Anyone have any luck extracting Voxer texts from an iPhone 4S yet?

Have a rather sensitive case involving an iPhone 4S.

Thanks,

Ptl. Bob Couchman
Madisonville Police Department
Kentucky Internet Crimes Against Children Task Force
Electronic Crimes Investigator  

What have you tried so far? What software have you used to perform an extraction more generally? Do you have any files in the Application's folder?  

Hey everyone,

I bumped at the Voxer App as well. But I'm not interested in the text messages, but in voice recording from the Push to Talk app. It seems that is not a typical audio codec. At least VLC doesn't recognize it. On their homepage http://voxer.com/legal/proprietarynotices they are listening

Voxer® Proprietary Notices and Third Party Licensor Notices, Disclaimers and License Requirements

I've found there the Skype audio codec SILK listed. But after doing research on Silk I've found out that it's not the SILK codec but something else. It has to have #!SILK\n as header information. I didn't find this header on my files.

Does anybody have an idea how to play that voice record files?  

What header did you have on your files?
_________________
Colin Mortimer
FishNet Security 

there is the folder Documents\Messages\. There are more than 100 sub-folders with message_ as prefix i.e
message_1341678560945_0866591922_3abba19 or
message_1341670699412_0287941589_2b3b730

i've figured out
1341670699412 is unix-time formated, confirmed with the creation timestamp of the folder
0287941589 don't know yet
2b3b730 there are several folders with this suffix. could be parts of one conversation which belong together

inside this folder are two or three files and a subfolder named parts
files:
"END" size 0
"journal" with this content 17589:7800
"header.json" with this content: (XYZ, ABC and MySubject are replacements for real names)
{"content_type":"audio","create_time":"1341670699.412435",
"from":"user.XYZ.1340641899195_62153783",
"message_id":"1341670699412_0287941589_2b3b730",
"subject":"MySubject","talk_mode":"ptt",
"thread_id":"HL_user.ABC.1331775136058_73026264_user.XYZ.1340641899195_62153783","to":["user.ABC.1331775136058_73026264"]}

the subfolder "parts" has always only one file named 0. the size of 0 varies from 10kb to 150kb, mostly less than 100kb
here are the header of some the files "0". the values in brackets differ
04 [31 64 0A] 20 20 20 20 20 20
04 [31 62 0A] 20 20 20 20 20 20
04 [31 35 0A] 20 20 20 20 20 20
04 [66 0A 20] 20 20 20 20 20 20

thats all I have figured out for now. I appreciate more given hints.  

The most relevant part seems to me the "header.json".
From the (very, VERY little) I know JSON:
www.json.org/
is a sort of XML , a kind of "descriptive" language (and "container"):
www.w3schools.com/json/default.asp
en.wikipedia.org/wiki/JSON

I would try to find a JSON parser capable of correctly reading the "textual" part, first thing.

See if this fits:
tomeko.net/software/JS...hp?lang=en

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

If you want a free json viewer try Allan Hay's site www.ash368.com/#/os1/4547935104

H
_________________
ADF Solutions - Leaders in Digital Forensic Triage
www.adfsolutions.com/
--------------------------------------------------------
Resources for Forensic Practitioners
computerforensics.parsonage.co.uk