Physical acquisition - iPhone 5 Jailbroken

Cellebrite will provide you with the logical (backup) option and also an alternative file system extraction method, but not physical support for iPhone 4S & above.

The aforementioned methods will not only provide you with the live data, but in addition if it is deleted data you are after, this can also be obtained. This is due to the fact it is possible to recover deleted data from the relevant SQLite db files which are extracted. This can be done by using Physical Analyzer or/and various other software including Oxygen.

Regarding Elcomsoft iOS Toolkit, read this to understand support for iPhone 5 running iOS 7 physical support

http//www.elcomsoft.com/PR/eift_140130_en.pdf

Cellebrite will provide you with the logical (backup) option and also an alternative file system extraction method, but not physical support for iPhone 4S & above.

The aforementioned methods will not only provide you with the live data, but in addition if it is deleted data you are after, this can also be obtained. This is due to the fact it is possible to recover deleted data from the relevant SQLite db files which are extracted. This can be done by using Physical Analyzer or/and various other software including Oxygen.

Regarding Elcomsoft iOS Toolkit, read this to understand support for iPhone 5 running iOS 7 physical support

http//www.elcomsoft.com/PR/eift_140130_en.pdf

Thank you. It seems Oxygen has performed as well as any thing else. I've got the SQlite db files. I thought it was possible to obtain more, but after reading through the Elcomsoft article you provided, it seems that I shouldn't expect much more.

I was disappointed with the amount of sms recovered through Oxygen.

Did MPE+ provide you with any results? Unfortunately, it is not a preferred tool so I cannot really comment much on it. It may well be that the deleted SMS have since been overwritten or/and the creation of a new SMS.db has occurred, as the old version has become unstable. This could be why not many entries were recovered.

Alternatively, if you search this forum there are plenty of threads that discuss recovery of deleted data from these sorts of db files. Including Sanderson Forensics software and even IEF which I have used numerous times.

Did MPE+ provide you with any results? Unfortunately, it is not a preferred tool so I cannot really comment much on it. It may well be that the deleted SMS have since been overwritten or/and the creation of a new SMS.db has occurred, as the old version has become unstable. This could be why not many entries were recovered.

Alternatively, if you search this forum there are plenty of threads that discuss recovery of deleted data from these sorts of db files. Including Sanderson Forensics software and even IEF which I have used numerous times.

MPE prompts for dfu mode. It is the latest version. While researching I read about physical acquisition files. Perhaps I might be missing those.

I do have IEF. Should I run the db through that?

It might just be as simple as the fact that the deleted SMS have since been overwritten or/and the creation of a new SMS.db has occurred. I would still give IEF a shot though, export the 'sms.db' file and use the iOS File Dump option on IEF. Alternatively, you may have to invest in software specifically designed for recovering deleted data from SQLite db files.

I will try that. Thank you for your time and input! I'll let you know how it goes either way.

Including Sanderson Forensics software and even IEF which I have used numerous times.

It might just be as simple as the fact that the deleted SMS have since been overwritten or/and the creation of a new SMS.db has occurred. I would still give IEF a shot though, export the 'sms.db' file and use the iOS File Dump option on IEF. Alternatively, you may have to invest in software specifically designed for recovering deleted data from SQLite db files.

I have only just seen this - thanks for the mention )

If you would like a fully functional trial of SQLite Forensic Toolkit then please let me know. As well as the sms.db file you may well find either an sms.db-wal or sms.db-journal file either of which could have data of interest including deleted data - SQLite Forensic Explorer can help with these.

I would also want to run SQlite Recovery (also part of the toolkit) across a complete dump of the device using a signature for sms.db and see whether this brings back any records.

More info here http//sandersonforensics.com/forum/content.php?113-Software or drop me an email paul@sandersonforensics.com