UFED Ultimate pulls the logical data from an unlocked iPhone 5 well enough and the data is parsed in Physical Analyzer and all looks good.
Except if I grab the phone and do a spotlight search via iOS (6.1) and enter a keyword, in this case 'molest" and "sex". Multiple message previews are shown that are not present in the parsed logical image, at least as far as I can tell.
Is there a way to get these iMessages?
For giggles I went through a friends iPhone 4 and via spotlight search I am able to see message fragments almost a year old, long deleted. This phone has never been backed up to iTunes, only iCloud.
Spotlight maintains a separate index of SMS messages. I can't remember if the this file comes down on a backup or whether you'll need a more "physical" extraction, but the file (SQLite database, naturally) should be in
mobile/Library/Spotlight/com.apple.MobileSMS
You get the message text, and sometimes a date. You don't get a straight phone number, but there's a field which contains identifiers which you might be able to reconcile with the SMS database.
Thanks I'll take a look.
Appears the /Library/Spotlight is not part of the logical data. Did an EnCase logical and it doesn't see this database either.
If you want to recover from iTunes or iCloud, go to http//
If you want to recover deleted imessages quickly and safely, you can try some recovery apps.
Jailbreak the iPhone. After that, run a file system extraction and choose the "jail break" selection. (Cellebrite) You should be able to grab the spotlight database.
You can also retrieve iMessages from iChat archives on Mac devices.