OK guys just a quick question. I seem to be getting conflicting views on weather deleted sms messages can be recovered from a backup mddata file.
Some people say that all SMS messages can be recovered some say that only non-deleted SMS messages can be shown.
Whats the real answer?
The answer to this question depends on a number of factors really.
The MDBACKUP / MDDATA file will contain the SQLite Database File as it was when it was copied from the handset.
The database will contain live records, however if the file hasn't been compacted on the phone, it may also contain dropped (deleted) records.
You may be able to recover these messages by carving for strings, then doing a comparison between the live records to determine which are deleted.
HTH
So there's no clear way of really defining if some of the messages are deleted. So it would probably be a cases of doing an actual disk image of the whole iPhone? If so I think I might try it at uni. Are there any free tools that could be used for a forensic disk image of an iPhone to recover not just SMS but everything else?
You'll probably be wanting to get your hands on Jonathan Zdziarski's book
http//
So there's no clear way of really defining if some of the messages are deleted.
The SQLite engine will only show live records and not those that have been dropped. Unfortunately you will need to do a comparison between what you can recover manually using a hex editor with what you can see in a SQLite browser.
If you get a disk image of the iPhone you should be able to use a variety of tools such as scalpel and foremost to carve out various types of files as well as carving out strings etc to recover messages.
There is plenty of good evidence to be found on the iPhone, and the backups can be a good place to get more historical evidence as well.
FYI,
UFED and UFED Physcial both extract deleted SMS messages from the sms.db SQLite iPhone database file.
Deleted SMS messages are marked as deleted so you do have a way to differenciate them from the live SMS messages.
I was under the impression that the UFED and UFED physical only at most obtain the file system in which a non jailbroken iphone the sms.db only contains the logical SMS messages?
UFED and UFED PA extract deleted SMS, call logs and phone book entries directly from the SQLite database files.
When entries are deleted their traces are still there and UFED recovers them.
You are correct this is done through logical file system dump (both jail broken and non-jailbroken devices)