The purpose of this article is to provide additional information about the capabilities and distinctive features of the "ADR512" (Android Data Recovery) program. A description of the software can be found at: http://512byte.ua/articles/programma-android-data-recovery.html.
To test the software, the "512Byte" company invited specialists from the "Gross" digital forensics laboratory. We would like to sincerely thank the "512Byte" company for the invitation to take part in testing a program that is unique in its approach to searching for digital evidence.
It's time for the practical tests.
The experiment, step by step:
1. Two devices were used: "Lenovo A319" (OS version 4.4.2) and "Xiaomi Redmi Note 3 Pro" (OS version 6.0.1).
2. The "Lenovo A319" was reset to factory settings (all data, including the user's, was deleted).
3. Root rights were obtained on the "Lenovo A319" to have full access to the device's memory (Hynix eMMC H4G2a).
4. An image of the drive installed in the "Lenovo A319" was made. The image size is 4 GB.
5. The image from step 4 was examined with the data retrieval and analysis software "Belkasoft Evidence Center Ultimate 2017". The "Messages" section is missing from the report.
6. For the test, the instant messaging application "imo" (http://imo.im/) was chosen and installed from Google Play. We chose this program because it has over 100 million downloads; we deliberately did not choose the most widely used applications such as "Viber" and "WhatsApp".
7. Instant messages were exchanged between the two devices in "imo" (text: "512byte_gross", "gross_512byte"). Below is a screenshot with the contents of the text messages on the "Xiaomi Redmi Note 3 Pro".
8. After using the "imo" application, the image of the "Lenovo A319" was made again.
9. The image from step 8 was examined with "Belkasoft Evidence Center Ultimate". The "Messages" section now appears.
10. After that, the "imo" application was removed from the "Lenovo A319" in the standard way.
11. After removing the application, the image of the "Lenovo A319" drive was made again.
12. The image from step 11 was examined with "Belkasoft Evidence Center Ultimate" and "X-Ways Forensics 19.2". Belkasoft Evidence Center Ultimate did not detect the deleted messages (no "Messages" section). The search covered both available and deleted data: the file system structure of the logical partition was examined, the carving method (signature analysis) was applied, and keyword searches were run (since the message content is known). Research time: about 1 h 20 min. The probable reason for the negative result is that this software works with the SQLite database file (db) directly. It can also find files of this type through signature analysis (carving). It can therefore be assumed that if the SQLite data structures are damaged (a damaged or missing signature), the evidence in the file will not be detected.
Using "X-Ways Forensics 19.2", entries were identified in the free sectors of the partition (image). As in the previous case, the search covered both available and deleted data: the file system structure of the logical partition was examined, the carving method was applied, and keyword searches were run. Research time: about 1 h 40 min (including examination of file system structures, signature analysis and keyword searches). The positive result was achieved thanks to the known content of the messages.
13. Next, the image from step 11 was examined with "ADR512". Research time with the selected settings was less than two minutes (for the whole image). As a result, we detected the deleted messages from our test in the "imo" application.
- This test demonstrated that "ADR512" has an advantage in searching for deleted messages over applications that work directly with database files. The positive result is achieved because "ADR512" searches for all SQLite records, without reference to the database file.
- If you know the message content, you can find it with any hex editor. However, the questions of interpreting the fields, the date and time and, most importantly, the time spent remain.
- Where the search context is unknown or the number of messages is too large, a fundamentally different approach is required. "ADR512" finds the messages regardless of their content and the number of records.
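To make concrete what "searching for all SQLite records without reference to the database file" means, here is an added example (my own illustration, not ADR512's code, whose internals are not published here): a minimal record carver in Python that recognises SQLite record headers at any offset of a raw buffer and decodes the columns, with no database header or page structure needed. The sample bytes and all function names are constructed for this example; real free-sector data is noisier and would need stronger plausibility checks (for example a column count taken from the application's schema).

```python
WIDTH = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}  # integer serial types -> body width in bytes
def read_varint(buf, pos):
    # SQLite varint: big-endian, 7 bits per byte, high bit = more follows. Record-header
    # values are small, so a varint longer than 8 bytes is rejected as "not a header".
    value = 0
    for b in buf[pos:pos + 8]:
        value, pos = (value << 7) | (b & 0x7F), pos + 1
        if b < 0x80:
            return value, pos
    raise ValueError("truncated or overlong varint")

def decode_field(buf, pos, stype):
    # One column body by serial type -> (value, next_pos); REAL (7) and reserved types are skipped
    if stype in (0, 8, 9):                        # NULL, literal 0, literal 1: no body bytes
        return {0: None, 8: 0, 9: 1}[stype], pos
    n = (stype - 12) // 2 if stype >= 12 else WIDTH.get(stype)   # >= 12: even BLOB, odd TEXT
    if n is None or len(buf) - pos < n:
        raise ValueError("unsupported serial type or body runs past buffer end")
    raw = buf[pos:pos + n]
    if stype < 12:
        return int.from_bytes(raw, "big", signed=True), pos + n
    return (raw.decode("utf-8") if stype % 2 else raw), pos + n

def parse_record(buf, pos):
    # Record header = varint header length (counting itself) + one varint serial type per column
    hdr_len, p = read_varint(buf, pos)
    end = pos + hdr_len
    if hdr_len < 2 or end > len(buf):
        raise ValueError("implausible header length")
    types, fields = [], []
    while p < end:
        t, p = read_varint(buf, p)
        types.append(t)
    if p != end:
        raise ValueError("serial types overrun header length")
    for t in types:
        v, p = decode_field(buf, p, t)
        fields.append(v)
    return fields

def carve_records(buf, min_text=4):
    # Try every offset; yield (offset, columns) for parses with a TEXT column of >= min_text chars
    for pos in range(len(buf)):
        try:
            fields = parse_record(buf, pos)
        except ValueError:                        # UnicodeDecodeError is a ValueError too
            continue
        if any(isinstance(f, str) and len(f) >= min_text for f in fields):
            yield pos, fields

# Constructed sample: junk bytes around one record = INTEGER 7, INTEGER 1494700000, TEXT "512byte_gross"
SAMPLE = b"\xff" * 16 + bytes.fromhex("04010427 07 59174fe0") + b"512byte_gross" + b"\x00" * 16
```

Running `list(carve_records(SAMPLE))` returns the one record at offset 16 with its three columns decoded, even though no SQLite file header precedes it. The constructed integer 1494700000 stands in for the kind of Unix timestamp a messenger stores beside each message, which is the "interpretation of fields, date and time" step a hex-editor search leaves to the analyst.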
P. S. This article in no way disparages the software "Belkasoft Evidence Center Ultimate" and "X-Ways Forensics 19.2". A single case is considered.
P. S. 2. Particularly attentive readers will notice time discrepancies between the correspondence and the report. This arose because we "just forgot to set the time on the Lenovo A319".