Physical Analyzer recovering iMessages

 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

Trying to find deleted iMessages. PA is only recovering 324 when it is suspected there are 1000 of deleted iMessages. I performed a logical iOS and physical iOS extraction. Can I search for screenshots that were sent through iMessages? A search of the phone number associated with the iMessages and/or name is not producing the iMessage. Any help would be appreciated. I just want to be able to explain I have done everything to recover or locate the iMessages. If nothing can be done, at least an explanation why the iMessage isn't there anymore. The strange thing: PA recovered deleted iMessages in the same time period but not the particular iMessage from the particular person I'm looking for.

Note: iPhone 7 Plus, iOS 11.3.1.
The contact was deleted and blocked. PA recovered the deleted contact.

 
Posted : 03/07/2018 1:12 pm
(@anucci)
Posts: 21
Eminent Member
 

Hello there CCSO,

Do you mean that you did a logical extraction for the iOS device via Advanced Logical Method 1 and Method 2 using PA? I did not think you can do physical extractions of iOS devices unless we are referring to very old iPhones like the 3s and 4. Anything above that, I think PA no longer does physical, as all the extraction does is use iTunes to obtain a backup of the phone contents.

The problem I run into with iOS devices is that the extraction method it does is simply an iTunes backup. Generally… when I work with Androids I can inspect the sms.db file directly for any deleted entries to the databases and recover deleted text messages… but with iOS I have yet to be successful. Aside from whatever PA gives me… I do not get a file system to browse through and review the sms.db file holding the information.

The recovery of deleted db records by an automated tool is not always 100%. If the forensic tool cannot verify that the content it's recovering is indeed a message, it will not display it as such. Oftentimes I have recovered messages the tool did not display by looking at the databases directly. Of course… the content of the messages was there but some of the metadata was missing. However… with iOS I can only obtain a logical extraction… which does not give me a file system to browse to get the database the messages came from.

So aside from thinking that the message never existed… the only other way I know is to look directly at the source, but this would only work if the extraction you obtain gives you access to the database, and I don't think you get that with a logical extraction in PA.

My only other idea is to check when the last back up of the device to the cloud was… or see if the device was being backed up to a computer and go after archived backups that are near the date of when your message in question was sent/received.

If the phone has iCloud backups… then get a search warrant for them. If there are computers that were used to back up the device… then go after the backups on the computer and see if any of them contain the message you are searching for.

Also, how do you suspect there were 1000 deleted messages, but only 324 were recovered?

Good Luck!

 
Posted : 03/07/2018 7:10 pm
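The point made above about looking at the database directly (a tool only shows records it can validate, but the bytes of a deleted row often remain in the file) can be shown with a constructed SQLite file. This is an added example, not code from the thread or from Cellebrite, BlackLight or Oxygen; the three-column table only loosely mimics the `message` table of iOS sms.db, and the handles and message texts are made up.

```python
"""Constructed demo: a row deleted from a SQLite file (a stand-in for iOS
sms.db) can stay in free space even though SQL no longer returns it."""
import os
import re
import sqlite3
import tempfile

# Constructed sample: handle 2 stands for the deleted/blocked contact.
MESSAGES = [
    (1, "Are we still meeting at the station tomorrow at nine"),
    (2, "Thanks for dinner last night, talk again soon"),
    (1, "Sure, see you at the north entrance"),
]
DELETED_HANDLE = 2
DELETED_TEXT = MESSAGES[1][1]

# Runs of 8+ printable ASCII bytes: the crudest possible 'strings' carver.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def simulate(secure_delete: bool):
    """Build the db, delete one contact's rows, return (SQL view, carved strings)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        conn = sqlite3.connect(path)
        # Rollback journal so every page lands in the main file. Real iOS sms.db
        # uses WAL, so sms.db-wal must be collected and scanned as well.
        conn.execute("PRAGMA journal_mode = DELETE")
        # secure_delete=ON zeroes freed cells; OFF (the usual default) leaves them.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, "
                     "handle_id INTEGER, text TEXT)")
        conn.executemany("INSERT INTO message (handle_id, text) VALUES (?, ?)",
                         MESSAGES)
        conn.commit()
        conn.execute("DELETE FROM message WHERE handle_id = ?", (DELETED_HANDLE,))
        conn.commit()
        visible = [r[0] for r in conn.execute("SELECT text FROM message ORDER BY ROWID")]
        conn.close()
        with open(path, "rb") as f:
            raw = f.read()  # what a raw file-system view of the db gives you
    carved = [m.group().decode("ascii") for m in PRINTABLE.finditer(raw)]
    return visible, carved


def carved_contains(carved, needle):
    return any(needle in s for s in carved)
```

The deleted text is carved from the file's free space with secure_delete OFF and is gone with it ON, which is one reason the same tool recovers some deleted messages and not others.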
 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

Thanks for the insight! The victim in this case said she had iMessage conversations with the person and deleted them. The victim also said she suspects she had deleted a lot more than just 324 because this is her primary way of communicating with people. Any other suggestions to locate the deleted data would be helpful.

 
Posted : 05/07/2018 12:12 pm
(@anucci)
Posts: 21
Eminent Member
 

Do you have any other tools you can obtain an extraction with?

At times, I have recovered deleted iMessages using BlackLight when Cellebrite did not recover them. Sorry if my suggestions are things you've already tried, but I figured I would mention it just in case.

 
Posted : 05/07/2018 1:47 pm
 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

I'm running Oxygen Forensic now to see what I get.

 
Posted : 05/07/2018 1:56 pm