STEPS - Recovering Deleted Data from an Android Device (using a Windows PC)
In case anyone finds this useful, here are some detailed steps for an Android device data recovery method we've used at our shop for quite a while. The first part (imaging) is extremely similar to Wartickler's excellent guide in this current thread, and the last part (recovery using the image) is more oriented to a Testdisk/Photorec recovery approach.
I thought I'd post our procedure here, for the benefit of people looking for more info on individual steps, or who are running into issues with other methods. Hope this helps someone!
---------------------------------------------------------------------
STEPS - Recovering Deleted Data from an Android Device (using a Windows PC)
Scenario: The Android device is still bootable/functional, but files have been lost or deleted from its internal memory.
FIRST, PRECAUTIONS AND BACKUP!
• First, disable phone/Wifi on the device (or just put it into flight mode), and take out the SIM. You don't want the system or apps being able to download updates or write anything else to the unallocated space.
• Make a full backup of everything still on the device (contacts, photos, texts, etc). This won't back up anything already deleted, but it'll make sure you don't lose the rest, in case something goes wrong during the recovery process. DO NOT SKIP THIS, unless you seriously don't care about anything left on the device.
• For Samsungs, you can use the Samsung Kies or Kies3 software to do the backup.
• For other devices, search for the manufacturer's native backup app, or use a reputable third party one.
• If you're not going to be attempting the actual recovery for a while, turn the device off in the meantime.
• NOTE: On a lot of modern Android devices, e.g. devices running Android v4.3 and later, TRIM support is enabled on the userdata partition. The means that TRIM functions will run periodically in the background to "clean up" the device memory, zero-filling any unallocated space. For device operating efficiency this is excellent, but for data recovery, it can be a disaster. As far as we've been able to tell, if the device detects that it has been left idle for an hour or so, TRIM functions may kick in. YOU DO NOT WANT THIS TO HAPPEN! Unfortunately though, it's often already happened before the device reaches us, which limits what we can get back. (Recovery is still worth trying though.) If there's a chance that TRIM hasn't affected the device yet, try to avoid it kicking in while you're working on it, by making sure the device is not left idle for too long and that it's kept turned off when you're not using it.
Then, prepare for recovery:
• First, in the device options, enable Developer Mode and then turn on USB debugging on the device. This is required for the next stages of recovery. If you're not sure how to enable USB Debugging, google your device model number + "usb debugging" for instructions.
• Note down the IMEI, serial number, and model/product number of the device. You can obtain this info either in Settings -> About Device, or on a sticker inside the battery compartment. Write them down. (As well as for your jobnotes, you may need this info for recovery later.)
STAGE 1 ANALYSIS - Consumer level software.
• In many cases it's worth looking at it with a quick and easy consumer level software first, as long as it's reputable. This may bring back what the person wants straight away, without getting too complicated or time consuming.
• If that doesn't work (e.g. the device won't connect, isn't detected by the software, can't find the correct deleted files, wants you to reflash the firmware to proceed further, etc), move on to next level recovery first to get a forensic image before risking anything. DON'T try to root or reflash the device through the consumer software - only try the simple non-invasive options. If something goes wrong and you manage to accidentally brick the device with consumer software before you've got your forensic image, any hope of a successful data recovery is probably toast.
STAGE 2 ANALYSIS - Forensic imaging of the device memory.
Get the device ready:
• Ensure that USB debugging is enabled on the device, and that you've already done a backup of anything valuable which is still left on the device (contacts etc).
• Root the Android device, if it isn't rooted already. You can use something like Kingo Root (
https://www.kingoapp.com/ ) or a reputable rooting utility of your preference.
• On the device, go to the Play Store and install BusyBox by Stephen Stericson (
https://play.google.com/store/apps/details?id=stericson.busybox).
• If the device has an SD card, see if you install BusyBox to that, instead of writing to the internal device memory. (If not, too bad, you'll have to install BusyBox to the internal memory and hope it doesn't overwrite anything important).
