Hello Everyone,
I am doing research on iPhone forensics. I have installed an OpenSSH server and, using the dd tool, got a full physical image of the phone. For data carving, I have tried to use scalpel. Since scalpel works on the headers and (optionally) footers of the files you want to recover, when I searched the internet, it appeared that sqlite3 doesn't have any footer. But when I run scalpel using only the header info to recover all sqlite3 files from an 8-GB image, it requires a lot of extra space and recovers a lot of false files. Can you people suggest some ways how data carving can be done on an iPhone physical image obtained through dd? I would greatly appreciate your help.
Have you looked at
Thank you very much CaptainF for your reply. On
db y 20000000000 \x53\x51\x4C\x69\x74\x65\x20\x66\x6F\x72\x6D\x61\x74\x20\x33
sqlitedb y 20000000000 \x53\x51\x4C\x69\x74\x65\x20\x66\x6F\x72\x6D\x61\x74\x20\x33
I would really appreciate any help on this.
My advice to you would be to open the dd image up in a hex editor and look for those signatures manually and see if you can decode a SQLite table manually. Then begin to work on a signature to pull the data out.
It takes a lot of time to begin with, but it is worth it in the end. :)
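Here is what the header decoding CaptainF describes looks like once it is turned into a carver, as an added example that is not part of this thread or any poster's code. It scans a constructed stand-in for a dd image for the same "SQLite format 3" magic the scalpel rules above use, validates the rest of the 100-byte header so that random hits are rejected, and reads the page size and page count from the header to get the exact file length, which is what the missing footer would otherwise cost you. The image, the database inside it and the decoy header are all built inside the script.

```python
"""Carve SQLite databases from a raw dd image by parsing the 100-byte file
header, which (unlike a footer) SQLite does have and which can give the exact
file size.  Added example for this thread, not any poster's code; the image,
the database inside it and the decoy header are constructed below."""
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"


def parse_header(buf, off):
    """Validate the header at buf[off:] and return its fields, or None.

    The extra checks are what separate a real database from the false hits
    a magic-only scalpel rule produces.  Offsets follow the SQLite file
    format documentation."""
    h = buf[off:off + 100]
    if len(h) < 100 or h[:16] != MAGIC:
        return None
    page_size = struct.unpack(">H", h[16:18])[0]
    if page_size == 1:                      # 1 encodes 65536
        page_size = 65536
    if page_size < 512 or page_size & (page_size - 1):
        return None                         # power of two, 512..65536
    if h[18] not in (1, 2) or h[19] not in (1, 2):
        return None                         # write/read format versions
    if (h[21], h[22], h[23]) != (64, 32, 32):
        return None                         # payload fractions are constants
    change_counter, page_count = struct.unpack(">II", h[24:32])
    schema_format, = struct.unpack(">I", h[44:48])
    encoding, = struct.unpack(">I", h[56:60])
    if schema_format not in (1, 2, 3, 4) or encoding not in (1, 2, 3):
        return None
    if any(h[72:92]):
        return None                         # reserved area must be zero
    version_valid_for, = struct.unpack(">I", h[92:96])
    # The in-header page count is only trustworthy when non-zero and when
    # "version-valid-for" equals the change counter (files last written by
    # SQLite < 3.7.0 leave it stale).
    trusted = page_count != 0 and version_valid_for == change_counter
    return {"page_size": page_size, "page_count": page_count,
            "encoding": encoding,
            "size": page_size * page_count if trusted else None}


def carve_sqlite(image, max_size=64 * 1024 * 1024):
    """Return (offset, header, data) for each plausible database in image.

    With a trustworthy header size the file is cut out exactly; otherwise
    fall back to max_size, which is all a header-only scalpel rule can do."""
    found = []
    off = image.find(MAGIC)
    while off != -1:
        hdr = parse_header(image, off)
        if hdr is not None:
            length = hdr["size"] or max_size
            found.append((off, hdr, image[off:off + length]))
        off = image.find(MAGIC, off + 1)
    return found


def build_sample_image():
    """Constructed stand-in for a dd image: filler, a real database, filler,
    a decoy 'SQLite format 3' string followed by junk, filler."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, text TEXT)")
        con.executemany("INSERT INTO message(text) VALUES (?)",
                        [("hello",), ("meet at 9",), ("carved",)])
        con.commit()
        con.close()
        with open(path, "rb") as f:
            db = f.read()
    filler = bytes(range(256)) * 16         # 4 KiB that is not a database
    decoy = MAGIC + b"\xff" * 84            # magic followed by garbage
    return filler + db + filler + decoy + filler, len(filler), db


def rows_from_carved(data):
    """Write a carved blob back to disk and read it with SQLite itself."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "carved.db")
        with open(path, "wb") as f:
            f.write(data)
        con = sqlite3.connect(path)
        rows = con.execute("SELECT id, text FROM message ORDER BY id").fetchall()
        con.close()
    return rows


if __name__ == "__main__":
    image, db_off, db = build_sample_image()
    for off, hdr, data in carve_sqlite(image):
        print(f"hit at {off:#x}: {hdr['page_count']} pages x {hdr['page_size']} "
              f"bytes, carved size {len(data)}, rows {rows_from_carved(data)}")
```

Two caveats for real images: the page count in the header is only meaningful when the "version-valid-for" field matches the change counter, so databases last written by an old SQLite fall back to the size cap exactly as with scalpel; and a database that was in WAL mode or had a hot rollback journal at the time of imaging can have newer pages sitting outside the carved file, so the carved copy should be treated as a snapshot, not the final state.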
Thank you very much for your help. I am going to look at the dd image in the WinHex editor to determine the SQLite file structure and match it with my rules. I will post my findings here in this forum.
Thank you very much once again.
You might find that you have more success attacking SQLite on a record level rather than a file level.
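As an added example of what "record level" means in practice (not code from any poster here), the script below decodes SQLite rows straight from the raw b-tree pages instead of asking SQLite to open the file: it walks the cell pointer array of each table leaf page, reads the varint-encoded rowid and record header, and turns the serial types into values. The sample database is constructed inside the script; the layouts follow the SQLite file format documentation, and text is assumed to be UTF-8 (header encoding 1).

```python
"""Decode SQLite table records straight from raw b-tree pages, the building
block of record-level (rather than whole-file) recovery.  Added example for
this thread, not any poster's code; the database is constructed below and the
page/cell/record layouts follow the SQLite file format documentation."""
import os
import sqlite3
import struct
import tempfile


def read_varint(buf, pos):
    """SQLite varint: big-endian, 7 bits per byte, the 9th byte uses all 8."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9


def decode_value(buf, pos, serial_type):
    """Return (value, bytes consumed) for one column of a record."""
    if serial_type == 0:
        return None, 0                       # NULL (also the rowid alias column)
    if 1 <= serial_type <= 6:
        n = (1, 2, 3, 4, 6, 8)[serial_type - 1]
        return int.from_bytes(buf[pos:pos + n], "big", signed=True), n
    if serial_type == 7:
        return struct.unpack(">d", buf[pos:pos + 8])[0], 8
    if serial_type in (8, 9):
        return serial_type - 8, 0            # the constants 0 and 1
    n = (serial_type - 12) // 2              # even = BLOB, odd = TEXT
    raw = buf[pos:pos + n]
    # Assumes the database's text encoding is UTF-8 (header encoding 1).
    return (raw if serial_type % 2 == 0 else raw.decode("utf-8")), n


def decode_record(buf, pos):
    """Record = varint header length, serial types, then the column bodies."""
    hdr_len, p = read_varint(buf, pos)
    types = []
    while p < pos + hdr_len:
        t, p = read_varint(buf, p)
        types.append(t)
    values = []
    for t in types:
        v, n = decode_value(buf, p, t)
        values.append(v)
        p += n
    return values


def leaf_table_cells(db, page_no, page_size):
    """Yield (rowid, columns) for each live cell on a table leaf page (0x0d).
    Page 1 carries the 100-byte file header before its b-tree header."""
    base = (page_no - 1) * page_size
    hdr = base + (100 if page_no == 1 else 0)
    if db[hdr] != 0x0D:
        return
    ncells = struct.unpack(">H", db[hdr + 3:hdr + 5])[0]
    for i in range(ncells):
        ptr = struct.unpack(">H", db[hdr + 8 + 2 * i:hdr + 10 + 2 * i])[0]
        _payload_len, p = read_varint(db, base + ptr)
        rowid, p = read_varint(db, p)
        # Overflow pages are not followed: fine for SMS-sized rows, not big blobs.
        yield rowid, decode_record(db, p)


def all_leaf_records(db):
    """Map page number -> list of (rowid, columns) for every table leaf page."""
    page_size = struct.unpack(">H", db[16:18])[0]
    if page_size == 1:
        page_size = 65536
    return {n: list(leaf_table_cells(db, n, page_size))
            for n in range(1, len(db) // page_size + 1)}


def build_sample_db():
    """Constructed sample: a 'message' table with NULL, text and integer values."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, "
                    "sender TEXT, body TEXT, ts INTEGER)")
        con.executemany("INSERT INTO message(sender, body, ts) VALUES (?,?,?)",
                        [("alice", "hello", 1300000000),
                         ("bob", "see you", 1300000060),
                         (None, "bye", 0)])
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()


if __name__ == "__main__":
    for page, cells in all_leaf_records(build_sample_db()).items():
        for rowid, cols in cells:
            print(f"page {page} rowid {rowid}: {cols}")
```

Page 1 holds sqlite_master, so its one record gives you the CREATE TABLE text and the root page of each table; the INTEGER PRIMARY KEY column comes back as None because SQLite stores the rowid alias as NULL inside the record. The point for recovery is that the same decode_record can be pointed at freeblocks and the unallocated area of a page, which is where deleted rows live until they are overwritten; there you have to skip the first four bytes of a deleted cell (overwritten by the freeblock's next-pointer and size) and search for plausible record headers instead of trusting a cell pointer.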
If you have a dd image, why are you not using FTK 3.x? You can then see your database files and export them to be viewed with the SQLite Database Browser. Granted, you might not get deleted items in the database, but it would save time getting the current entries. Another approach would be to make a copy of the dd image with the extension .dmg and then mount the image on a Mac in read-only mode. That way you could browse the image file and extract the database files. Personally I prefer FTK 3.x since it does such a good job of listing the files by type.
What iOS version are you running on your iPhone?
From iOS 4 I believe the entire disk is encrypted, so you won't get much from a raw dd image. I think the device decrypts the files on the fly when they are accessed, meaning a dd will only get the encrypted data since it doesn't actually access any files.
If it's a device that was originally bought with iOS 4, it is indeed encrypted and a file system dump would be the next best thing, but if it's a device that was upgraded to iOS 4, chances are it is not encrypted.