducted on a laptop with full disk encryption, and *all* data was deleted after returning the phones to Channel 4.