
Extracting Readable (deleted) data from iPhone backup file?

(@rottmom)
Active Member
Joined: 14 years ago
Posts: 12
Topic starter  

First I want to say thank you all so very much for trying to help me. Your generosity is greatly appreciated.

I am to the point of giving up… It's quite maddening knowing the information is in there, but I just can't decipher it.

I'm able to see the phone number & the first few letters of the deleted text (but surrounded by gibberish) when I view it all the different ways I've tried. Then there's the texts that weren't deleted… They look the same way… But THOSE show up plain as day in the SQLite! Arggggggghhhh!

It's in there… I just.cant.get.to.it!

Hex is the key… I know this. But I don't think I'll be able to figure out how to use hex editing without losing my mind. It's QUITE confusing.

I did read another article: http://www.uptill3.com/static/iphone_forensics.pdf

On page 10 of the above PDF, it says to use plutil (provided in the Apple software) and to unencode the base64. (I found base64 online decoders.)

I've never used anything like plutil, only ever used Windows, never anything where you have to type in commands or prompts.

Do any of y'all think the data I'm seeking will come up if I use this? Or will it be the same that I can already see in sqlite?

I've read the Zdziarski method & although I don't have the actual phone, just the backup, I did download Scalpel, but can't get it extracted and running. It's a tar.gz file so I had to download WinAce to extract it, but Scalpel still will not open. (something about a .dll accompanying file)

So anyway… Thank you all again. This whole thing has been a huge learning experience…. And I don't mean just about computers. cry cry cry


   
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

I'm able to see the phone number & the first few letters of the deleted text (but surrounded by gibberish) when I view it all the different ways I've tried.

This suggests one of three things to me:
a) The deleted message has been overwritten by another live one (possibly that one's deleted now as well!)
b) The deleted message is very long (and it'd have to be VERY long for a text message) and has been shunted to an overflow page in the database (you might still be able to identify where in the file, but less likely with new versions of iOS which autovacuum by default)
c) It's an MMS message and you're seeing the subject.


   
(@piratefrog)
Eminent Member
Joined: 15 years ago
Posts: 20
 

As a side note - generally not a good idea to post hex dumps of the data being examined without redacting the hex translation of the sensitive parts (not just the ASCII portion).


   
(@rottmom)
Active Member
Joined: 14 years ago
Posts: 12
Topic starter  

Thank you… I removed the pics.


   
(@rarosalion)
Eminent Member
Joined: 17 years ago
Posts: 28
 

I didn't see the Hex you posted earlier, but what AlexC is saying is correct - the rest of the text is probably overwritten, and not recoverable.

If you've got something like the following:

+1234566xxxxText of the message which is cut off

The only other data you probably have, but (I'm guessing) have not yet been able to interpret, is the date field which sits between the phone number and the start of the text of the message.

Something like

http://darkfader.net/toolbox/convert/

might help you translate the hex to decimal (e.g. 4934F316 -> 1228206870), then that decimal value (which is the number of seconds since 1/1/1970) to the date (Tue Dec 2 19:34:30 2008)


   
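The hex-to-date conversion and the number/date/text layout described in the last post, as an added Python example that is not from any poster in this thread: it decodes the 4-byte date field and carves the surviving number, date and text out of raw bytes. The sample bytes are constructed, and the layout (number, 4-byte big-endian date, text) and the names `hex_to_utc` and `carve` are assumptions for illustration.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed fragment (not real data): gibberish, a phone number, the 4-byte
# date field from the post (4934F316), then message text cut off by overwriting.
SAMPLE = (b"\x00\x17\x81\x02" + b"+12345660000" + bytes.fromhex("4934F316")
          + b"Text of the message which is cut" + b"\x00\x00\x9c\x01")

PHONE = re.compile(rb"\+\d{7,15}")
PRINTABLE = re.compile(rb"[\x20-\x7e]*")


def hex_to_utc(hex_str):
    """Hex string -> (seconds since 1970-01-01, timezone-aware UTC datetime)."""
    secs = int(hex_str, 16)
    return secs, datetime.fromtimestamp(secs, tz=timezone.utc)


def carve(blob, first_year=2007, last_year=2030):
    """Find phone number + 4-byte big-endian date + printable text in raw bytes.

    Assumed layout, following the post: number, date field, start of message.
    Hits whose date falls outside the plausible year range are discarded.
    """
    hits = []
    for m in PHONE.finditer(blob):
        raw = blob[m.end():m.end() + 4]
        if len(raw) < 4:
            continue  # fragment ends before a full date field
        secs = struct.unpack(">I", raw)[0]
        when = datetime.fromtimestamp(secs, tz=timezone.utc)
        if not first_year <= when.year <= last_year:
            continue  # implausible date, so probably not this layout
        text = PRINTABLE.match(blob, m.end() + 4).group().decode("ascii")
        hits.append({"offset": m.start(), "number": m.group().decode("ascii"),
                     "utc": when, "text": text})
    return hits


if __name__ == "__main__":
    secs, when = hex_to_utc("4934F316")
    # The result is UTC; a local clock ahead of UTC shows a later time of day.
    print(secs, when.isoformat())
    for hit in carve(SAMPLE):
        print(hit["offset"], hit["number"], hit["utc"].isoformat(), repr(hit["text"]))
```

The printable run stops at the first non-text byte, which is where the overwritten part of a record would begin; work on a copy of the backup file, never the original.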