• After installing BusyBox, don't forget to run it, and go through the prompts onscreen. This gives it root access and creates the correct directory structure on the device.
• At the top of the screen it will display the location of the installation, e.g. /system/xbin/busybox or /system/bin/busybox. Take note of this.
Get your PC ready:
• On your computer, install Cygwin 32-bit version (
https://cygwin.com/install.html) to c:\cygwin. Don't install the 64 bit version, as it sometimes results in problems later such as 0-byte image files). When it prompts for extra packages, install these two:
• PV
• util-linux
• Download Netcat in zip file (
http://www.daemon.de/Netcat). Extract the "nc.exe" file from the zip, and put it into c:\cygwin\bin.
• Install ADB (the Android Debug Bridge tool).
• OPTION 1 - Either install the full Android SDK Tools which includes ADB but is very large, 90MB+ (
https://developer.android.com/studio)
• OPTION 2 - Or alternatively, just try installing the small 2MB "Minimal ADB and Fastboot Tool" instead (
http://xdaforums.com/showthread.php?t=2317790)
• Then whichever one you install, add the folder location path of "adb.exe" in to the Windows "PATH" environment variable (Control Panel -> System -> Advanced System Settings -> Advanced tab -> Environment Variables -> System Variables -> select PATH -> Edit -> New). Copy and paste the folder location of your adb.exe from the installation above in there, e.g. "C:\android-sdk\platform-tools" or "C:\Program Files (x86)\Minimal ADB and Fastboot", and save. Now you can run adb.exe via command line from anywhere. You can test that it works by running this command from a CMD prompt:
adb devices
• Download Microsoft VHDTool.exe. Create a new folder "C:\cygwin\image" and put VHDTool.exe there. (The original MS download link
http://archive.msdn.microsoft.com/vhdtool appears to be dead, but it's still available from
http://www.techieshelp.com/downloads/VhdTool.exe).
Create the forensic image:
• In most cases we want to go after the entire device memory block "/dev/block/mmcblk0", to make sure we get absolutely everything on all partitions (not only the userdata partition). In this case, the instructions below are to capture the whole block (with all partitions), as a RAW image file, into the "C:\Cygwin\image" directory.
• Connect the device to the computer via USB cable, and unlock the screen. Watch the screen for the "Allow USB Debugging?" prompt and make sure you check "Always allow from this computer" before tapping OK.
• On the PC, open a Cygwin Terminal and enter the following commands:
Code:
adb forward tcp:5555 tcp:5555
adb shell
su
• At this point, the device screen may prompt for SuperSu permission - allow if so. Then enter the next command (assuming BusyBox is installed at /system/xbin/busybox):
Code:
/system/xbin/busybox nc -l -p 5555 -e /system/xbin/busybox dd if=/dev/block/mmcblk0
• Open a second Cygwin Terminal window, and enter the following commands:
Code:
adb forward tcp:5555 tcp:5555
cd /image
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.raw
• NOTE: If you get any errors on any of these lines, odds are you either haven't connected the device properly, or haven't installed the required tools properly, or you haven't entered the PATH environment variable properly, or you forgot to run BusyBox on the device after installing, or you didn't give root permission on the device when prompted, or there is some other incompatibility on your particular system. Go back, re-check everything, try installing the tools again, install a different version of them if available (e.g. netcat, pv, adb etc), try a different USB port, try a different computer, etc.
• Leave both Cygwin terminal windows running. Once the imaging process has started, it'll take ages to finish, usually 1-4 hours. Once it's done, you have yourself a complete RAW image saved in c:\Cygwin\image\. Your image file should end up with a size close to or equal to the whole device capacity (e.g. 14.7GB for an advertised 16GB device).
• The finished output in the first Cygwin terminal should look something like:
Code:
root@klte:/ # /system/xbin/busybox nc -l -p 5555 -e /system/xbin/busybox dd if=/dev/block/mmcblk0
55 -e /system/xbin/busybox dd if=/dev/block/mmcblk0
30777344+0 records in
30777344+0 records out
15758000128 bytes (14.7GB) copied, 4092.340537 seconds, 3.7MB/s
• Once the image is done, you're finished with the Android device now - you can disconnect it from the computer and turn it off.
