Table 3 - uploaded by Neil Rowe
Devices Tested in Our Mobile Corpus 

Source publication
Article
Mobile devices usually provide a “factory-reset” tool to erase user-specific data from the main secondary storage. 9 Apple iPhones, 10 Android devices, and 2 BlackBerry devices were tested in the first systematic evaluation of the effectiveness of factory resets. Tests used the Cellebrite UME-36 Pro with the UFED Physical Analyzer, the Bulk Extract...

Contexts in source publication

Context 1
... get a more detailed view of what a reset accomplishes, experiments were done with an Apple iPhone 4S phone (p18 in Table 3) and an Android Samsung Galaxy SIII phone (p9), after making copies of the original pre-reset and post-reset images to use later. These experiments placed specific files on the phones that we thought should be deleted by a reset. ...
Context 2
... see how general this analysis was, pre-reset and post-reset images of 21 previously owned devices were analyzed (Table 3). Some were from the Real Data Corpus (Garfinkel et al, 2009) of drives purchased as used equipment and were unmodifiable. ...

Citations

... [13] State of erasing data is usually achieved through the following three techniques: updating the location of deleted files, overwriting, and unlinking files, but this is in the case of hard drives, not for android phones. [14] Presents that data can be recovered from android phones after using factory reset or wiping applications for data deletion and its impact on android phones' memory. [15] Point out problems in the techniques of personnel data erasing from android phones, proposed a competent data erasing technique considering android device situations with restrictions in hardware and Android version, this technique is for android version Lollipop and below. ...
... Overwrite Based Data Deletion A. Reardon [13] R. Schwamm and N.C. Rowe [14] S. Hoon, K. Keun, P. Kim [15] Z. Peng, NIU Shaozhang, H. Zhenpeng [18] Encryption ...
Conference Paper
Identity theft and financial fraud are happening very frequently, and data privacy becomes one of the biggest challenges for Android phone users. Cyber thefts are particularly perceptive when recovering confidential information from user phones after users have deleted/erased their data from phone memory using the factory restore or by using data wiping applications available on Google Play Store and Internet. This research work proposed and developed an efficient data wiping application for Android phones according to the National Institute of Standards and Technology (NIST) SP800-88 Standard of USA. The proposed application is based on the data overwrite technique. It has two layers, data erasing and data overwriting. After erasing the user data from phone memory, it overwrites deleted data locations by three overwrite phases, zeros, ones, and random characters. The data overwrite layer makes deleted data permanently unrecoverable from phone memory. To validate existing wiping applications, we selected the following data wiping applications from Google Play Store: Secure Erase with iShredder-6, Secure Delete, and Shreddit-Data Eraser for data wiping experiments and picked the following data recovery applications and software to validate the above-selected wiping applications: DiskDigger, Dr Fone, FonePaw and EaseUS MobiSaver for data recovery experiments on following selected Android phones: Samsung Galaxy SM-J600F, Vivo 1908 and Huawei Honor 9-lite LLD-21 having Android version Oreo 8.0 and 8.1. The experiment results show that the chosen wiping applications are not working according to the standard, and the erased data is recoverable through the above-mentioned data recovery applications and software. On the other hand, data could not be recovered from the phones which are wiped with the proposed framework.
We maintained the record of the recovered data from wiped Android phones and proposed an efficient overwrite-based data wiping application for Android phones based on the experiment results. Recommendation: A preinstalled secure data wiping application must meet standards such as NIST SP800-88 for complete data erasure and should be available on all Android phones for users.
... 1-no consistent approach on test sample selection: devices have been selected randomly or based on availability 2-very small sample of devices [10], [11] 3-old Android OS version and device model 4-data recovery after Factory Reset has been done using very few tools, all from the same type (commercial mobile forensic) ...
Conference Paper
Considering the amount of data stored on smartphones, it is critical that none of the user information is retrievable in case of device resell or disposition. Data security on disposed devices is one of the key enablers for device lifetime extension and, consequently, for making electronics more sustainable. Factory Reset, being default data wipe solution offered by Android, has already been challenged by researchers from University of Cambridge back in 2015. That has been the first comprehensive study and probably one of the most recognized works on evaluation of Android Factory Reset performance. The study proved that default erasure process is failing to securely sanitize the storage on Android versions from Gingerbread to Jelly Bean (v.2.3-4.3). However, despite frequent updates of Android OS, there was no further research conducted to reexamine Factory Reset reliability on newer devices and OSes. Our study has brought this line of research to the new level and investigated the changes of Factory Reset effectiveness over the past years. In addition, we have evaluated the robustness of in-built Android sanitization against attacks of different degree of sophistication including chip-level data read on one of the best-selling smartphones in history Samsung Galaxy S4 (80 Million units) [1]. The results show that Android Factory Reset logical sanitization has generally improved making user data more difficult to recover. However, default erasure process is still failing to irretrievably erase the data, which allowed us to retrieve the user data directly from the NAND flash bypassing the controller. Considering the share of smartphones running on Android Lollipop and below, over one third of Android devices (from Lollipop (5.0) and earlier) are vulnerable to improper storage sanitization. 
