iOS Deleted SMS - Timestamp in future

ThePM
(@thepm)
Active Member

Working on an iPhone 5C running iOS 8.3.

Did an extraction with Cellebrite UFED PA. It was able to recover deleted SMS.

One of the recovered SMS is, however, raising questions. Its timestamp makes it look like this message was received in December … 2016! According to UFED PA, the source file of the SMS is the sms.db file (as expected).

I'm trying to figure out why this could be happening. My hypothesis is that since the SMS was deleted, it might have been partially modified or overwritten with new data.

However, what is strange with this hypothesis is that this SMS is the only message affected by this issue (the only message whose timestamp is after seizure).

What do you guys think?

Thanks

Topic starter Posted : 17/05/2016 10:02 pm
Deltron
(@deltron)
Active Member

Have you dumped the sms.db out of UFED, opened it in a database viewer and checked to see if the message is in there? Also, how does it look in hex view? Where is it pulling the date from, and is it at the right offset? The new UFED does a great job of referencing the source data and highlights where it parsed the data.

Posted : 17/05/2016 10:44 pm
PaulSanderson
(@paulsanderson)
Senior Member

I would like to see the structure of your DB and this particular table before being certain, but without this I would say that it would seem unlikely to be a factor of the record being deleted.

There are three date fields in my sms.db message table, and all of these fields are in the middle of the schema. When a record is deleted in SQLite, the first few bytes can sometimes be overwritten with a 4-byte pointer structure, but the rest remains intact. So for corruption due to deletion to occur, I would not expect it to manifest itself in this way. There are of course caveats.

Reconstructing a deleted record where the first 4 bytes have been overwritten (if this is the case) is possible, but it involves educated guesses as to what these values were. That can result in recovered data being offset by a byte or two and therefore corruption that spans the whole record.

The first column in my sms.db is a rowid column that has an incrementing number. If this is recovered intact (i.e. not overwritten as above) then it could be used to determine where in the table the record originally came from, and therefore looking at surrounding records might cast some light on what is happening.

As I said, there are three dates in my table; what do the others say? (Cellebrite may or may not show this.)

If you would like a fully functional demo of the Forensic Browser for SQLite so you can view this additional info (including the hex, highlighted in yellow for the current record in my pic below) then please visit the page at the link below and request one.

http://sandersonforensics.com/forum/content.php?198-Forensic-Browser-for-SQLite

Posted : 17/05/2016 11:05 pm
ThePM
(@thepm)
Active Member

> Have you dumped the sms.db out of UFED, opened it in a database viewer and checked to see if the message is in there? Also, how does it look in hex view? Where is it pulling the date from, and is it at the right offset? The new UFED does a great job of referencing the source data and highlights where it parsed the data.

Indeed, I have exported it out of UFED and opened it in SqliteBrowser. The message is not there. I tried searching by text as well as by message GUID (which I could find in hex view in UFED) and I could not find the message in the DB. When I open up the sms.db using a hex editor (HxD), I can see the message at the same offset that UFED sees it at.

The fact that the message does not show in SqliteBrowser, could that mean that UFED possibly carved it from within the sms.db file? If so, might it be safe to say that we should not rely on the metadata about this message?

Topic starter Posted : 18/05/2016 12:06 am
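Added worked example (written for this page; it is not code from the thread, from Cellebrite or from Sanderson Forensics). It reproduces on a constructed database both the SQLite deletion behaviour Paul describes (the first 4 bytes of a deleted cell are overwritten by a freeblock header, the rest stays put) and the situation ThePM reports (a record that SQL no longer returns but whose bytes sit at a known offset in the file). Everything about the database is an assumption made here, not taken from the posts: a cut-down six-column stand-in for the message table, a 4096-byte page, secure_delete off, and iOS 8-style dates stored as whole seconds since 2001-01-01 UTC. The block walks the page's freeblock chain, decodes the deleted record by guessing that exactly four bytes (payload size, rowid, header length, first serial type) were lost, and then goes one step beyond the thread: it repeats the decode with that guess off by a single byte, which shifts every later field and turns the date columns into values that are either decades after seizure or not integers at all.

```python
import os, sqlite3, tempfile
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # iOS 8 sms.db: whole seconds since this
COLUMNS = ("ROWID", "guid", "text", "date", "date_read", "date_delivered")  # assumed cut-down schema

def from_mac_time(seconds):
    if not isinstance(seconds, int) or abs(seconds) > 10 ** 10:  # cannot be a date at all
        return None
    return MAC_EPOCH + timedelta(seconds=seconds)

def build_db(path):
    """Constructed sample: four messages written, then ROWID 2 deleted. Returns (rootpage, live rows)."""
    conn = sqlite3.connect(path)
    conn.executescript("PRAGMA secure_delete = OFF; PRAGMA page_size = 4096;")  # keep deleted bytes
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, guid TEXT, text TEXT,"
                 " date INTEGER, date_read INTEGER, date_delivered INTEGER)")
    base = datetime(2016, 5, 1, 12, 0, tzinfo=timezone.utc)
    for i in range(1, 5):
        t = int((base + timedelta(hours=i) - MAC_EPOCH).total_seconds())
        conn.execute("INSERT INTO message VALUES (?,?,?,?,?,?)",
                     (i, f"GUID-{i:04d}", f"message number {i}", t, t + 60, t + 5))
    conn.commit()
    conn.execute("DELETE FROM message WHERE ROWID = 2")  # a cell in the middle of the page
    conn.commit()
    root = conn.execute("SELECT rootpage FROM sqlite_master WHERE name = 'message'").fetchone()[0]
    live = [dict(zip(COLUMNS, r)) for r in conn.execute("SELECT * FROM message ORDER BY ROWID")]
    conn.close()
    return root, live

def read_varint(buf, pos):
    value = 0
    for i in range(8):
        value = (value << 7) | (buf[pos + i] & 0x7F)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9

def decode_body(buf, pos, serial_types):
    values = []
    for st in serial_types:  # SQLite serial types: 0 NULL, 1-6 ints, 8/9 literal 0/1, >=12 BLOB/TEXT
        if st in (0, 8, 9):
            v, n = (None if st == 0 else st - 8), 0
        elif 1 <= st <= 6:
            n = (1, 2, 3, 4, 6, 8)[st - 1]
            v = int.from_bytes(buf[pos:pos + n], "big", signed=True)
        elif st >= 12:
            n = (st - 12) // 2  # even = BLOB, odd = TEXT
            v = buf[pos:pos + n] if st % 2 == 0 else buf[pos:pos + n].decode("utf-8", "replace")
        else:
            raise ValueError(f"unsupported serial type {st}")
        values.append(v)
        pos += n
    return values

def carve_freeblocks(page, skip=4):
    """Walk the freeblock chain of a table leaf page. The 4-byte freeblock header (next, size)
    overwrote the start of the deleted cell: payload size, rowid, header length, first serial type.
    `skip` is the guess at how many bytes were lost; the INTEGER PRIMARY KEY (type 0) is assumed first."""
    found, off = [], int.from_bytes(page[1:3], "big")
    while off:
        nxt, size = int.from_bytes(page[off:off + 2], "big"), int.from_bytes(page[off + 2:off + 4], "big")
        hpos, types = off + skip, [0]
        for _ in range(len(COLUMNS) - 1):
            st, hpos = read_varint(page, hpos)
            types.append(st)
        try:
            record = dict(zip(COLUMNS, decode_body(page, hpos, types)))
        except ValueError:
            record = None
        found.append({"offset": off, "size": size, "record": record})
        off = nxt
    return found

def flag_future(records, seized_at):
    """Dates after seizure, or 'dates' that are not even integers, are the smell."""
    return [(rec["guid"], col, dt) for rec in records for col in COLUMNS[3:]
            if (dt := from_mac_time(rec[col])) is None or dt > seized_at]

def demo(seized_at=datetime(2016, 5, 17, tzinfo=timezone.utc)):
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        root, live = build_db(path)
        raw = open(path, "rb").read()
    page_size = int.from_bytes(raw[16:18], "big")
    page = raw[(root - 1) * page_size:root * page_size]
    if page[0] != 0x0D:
        raise ValueError("expected a table b-tree leaf page")
    carved = carve_freeblocks(page)          # right guess: 4 bytes lost
    misaligned = carve_freeblocks(page, 5)   # one byte too many: every later field shifts
    return {"live": live, "carved": carved, "misaligned": misaligned,
            "deleted_guid_in_raw_bytes": b"GUID-0002" in raw,
            "future": flag_future(live + [c["record"] for c in carved if c["record"]], seized_at),
            "future_if_misaligned": flag_future([c["record"] for c in misaligned if c["record"]], seized_at)}

if __name__ == "__main__":
    print(demo())
```

Run it as a script or call demo(). With the right guess the carved record comes back with its GUID, text and all three dates intact and its rowid gone (it lived in the overwritten cell header, which is why Paul's "look at the surrounding rowids" check is only available when that header survived); with the guess one byte off, the GUID is still almost readable while one date column lands decades in the future and another is not an integer at all, which is what a single carved record with a post-seizure timestamp tends to look like. Two caveats a practitioner should carry over to a real sms.db: the real table has many more columns, so the header guess has more room to go wrong, and when the deleted cell was the one adjacent to the page's unallocated gap SQLite simply extends the cell content area instead of creating a freeblock, leaving the bytes fully intact but off the chain this carver walks, so they have to be found by scanning the unallocated space instead.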