A guide to securing your personal data before disposing of your phone



As global smartphone sales have gone off the charts, not many people fully understand the concept of data security. Many assume that phone companies take care of this well. This is not true. There is also the scenario where the data you saved can still be retrieved years later, no matter what you do. How is this possible? Let's start with the basics. Everything I explain here has an Explanation and a Technical Explanation for a better understanding.

What happens when you delete a file?

Explanation: When you delete a photo or a text file from your phone, nothing actually gets destroyed. Deleting just tells the operating system that the “space” the file takes up is available for overwriting. What does this mean? To answer that, you need to know how a FAT32 or an ext3 file system works. Most memory cards you use on your phone are either FAT32 or NTFS partitioned. Yes, these are technical terms that you might take time to fully understand.

What is FAT32?

A hard disk (in this case a memory card) must be partitioned (and formatted) before files can be stored on it. The maximum number of partitions is limited by the type of file system used, and by the size of the memory card (abbreviated mmc). FAT32 is one such file system. It is most commonly used in a computer where large amounts of data need to be stored. FAT32 derives its name from the fact that it employs a File Allocation Table (abbreviated FAT) to record the disk address of each file in the partition, and also from the fact that the table uses 32-bit storage. (This is explained further on the technical side of things.) So basically this is the format in which data gets stored on your phone.

 

Technical explanation: All of the FAT file systems were originally developed for the IBM PC machine architecture.

A 32-bit FAT entry is stored on disk as a series of four 8-bit bytes, the first being byte[0] and the last being byte[3]. Here is where the 32 bits, numbered 00 through 31, are (00 being the least significant bit):

byte[3]    31 30 29 28 27 26 25 24
byte[2]    23 22 21 20 19 18 17 16
byte[1]    15 14 13 12 11 10 09 08
byte[0]    07 06 05 04 03 02 01 00

 

A FAT file system volume is composed of four basic regions, which are laid out in this order on the volume:

0 – Reserved Region
1 – FAT Region
2 – Root Directory Region (doesn’t exist on FAT32 volumes)
3 – File and Directory Data Region

There is considerable confusion over exactly how this works, which leads to many “off by 1”, “off by 2”, “off by 10”, and “massively off” errors. It is really quite simple how this works. The FAT type—one of FAT12, FAT16, or FAT32—is determined by the count of clusters on the volume and nothing else.

 

So coming back to what happens when you delete a file:

Technical explanation: I just created a file called test1.txt on my phone, and it contains some confidential data. Let's look at the file data transfer bits.

FDT hex before deleting "test1.txt"

The first cluster number of the file is “000C”, i.e. 12. The offset of the cluster record in the FAT is “0184800”, and its content is “0D 00 00 00”.

0D 00 00 00 00

 

Before deletion

After deletion

 

From the two charts we can see that, after deleting “test1.txt”, the first byte of the registration (directory) entry is changed to “E5H” and the other bytes remain the same. The same goes for long filenames. “E5H” indicates that this file has been deleted. For the operating system, it no longer exists. When users request the file again, the operating system will report that this file does not exist.

The comparison shows no difference in the FAT: the file still takes 10 contiguous clusters. Clearly, the space the file takes has not actually been released, and the data still exists in the data region. Now, if users write new data, the system detects that those clusters are still in use and uses other blank clusters and data space instead. This way, fast-deleted files are not destroyed by new data.

What happens when you completely remove test1.txt?

 

Before full deletion

 

After complete deletion

 

From the comparison we can see that the registration entry of the file in the FAT has been reset and marked as “empty”. Now, if the user writes a new file to the partition, it is likely to land on the released empty clusters, overwriting the space once used by the two files.

This is what technically happens when you delete a file.
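The states described above (before deletion, fast delete, complete delete) followed by an overwrite, as an added Python example that is not from the original article. The toy volume, its 512-byte cluster size, the sample text and all function names are constructed for illustration, and deletion is modelled the way this article describes it.

```python
import struct

DELETED = 0xE5     # "E5H": first byte of a deleted directory entry
EOC = 0x0FFFFFF8   # FAT32 values at or above this end a cluster chain
CLUSTER = 512      # constructed size; cluster n sits at offset n * CLUSTER

def fat_entry(fat, n):
    """FAT entry n: four little-endian bytes, top 4 bits reserved."""
    return struct.unpack_from("<I", fat, n * 4)[0] & 0x0FFFFFFF

def parse_dirent(e):
    """Decode a 32-byte short-name directory entry."""
    hi, lo, size = struct.unpack_from("<H4xHI", e, 20)
    return {"deleted": e[0] == DELETED, "name_tail": e[1:11].decode("ascii"),
            "first_cluster": (hi << 16) | lo, "size": size}

def chain(fat, start):
    """Follow the cluster chain from start to its end-of-chain mark."""
    out, c = [], start
    while 2 <= c < EOC and len(out) < len(fat) // 4:
        out.append(c)
        c = fat_entry(fat, c)
    return out

def build_volume(secret):
    """Constructed sample: TEST1.TXT in 10 contiguous clusters from 12."""
    fat, data = bytearray(4 * 32), bytearray(CLUSTER * 32)
    for c in range(12, 22):
        struct.pack_into("<I", fat, c * 4, c + 1 if c < 21 else 0x0FFFFFFF)
    data[12 * CLUSTER:12 * CLUSTER + len(secret)] = secret
    dirent = bytearray(b"TEST1   TXT" + bytes(21))
    struct.pack_into("<H", dirent, 26, 12)            # first cluster, low word
    struct.pack_into("<I", dirent, 28, len(secret))   # file size
    return fat, data, dirent

def read_back(data, info):
    off = info["first_cluster"] * CLUSTER
    return bytes(data[off:off + info["size"]])

def quick_delete(dirent):
    dirent[0] = DELETED      # only the marker byte changes

def full_delete(fat, dirent):
    quick_delete(dirent)
    for c in chain(fat, parse_dirent(dirent)["first_cluster"]):
        struct.pack_into("<I", fat, c * 4, 0)   # FAT record reset to "empty"

def wipe(data, first, count):
    data[first * CLUSTER:(first + count) * CLUSTER] = bytes(count * CLUSTER)
```

In this model the content is readable after both kinds of delete and disappears only after `wipe`; on real flash storage, wear levelling can leave stale copies outside the clusters being overwritten.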

What will happen if I just factory reset my phone before selling?

In one word: disaster. Yes, even if you have a phone without an SD card slot, like the Nexus. Why?

Factory resetting a phone wipes all your (internal) data, but with a few simple steps anyone can recover your old photos, videos and whatnot. How?

  • back up the entire internal memory partition to your computer as a single, massive .RAW file,

  • convert the .RAW file output to a VHD,

  • mount the VHD as a disk in Disk Manager,

  • scan the attached VHD volume for files that have been deleted and recover them

Scary right?

So what do I do?

You can always NOT sell the phone. Works almost all the time. Those who are adamant about selling their device can use apps like Advanced File shredder (requires root) on Android or iShredder on iOS (paid app) that can wipe your files on some level. On a device with an SD card, you can just mount the card on your PC or Mac, and there are tons of applications that can permanently delete your files.

So next time you sell your phone, make sure your data is safe. A phone is your personal device. Keep it safe!

 


Author: Siddharth Sai

Siddharth Sai is a former Googler passionate about Devices, their security and functionality. He writes occasionally, and is pro-active on the use of day to day Technology.