The magnitude of failing Factory Reset data sanitization is huge and despite the improvements the number of Android smartphones that may not properly sanitize the storage has grown by over 50% between 2015 and 2018. This means that over 770 million devices, that are currently circulating in the secondhand market, may still store previous owners' sensitive information, which represents serious security risk.
... Another interesting observation from the (Schatz, 2015), (Garfinkel & McCarrin, 2015), (Fitzgerald et al., 2012), (Axelsson, 2010); ICDF2C: (Karabiyik & Aggarwal, 2014), (Breitinger et al., 2014b); DI: (Breitinger et al., 2014c), (Penrose et al., 2013), , (Savoldi et al., 2012) 1st Emails/Enron DFRWS: (Schmid et al., 2015), (Shields et al., 2011); ICDF2C: (Crabb, 2014); DI: (Magalingam et al., 2015), (Quick & Choo, 2013b), (Quick & Choo, 2013a) (Al-Zaidy et al., 2012, (Cheng et al., 2011), (Iqbal et al., 2010); IEEE S & P: (Naveed et al., 2014) 3rd t5 File Corpus/Roussev DFRWS: (Breitinger & Roussev, 2014), (Breitinger et al., 2014a), (Breitinger et al., 2013), (Roussev, 2011); ICDF2C: (Gupta & Breitinger, 2015), (Breitinger & Baggili, 2014), (Breitinger et al., 2014b) 4th M57-patents Scenario/Digital Corpora DFRWS: (Garfinkel & McCarrin, 2015), (Beebe & Liu, 2014b); ADFSL: (Woods et al., 2011); DI: (Beebe & Liu, 2014a), (Marturana & Tacconi, 2013), (Roussev et al., 2013) 4th Real Drive Corpus/Digital Corpora DFRWS: (Brown, 2011), (Beverly et al., 2011); ICDF2C: (Schwamm & Rowe, 2014), (Rowe, 2013), (Rowe & Garfinkel, 2011); DI: (Noel & Peterson, 2014) 6th Android Malware Genome Project b DFRWS: (Guido et al., 2013); DI: (Talha et al., 2015); IEEE S & P: (Xia et al., 2015), (Bianchi et al., 2015), (Zhou & Jiang, 2012) 7th Pictures/BOSS e Break Our Steganographic System DFRWS: (Quach, 2014); DI: (Lu et al., 2015), (Lu et al., 2014), (Quach, 2012) a Note: Three papers used more than one dataset. b Site is no longer available. ...
Article
This paper targets two main goals. First, we want to provide an overview of available datasets that can be used by researchers and where to find them. Second, we want to stress the importance of sharing datasets to allow researchers to replicate results and improve the state of the art. To answer the first goal, we analyzed 715 peer-reviewed research articles from 2010 to 2015 with focus and relevance to digital forensics to see what datasets are available and focused on three major aspects: (1) the origin of the dataset (e.g., real world vs. synthetic), (2) if datasets were released by researchers and (3) the types of datasets that exist. Additionally, we broadened our results to include the outcome of online search results. We also discuss what we think is missing. Overall, our results show that the majority of datasets are experiment generated (56.4%) followed by real world data (36.7%). On the other hand, 54.4% of the articles use existing datasets while the rest created their own. In the latter case, only 3.8% actually released their datasets. Finally, we conclude that there are many datasets for use out there but finding them can be challenging.
... "Factory reset" serves as a simple method to remove all user data from mobile device. However, studies have shown that factory reset does not sufficiently remove personal data from mobile devices (88)(89)(90)(91)(92)(93)(94). Factory reset typically just logically deletes data, leaving data residue that could be forensically recovered. ...
Article
Mobile devices have become ubiquitous in almost every sector of both private and commercial endeavors. As a result of such widespread use in everyday life, many users knowingly and unknowingly save significant amounts of personal and/or commercial data on these mobile devices. Thus, loss of mobile devices through accident or theft can expose users—and their businesses—to significant personal and corporate cost. To mitigate this data leakage issue, remote wiping features have been introduced to modern mobile devices. Given the destructive nature of such a feature, however, it may be subject to criminal exploitation (e.g., a criminal exploiting one or more vulnerabilities to issue a remote wiping command to the victim's device). To obtain a better understanding of remote wiping, we survey the literature, focusing on existing approaches to secure flash storage deletion and provide a critical analysis and comparison of a variety of published research in this area. In support of our analysis, we further provide prototype experimental results for three Android devices, thus providing both a theoretical and applied focus to this article as well as providing directions for further research.
... Testing of on-phone + remote-way procedure tools on a phone [19] Testing of on-phone + remote-way procedure tools on different phones with the same OS, but different versions [18] Testing of on-phone tool on a phone [14] Testing of on-phone tool on different phones with the same OS, but different versions [20] Testing of remote-way procedure tools on a phone [21], [22], [23] Testing of remote-way procedure tools on different phones and OS [24], [25] Testing of remote-way procedure tools on different phones with the same OS of different versions [26], [27] 2. ...
