iOS SQLite database...
 
Notifications
Clear all

iOS SQLite database deleted data

11 Posts
6 Users
0 Likes
3,126 Views
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Given how on the newer models of iphone and ios the only way of accessing any kind of deleted data is by carving the sqlite database, please tell me what kind of data might be found here that was deleted.

Might it include
-Deleted photos?
-Deleted/InPrivate browsing history?

 
Posted : 23/06/2015 4:22 am
(@dcs1094)
Posts: 146
Estimable Member
 

Take a look at Recovering deleted records from an SQLite database article.

 
Posted : 23/06/2015 12:36 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

That article doesn't specifically answer - will you find deleted photos and in private browsing in the SQLite database?

 
Posted : 23/06/2015 11:33 pm
(@dcs1094)
Posts: 146
Estimable Member
 

In all fairness your original query is generic, there are numerous databases stored on iOS devices. Some databases may contain data types such as BLOB (Binary Large OBject), which in turn may contain an image - the article does refer to this. As for Safari, the iOS browser does not store the main web history (URLs) within a SQLite database on an iPhone for example, instead it stores within a PList.

 
Posted : 24/06/2015 1:36 am
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

So does that mean deleted browser history can or can't be recovered?

 
Posted : 24/06/2015 1:39 am
(@dcs1094)
Posts: 146
Estimable Member
 

If all you have is the Safari 'history.plist' from an iPhone logical (backup) extraction, you will only be able to extract the live records, as the file only stores the web history until the user opts to clear the history; Property List files are completely different to SQLite databases. Your best bet would be to look into other sources of Safari browser data, such as Cookies.binarycookies.

 
Posted : 24/06/2015 1:58 am
(@belkasoft)
Posts: 169
Estimable Member
 

Given how on the newer models of iphone and ios the only way of accessing any kind of deleted data is by carving the sqlite database, please tell me what kind of data might be found here that was deleted.

Might it include
-Deleted photos?
-Deleted/InPrivate browsing history?

You can read our article at http//belkasoft.com/en/sqlite-analysis on how to analyze SQLite.

InPrivate browsing is not stored in history database so is not deleted and thus cannot be recovered.

You can also request a free trial of our Belkasoft Evidence Center (http//belkasoft.com/ec) in order to see what can be recovered. Evidence Center has a full SQLite recovery capabilities, it can analyze freelists, WAL/journal files, unallocated space.

 
Posted : 24/06/2015 2:09 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Hi Wotsits

Your question re private browsing has been answered and as DCS1094 says the question re pictures is database specific. There are a number of SQLite applications that store pictures as blobs within the database (these include Skype and WhatsApp for instance) and in these instances the picture shoud be recoverable but with the following caveats

If SQLite secure deletion is enabled then when the picture is deleted the space occupied by it is overwritten with NULLs.

If secure deletion is not enabled then pcitures may be recoverable but as pictures tend to be quite large and will often span multiple database pages, if the deleted overflow pages are overwritten then you may only get part of the image back.

As in the article linked to above (thanks DCS1094) my Forensic Toolkit for SQLite is capable of recovering any record that is deleted and has not been overwritten. There is no distinction made between any record types and if a blob contains a picture then it is potentially as recoverable as a string record.

Of course pages from a database may also be found in swap files etc. and even if secure deletion is enabled then these old coopies of records can also be recovered. Again my software provides facilities to recover deleted databases and records from unallocated space/swap files etc.

There is more information on my website at the following link along with a form to request a fully functional demo.

http//sandersonforensics.com/forum/content.php?195-Forensic-Toolkit-for-SQLite

 
Posted : 24/06/2015 2:34 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Further to my post above. In the following animated gif I have created a database and populated a table with a number of records containing images. I have disabled secure delete in SQLite and then deleted the complete content of the table using "DELETE FROM pictures". I then open the database in the Forensic Browser for SQLite and choose to recover deleted records (the default), I then create a simple visual query to show just the blob (rendered as a picture) and the staus field. You can see the images have been recovered

As mentioned please visit the web site for more info

http//sandersonforensics.com/forum/content.php?198-Forensic-Browser-for-SQLite

 
Posted : 24/06/2015 4:12 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

1. Thumbnails of deleted photos are usually stored in \private\var\mobile\Media\PhotoData\Thumbnails\ folder. In SQLite databases pictures from a particular app can be found.
2. In recent iOS versions Safari web history is in History.db, not plist format any more. So you will be able to recover deleted history and bookmarks. Unfortunately private browsing mode leaves no traces in the database so you will extract nothing.

 
Posted : 07/07/2015 3:35 pm
Page 1 / 2
Share: