In my experience, the Android phone might be easier to get at the physical level, but the iPhone backup tends to be more extensive and more prevalent. Maybe because of the nature of iTunes, people tend to backup to a laptop. So I don't think there's a preference of one phone or another. Forensically, we've got possibilities to go after deleted text messages on either one.
CIO.com: What should IT do to retrieve these messages?
Luehr: First of all, secure the phone and don't turn it on and poke around. Deleted text messages just sit there until they're overwritten. With the growing memory on phones, it's not uncommon to have thousands of text messages. Most phone systems operate on a database, and so the data may still be there marked with a flag that says deleted. A normal user or IT person won't be able to see the deleted messages, but that's where forensic tools are helpful. If you poke around, you may start overwriting important pieces of information.
Second, secure the laptop or workstations that may have been used to back up the phone.
Third, you may need to call computer forensics expert who is well-versed in a variety of different phones and forensic tools. Unlike a hard drive, laptop or desktop where you have three flavors — Apple, Windows and Unix or Linux — cellphones have maybe 150 flavors.
Fourth, make sure you note the make and model of the phone, because that will dictate whether or not the forensics expert can handle it and how difficult to job might be. You'll also want to provide information about specific dates, addresses and phone numbers, which will help the forensics expert wade through the thousands of text messages.
One thing you should be ready for with cost estimates from a mobile forensics company is that you'll probably pay as much, if not a little more, than you would for the analysis of a [PC] hard drive. With cell phones, we'll often go at them with two or three different tools.
CIO.com: How far back can you go?
Luehr: We just had a case last week where we were able to harvest and recover 8,000 text messages. They covered between 12 and 15 months of activity; a year's worth of text messages is quite normal to see. The phone had been recently wiped and reformatted, but we found a thousand text messages within the backup.
CIO.com: Were they all stored on the phone?
Luehr: So we talked about the database, where there are active texts you can pull up and deleted texts using forensic tools. Depending on the phone, you can also perhaps go down and get information off the physical layer of the phone, much like making a forensic image of a hard drive.
Sign up for Computerworld eNewsletters.