Article
Mobile technology, over the years, has improved tremendously in sophistication and functionality. Today, there are mobile phones, known as smartphones, that can perform virtually most functions associated with personal computers. This has translated to increase in the adoption of mobile technology. Consequently, there has been an increase in the number of attacks against and with the aid of this technology. Mobile phones will often contain data that are needed as evidence in a court of law. And, therefore, the need to be able to acquire and present this data in an admissible form cannot be overemphasized. This requires the right forensic tools. This is the focus of this study. We evaluated the ability of four forensic tools to extract data, with emphasis on deleted data, from Android phones. Our results show that AccessData FTK Imager and EnCase performed better than MOBILedit Forensic and Oxygen Forensic Suite at acquiring deleted data. The conclusion is that, finding a forensic tool or toolkit that is virtually applicable across all mobile device platforms and operating systems is currently infeasible.
... In the case study, we first determine the characteristics of the thumbnail in order to customize existing file carving tools to recover thumbnails from the forensic image in an efficient manner (e.g. by reducing the number of irrelevant files). Previous studies [8][9][10][11][12][13] have shown that performing a factory reset on Android devices does not remove the actual data content. Therefore, we demonstrate that it is possible to recover thumbnails even after the photos have been deleted, a factory reset has been undertaken by a user, or the file system has been corrupted. ...
Conference Paper
JPEG thumbnail images are of interest in forensic investigations as images from the thumbnail cache could be intact even when the original pictures have been deleted. In addition, a deleted thumbnail is less likely to be fragmented due to its small size. The focus of existing literature is generally on the desktop environment. Considering the increasing capability of smart mobile devices, particularly Android devices, to take pictures and videos on the go, it is important to understand how thumbnails can be collected from these devices. In this paper, we examine and describe the various thumbnail sources in Android devices and propose a methodology for thumbnail collection and analysis from Android devices. We also demonstrate the utility of our proposed methodology using a case study (e.g. thumbnails could be recovered even when the file system is heavily fragmented). Our findings also indicate that collective information obtained from the recovered fragmented JPEG image (e.g. metadata) and the thumbnail could be akin to recovering the full image for forensic purposes.
... However, studies have shown that factory reset does not sufficiently remove personal data from mobile devices (Simon and Anderson 2015a; Schwamm 2014; Schwamm and Rowe 2014; McColgan 2014; The Guardian 2013; Siciliano 2012; Honan 2013). Factory reset typically just logically deletes data, leaving data residue that could be forensically recovered. ...
Thesis
Conference Paper
The usage of smartphones is increasing day by day compared to other gadgets, and as a result, the devices have become common exhibits in most criminal investigations. Forensic analysis of smart phones is incredibly challenging due to the security features enforced on them. The factory reset facility available in smart phones clears all the user-generated data, including third-party applications, from the internal memory and completely resets the device back to its original state as a new phone. Therefore, evidential artefacts such as contacts, messages, call logs, photos, videos, and documents get deleted from the device memory, and recovery becomes difficult. Forensic acquisition of data remnants from mobile phones after factory reset is of utmost importance to forensic investigators. This paper discusses the impact of factory resets on Android devices and describes in detail the evidential artefacts left behind after the factory reset of Android phones.
Article
This study aims to compare the effectiveness and efficiency of the disk overwrite method and the built-in factory reset feature as anti-forensic techniques on Android devices. Data collection in this study was carried out experimentally on an Android version 10 device that had been subjected to each of these anti-forensic techniques in turn before attempts were made to recover the deleted data with the Photorec software. The experiments found that the recovery process gave nearly the same results for the disk overwrite method, whether 1-pass, 3-pass, 7-pass, or 35-pass, as for the built-in factory reset method, although in terms of operation time there were striking differences among the five. In other words, using the disk overwrite method as an anti-forensic technique, under normal conditions, provides no added value compared with Android's built-in factory reset. The results of this study can be used as a guide and reference by new digital forensics practitioners before processing electronic evidence in the form of Android devices. In addition, the results of this study can serve as empirical evidence of the effectiveness and efficiency of the built-in factory reset feature on Android devices in protecting user privacy when the device changes ownership.