±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 34693
New Yesterday: 0 Visitors: 240

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS?

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS?

Post Posted: Sat Sep 29, 2018 12:15 am

A client iPhone 6 - A1586 - that hasn't been connected to a PC previously (no iTunes backup) - I have been provided unlock code and 2FA access to the AppleID / iCloud.

This is a civil client case (not LE) where the iPhone 6, 16GB, iOS 11.4.1, is believed to contain old deleted text messages (SMS). Internal memory use is almost 100%. The objective is to try to retrieve previously (ca 3 months back in time) deleted text messages. Backup on iCloud exists but storage is also maxed out - 2% free, only two generations of backup shown (recent both).

The phone was logically acquired with Magnet Acquire (latest version), resulting in a 8GB file (Apple iPhone7,2 Quick Image.zip). Also tried acquisition using Encase 8.07 and Belkasoft Acquisition Tool (less data was collected by these tools).

The files acquired are the backup files (such as 3d0d7e5fb2ce288813306e4d4636395e047a3d28 of the sms.db). These files does not seem to contain any deleted messages though (using SQL-tools to search).

Is there a working option to get hold of the sms.db under these circumstances? Is it even likely that the sms.db contains larger numbers of deleted messages (as is the objective to find)? Jailbreaking the phone is possible if it helps the case. Any method that positively would be useful to extract the sms.db? Paid service is an option if offered!

Appreciate any help on this issue! I have searched the net and this forum for options - then I decided to post this request instead!

Location is Sweden.  

urq82
Newbie
 
 
  

Re: iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS

Post Posted: Sat Sep 29, 2018 3:47 am

I sent you a PM.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 

passcodeunlock
Senior Member
 
 
  

Re: iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS

Post Posted: Wed Oct 31, 2018 7:15 am

@urq82 How did you get on with this phone? Any luck. I currently have a similar issue.  

jmorgan10
Member
 
 
  

Re: iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS

Post Posted: Wed Nov 07, 2018 2:35 am

Update on this issue.

After seeking additional advice from several mobile forensics vendors I finally got hands-on advice from Elcomsoft (Thank You!).

It turns out that the only known way to - with a higher likelihood - retrieve deleted text messages in IOS 11.4.1 would be through a physical extraction. This would then include not only the active sms.db but also the important WAL file(s). And that the only method known (at this time) to obtain a physical image for the IOS version in the case is use of GrayKey services. That was not an option to my case.

If the sms.db would have been found on the iCloud backup, this would have been a vacuumed version of the database with low likelihood of containing deleted data.

One decision factor also involved in the case was that an estimated 3,000 new text messages had been sent since the time of the initial deletion. This fact also mattered in the sense that the likelihood of finding deleted text messages was reduced due to the large amount of potential over-writes in deleted space in the database.

I hope this can help others seeking solutions to similar matters. I am not an expert on this matter but I managed to get slightly wiser as a result of this!  

urq82
Newbie
 
 
  

Re: iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS

Post Posted: Wed Nov 07, 2018 11:03 am

I wrote you earlier that you would need a decrypted dump for this (generically named physical acquisition).

Besides GrayKey, other solutions do exist for this. The only problem usually is the price of such an acquisition, which, let's face the truth, was your problem as well.

The potential overwrites in deleted space in the database make some sense, still dropping any further analysis based on theory is anyhow stupid, because considering a timeline the overwrites are not linear, also at some point you might have multiple versions of the db and wal files in the physical acquisition.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 

passcodeunlock
Senior Member
 
 
  

Re: iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS

Post Posted: Wed Nov 07, 2018 4:43 pm

Thanks Urq for the update, much appreciated.  

jmorgan10
Member
 
 

Page 1 of 1