Mobile Device Forensics

The phone in your suspect's pocket holds the case.

Phones carry more evidence than any other device in most investigations. Data Rescue Labs performs full-spectrum mobile forensics on iOS and Android — including the deep recovery work that most examiners cannot or will not attempt.

8,400+ devices examined
iOS · Android: both platforms
Secure Intake · Mobile Privileged
What we deliver

Six capabilities. Every extraction method.

Whether your device is current, locked, water-damaged, or wiped — we have a proven workflow. Each capability below is available as a standalone engagement or as part of a full examination.

01
Extractions

Full file system (FFS), file-based and logical extractions of iPhones and Androids using court-validated extraction tooling. Lawful AFU (After First Unlock) and BFU (Before First Unlock) acquisition for locked devices, with every method documented for chain-of-custody integrity. Every extraction is hash-verified before analysis begins.

FFS · AFU · BFU · SHA-256
02
Deleted Message Recovery

Recovery of deleted messages from third-party messaging apps (WhatsApp, Signal, Telegram and Messenger), including SQLCipher-encrypted databases and WAL/freelist carving that recovers data beyond standard tool output. We do not recover deleted SMS, iMessage or Snapchat — those pathways are not viable from current iOS/Android devices.

SQLite · WAL carving · SQLCipher
03
App-Specific Analysis

Deep analysis of dating apps, financial and crypto apps, ride-share, marketplace, ephemeral messaging and secure communication tools. We extract app artifacts that vendor tools ignore or misparse.

iOS · Android · Custom parsing
04
GPS & Location Reconstruction

Significant locations, frequent locations, route history and geofence-anchored activity. We correlate location data across apps, device logs and cloud artifacts to build a timeline that survives cross-examination.

Sig. Locations · Geofence · Cloud corr.
05
BlackBerry Forensics

One of the few Canadian labs still performing BlackBerry chip-off acquisition. Legacy BB10 and earlier devices: NAND desolder, raw read, and reconstruction in our Faraday-shielded acquisition bay. Specialty service for historical custody, archived evidence and discovery matters where the only surviving device is a BlackBerry.

BB10 / Legacy · NAND chip-off · Faraday bay
06
Wearable & IoT Extractions

Extractions for Apple Watch, Wear OS, Fitbit, smart home devices and connected accessories. IoT devices often contain timestamped behavioral data — location, motion, biometrics — that phones alone cannot provide.

Apple Watch · Wear OS · Smart home
Mobile Acquisition Workflow

How a phone reaches the courtroom.

Mobile-specific workflow — Faraday shielding from the moment the device arrives, every artifact hash-verified.

01
Faraday Receipt

Device placed in a Faraday bag at intake to prevent remote wipe. Photographed, logged, sealed under privilege.

02
FFS / BFU Extraction

Licensed extraction tooling. Chip-off via NAND read when the device is locked or damaged.

03
App-Database Recovery

SQLCipher decryption, WAL frame carving, freelist recovery — the deleted-message work most vendor tools miss.

04
Mobile Evidence Report

Screenshot exhibits, app-by-app artifact tables, geofence timelines, metadata appendix — all Bates-stampable.

05
Mobile Testimony

Translating BFU vs AFU, chip-off and recovered-message provenance into language a jury understands.

When you need this

Six situations that bring clients to us.

S01
Deleted message recovery

A deleted text, photo, or message is central to a legal dispute and needs to be recovered or confirmed unrecoverable.

SQLite carving · WAL analysis · freelist recovery
S02
Employee data theft

A phone belongs to a departing employee suspected of data theft — app access logs, file transfers and cloud sync artifacts tell the story.

App artifact analysis · cloud sync · timeline
S03
Family law & infidelity

An infidelity, custody, or family-law matter requires admissible mobile evidence — location history, communications and timeline reconstruction.

Significant locations · iMessage · call logs
S04
Cryptocurrency theft

A cryptocurrency theft traces back to a compromised phone — private key exposure, clipboard hijacking, or SIM-swap artifacts recovered.

Wallet apps · SIM swap · clipboard history
S05
Locked or damaged device

A device is locked, damaged, or otherwise inaccessible by conventional means — BFU acquisition, chip-off, or ISP may still recover what's needed.

BFU · chip-off · ISP · Faraday acquisition
S06
Expert report rebuttal

An opposing-side expert report needs to be independently verified or challenged — we review methodology, tool validation and conclusions.

Methodology review · Daubert · tool validation
What we recover

Every artifact a phone leaves behind.

Eight evidence classes — recovered, parsed and presented as exhibits.

Messages: SMS · iMessage · WhatsApp
Photos & Video: EXIF · thumbnails · cached
Location History: Sig. Loc · GPS · cell tower
Call Logs: Incoming · outgoing · FaceTime
App Data: Plist · SQLite · keychain
Cloud Sync: iCloud · Google · backups
Browser History: URLs · downloads · search
Deleted Items: WAL · freelist · carved
Why Data Rescue Labs

Mobile is our deepest specialty.

We routinely recover deleted Telegram, Signal and WhatsApp messages from full file system extractions — including SQLCipher-encrypted databases, WAL frames and freelist remnants — that vendor tools mark as unrecoverable.

If your case turns on what was deleted, this is the difference between a finding and a dead end. Every report is authored by a credentialed examiner, documented for Daubert scrutiny and reproducible by opposing experts.

Other labs | Data Rescue Labs
Vendor extraction output only — no deep parsing | FFS + BFU + chip-off — every method available
Locked devices returned as unexaminable | BFU acquisition attempted — most inaccessible devices examined
Encrypted databases reported as unrecoverable | SQLCipher parsed manually — WAL and freelist carving applied
Proprietary app databases marked unsupported | Custom scripts written per-app — court-validated outputs
Reports not structured for Daubert/Frye challenges | Mobile examiners admitted in BC, ON, NY, CA and federal courts
Mobile FAQ

Phone forensics, specifically.

The mobile questions we hear most often from counsel, HR and individuals across Canada.

Can deleted messages be recovered from a phone?

For third-party messaging apps — WhatsApp, Signal, Telegram and Messenger — often yes. These apps store messages in SQLite (sometimes SQLCipher-encrypted) databases. When a message is deleted, the row is usually only flagged — the data persists in the SQLite WAL (Write-Ahead Log) and freelist until the database vacuums. We carve those structures to recover deleted content.

Success rate is highest within days of deletion and drops as the device gets used. Heavy daily use speeds up the vacuum.

We do not currently offer deleted SMS, iMessage or Snapchat recovery — those vendor pathways are not viable from current iOS/Android devices.
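
The WAL persistence described in this answer can be reproduced on a throwaway database. The following is an added example, not Data Rescue Labs' tooling: it parses the frames of a SQLite `-wal` file and searches superseded page versions for a deleted row. The file name `msgstore.db`, the `messages` table and the message text are constructed for the demonstration, and frame checksums are not validated.

```python
import os
import sqlite3
import struct
import tempfile

WAL_MAGIC = (0x377F0682, 0x377F0683)  # the two valid WAL header magics

def parse_wal(wal: bytes):
    """Return (page_size, frames) from raw -wal bytes; each frame is a dict."""
    magic, _ver, page_size, _ckpt, salt1, salt2 = struct.unpack(">6I", wal[:24])
    if magic not in WAL_MAGIC:
        raise ValueError("not a SQLite WAL file")
    frames, off = [], 32                      # frames start after the 32-byte header
    while off + 24 + page_size <= len(wal):
        pgno, commit, f1, f2 = struct.unpack(">4I", wal[off:off + 16])
        frames.append({"index": len(frames), "page": pgno, "commit": commit,
                       "current_salt": (f1, f2) == (salt1, salt2),
                       "data": wal[off + 24:off + 24 + page_size]})
        off += 24 + page_size
    return page_size, frames

def superseded_frames(frames):
    """Frames whose page was written again later in the WAL: old page versions."""
    last = {f["page"]: f["index"] for f in frames}
    return [f for f in frames if f["index"] < last[f["page"]]]

def demo(needle=b"constructed sample: meet at pier 9"):
    """Build a throwaway WAL-mode DB, delete a row, then search old frames."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "msgstore.db")   # hypothetical file name
        con = sqlite3.connect(path)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO messages(body) VALUES (?)", (needle.decode(),))
        con.commit()
        con.execute("DELETE FROM messages WHERE id = 1")
        con.commit()
        live = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        with open(path + "-wal", "rb") as fh:   # read before close: closing checkpoints the WAL
            wal = fh.read()
        con.close()
    _, frames = parse_wal(wal)
    hits = [f["index"] for f in superseded_frames(frames) if needle in f["data"]]
    return live, len(frames), hits
```

`demo()` returns the live row count (zero after the delete), the number of WAL frames, and the indexes of superseded frames that still contain the deleted text.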

What is BFU vs AFU extraction?

BFU (Before First Unlock): phone has been powered on but never unlocked since boot. Encryption keys are not yet derived — most user data is inaccessible.

AFU (After First Unlock): phone has been unlocked at least once since boot. Keys are in memory and full-file-system extraction is possible.

For seized devices we try to acquire AFU when possible. For locked iPhones, we use court-validated unlock tooling appropriate to the chipset.

Can you extract data from a locked iPhone in Canada?

With proper authorization, yes. We use licensed forensic tooling that exploits known vulnerabilities to bypass the lock without altering data. Success rates vary by chipset and iOS version — we tell you up front what we can and cannot recover before any work begins.

We do not jailbreak as a first step — jailbreaking modifies the device and weakens the chain of custody.

How long does WhatsApp / Signal / Telegram forensics take?

WhatsApp: deleted messages can often be recovered from the local SQLCipher database and from iCloud / Google Drive chat backups.

Signal: limited recovery — sealed-sender and disappearing messages don't leave readable traces beyond their lifetime.

Telegram: cloud-backed, so even "deleted" messages can sometimes be recovered from server-side artifacts if accessible.

Can a wiped Android phone be recovered?

Depends on the wipe method.

Factory reset: limited recovery — the cryptographic key is destroyed, making the data unreadable even though raw NAND blocks may persist. Full overwrite: nothing to recover.

Chip-off: in some cases, we can desolder the NAND, read it raw and recover unencrypted file fragments — but modern Android (10+) encrypts by default, so success is limited to older or unencrypted devices.

Is jailbreaking required for iPhone forensics?

No, and we avoid it when possible. Jailbreaking modifies the device, weakens chain of custody and can corrupt user data. We prefer licensed forensic tooling, which exploits the device without modifying user-accessible storage.

Jailbreak-based extraction is a fallback for older devices when no licensed exploit is available.

Can you recover deleted photos from a phone's camera roll?

Yes — iOS keeps deleted photos in a "Recently Deleted" album for 30 days by default. Beyond that, deleted photos may persist in the Photos.sqlite WAL, in iCloud Photo Library recovery, in the camera roll's hidden cache, or in old iTunes / Finder backups. We check all sources.

Android: deleted photos can sometimes be recovered from internal storage, the trash folder, Google Photos cloud and emulated SD card slack space.