Recovering Data from Cell Phones

People sell, give away, and throw away their cell phones without even thinking about the data still on them:

A company, Trust Digital of McLean, Virginia, bought 10 different phones on eBay this summer to test phone-security tools it sells for businesses. The phones all were fairly sophisticated models capable of working with corporate e-mail systems.

Curious software experts at Trust Digital resurrected information on nearly all the used phones, including the racy exchanges between guarded lovers.

The other phones contained:

  • One company's plans to win a multimillion-dollar federal transportation contract.

  • E-mails about another firm's $50,000 payment for a software license.

  • Bank accounts and passwords.

  • Details of prescriptions and receipts for one worker's utility payments.

The recovered information was equal to 27,000 pages -- a stack of printouts 8 feet high.

"We found just a mountain of personal and corporate data," said Nick Magliato, Trust Digital's chief executive.

In many cases, this was data that the owners erased.

A popular practice among sellers, resetting the phone, often means sensitive information appears to have been erased. But it can be resurrected using specialized yet inexpensive software found on the Internet.

More and more, our data is not really under our control. We store it on devices and third-party websites, or on our own computer. We try to erase it, but we really can't. We try to control its dissemination, but it's harder and harder.

Posted on September 5, 2006 at 9:38 AM

Comments

KieranSeptember 5, 2006 10:04 AM

I wonder what percentage of phones on eBay are stolen in the first place? Hard to erase your data in that case...

ordajSeptember 5, 2006 10:29 AM

Why isn't a solution like trusted computing more widespread? It's almost criminal.


www.trustedcomputinggroup.org

Dom De VittoSeptember 5, 2006 10:30 AM

The only was to clear the memory of a phone, I would propose, is to delete everything you can and then copy as much onto it as you can (overwriting the flash memory)

Really phones should have a "clear all user data and settings" feature that erases the flash and basically puts the phone in "as new" condition.

Currently it's a real ain to even delete the dozens of photos/texts that a phone can store, as I've never used a phone with a "delete all photos" or "delete all SMS messages" option :-(

Swiss ConnectionSeptember 5, 2006 10:34 AM

Same with incriminating photos. I accidentally delete all the photos off my SD card last time I went on vacation. A quick google around the internet for the right (free) recovery software and I had all my pictures back.

AnonymousSeptember 5, 2006 10:53 AM

I figure if the cost of potential malicious use of data recovered from the cell phone is greater than the cell phone hardware cost, I think that the best way to get rid of that threat is to destroy the cell phone.

dan_linderSeptember 5, 2006 11:45 AM

My last cell phones have been donated to the local police department. They in turn get free/reduced activation from the cell provider and use them in the local womens shelters.

I know I've always used the built-in "erase all" feature, but now this starts to put me a bit at odds. Do I help those less fortunate wherever possible but risk losing some personal information, or do I keep my information safe and destroy the old phones while avoiding helping those in need?

Do phones with SIM cards have this problem if you keep/destroy the SIM card before giving the phone away? Or is there still stuff stored on the phone itself after the SIM card is removed?

Dan

vwmSeptember 5, 2006 12:12 PM

Somehow strange that 5 of 10 phones did contain such sensitive data from begin with and not just boring spam...

@dan_linder The memory of SIM Cards is very limited, they can save a phone book (about 100 to 250 Entries, only Name and one Number each) and some SMS (about 10 - 25) but no E-Mails, Pictures, MP3 etc. Besides they are a bit slow. Most modern Phones by default do not use the SIM Storage.

Andre LePlumeSeptember 5, 2006 12:25 PM

The draft NIST Special Publication 800-101, /Guidelines on Cell Phone
Forensics/, is available for public comment. The guide outlines general
principles and provides technical information intended to aid
organizations evolve appropriate policies and procedures for preserving,
acquiring, and examining digital evidence found on cell phones. Computer
forensic specialists and members of the law enforcement community are
encouraged to provide feedback on all or part of the document.

For complete article see:
http://csrc.nist.gov/publications/drafts/...

