iPhone 6, iOS 11.4....
 
Notifications
Clear all

iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS?

11 Posts
8 Users
0 Likes
2,641 Views
(@urq82)
Posts: 10
Active Member
Topic starter
 

A client iPhone 6 - A1586 - that hasn't been connected to a PC previously (no iTunes backup) - I have been provided unlock code and 2FA access to the AppleID / iCloud.

This is a civil client case (not LE) where the iPhone 6, 16GB, iOS 11.4.1, is believed to contain old deleted text messages (SMS). Internal memory use is almost 100%. The objective is to try to retrieve previously (ca 3 months back in time) deleted text messages. Backup on iCloud exists but storage is also maxed out - 2% free, only two generations of backup shown (recent both).

The phone was logically acquired with Magnet Acquire (latest version), resulting in a 8GB file (Apple iPhone7,2 Quick Image.zip). Also tried acquisition using Encase 8.07 and Belkasoft Acquisition Tool (less data was collected by these tools).

The files acquired are the backup files (such as 3d0d7e5fb2ce288813306e4d4636395e047a3d28 of the sms.db). These files does not seem to contain any deleted messages though (using SQL-tools to search).

Is there a working option to get hold of the sms.db under these circumstances? Is it even likely that the sms.db contains larger numbers of deleted messages (as is the objective to find)? Jailbreaking the phone is possible if it helps the case. Any method that positively would be useful to extract the sms.db? Paid service is an option if offered!

Appreciate any help on this issue! I have searched the net and this forum for options - then I decided to post this request instead!

Location is Sweden.

 
Posted : 29/09/2018 6:15 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

I sent you a PM.

 
Posted : 29/09/2018 9:47 am
(@jonny_boy)
Posts: 10
Active Member
 

@urq82 How did you get on with this phone? Any luck. I currently have a similar issue.

 
Posted : 31/10/2018 1:15 pm
(@urq82)
Posts: 10
Active Member
Topic starter
 

Update on this issue.

After seeking additional advice from several mobile forensics vendors I finally got hands-on advice from Elcomsoft (Thank You!).

It turns out that the only known way to - with a higher likelihood - retrieve deleted text messages in IOS 11.4.1 would be through a physical extraction. This would then include not only the active sms.db but also the important WAL file(s). And that the only method known (at this time) to obtain a physical image for the IOS version in the case is use of GrayKey services. That was not an option to my case.

If the sms.db would have been found on the iCloud backup, this would have been a vacuumed version of the database with low likelihood of containing deleted data.

One decision factor also involved in the case was that an estimated 3,000 new text messages had been sent since the time of the initial deletion. This fact also mattered in the sense that the likelihood of finding deleted text messages was reduced due to the large amount of potential over-writes in deleted space in the database.

I hope this can help others seeking solutions to similar matters. I am not an expert on this matter but I managed to get slightly wiser as a result of this!

 
Posted : 07/11/2018 8:35 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

I wrote you earlier that you would need a decrypted dump for this (generically named physical acquisition).

Besides GrayKey, other solutions do exist for this. The only problem usually is the price of such an acquisition, which, let's face the truth, was your problem as well.

The potential overwrites in deleted space in the database make some sense, still dropping any further analysis based on theory is anyhow stupid, because considering a timeline the overwrites are not linear, also at some point you might have multiple versions of the db and wal files in the physical acquisition.

 
Posted : 07/11/2018 5:03 pm
(@jonny_boy)
Posts: 10
Active Member
 

Thanks Urq for the update, much appreciated.

 
Posted : 07/11/2018 10:43 pm
(@zeroonezero)
Posts: 16
Active Member
 

iCloud backups flush database free space?

Has anyone else noticed that recovered deleted iMessages lack content when parsed by Cellebrite?

 
Posted : 20/11/2018 8:27 pm
(@armresl)
Posts: 1011
Noble Member
 

Cellebrite doesn't handle this?
Oxygen?
Guessing you can't JB or root that particular firmware.

I wrote you earlier that you would need a decrypted dump for this (generically named physical acquisition).

Besides GrayKey, other solutions do exist for this. The only problem usually is the price of such an acquisition, which, let's face the truth, was your problem as well.

The potential overwrites in deleted space in the database make some sense, still dropping any further analysis based on theory is anyhow stupid, because considering a timeline the overwrites are not linear, also at some point you might have multiple versions of the db and wal files in the physical acquisition.

 
Posted : 20/11/2018 11:37 pm
(@nylarose)
Posts: 5
Active Member
 

Physical extraction can solve this problem, but you must look for a reliable local data recovery service. My suggestion is to use the data recovery function of RecoveryTool Fix Recovery or the data recovery software of Wondershart. This will save you a lot of time. Taking into account the iPhone internal memory usage rate is almost 100%. You need to make a decision as soon as possible.

 
Posted : 11/10/2021 7:01 am
(@jadams951)
Posts: 37
Eminent Member
 

I can tell you that Gray Key will only get you a file system extraction.  Since the A4 chip, in the iPhone 4, physical acquisitions have not been possible.  If I'm wrong please let me know.  My experience of getting deleted messages in iPhones is not that great.  

 
Posted : 11/10/2021 11:40 pm
Page 1 / 2
Share: