Now a team of researchers from Purdue University is working on a new technique that could aid law enforcement in gathering this data more efficiently.
The team, led by Dongyan Xu, a computer science professor and interim executive director of the Center for Education and Research in Information Assurance and Security, has been working on the technique, dubbed RetroScope, for the past nine months, as a continuation of its work in smartphone memory forensics.
The research moves the focus from a smartphone's hard drive, which holds information after the phone is shut down, to the device's RAM, which is volatile memory.
"We argue this is the frontier in cybercrime investigation in the sense that the volatile memory has the freshest information from the execution of all the apps," said Xu. "Investigators are able to obtain more timely forensic information toward solving a crime or an attack."
While the contents of volatile memory are gone as soon as the phone is shut down, they can still reveal surprising amounts of forensic data if the device is up and running.
Earlier research, published last year, showed that the last screen displayed by an Android application could be recovered. Building on that, the team has now found that applications leave a lot of data in volatile memory long after that data was displayed.
To reveal that data, Purdue doctoral student Brendan Saltaformaggio suggested that, instead of searching memory for the data itself, the phone's graphical rendering code could be retargeted to specific memory areas to obtain and recall several previous screens shown by an application.
RetroScope requires no previous information about an application's internal data. The screens that are recovered, starting with the last screen the application displayed, are presented in the order they were seen previously.
"Anything that was shown on the screen at the time of use is indicated by the recovered screens, offering investigators a litany of information," Xu said.
When the team tested the method, it was able to recover anywhere from three to 11 previous screens in 15 different applications, an average of five pages per application. The applications ranged from social media varieties like Facebook and Instagram to more privacy-conscious ones.
For more information, watch the demo video, put together by the team.
"We feel without exaggeration that this technology really represents a new paradigm in smart phone forensics," said Xu. "It is very different from all the existing methodologies for analyzing both hard drives and volatile memories."
While RetroScope removes a lot of the manual work conducted by smartphone forensics investigators, it also raises questions about how much is available for recovery from a person's smartphone.
"I was personally amazed by the lack of in-memory app data protection," said Xu. "One would expect these privacy-sensitive apps to have more completely shredded the information that was previously displayed."
The team is also working to figure out how to potentially disrupt the RetroScope tool.