Android phones can be easily wiped of personal data, but does it really wipe all data? I have played with an SPH-D710 this time.
I have tried the basic hard reset:
- turn off phone
- press the volume up + power button until then open chested android icon shows up
- wipe data/factory reset ( navigate with volume control, select with power button )
Note: did not select the "wipe cache partition"
- select yes to delete all user data
- press power to reboot
I also tried the interface option to wipe the device:
Settings->Privacy->Factory data reset
The results were the same in either case. Downloaded files, videos, Picasa cache, and Google account email address was still accessible easily by backing up the "wiped" device in Kies and reading the resulting files. The backup is stored in a folder structure without any proprietary structure or protection. Some files like the CallLog.bk is a simple ZIP file with SQLite 3 database.
The backup is located, by default, in the following directory C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730 where the backup folder is made unique by including the date and time of the backup.
Some cache folder can contain files with TEC file extension that contains a single JPG image that can be viewed by removing a few bytes before and after the jpeg signatures. picasa-cache.0 can also be carved for JPG images.
The list below shows the backup structure of the Galaxy S II after wiping the phone 3 times. Image caches, audio downloaded files, videos, and the email address of the user was not removed. The ... shows the removal the same type of files to shorten the output.
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\CALL
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\CONFIGURATION
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\EMAIL
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\MESSAGE
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\CALL\BR
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\CALL\BR\CallLog.bk
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\CONFIGURATION\BR
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\CONFIGURATION\BR\Configuration.bk
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\EMAIL\BR
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\EMAIL\BR\Email.bk
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\MESSAGE\BR
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\MESSAGE\BR\Message.bk
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\media
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\MP3Download
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Music_Audio
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Notifications
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Ringtones
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\media\audio
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\media\audio\notifications
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\media\audio\notifications\facebook_ringtone_pop.m4a
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\MP3Download\AUDIO_FILES.mp3
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Music_Audio\AUDIO_FILES.mp3
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Notifications\hangout_dingtone.m4a
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Notifications\hangout_ringtone.m4a
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Music\Ringtones\hangout_ringtone.ogg
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\USER1
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\astrid
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\c360_debug.txt
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\download
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jp.co.johospace.jorte
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\MP3Download
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\preview.vpl
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\USER1\IMG_VIDEO_FILES.qt
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\astrid\auto.121024-0021.xml
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\Camera
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\NAME2
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\Camera\cache
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\Camera\cache\2047040784001.tec
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\Camera\cache\8484480800.arc
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\NAME2\cache
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\NAME2\cache\2047040784001.tec
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\DCIM\NAME2\cache\8484480800.arc
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\download\119091.pdf
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\download\20120417154424.ics
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\download\49052662.pdf
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\download\abscissa-1.apk
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\capture
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\capture\.nomedia
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts\cmunst.otf
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts\cmuntb.otf
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts\Dancing_Script
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts\lists.csv
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts\Dancing_Script\DancingScript-Bold.ttf
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jorte\fonts\Dancing_Script\readme.txt
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\jp.co.johospace.jorte\jorte.db
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\MP3Download\lyric
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\MP3Download\lyric\AUDIO_FILE.txt
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\db
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\downloadingMedia_0.dat
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\downloadingMedia_3.dat
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\downloadingMedia_6.dat
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\playingMedia11.dat
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\playingMedia5.dat
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\db\mdd.db
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Music_Audio\db\mdd.db-journal
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache\com.google.android.googlephotos
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache\com.google.android.googlephotos\.nomedia
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache\com.google.android.googlephotos\cache_versions.info
//Can be carved for JPG images
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache\com.google.android.googlephotos\picasa-cache.0
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache\com.google.android.googlephotos\picasa-cache.1
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Others\Pictures\cache\com.google.android.googlephotos\picasa-cache.idx
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Camera360
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.google.android.apps.books
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android\cache
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android\cache\filecache
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android\cache\working
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android\cache\filecache\1580054785.jpg
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android\cache\working\2901071601_1345350763
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.box.android\cache\working\2901071601_1345350763\frontface.jpg
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\20120516_151344.mp4
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\Camera Uploads
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\Photos
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\20120516_151344.mp4\large.jpg
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\Camera Uploads\2011-05-15 22.32.24.jpg
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\Photos\Sample Album
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.dropbox.android\cache\thumbs\Photos\Sample Album\Boston City Flow.jpg
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.google.android.apps.books\files
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.google.android.apps.books\files\accounts
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Android\data\com.google.android.apps.books\files\accounts\USER_EMAIL@gmail.com
...
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Camera360\Data
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130320092730\Photo\Camera360\Data\test_old.png
Conclusion
If you don't have specialized forensic tools to analyze a phone and the phone appears to contain no relevant data navigating the interface, a simple device backup can reveal many valuable leads and relevant data. If a device can not be examined, think about examining the device backup on the computer the user had access to. Locating and examining mobile device backups can be an easier alternative and easier to validate than acquiring the actual mobile device.
