New Today: 0
New Yesterday: 4
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
Subforums: Mobile Telephone Case Law
I've one question concerning the SMS.db of an iPhone.
Is there a way to find out to which phone number a sms in the sms.db was sent?
The sms.db stores all incoming SMS in the sms.db, even I you switch the SIM card.
I've now the problem that I can't reconstruct to which phone number a SMS was sent.
Seems this is a SQLite database; you can view the schema with something like SQLite Database Browser, and even write a script (Perl DBI) to extract the data, if you want...
- Senior Member
iMessage messages have a 'To' and 'From' field, as do MMS messages. If there are any extracted from the handset then that could give you some idea as to the time frame that each SIM card was used in the handset.
- Senior Member
Joerg, can you clear things up a bit?
Are you trying to figure out if the SMS.db contains "to" / "from" tags?
As Joshua said, the SMS.db does not have "to/from" tags for standard SMS messages. However, there are "to/from" tags in the following format "sender email address or telephone #" followed immediately by what appears to be a GUID followed by "Madridp" folled by ": host telephone number and GUID". Your best bet would be to obtain call detail records and compare date/time stamps or see if the cellular provider retains SMS content.
Are you saying the SIM card of the device was changed? Meaning on X date the iPhone had X SIM card and X SMS.db, but on Y date the iPhone now had Y SIM card but SMS messages were still being written to X SMS.db? This could be a problem, but you should see the change as indicated above if any of the messages are iMessages. Additionally, depending on what you are using to view the image you'r working with you might find other artifacts/date/time stamps helping identify when the switch was made or likely made.
Or are you trying to identify the destination of SMS messages sent from the iPhone? This is fairly easy to do and I am in the middle of writing a blog with simple instructions and a few tips to use.
Are you saying the SIM card of the device was changed? Meaning on X date the iPhone had X SIM card and X SMS.db, but on Y date the iPhone now had Y SIM card but SMS messages were still being written to X SMS.db?
yes, this was the background of my question.
Thanks a lot for your help.
In that case I would be looking towards other artifacts in the phone. Based upon the information contained within these plists I would guess they may be of value. However, you may have to do some testing to find out. Or you might check with Apple Security to see if they will tell you whether or not these plists will be changed/updated depending on the insertion of a new SIM card.
In no particular order really, I would look at:
* Because this plist holds the carrier ID, ICCID, and telephone number notably. I would imagine this might have an updated date/time stamps or you may find a deleted com.apple.commcenter.plst in unallocated space if a new one was created.
/log/DiagnosticMessages/*.asl (can be opened in text editor)
Also as a second thought, I haven't looked at iTunes backups in some time though you might be able to use those as historical snapshots if it contains the com.apple.commcenter.plist (almost like using Windows Restore Points or Volume Shadow Copies to see historical changes on a machine).
And finally, you may serve Apple with legal paper - assuming you can - for data contained within the users iCloud backup should they possess an iCloud account. iOS 5 allows users to choose between their computer locally and iCloud for backups.
Hopefully this was helpful and leads to some useful information.