[Copied from a closed mailing list]

Chase VentersSeptember 5, 2006 1:18 PM

ordaj:

Part of the problem with 'trusted computing' (treacherous computing) is being eagerly tied to DRM (digital restrictions management) by obnoxious content interests in America and abroad. DRM is a sinking ship; anything tied to it will sink as well.

DonSeptember 5, 2006 1:22 PM

All these devices need a way to actually overwrite the current free space.

Of course, you'd have to trust that the phones actually did this, or independently verify it with phone-accessing forensic software that lets you read data from free space.

ordajSeptember 5, 2006 1:49 PM

@Chase Venters

The primary reason of trusted computing is not DRM, it's security. If certain parties want to abuse it, then take issue with them. TCG has taken great pains to ensure privacy and security.

Software alone doesn't and will never cut it.

derfSeptember 5, 2006 1:52 PM

Unfortunately, trusted computing doesn't stand up to scrutiny. All it does is hand control of your PC and data to Microsoft. If Microsoft says you can read a document using their software, you can. If Microsoft decides that trusted computers will no longer be able to read documents created from Open Office or blogs that criticize Microsoft, you're just out of luck.

I'd rather have control of a system that works.

JasonSeptember 5, 2006 2:53 PM

I was going to say the same exact thing as Kieran.
I'd be interested to hear if the "Trust Digital" folks got in touch with the original owners, and saw if the phones were personally auctioned, or stolen.

ScottSeptember 5, 2006 2:53 PM

"All these devices need a way to actually overwrite the current free space."

With flash memory, it is not necessary to overwrite memory to erase it. Flash memory devices have a "Block Erase" command that will erase blocks of memory. It would be very simple to include erase functionality in the phone if the vendor wanted to. It seems that the flash memory is being treated as if it were magnetic storage media.

robSeptember 5, 2006 5:47 PM

I remember reading recently that some of the UK airports have a mountain of cell-phones dumped during the last "heightened security". Almost all will be corporate (general public don't like to waste money like that and arrange collection). I don't suppose that it is easy enough to erase everything while standing in line so they would be a treasure trove. (I think that they go to the local auction houses after a few months).

RodSeptember 5, 2006 6:10 PM

I may be hallucinating, but I recall (from somewhere; I don't think it was here in Japan, but I could be wrong) some software you could install on your phone that would allow you to remotely delete the data in it. If your phone is stolen, you send a particular SMS or email to the phone, and it interprets that as a "self-destruct" command.

Of course, there's a window where the thief might get something, and it requires the phone to be online, and it probably is imperfect erasure, but it's a step in the right direction.

Of course, anyone who has critical data in their phone that they haven't backed up is just SOL.

Zoom LensSeptember 5, 2006 6:31 PM

@Don
@Scott
"All these devices need a way to actually overwrite the current free space."

Thanks for tip about flash memory Scott. I would like to go off topic now but I think this is related.

I have a camera with a "Secure Digital" memory stick in it. There is an option on the camera to "format" the memory. I decided to format the SD memory and then try to recover the data from a Windows machine with a suitable media reader attached.

It was trivial. All my photos were easily recovered using free file recovery software from the web.

From my perspective, the techniques for recovering data from mobile phones or cameras are likely to be similar.
How do you protect your data? Not simple. I suggest that one method suitable for cameras and phones with embedded cameras may be just to take lots of with pics/video of a wall or something until the device complains that it has run out of memory.

How long is it before we hear about defragging the RAM in your phone? :)

Regards everyone.

ErikTheRedSeptember 5, 2006 6:38 PM

One thing to keep in mind is that the company that produced this report (drumroll) sells software to encrypt the data on your phone - so it's not like they're some disinterested third party doing helpful research - they have a financial stake in making this problem seem as large as possible. Heck, the news article ever reads like a slightly re-written press release (which many "news articles" in fact are). Heck, check the link on their front page for "Looking to justify budget...?" with a creepy bobble-head-looking picture of somebody.

What'd I be really interested in finding out is how much can you recover from a "wiped" Palm, Blackberry, WinMobile, etc. device? (preferably from somebody who's not trying to sell me something).

bob dobbsSeptember 5, 2006 6:46 PM

You can recover pretty much anything from most of the Flash data types. If you buy the SANdisk high end products, they actually come with that software!

I'd advise saving all your everything to the memory card on your phone. That way, you can simply remove it before you wipe the phone, or pull everything off it if you have to surrender the phone to police/pseudo-police. Heck, ask the mugger nicely if you have a chance, and he might let you keep the card, it's only worth a few dollars compared to the phone...

RogerSeptember 5, 2006 7:00 PM

Any GSM-based phone I've used, I have kept my contact information on the SIM, even if it is slow, for a very good reason: it's portable.

When I change phones, I can take the SIM with me. If other phones let you store data on SD cards, the premise is similar.

In my view, the people who are relying on mobile devices for critical corporate communications are endangering their company business by transmitting and storing confidential data on devices that are easy to steal, which use no encryption for transmission OR storage, and which can be plundered for said data afterwards.

RandallSeptember 5, 2006 8:03 PM

@Zoom Lens

Same here, but with a CF card.

Then I plugged the CF card into a Firewire-based reader, plugged it into my Mac, then used Disk Utility to erase the free space (once, with zeros). That cleaned all the "deleted" data off, AFAICT.

TimSeptember 6, 2006 3:54 AM

I would have thought this would work quite well:

a) Erase data on phone
b) Fill the phone's memory with as much rubbish as you can
c) Erase data on phone

Probably not good enough if you need to stop a highly funded governmental agency from uncovering evidence, but for most people it would probably be enough to prevent the next owner downloading some software and poking around.

The problem is step b), of course; it could prove quite laborious.

sidelobeSeptember 6, 2006 7:11 AM

I think I'll go develop a Blackberry-like device that has proper data management and security. Then I'll go to the CIOs and IT departments of the big companies and convince them that mobile data security is critical. I'll go to the CFO's of those same companies and remind them that there's SOX-significant data on those same mobile devices. They'll both contact the lawyers (over their mobile devices, of course), and paranoia will take over.

I'll be rich, if I can just fulfill the flood of orders!

Mr WSeptember 6, 2006 7:51 AM

"I would have thought this would work quite well:

a) Erase data on phone
b) Fill the phone's memory with as much rubbish as you can
c) Erase data on phone"

This also works very well on hard drives, USB sticks, camera memory cards, etc. Just delete your old files then make multiple copies of e.g. a huge Microsoft Service Pack until the disk is completely full. Ideal for the really paranoid as there's no need to trust any third party tools.

While it may still be possible to find old meta-data such as filenames, the actual content will be unrecoverable.

bobSeptember 6, 2006 8:46 AM

A problem you need to consider with filling a storage device with rubbish, is that you need to make sure the rubbish fits the exact "unit size" it works in. In other words if your drive/chip/card stores data in 512 byte blocks but you only write 128 characters into a particular block (especially the last one in a chain), the remaining 384 bytes will contain whatever they did before.

When I turn in a hard drive I use video capture of QVC or something similarly obnoxious at maximum resolution and hifi stereo sound to fill the whole thing with a single file.

Mads RasmussenSeptember 6, 2006 9:05 AM


Anyone knows "Scream Alert" suposedly able to delete personal data on the phone when activated by the operator after reported stolen?
See http://www.synchronica.com/ for details, doesn't say exacly how data is deleted though, wonder if it's not recoverable?

TackSeptember 6, 2006 10:32 AM

@sidelobe:

"I think I'll go develop a Blackberry-like device that has proper data management and security."

Or you could just get a BlackBerry, which from what I've seen has proper data management and security. A company concerned about sensitive data on lost or stolen devices will roll out an IT Policy that enforces content protection, among other security options. (BlackBerry is also FIPS 140-2 certified.)

sidelobeSeptember 6, 2006 12:02 PM

@Tack

"Or you could just get a BlackBerry..."

I have one on my hip. If I lost the handset, you could pick it up and have immediate, though secure, access to all of my e-mail, notes, calendar, and intranet web. Even if I told the wireless network to deny it access, you would still have access to all data that was already resident on it.

But, look! In the Security menu: There are all of the security options for setting a password and content protection. And a 3-letter password isn't enough. Looks pretty good. OK, I'll try it for a while, to see how cumbersome the password option is. No, I'm not going to try out the "wipe handset" option to see if it really works.

