Full Report
This evening we were featured on Channel 4’s DataBaby segment (link to follow). Channel 4 bought several second-hand mobile phones that had been “wiped” (or rather reset to factory default) from various shops. Our challenge was to recover enough data from these seemingly empty phones to identify the previous owners. After a long night of mobile forensics analysis, we had recovered personal data from almost every phone we had been provided with. This information included:
Analysis Summary
# Incident Report: Mobile Device Data Remanence Exposure
## Executive Summary
This report details a forensic analysis exercise where recovered data from factory-reset, second-hand mobile phones was successfully used to identify previous owners. The experiment demonstrated that "wiping" phones via factory reset often leaves substantial user data recoverable, posing a significant risk to private individuals selling used devices. The response involved extensive mobile forensics to validate data recovery capabilities.
## Incident Details
- **Discovery Date:** February 6, 2014 (Date of publication/experiment conclusion)
- **Incident Date:** Occurred prior to February 6, 2014 (During the period Channel 4 acquired the phones)
- **Affected Organization:** Channel 4 (As the entity commissioning the recovery) / Previous phone owners (Data subjects)
- **Sector:** Media/Forensic Experimentation
- **Geography:** Not explicitly stated (Implied UK, related to Channel 4)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to February 6, 2014
- **Vector:** Physical acquisition of "wiped" used mobile phones.
- **Details:** Channel 4 purchased several second-hand mobile phones from various retail shops that had been reset to factory default settings.
### Lateral Movement
- *Not applicable in this forensic analysis scenario.*
### Data Exfiltration/Impact
- **Details:** Personal data from almost every provided phone was recovered, including browsing history, cookies (email/Facebook), contacts, SMS messages, photographs, address information, and personal documents.
### Detection & Response
- **Details:** The issue was discovered through active mobile forensics analysis conducted by SensePost following the acquisition of the devices.
- **Response actions taken:** Extensive forensic analysis was performed to recover data. Ethically, researchers chose *not* to utilize recovered cookies to impersonate previous owners. All data was securely deleted after the experiment, and the phones were wiped using full-disk encryption.
## Attack Methodology
*Note: This section describes the methodology used to recover data, which represents a potential attack vector if performed maliciously.*
- **Initial Access:** Physical acquisition of end-user devices (mobile phones).
- **Persistence:** *Not applicable - single analysis event.*
- **Privilege Escalation:** *Not applicable.*
- **Defense Evasion:** Exploitation of inadequate data sanitization methods (factory resets).
- **Credential Access:** Recovery of credentials stored within cookies (Facebook, email).
- **Discovery:** Mobile forensics analysis targeting file system remnants.
- **Lateral Movement:** *Not applicable.*
- **Collection:** Application of mobile forensics tools to retrieve deleted user files and databases.
- **Exfiltration:** *Data was analyzed internally, not exfiltrated externally.*
- **Impact:** Identification and potential compromise of previous owners' sensitive personal information and access tokens.
## Impact Assessment
- **Financial:** Not applicable (Experiment). Potential high financial/legal liability for vendors who poorly sanitized devices.
- **Data Breach:** Extensive recovery of private personal data (contacts, photos, documents, login session cookies) from devices categorized as "wiped."
- **Operational:** Disruption to the forensic analysts' schedule ("a long night of mobile forensics analysis"). No organizational disruption to the data subjects unless the recovered data was acted upon.
- **Reputational:** Negative exposure for mobile phone retail/resale industry regarding data handling practices. Positive exposure for SensePost for demonstrating the vulnerability.
## Indicators of Compromise
*Note: As this was a forensic demonstration, traditional network IoCs are not relevant. Behavioral IoCs relate to end-user practices.*
- **Network indicators (defanged):** N/A
- **File indicators:** Recovered artifacts (e.g., SQLite database remnants, web browser cache files, unallocated space data).
- **Behavioral indicators:** Failure to use full disk encryption on Android devices; relying solely on factory reset procedures for data destruction.
## Response Actions
- **Containment measures:** Researchers contained the recovered data and prevented its malicious use (e.g., prevented cookie-based impersonation).
- **Eradication steps:** All recovered data was securely deleted from the analysts' devices after the experiment concluded (using full-disk encrypted laptops).
- **Recovery actions:** None required for the data subjects, as the data was analyzed internally for demonstration purposes only.
## Lessons Learned
- **Key takeaways:** Factory default resets on unencrypted mobile phones (particularly older Android models) are insufficient for securely destroying user data. Vast amounts of personal and session-related data remain recoverable.
- **What could have been done better:** Device resale vendors should implement verifiable, secure data destruction procedures, rather than relying on user-initiated factory resets.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Encryption is Paramount:** Ensure all mobile devices (Android, specifically) utilize full-disk encryption, as this renders data practically irrecoverable after a reset, unlike unencrypted storage.
2. **Layered Wiping:** For users selling devices, always encrypt the device, perform a factory reset (to destroy the unencrypted data), and then re-encrypt the device twice (to destroy the key material used in the first wipe).
3. **Media Specificity:** Recognize this risk applies to all utilized storage media (laptops, memory cards) and implement appropriate destruction methods beyond simple deletion or formatting.
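The file indicators above (SQLite and image remnants in unallocated space) and recommendation 1 describe the same mechanism from two sides: a factory reset discards filesystem metadata and key material but leaves the data blocks in place, so carving for known headers recovers them unless the blocks only ever held ciphertext. The following added example (not part of the original post or report) simulates that on a tiny flash image; the block layout, the file contents, the device key and the SHA-256 counter-mode keystream are all constructed for illustration and are not a real filesystem or FDE cipher.

```python
"""Data remanence after a 'factory reset', on a simulated flash image."""
import hashlib
from typing import List, Optional, Tuple

BLOCK = 512

# Magic bytes of the artefact types the report lists as recoverable remnants.
SIGNATURES = {
    "sqlite_db": b"SQLite format 3\x00",
    "jpeg_image": b"\xff\xd8\xff\xe0",
}

def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (illustrative stand-in for an FDE cipher)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return out[:length]

class Flash:
    """Raw storage plus a directory (name -> (offset, length)), a toy filesystem."""
    def __init__(self, blocks: int, key: Optional[bytes] = None):
        self.raw = bytearray(blocks * BLOCK)
        self.directory = {}
        self.key = key                      # None models an unencrypted device

    def write(self, name: str, data: bytes) -> None:
        start = len(self.directory) * 4 * BLOCK   # constructed layout: 4 blocks per file
        if self.key is not None:            # encrypted device: only ciphertext hits flash
            data = bytes(a ^ b for a, b in zip(data, keystream(self.key, len(data))))
        self.raw[start:start + len(data)] = data
        self.directory[name] = (start, len(data))

    def factory_reset(self) -> None:
        """Model of a reset: metadata and key material go, data blocks stay."""
        self.directory.clear()
        self.key = None

def carve(raw: bytes) -> List[Tuple[int, str]]:
    """Scan the raw image for artefact headers, ignoring the (now empty) directory."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = raw.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = raw.find(magic, pos + 1)
    return sorted(hits)

def demo(encrypted: bool) -> List[Tuple[int, str]]:
    """Write two constructed user files, reset the device, then carve what is left."""
    flash = Flash(blocks=16, key=b"constructed-device-key" if encrypted else None)
    flash.write("contacts.db", SIGNATURES["sqlite_db"] + b"Alice,+44 7700 900123")
    flash.write("IMG_0001.jpg", SIGNATURES["jpeg_image"] + b"\x00\x10JFIF")
    flash.factory_reset()
    return carve(bytes(flash.raw))
```

`demo(False)` reports both artefacts at their original offsets after the reset, while `demo(True)` reports nothing, since the blocks only ever held ciphertext and the key is gone; the same header scan run over a real image is a cheap way to verify a sanitization procedure before a device is resold.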