iPhone SMS.db
Posted: Sat Feb 18, 2012 8:08 am
Hello,
I've one question concerning the SMS.db of an iPhone.
Is there a way to find out to which phone number a sms in the sms.db was sent?
The sms.db stores all incoming SMS in the sms.db, even if you switch the SIM card.
I've now the problem that I can't reconstruct to which phone number a SMS was sent.
Any hints?
Regards
Joerg
-

Griso - Newbie
Re: iPhone SMS.db
Posted: Sat Feb 18, 2012 10:27 am
I did a quick Google search and found some things that might be of interest:
www.igeekden.com/2010/...h-ifunbox/
linuxsleuthing.blogspo...abase.html
database-viewer-plus-f...oft32.com/
Seems this is a SQLite database; you can view the schema with something like SQLite Database Browser, and even write a script (Perl DBI) to extract the data, if you want...
HTH
-

keydet89 - Senior Member
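The approach suggested in the reply above (inspect the schema, then script the extraction), as an added example that is not part of the original thread. It uses Python's sqlite3 module rather than Perl DBI, opens the file read-only, and reports which table columns contain a given phone number; the table, column names and numbers are constructed stand-ins, not the real SMS.db layout.

```python
import sqlite3
import tempfile
from pathlib import Path

def open_read_only(path):
    # mode=ro makes SQLite reject writes; still work on a copy of the evidence.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def schema(conn):
    """Map each table name to its list of column names."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    return {t: [c[1] for c in conn.execute(f'PRAGMA table_info("{t}")')] for t in tables}

def digits(value):
    """Keep only the digits so '+49 171 ...' and '0171...' can be compared."""
    return "".join(ch for ch in str(value) if ch.isdigit())

def find_number(conn, number, tail_len=8):
    """Count cells per (table, column) that contain the number's last digits."""
    tail = digits(number)[-tail_len:]
    hits = {}
    for table, columns in schema(conn).items():
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(columns, row):
                if val is not None and tail in digits(val):
                    hits[(table, col)] = hits.get((table, col), 0) + 1
    return hits

def build_sample(path):
    """Constructed stand-in database; not the real SMS.db schema or data."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT,"
                 " date INTEGER, text TEXT, flags INTEGER)")
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?)", [
        (1, "+49 171 5550101", 1329552480, "See you at 8", 2),
        (2, "01715550101", 1329560000, "ok", 3),
        (3, "+491605550199", 1329570000, "Call me on 0171 5550101", 2),
    ])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(f"{d}/sample.db")
        conn = open_read_only(f"{d}/sample.db")
        print(schema(conn))
        print(find_number(conn, "+49 171 5550101"))
        conn.close()
```

Hits are candidates only: digits are compared after stripping formatting, so a match inside a long message body should be confirmed by reading the row.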
Re: iPhone SMS.db
Posted: Mon Feb 20, 2012 2:44 am
Your best bet is to probably match records extracted from the database with any billing records you have obtained for each SIM card. I could be wrong, but there does not appear to be any field in the database regarding the receiving number.
iMessage messages have a 'To' and 'From' field, as do MMS messages. If there are any extracted from the handset then that could give you some idea as to the time frame that each SIM card was used in the handset.
_________________
Joshua Tedd
CCL-Forensics
-

Logan - Senior Member
Re: iPhone SMS.db
Posted: Tue Feb 21, 2012 12:05 am
Well, I am somewhat confused by what's being asked based upon the responses to your post.
Joerg, can you clear things up a bit?
Are you trying to figure out if the SMS.db contains "to" / "from" tags?
As Joshua said, the SMS.db does not have "to/from" tags for standard SMS messages. However, there are "to/from" tags in the following format "sender email address or telephone #" followed immediately by what appears to be a GUID followed by "Madridp" followed by ": host telephone number and GUID". Your best bet would be to obtain call detail records and compare date/time stamps or see if the cellular provider retains SMS content.
Are you saying the SIM card of the device was changed? Meaning on X date the iPhone had X SIM card and X SMS.db, but on Y date the iPhone now had Y SIM card but SMS messages were still being written to X SMS.db? This could be a problem, but you should see the change as indicated above if any of the messages are iMessages. Additionally, depending on what you are using to view the image you're working with you might find other artifacts/date/time stamps helping identify when the switch was made or likely made.
Or are you trying to identify the destination of SMS messages sent from the iPhone? This is fairly easy to do and I am in the middle of writing a blog with simple instructions and a few tips to use.
Cheers,
Dave
-
meatball4rensix - Newbie
Re: iPhone SMS.db
Posted: Wed Feb 22, 2012 4:23 am
- meatball4rensix
Are you saying the SIM card of the device was changed? Meaning on X date the iPhone had X SIM card and X SMS.db, but on Y date the iPhone now had Y SIM card but SMS messages were still being written to X SMS.db?
Yes, this was the background of my question.
Thanks a lot for your help.
Regards
Joerg
-

Griso - Newbie
Re: iPhone SMS.db
Posted: Thu Feb 23, 2012 8:52 am
Joerg,
In that case I would be looking towards other artifacts in the phone. Based upon the information contained within these plists I would guess they may be of value. However, you may have to do some testing to find out. Or you might check with Apple Security to see if they will tell you whether or not these plists will be changed/updated depending on the insertion of a new SIM card.
In no particular order really, I would look at:
/wireless/Library/Preferences/com.apple.commcenter.plist
* Because this plist holds the carrier ID, ICCID, and telephone number notably. I would imagine this might have updated date/time stamps or you may find a deleted com.apple.commcenter.plist in unallocated space if a new one was created.
/root/Library/Lockdown/data_ark.plist
/logs/AppleSupport/general.log
/logs/lockdownd.log
/log/DiagnosticMessages/*.asl (can be opened in text editor)
Also as a second thought, I haven't looked at iTunes backups in some time though you might be able to use those as historical snapshots if it contains the com.apple.commcenter.plist (almost like using Windows Restore Points or Volume Shadow Copies to see historical changes on a machine).
And finally, you may serve Apple with legal paper - assuming you can - for data contained within the user's iCloud backup should they possess an iCloud account. iOS 5 allows users to choose between their computer locally and iCloud for backups.
Hopefully this was helpful and leads to some useful information.
Cheers,
Dave
-
meatball4rensix - Newbie
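The idea in the post above of treating successive backups as historical snapshots of com.apple.commcenter.plist, as an added example that is not part of the original thread. It compares copies of the plist oldest-first and reports when SIM-related values change; the key names (`ICCID`, `PhoneNumber`, `CarrierId`), snapshot labels and values are assumptions constructed for the demonstration, so check them against the keys actually present in the recovered file.

```python
import plistlib

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {key path: value}."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix: obj}
    out = {}
    for key, value in items:
        out.update(flatten(value, f"{prefix}/{key}"))
    return out

def sim_timeline(snapshots, watch=("ICCID", "PhoneNumber")):
    """snapshots: [(label, plist bytes)] ordered oldest first.
    Returns [(label, key path, old value, new value)] for watched keys."""
    changes, previous = [], None
    for label, raw in snapshots:
        # plistlib.loads detects XML and binary plists automatically.
        current = flatten(plistlib.loads(raw))
        if previous is not None:
            for path in sorted(set(previous) | set(current)):
                name = path.rsplit("/", 1)[-1]
                old, new = previous.get(path), current.get(path)
                if name in watch and old != new:
                    changes.append((label, path, old, new))
        previous = current
    return changes

def sample_snapshots():
    """Constructed plists standing in for copies taken from three backups."""
    sim_a = {"CarrierId": "carrier-a", "ICCID": "89490000000000000001",
             "PhoneNumber": "+491715550101"}
    sim_b = {"CarrierId": "carrier-b", "ICCID": "89490000000000000002",
             "PhoneNumber": "+491605550199"}
    dump = lambda d: plistlib.dumps(d, fmt=plistlib.FMT_BINARY)
    return [("backup 2012-01-10", dump(sim_a)),
            ("backup 2012-02-01", dump(sim_a)),
            ("backup 2012-02-15", dump(sim_b))]

if __name__ == "__main__":
    for change in sim_timeline(sample_snapshots()):
        print(change)
```

The first snapshot in which a watched value differs bounds the SIM change: it happened between that backup and the one before it.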
