Anyone want to venture a guess as to how many executives and professionals actually turn on the security options?

buntklicker.deSeptember 7, 2006 3:18 AM

I would not count on manufacturers to do anything to make a true "restore to factory settings and erase all data" easy. Why should they? They are not interested in used-phone sales anyway. According to them, we should ditch our old phones as we buy new ones, thus forcing the used-phone buyers of today to buy new phones too.

JungsonnSeptember 7, 2006 4:41 AM

In case of phone numbers one should always store them on the sim, and not the phone. If you have a memory card in it, you can store files on them, and remove if you sell it. One can also delete all text messages and the made calls list. For the rest there shoudnt be any sensitive dat i guess? Of just have the phone flashed, reset it it factory settings. Not a big deal.

LonnieSeptember 7, 2006 12:43 PM

I find that taking a sledgehammer to the device and to its memory components does a satisfactory job of making the data thereon irretrievable.

I routinely thoroughly destroy outdated PDAs, drives, and phones with this technique.

True, I surrender any resale value but the peace of mind is worth that cost.

Clive RobinsonSeptember 8, 2006 4:32 AM

@Lonnie, James

"find that taking a sledgehammer to the device and to its memory components does a satisfactory job of making the data thereon irretrievable."

Unfortunatly this sort of behaviour will fairly soon be illegal...

Seriously if you search the web for things like RoHS and WEEE legislation in the EU (Similar laws coming to you all over the world) you will see that for the sake of the environment you soon will not be able to stick your old kit in the ground (or any other place). You will be required to return it to the retail outlet for Re-Cycling....

TackSeptember 9, 2006 9:44 AM

@sidelobe:

"Anyone want to venture a guess as to how many executives and professionals actually turn on the security options?"

Companies that are concerned about security (which _should_ be all of them) can enforce content protection and other security features via an IT Policy. Any BlackBerry that is on the corporate BES inherits that policy. So it doesn't require a security-conscious executive, but rather an IT department that has setup their BES to push a policy to the handheld that meets their security needs.

(I have a BlackBerry on my hip too.)

Jimmy GilbreathSeptember 15, 2006 11:33 AM

What is the procedure to remove all data completely? Does anyone have a link they can post? Thanks.

BrianSeptember 19, 2006 3:38 PM

Lately there has been a lot of buzz lately on the personal information that can be recovered from phones sold on eBay.

A friend of mine was telling me about some high profile business man in Hong Kong who lost his cellular phone with video of his movie star wife taking a shower. The taxi driver that found the phone apparently tried to blackmail him, and ended up posting the video on the 'net.

I don't think you need to be Paris Hilton, or the CEO of GE (remember his wife found his notes to his mistress on his Blackberry) to loose personal information. With camera phones all over the place and drafts of documents being sent between blackberries all the time, I'm sure everyone has something on their phone, blackberry, or wireless PDA that would best be kept personal.

A new product that is currently in beta, but looks like an outstanding tool, is the Mbience Security Suite (http://www.mbiencegroup.com/).

It offers syncronisation (S-Sync), encryption, and most importantly, the ability to destroy remotely the contents of the device if it is lost (Q-Switch). Once the critical info (like mobile wallet info) is destroyed their L-Report function will report the loss to the credit card company or IT security group.

It looks like a comprehensive solution, and worth taking a look at.

BrianSeptember 19, 2006 3:39 PM

Lately there has been a lot of buzz lately on the personal information that can be recovered from phones sold on eBay.

In addition, a friend of mine was telling me about some high profile business man in Hong Kong who lost his cellular phone with video of his movie star wife taking a shower. The taxi driver that found the phone apparently tried to blackmail him, and ended up posting the video on the 'net.

I don't think you need to be Paris Hilton, or the CEO of GE (remember his wife found his notes to his mistress on his Blackberry) to loose personal information. With camera phones all over the place and drafts of documents being sent between blackberries all the time, I'm sure everyone has something on their phone, blackberry, or wireless PDA that would best be kept personal.

A new product that is currently in beta, but looks like an outstanding tool, is the Mbience Security Suite (http://www.mbiencegroup.com/).

