Australian Digital Forensics Conference

Document Type

Conference Proceeding


The Android operating system is the current market leader on mobile devices such as smartphones and tablet computers. The core operating system is open source and has a number of developers creating variants of this operating system. These variants, often referred to as custom ROMs are available for a wide number of mobile devices. Custom ROMs provide a number of features, such as enhanced control over the operating system, variation in user interfaces and so on. The process of installing custom ROMs is often accomplished through the use of a ROM manager application. Such applications often provide mechanisms to back up the contents of the mobile device prior to upgrade. This mechanism is utilised in the case of a failed update to restore the device to its previous functional state. Backups produced in this manner are often stored in on an external media such as a micro-SD card.In the conducted research we evaluated devices inbuilt data erasure mechanisms within the context of erasure of backups produced by ROM managers. It was found that simply using the devices Format External / SD function is not an effective means of completely erasing these backups. Once recovered, these backups offer a quick source of information that a potential attacker could carve to retrieve user files such as media transferred to the external or from applications. Although the same files could be recovered from an image of the external storage itself, the carving process is more efficient than traditional carving methods.


Originally published in the Proceedings of the 12th Australian Digital Forensics Conference. Held on the 1-3 December, 2014 at Edith Cowan University, Joondalup Campus, Perth, Western Australia.