Introduction: The Elusive Nature of Deleted Android Data
Recovering deleted files from Android devices presents a distinct set of challenges for digital forensics investigators and data recovery specialists. On a traditional magnetic disk a deleted file is merely unlinked and its blocks can sit in unallocated space for a long time. Modern Android devices store data on flash (eMMC or UFS) and combine three mechanisms that shrink that window: TRIM/discard (Android runs fstrim as a periodic idle-maintenance job, and some builds mount userdata with the discard option), the flash controller's garbage collection, and encryption (file-based encryption on current devices, full-disk encryption on older ones). Not all hope is lost, however. By understanding how MTP/PTP present files to a host, where Android keeps its media metadata, and how to carve unallocated space from a raw image, valuable artifacts can still be recovered.
Understanding MTP/PTP and Their Forensic Implications
What are MTP and PTP?
Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) are object-based protocols for moving media files between cameras, portable players and computers. PTP (ISO 15740) came first; MTP is Microsoft's extension of it that adds arbitrary file and folder objects, playlists and DRM-related operations. On Android, MTP is the default USB file-transfer mode and exposes the shared storage (/sdcard, the user's media area on the userdata partition) as a tree of objects; PTP mode exposes only the camera folders (DCIM, Pictures), so the phone appears to the host as a digital camera.
In an MTP/PTP session the Android device is the responder and the host is the initiator: the host addresses files by object handle rather than by path or block, and the device's MTP service translates each operation into filesystem calls on its own storage. This interaction, designed for user convenience, leaves forensic traces on the device. Importantly, MTP/PTP never expose the underlying block device, so a host connected over USB sees only live objects: no unallocated space, no deleted entries and no system partitions. Block-level recovery therefore needs a raw disk image.
How MTP/PTP Interaction Leaves Traces
Even after a file is "deleted" from the device, its metadata or parts of its content may survive in unallocated blocks or in the filesystem journal until they are overwritten or trimmed. Deleting over MTP is simply an unlink performed by the MTP service on the device: the filesystem (ext4 or F2FS) marks the inode and directory entry free, but the data blocks are not wiped at that moment unless a discard is issued for them or garbage collection has already reclaimed them. Around the file itself, Android's MediaProvider keeps an SQLite index of media (external.db) and thumbnail caches exist alongside the photos (for example the .thumbnails directory under DCIM); a deleted row or an orphaned thumbnail is evidence that a file of that name, size and type existed, and freed SQLite pages can retain the row until the database is vacuumed. This is where data carving shines.
The Necessity of Raw Disk Images for Carving
To carve deleted data you need a raw, bit-for-bit image of the device's storage. Logical extractions (adb backup, adb pull of /sdcard, an MTP copy) reproduce only live files in user-accessible areas and contain no unallocated space, no journal and no system partitions. The "full file system" extractions offered by commercial tools (Cellebrite, MSAB, Oxygen Forensics) reach further, since they deliver app data as decrypted files, but they are still logical: unallocated space is normally not part of them. Only a physical acquisition (JTAG, ISP – In-System Programming, eMMC/eMCP chip-off, a bootloader- or exploit-based dump, or dd from a rooted shell) yields the block-level image that carving needs, and on a device with file-based encryption that physical image is ciphertext unless the tool can decrypt it with the device's keys.
# Example of creating a raw disk image from a rooted device (requires root and a shell on the device)
# CAUTION: dd overwrites its output; double-check if= and of= before running.
# eMMC storage usually appears as /dev/block/mmcblk0, UFS storage as /dev/block/sda; /dev/block/by-name/ shows the partition map.
# Write the image to external media or pipe it off the device; never write it to the storage being imaged.
# conv=noerror,sync keeps going past unreadable blocks (zero-padding them) so one bad block does not abort the image.
# Drop status=progress if the device's dd (toybox) does not accept it.
dd if=/dev/block/mmcblk0 of=/mnt/forensic_drive/android_raw_image.img bs=4M conv=noerror,sync status=progress
# Hash the image immediately and re-hash the working copy before every analysis session; analyse the copy, never the device.
sha256sum /mnt/forensic_drive/android_raw_image.img > /mnt/forensic_drive/android_raw_image.img.sha256
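A whole-disk image contains the boot, system and vendor partitions as well as userdata, and carving the whole thing wastes hours on partitions that never held user files. Android storage uses a GPT, so the first step on an image is to parse it and cut out the userdata partition. The following parser is an added example written for this article, not code from any of the tools named above; it builds a constructed 1 MiB GPT disk (two partitions, a marker at the start of userdata) to run against, and the sector size, partition names and GUIDs in that sample are assumptions for the demonstration.

```python
import struct
import uuid
import zlib

HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # primary GPT header, 92 bytes, little-endian
ENTRY_FMT = "<16s16sQQQ72s"         # partition entry, 128 bytes
LINUX_DATA = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # "Linux filesystem data" type GUID

def parse_gpt(image, sector=512):
    """Parse the primary GPT at LBA 1 of a whole-disk image and return the used entries.
    `image` only needs slicing, so an mmap of a multi-GB dump works. eMMC dumps use
    512-byte LBAs; UFS parts commonly use 4096, so retry with sector=4096 when the
    signature is not found at offset 512."""
    hdr_len = struct.calcsize(HEADER_FMT)
    hdr = bytes(image[sector:sector + hdr_len])
    if len(hdr) < hdr_len or hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1: wrong sector size, partition-only image, or MBR disk")
    (_sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first_usable, _last_usable,
     _disk_guid, entries_lba, n_entries, entry_size, table_crc) = struct.unpack(HEADER_FMT, hdr)
    if not hdr_len <= hdr_size <= sector or entry_size < struct.calcsize(ENTRY_FMT):
        raise ValueError("implausible GPT header or entry size")
    full = bytes(image[sector:sector + hdr_size])
    # Header CRC32 covers hdr_size bytes with the CRC field itself (offset 16..20) zeroed.
    if zlib.crc32(full[:16] + b"\0\0\0\0" + full[20:]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch: header damaged or partially overwritten")
    start = entries_lba * sector
    table = bytes(image[start:start + n_entries * entry_size])
    if zlib.crc32(table) != table_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        raw = table[i * entry_size:i * entry_size + struct.calcsize(ENTRY_FMT)]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(ENTRY_FMT, raw)
        if type_guid == b"\0" * 16:
            continue                                   # unused slot
        parts.append({
            "name": name.decode("utf-16-le").split("\0", 1)[0],
            "type_guid": str(uuid.UUID(bytes_le=type_guid)),
            "first_lba": first, "last_lba": last,
            "offset": first * sector, "length": (last - first + 1) * sector,
        })
    return parts

def partition_bytes(image, parts, name):
    """Slice one partition out of the image so carving runs only over it."""
    for p in parts:
        if p["name"] == name:
            return image[p["offset"]:p["offset"] + p["length"]]
    raise KeyError(name)

# --- constructed sample disk (assumed layout, not a real device dump) ---
def _entry(name, first, last, n):
    return struct.pack(ENTRY_FMT, LINUX_DATA.bytes_le, uuid.UUID(int=n).bytes_le, first, last, 0,
                       name.encode("utf-16-le").ljust(72, b"\0"))

def build_sample_image(sector=512):
    """1 MiB disk: GPT with a 'system' and a 'userdata' partition, a marker at the start of
    userdata and no real filesystem; enough to exercise the parser and the CRC checks."""
    total, n_entries, entry_size = 2048, 128, 128          # entry array occupies LBA 2..33
    table = (_entry("system", 34, 1023, 1) + _entry("userdata", 1024, 2014, 2)).ljust(n_entries * entry_size, b"\0")
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total - 1, 34, 2014, uuid.UUID(int=9).bytes_le,
              2, n_entries, entry_size, zlib.crc32(table)]
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))  # CRC over the header with its CRC field zeroed
    image = bytearray(total * sector)
    image[sector:sector + 92] = struct.pack(HEADER_FMT, *fields)
    image[2 * sector:2 * sector + len(table)] = table
    image[1024 * sector:1024 * sector + 16] = b"USERDATA-MARKER!"
    return image

if __name__ == "__main__":
    for p in parse_gpt(build_sample_image()):
        print(f"{p['name']:<12} offset={p['offset']:>10} length={p['length']:>10} type={p['type_guid']}")
```

On a real dump, open the file and pass an mmap (mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) rather than reading it into memory, and use the reported first_lba and length to extract the partition with dd (skip=first_lba count=sectors, with bs equal to the sector size) so the carving tools below run over userdata only. A CRC failure is itself a finding: the primary header was overwritten and the backup GPT at the end of the disk is the next place to look.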
Data Carving Principles for Android Forensics
Data carving is the process of extracting files from raw data based on their unique headers and footers, or other identifying characteristics, without relying on filesystem metadata. This technique is particularly effective in recovering files from unallocated space, where filesystem entries have been removed.
Key Concepts for Carving MTP/PTP Remnants:
- File headers (magic numbers): most file types begin with a distinct byte sequence. JPEG begins with FF D8 FF; the fourth byte is E0 for JFIF files and E1 for EXIF files (which is what a phone camera writes), so a signature of FF D8 FF E0 misses most photos. PDF begins with 25 50 44 46 ("%PDF"), PNG with 89 50 4E 47 0D 0A 1A 0A.
- File footers: many formats also end with a distinct sequence, e.g. FF D9 for JPEG, "%%EOF" for PDF (possibly several times in a file with incremental updates) and the IEND chunk for PNG. A camera JPEG embeds an EXIF thumbnail that has its own FF D9, so the first footer after the header is usually the thumbnail's, not the photo's.
- Internal structures: length fields and markers let a carver bound and validate a candidate instead of trusting a footer (JPEG segment lengths, PNG chunk lengths, MP4 box sizes). MP4/3GP video, the most common Android camera format, has no footer at all and can only be carved by walking its box sizes.
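The principles above amount to a small carver, and writing one makes the thumbnail pitfall concrete. The block below is an added example for this article (not foremost, scalpel or any project code): a header/footer carver that, for JPEG, first walks the segment chain to the SOS marker and searches for FF D9 only from there, so the EXIF thumbnail's own FF D9 does not truncate the photo. It runs over a constructed stand-in for unallocated space (a camera-style JPEG with an embedded thumbnail, a PDF, and a JPEG whose tail was overwritten); the sample files and the size limits are assumptions, and the sample APP1 segment is simplified to just a thumbnail.

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes
    footer: bytes
    max_size: int

# FF D8 FF matches JFIF (..E0) and EXIF (..E1) JPEGs alike; FF D8 FF E0 alone misses camera photos.
SIGNATURES = (
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    Signature("pdf", b"%PDF-", b"%%EOF", 32 * 1024 * 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
)

@dataclass
class Carved:
    ext: str
    offset: int
    data: bytes
    complete: bool   # False: no footer within max_size; carved up to the limit and must be validated

def jpeg_scan_start(image, pos, limit):
    """Walk the JPEG segment chain from the SOI at pos and return the offset where the
    entropy-coded data begins (just after SOS), or None if the chain is malformed.
    Searching for FF D9 only from there skips the FF D9 of the thumbnail inside APP1."""
    p = pos + 2
    while p + 4 <= limit:
        if image[p] != 0xFF:
            return None
        marker = image[p + 1]
        if marker == 0xFF:                       # fill byte before a marker
            p += 1
            continue
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:   # markers without a length field
            p += 2
            continue
        seg_len = int.from_bytes(image[p + 2:p + 4], "big")
        if seg_len < 2:
            return None
        if marker == 0xDA:                       # SOS: scan data follows this segment
            return p + 2 + seg_len
        p += 2 + seg_len
    return None

def carve(image, signatures=SIGNATURES):
    """Header/footer carver over a raw image (bytes, bytearray or mmap); results sorted by offset."""
    found = []
    for sig in signatures:
        pos = image.find(sig.header)
        while pos != -1:
            limit = min(len(image), pos + sig.max_size)
            search_from = pos + len(sig.header)
            if sig.ext == "jpg":
                search_from = jpeg_scan_start(image, pos, limit)
                if search_from is None:          # FF D8 FF inside unrelated data, not a JPEG
                    pos = image.find(sig.header, pos + 1)
                    continue
            end = image.find(sig.footer, search_from, limit)
            if end == -1:
                # No footer: keep max_size bytes as a partial carve (it may contain the next file).
                found.append(Carved(sig.ext, pos, bytes(image[pos:limit]), False))
                pos = image.find(sig.header, pos + len(sig.header))
            else:
                end += len(sig.footer)
                found.append(Carved(sig.ext, pos, bytes(image[pos:end]), True))
                pos = image.find(sig.header, end)
    found.sort(key=lambda c: c.offset)
    return found

def write_carved(found, outdir):
    """Write results foremost-style as <offset>.<ext>, partial carves suffixed _partial."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for c in found:
        path = os.path.join(outdir, f"{c.offset:012d}{'' if c.complete else '_partial'}.{c.ext}")
        with open(path, "wb") as fh:
            fh.write(c.data)
        paths.append(path)
    return paths

# --- constructed sample data (assumed content, not from a real device) ---
_JFIF_APP0 = b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_THUMB = b"\xff\xd8" + _JFIF_APP0 + b"\xff\xd9"                       # thumbnail with its own EOI
_APP1 = b"Exif\x00\x00" + _THUMB                                      # simplified APP1: no TIFF/IFD data
_SOF0 = b"\xff\xc0\x00\x0b" + b"\x08\x00\x01\x00\x01\x01\x01\x11\x00"   # 1x1 greyscale frame header
_SOS = b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
_SCAN = b"\x12\x34\x56\x78" * 8                                       # entropy data, contains no FF
SAMPLE_JPEG = b"\xff\xd8\xff\xe1" + (len(_APP1) + 2).to_bytes(2, "big") + _APP1 + _SOF0 + _SOS + _SCAN + b"\xff\xd9"
SAMPLE_JPEG_TRUNCATED = b"\xff\xd8" + _JFIF_APP0 + _SOF0 + _SOS + _SCAN   # tail overwritten: no EOI
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"

def build_sample_image():
    """Unallocated-space stand-in: zero filler between a camera-style JPEG, a PDF and a truncated JPEG."""
    filler = b"\x00" * 4096
    return filler + SAMPLE_JPEG + filler + SAMPLE_PDF + filler + SAMPLE_JPEG_TRUNCATED + filler

if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.ext} @ {c.offset}: {len(c.data)} bytes, complete={c.complete}")
```

Replace build_sample_image() with an mmap of the userdata partition to run this on a real dump. A naive carver that searched for FF D9 directly after the header would return the 22-byte thumbnail for the first sample and report it as complete; walking to SOS first is what the "internal structures" principle buys you.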
Essential Tools for Data Carving
Several open-source and commercial tools are available for data carving. Here, we focus on commonly used open-source options.
1. Foremost
Foremost is a console program to recover files based on their headers, footers, and internal data structures. It’s pre-configured for various file types and allows custom definitions.
# Install Foremost (on Debian/Ubuntu)
sudo apt-get install foremost
# Basic usage to carve common file types from an Android image
# Output will be placed in a directory named 'output'
foremost -i android_raw_image.img -o output -v
To specify particular file types, you can use the -t flag:
# Carve only JPEGs, PDFs and QuickTime movies. foremost's built-in types are jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp and all;
# MP4/3GP is not built in, so define it in foremost.conf and pass that file with -c.
foremost -t jpg,pdf,mov -i android_raw_image.img -o output_specific -v
Foremost will create subdirectories within the output folder (e.g., `output/jpg`, `output/pdf`) containing the recovered files.
2. Scalpel
Scalpel is a more advanced and faster file carving tool based on Foremost. It uses a configuration file (`scalpel.conf`) to define file types, headers, footers, and maximum file sizes, offering greater flexibility.
# Install Scalpel (on Debian/Ubuntu)
sudo apt-get install scalpel
# Customize the configuration (on Debian/Ubuntu it is /etc/scalpel/scalpel.conf; copy it before editing).
# Every type is commented out by default: uncomment the ones you want or add your own.
# Fields: extension, case-sensitive (y/n), maximum size in bytes, header, footer; bytes are written as \xNN.
# Example entries:
# gif   y   50000000   \x47\x49\x46\x38\x39\x61   \x00\x3b
# jpg   y   50000000   \xff\xd8\xff\xe0\x00\x10   \xff\xd9
# jpg   y   50000000   \xff\xd8\xff\xe1           \xff\xd9
# The second jpg line is the one that catches EXIF (camera) photos; with only the JFIF header they are skipped.
# Run Scalpel. The image is a positional argument: scalpel's -i means "read a list of image files from this file",
# so "-i android_raw_image.img" would treat the image itself as that list.
scalpel -c scalpel.conf -o output_scalpel android_raw_image.img
Scalpel tends to do better on large images because it works in two passes: it first indexes every header and footer location, then carves in a second pass, which keeps memory use bounded regardless of image size.
3. Binwalk
While primarily a firmware analysis tool, Binwalk can identify embedded files and executable code within binary images, making it useful for a preliminary scan to identify potential file types present in an Android dump.
# Install Binwalk (on Debian/Ubuntu)
sudo apt-get install binwalk
# Scan the image for known file signatures
binwalk android_raw_image.img
# Extract recognized files (can be noisy, but good for initial exploration)
binwalk -e android_raw_image.img
Post-Carving Analysis and Validation
After carving, the recovered files are often given generic filenames. Manual review is critical to:
- Validate File Integrity: Ensure the carved files are complete and not corrupted. Often, partial files are recovered.
- Identify Content: Determine the actual content and relevance of the recovered data.
- Metadata Analysis: Extract creation, modification, and access timestamps from the recovered files where available. These timestamps might be internal to the file format (e.g., EXIF data in JPEGs) and could differ from filesystem timestamps.
- Deduplication: Remove duplicate files that might arise from different carving passes or fragmented data.
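The four post-carving steps above can be scripted over a foremost or scalpel output directory. The block below is an added example for this article (not code from either tool): it hashes every carved file to drop duplicates, checks JPEG completeness (SOI present, EOI present), and reads the EXIF DateTime, DateTimeOriginal and DateTimeDigitized tags by parsing the TIFF structure inside APP1, tolerating the truncated carves that foremost and scalpel routinely produce. The sample JPEGs it runs against are constructed, and their dates, names and tag layout are assumptions.

```python
import hashlib
import struct

DATE_TAGS = {0x0132: "DateTime", 0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}

def exif_datetimes(jpeg):
    """Return the EXIF date strings of a JPEG, e.g. {"DateTimeOriginal": "2023:05:01 11:59:58"}.
    Returns {} (or whatever was readable) for JPEGs without EXIF or with a truncated TIFF block,
    so it is safe to run over every carved candidate."""
    idx = jpeg.find(b"Exif\x00\x00", 0, 65536)        # APP1 payload sits within the first 64 KiB
    if idx == -1:
        return {}
    tiff = idx + 6                                    # TIFF header; all IFD offsets are relative to it
    endian = {b"II": "<", b"MM": ">"}.get(bytes(jpeg[tiff:tiff + 2]))
    if endian is None or bytes(jpeg[tiff + 2:tiff + 4]) != struct.pack(endian + "H", 42):
        return {}
    out = {}

    def read_ifd(off, depth):
        if depth > 1:                                 # IFD0 -> Exif sub-IFD is as deep as the dates go
            return
        try:
            (count,) = struct.unpack(endian + "H", jpeg[tiff + off:tiff + off + 2])
            for i in range(count):
                e = tiff + off + 2 + 12 * i
                tag, typ, n, val = struct.unpack(endian + "HHII", jpeg[e:e + 12])
                if tag == 0x8769:                     # pointer to the Exif sub-IFD
                    read_ifd(val, depth + 1)
                elif tag in DATE_TAGS and typ == 2:   # ASCII; value inline if it fits in 4 bytes
                    raw = bytes(jpeg[e + 8:e + 8 + n] if n <= 4 else jpeg[tiff + val:tiff + val + n])
                    if len(raw) == n:                 # skip values that lie beyond a truncated carve
                        out[DATE_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        except struct.error:
            return                                    # entry table cut off: keep what was read

    try:
        (ifd0,) = struct.unpack(endian + "I", jpeg[tiff + 4:tiff + 8])
    except struct.error:
        return {}
    read_ifd(ifd0, 0)
    return out

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def is_complete_jpeg(data):
    return bytes(data[:3]) == b"\xff\xd8\xff" and bytes(data[-2:]) == b"\xff\xd9"

def triage(carved):
    """carved: iterable of (name, bytes), e.g. the files of a foremost/scalpel output directory.
    Returns (unique, duplicates): one record per distinct content, and a map of hash -> all
    names that carried it, so a file carved twice (two passes, overlapping windows) is kept once."""
    unique, seen = [], {}
    for name, data in carved:
        digest = sha256(data)
        if digest in seen:
            seen[digest].append(name)
            continue
        seen[digest] = [name]
        is_jpg = name.lower().endswith(".jpg")
        unique.append({"name": name, "sha256": digest, "size": len(data),
                       "complete": is_complete_jpeg(data) if is_jpg else None,
                       "exif": exif_datetimes(data) if is_jpg else {}})
    return unique, {h: names for h, names in seen.items() if len(names) > 1}

# --- constructed samples (assumed dates and layout, not from a real device) ---
def _tiff_le():
    # IFD0 at offset 8: DateTime (ASCII at 56) and the Exif IFD pointer; Exif IFD at 38: DateTimeOriginal (ASCII at 76)
    ifd0 = struct.pack("<H", 2) + struct.pack("<HHII", 0x0132, 2, 20, 56) + struct.pack("<HHII", 0x8769, 4, 1, 38) + struct.pack("<I", 0)
    exif = struct.pack("<H", 1) + struct.pack("<HHII", 0x9003, 2, 20, 76) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + b"2023:05:01 12:00:00\x00" + b"2023:05:01 11:59:58\x00"

_APP1 = b"Exif\x00\x00" + _tiff_le()
SAMPLE_EXIF_JPEG = (b"\xff\xd8\xff\xe1" + (len(_APP1) + 2).to_bytes(2, "big") + _APP1
                    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" * 8 + b"\xff\xd9")
SAMPLE_PLAIN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"

if __name__ == "__main__":
    import os, sys
    items = []
    for d, _, files in os.walk(sys.argv[1]):            # the foremost/scalpel output directory
        for f in files:
            if f != "audit.txt":
                with open(os.path.join(d, f), "rb") as fh:
                    items.append((f, fh.read()))
    unique, dups = triage(items)
    for u in unique:
        print(u["name"], u["size"], u["complete"], u["exif"])
    print(f"{len(unique)} unique, {sum(len(v) for v in dups.values()) - len(dups)} duplicates dropped")
```

Run it with the output directory as the only argument. The EXIF dates are the ones that matter once the filesystem entry is gone: they are written by the camera app into the file body, so they survive carving, whereas the carved file's own mtime is just the moment you wrote it to disk.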
Challenges and Limitations
- Fragmentation: Severely fragmented files are difficult to carve completely, often resulting in partial or corrupted recoveries.
- Encryption: on a device with full-disk encryption, a raw image taken below the dm-crypt layer is ciphertext and carving it yields nothing unless the volume key is recovered. File-based encryption (the default on current devices) is worse for carving, not better: each file is encrypted under its own key, the blocks of a deleted file stay encrypted after the inode is freed, and a tool that decrypts the live filesystem gives you decrypted files but not decrypted unallocated space. Carving is only effective on plaintext: unencrypted partitions, a pre-encryption-era device, or an image decrypted with the device's keys.
- TRIM/garbage collection: Android issues discards for freed blocks (through the discard mount option where it is enabled, and through the periodic fstrim maintenance job either way), after which the flash controller's garbage collection erases the underlying pages and the data is physically gone rather than merely unindexed. The success rate therefore depends on how quickly the acquisition is performed after deletion, and whether the device was idle long enough for fstrim to run in between.
- Overwriting: Any new data written to the device after deletion will overwrite previous data, further reducing recovery chances.
Conclusion
Carving MTP/PTP remnants and unallocated space from Android dumps is a specialized but powerful technique in the arsenal of digital forensics. While modern Android storage mechanisms pose significant hurdles, a deep understanding of file structures, coupled with effective carving tools and meticulous post-analysis, can yield crucial evidence. The key to successful recovery lies in obtaining a forensically sound raw image and employing a systematic approach to identify, extract, and validate these hidden artifacts. As Android devices continue to evolve, so too must the techniques used to uncover their secrets, making data carving an indispensable skill for anyone delving into mobile forensics.