It offers syncronisation (S-Sync), encryption, and most importantly, the ability to destroy remotely the contents of the device if it is lost (Q-Switch). Once the critical info (like mobile wallet info) is destroyed their L-Report function will report the loss to the credit card company or IT security group.

It looks like a comprehensive solution, and worth taking a look at.

Jan ESeptember 21, 2006 7:07 AM

Does anyone know how long an SD card will *hold* data for? I mean, say you took some photos on your camera a year ago, would they still be there to be recovered, assuming in the interim you had taken dozens more? Is there anything at all that would get them back, even partially? When you format an SD card, does it destroy all data that was originally on there? For example, if a card had photos, that were deleted, then the card was formatted, perhaps several times, then more photos were stored on the card, would the very original photos be able to be recovered, even forrensically?

roxannaOctober 1, 2006 1:07 PM

can you still retrieve text messages from cell phones that do not have sim cards?

danaJanuary 31, 2007 3:33 PM

I have recently been a victim of fraud by someone who works closely with politicians...i am DESPERATELY TRYING TO RECOVER DELETED TEXT MESSAGING FROM A SAMSUNG VI660, AND WILL BE GLAD IF ANYONE CAN ASSIST ME. SPRINT INFORMED ME THAT THEY ONLY KEEP THEM FOR 45 DAYS..THE MESSAGES ARE NEEDED FROM MARCH 2005-OCTOBER 2006...PLEASE HELP!!

RickMarch 24, 2007 12:33 AM

I have a Motorola V557, when I turned on my phone today all my phone number entries were lost. Can you help me recover them

leighApril 2, 2007 4:57 PM

i need to recover a text message from my alltel phone. the message came on january 1 2007 at 1:30.a.m.

T.K.April 5, 2007 2:18 PM

My daughter was assaulted,previous to the assault there was a death threat but her (razor)only holds a limited amount of voicemails or texts. Is there a way to retrieve these messages of the pre meditated incident.If there is anyone out there that can offer some advise it would greatly be appreciated.Thank you in advance.

pradsApril 9, 2007 11:42 PM

I want to know if the contents of phone memory be recovered even after the data is deleted. If yes, how this works technically?
Also help me with the software that can do my job.
Thanks in advance,
Pradeep
kashyapsa@gmail.com

RockyApril 11, 2007 8:41 PM

ALL MY TEXT MESSAGES WERE ACCIDENTLY DELETED. I AM DESPERATELY TRYING TO RECOVER DELETED TEXT MESSAGING FROM A NOKIA 6600. THE MESSAGES ARE NEEDED FROM JANUARY 2006 TILL DATE. PLEASE HELP!

priyaAugust 3, 2007 6:34 AM

is it possible to recover deleted videos and datas from motorola RAZR V3(BLACK). It doesnt have an extended memory.It is using VGA memory.

blueyAugust 8, 2007 12:47 AM

Is it possible to recover photos and videos for nokia phones if you already removed the SD Card? Thanks

need helpSeptember 19, 2007 10:50 PM

I accidentally deleted all of the photos on my cell phone (RAZR V3 as well) just a few minutes ago and I really need to get them back because some of them are just so priceless and important to me. Please, if you know how to get them back, let us know!

motophobeNovember 14, 2007 8:35 PM

I was trying to move all my contacts from my motorola PEBL. I had 40 contacts on my sim and 200+ on the phone. I accidentally overwrote the 200+ with the 40 leaving me with only 40 of my 250+ contacts(and none of the important or interesting ones!).
Is there a way to recover the lost contacts or has my overwriting them ensured they stay lost?

AmitNovember 30, 2007 2:32 AM

I have nokia 7610 , which is recently fall down on road , where was some water. finally cell is not switching on . my precious messege is stored in phone (not in SIM or MM Card). So is there any way to recovery my data from cell. kindly Help.

AmitDecember 6, 2007 3:28 AM

Iam posting my problem again , Kindly help me .

I have nokia 7610 , which is recently fall down on road , where was some water. finally cell is not switching on . my precious messege is stored in phone (not in SIM or MM Card). So is there any way to recovery my data from cell. kindly Help.
amitaswal@rediffmail.com

Comments on this entry have been closed.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..