Mount the forensic image on the computer for analysis:
• Now, we need to convert the image file from RAW to a virtual hard drive that Windows will recognise. We do this by using VHDTool to put a VHD footer onto the end of the .RAW file, and then rename the file extension to VHD (which avoids mount point errors in some Windows versions).
• Open a Windows administrative command prompt, and enter these commands:
Code:
cd c:\cygwin\image
copy mmcblk0.raw mmcblk0-backup.raw
VhdTool.exe /convert mmcblk0.raw
ren mmcblk0.raw mmcblk0.vhd
• Now we can mount the converted image in Windows Disk Management:
• Open Disk Management
• Click Action -> Attach VHD
• Enter the VHD image file location: c:\cygwin\image\mmcblk0.vhd
• Tick "Read Only"
• Click OK
• The drive should now be mounted as read-only in Disk Management, and will show multiple partitions inside (seeing as we captured the whole block, not just the single UserData partition). The UserData partition should be the largest one displayed (probably around 11GB on a 16GB device).
• From here, you can now proceed to use your favorite forensic data recovery processes/software on the mounted image.
• NOTE - we have not assigned any drive letters or tried to format it at this stage. We recommend using the free TestDisk and/or Photorec tools, which don't require that you interfere with the image by quick-formatting it or assigning a drive letter first, and are extremely thorough for recovery. (This is why we don't really recommend Recuva, although Recuva is certainly easier to use. If you've made it this far though, you can probably easily handle a more advanced program like TestDisk).
Testdisk Data Recovery - if you know your own way around TestDisk already, just go for it! If not, here is one procedure you can follow for an Android recovery analysis (mileage will vary):
• Download TestDisk and PhotoRec from
http://www.cgsecurity.org/wiki/TestDisk_Download and unzip somewhere on your computer.
• Right click Testdisk (testdisk_win.exe) and choose "Run as Administrator" to start. Remember input is keyboard only (no mouse). ALWAYS carefully look at the menu of keyboard options down the bottom of the screen, as they change for each page. (They are also CASE SENSITIVE - "C" and "c" are different!)
• Choose No Log and press Enter. TestDisk will bring up a list of all disks it can see attached to your computer.
• Select the freshly mounted VHD from your list of disks, and choose Proceed. The VHD will look something like this:
Code:
Disk /dev/sdb - 15 GB / 14 GiB - Msft Virtual Disk
• Select EFI/GPT as the partition table type.
• Choose "Analyse". You should see a list of partitions, including one named [userdata] at the end if you arrow down, which will look something like:
Code:
>26 P Unknown 6420480 30777310 24356831 [userdata]
• Move the selection to the [userdata] partition and check the bottom list of options to see if it gives you a "P: List Files" option for that partition.
• If yes, type a capital P, and you should see a list of files/folders inside.
• If not:
• Make sure "Quick Search" is selected at the bottom, and press Enter. Let TestDisk run through its quick partition finding process (be patient). When it finishes you'll see a list of partitions again, but probably with less info and no names.
• Arrow down to the largest one (the biggest number under "Size in Sectors"), which is the [userdata] partition - it will probably look something like
Code:
>P MS Data 6420480 30777271 24356792
• Select that partition, and the options at the bottom should now include the the "P: List Files" option. Type a capital P, and you should see a list of files inside. (Common mistake: pressing Enter instead of P, which means you have to go back and do it again.)
• Now that you can see the files inside the [userdata] partition, browse around and see where your lost files are. Useful info:
• The most likely location for personal data (photos etc) is under the /media/0/ directory. Look for the DCIM folder (photos taken with your device camera), Pictures folder (other images/albums), Music folder, etc.
• Normal files/folders come up in white. Deleted files/folders will come up in RED.
