Scenario
- Example user (U) has an up-to-date, uncompromised GrapheneOS device
- U needs to access a confidential file (F) that is sensitive both in name and content
- U obtains F by downloading it through Vanadium
- Shortly thereafter, U deletes F through the standard Files app
- A week later, the device falls into the hands of law enforcement
- Law enforcement (LE) strongly suspects the existence of F, but requires proof for a conviction
- LE has permanent unencrypted access to the whole device, including all user profiles
Questions
- Will LE succeed in reconstructing F to partial or full extent? What level of motivation and willingness to spend resources would be required for LE to succeed?
- What countermeasures could U have implemented to increase the required motivation and resources? Still assume LE has permanent unencrypted access to the device and user profiles.
- Assume U used a guest profile to store F, which was deleted afterward. What possibly compromising information might LE still be able to reconstruct, such as the time of guest profile creation, the time of guest profile deletion, etc.?
Clarification
Let me be clear that this is not primarily about simply utilizing the encryption of (deleted) user profiles. I am aware that this will generally provide sufficient protection, and there are already enough threads about that. I mainly want to find out whether all traces of F could be erased reasonably well inside a user profile, and what options there are to increase the practical likelihood that LE will not recover F.
This might be useful as an additional layer of defense if an attacker gains possession of the device before U can end the session, or should the attacker gain knowledge of the password/PIN. Should there be a reliable, secure method of erasure, it might also give U the option to feign innocence and unlock the device willingly in case of severe consequences for non-compliance.
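One concrete kind of trace behind the "sensitive in name" concern: app databases on Android (download history, media indexing) are SQLite files, and deleting a row does not remove its bytes from the file by default; they sit in the page's free space until overwritten. The following is an added Python example, not code from the post or from GrapheneOS; the table layout and the filename are constructed, and `PRAGMA secure_delete` and `VACUUM` are shown as the mitigations an app (or a user running a cleanup) would apply.

```python
import os
import sqlite3
import tempfile

# Constructed sample data modelled on a download-history table.
SENSITIVE_NAME = "confidential-merger-plan.pdf"  # placeholder name for F
ROWS = [
    ("wallpaper.jpg", "https://example.invalid/w.jpg"),
    (SENSITIVE_NAME, "https://example.invalid/f.pdf"),
    ("readme.txt", "https://example.invalid/r.txt"),
]


def deleted_row_survives(secure_delete: bool, vacuum: bool = False) -> bool:
    """Insert ROWS, delete the sensitive row, then scan the raw database
    file for the filename. Returns True if the name is still recoverable."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Set explicitly so the outcome does not depend on the build default.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute(
            "CREATE TABLE downloads (id INTEGER PRIMARY KEY, name TEXT, url TEXT)"
        )
        conn.executemany("INSERT INTO downloads (name, url) VALUES (?, ?)", ROWS)
        conn.commit()
        # The "standard" deletion an app performs when the user removes a file.
        conn.execute("DELETE FROM downloads WHERE name = ?", (SENSITIVE_NAME,))
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file, discarding free space
        conn.close()
        # Forensic-style check: look at the raw bytes, not through SQL.
        with open(path, "rb") as f:
            return SENSITIVE_NAME.encode() in f.read()
    finally:
        os.remove(path)
        # Not covered here: the rollback journal / WAL written during the
        # commit and the deleted file's own blocks are separate traces.
```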