• IMPORTANT NOTE: If you're using a modern Android device/OS with TRIM enabled, unfortunately the odds are that the deleted file space has already been zero-filled, and so many files won't be recoverable, such as deleted photos from your Camera roll (under the DCIM folder). If you got your hands on the device soon enough, before TRIM ran, you might get lucky and the original photos might still be there inside the DCIM/Camera folder, showing up in red to indicate they were deleted but are still there. If not, all that might be left under DCIM could be the thumbnails (which although small are still better than nothing).
• Once you've found the data you want to recover, select it (use the colon symbol ':' to select/deselect single files, or the 'a' key to select all in a folder). Then type capital C to tell TestDisk you want to copy it.
• TestDisk will then jump over to its own parent folder (it wants to know where to save the recovered data to). You can save the recovered data directly in TestDisk's parent folder if you like, or if you want to put it somewhere else, you can. In Windows Explorer, create yourself a new folder called "Recovered-TestDisk" under C drive, and then back in TestDisk, use the arrow/Enter keys to navigate to it (see the keyboard navigation options at the bottom). When you're in the right place, press capital C again, and TestDisk will copy your file(s) there.
• TestDisk will report "Copy done!" in green text when finished. You can then continue finding and copying more files until you're done.
• When finished, quit TestDisk properly by hitting 'q' until TestDisk exits (instead of just closing the window).
• Open your "C:\Recovered-TestDisk" folder in Windows Explorer and check out your recovered files.
Photorec Data Recovery - if TestDisk didn't work for you, or if you just want to try another method anyway (it's definitely worth a go), try Photorec too. Photorec ignores filesystems and folder structures, and blindly rips everything that looks vaguely like a useful file out of raw memory. It's excellent for last ditch data recovery (all kinds, not just photos, despite its name). Folder locations and filenames are not recovered, only the files themselves, but often that's all you need.
• From the same folder as Testdisk: right click Photorec (photorec_win.exe) and choose "Run as Administrator" to start. Same principles with keyboard navigation etc apply.
• Select the VHD from your list of disks, and choose Proceed. The VHD will look something like this:
Code:
Disk /dev/sdb - 15 GB / 14 GiB - Msft Virtual Disk
• A list of partitions will appear. Arrow down to the [userdata] partition.
• OPTIONAL: At this point, if you want to limit the types of files that Photorec is looking for (for example if you're only after photos or music files etc), you can tell Photorec to ignore everything else, by selecting only certain file types under "File Opt" at the bottom. Otherwise, it will attempt to recover everything it finds.
• With the [userdata] partition selected, check that "Search" is selected at the bottom, and press Enter.
• Select "Other" as the filesystem type.
• Photorec then jumps straight over to its own parent folder (like Testdisk, it's asking you to know where to save the recovered data to). In Windows Explorer, create a new "C:\Recovered-Photorec" folder, then in Photorec, navigate to it. When you're there, press capital C, and Photorec will start the recovery to that folder.
• Recovery may take a while, so be patient. When it's finished, Photorec will report "Recovery completed".
• When finished, quit Photorec properly by hitting 'q' until Photorec exits (instead of just closing the window).
• Check your "C:\Recovered-Photorec" folder in Windows Explorer to see what it managed to get back. You'll see a bunch of recup_dir folders with random file contents. Hopefully your lost files will be in there somewhere. Remember the original filenames will be gone, so you're relying on file extensions and thumbnails to identify what they are.
• If there are too many files to sort out manually, you can:
• Use the Windows search function on the whole "Recovered-Photorec" folder to find all files of a certain type (e.g. Pictures, or *.jpg, etc) and move them into a separate folder together.
• Check out the various sorting options here:
http://www.cgsecurity.org/wiki/After_Using_PhotoRec.
When you're finished with everything, remember to cleanly unmount the VHD image in Disk Management, by right-clicking the disk name to the left and choosing "Detach VHD". Store a copy of the VHD image file in a safe place, in case you ever want to re-mount it again for further recovery attempts.
Good luck!