Essentially I'm looking for someone to fact check my answer on this. I was recently asked by an attorney whether we could recover deleted text messages from an iPhone.
Obviously, the answer is not straightforward and depends on a number of variables. Here is what I was planning to say. I just want to make sure I'm as accurate as possible. Please correct me if I'm wrong or if there is something I'm not aware of:
Q:
Can you recover deleted text messages from an iPhone?
A:
It depends on a variety of factors such as device model, iOS version, device update occurrences and recovery method.
For iOS 8 - iOS 11, this MAY be possible IF you have a FFS extraction (and access to a tool that provides that, Cellebrite, GK, etc.) and IF the SQLite DB hasn't been vacuumed. So, it would depend on how long ago the message was deleted.
For iOS 12 - iOS 16, we are pretty much SOL on recovering deleted texts off of the device.
With the advent of iOS 16, you have a 30 day window to recover deleted texts.
It MIGHT be possible to recover with an iCloud backup or an iTunes backup IF the individual did indeed back up their device.
I'm trying not to overcomplicate things for this person, but please let me know if I missed something. I also recently read that there MIGHT be a copy of deleted texts in the Biome directory IF you have a FFS from and IF "Learn from this app" setting is turned on and depending on the iOS.
- Any phone with iOS 13.7 or older does not have the file location.
- Any phone with iOS 14.0 or later does have the file location.
Sorry for all the "IF"s.
Not sure if it's worth mentioning that last part, but just wanted to get any thoughts on this, if I'm missing something or if I'm completely off base. Any feedback appreciated.
Thanks
"With the advent of iOS 16, you have a 30 day window to recover deleted texts."
Please provide a link to your source for this information. I am not disputing it but want to learn more.
No problem! Appreciate the response.
In reading about iOS 16, Apple seems to be touting this quite a bit:
https://www.apple.com/ios/ios-16/features/
https://support.apple.com/en-us/HT213105
I don't have any forensic articles to support that, just what Apple reports on iOS 16's features.
So, I suppose I can't concretely say that. Even though that seems to be a new feature, I'm unsure if they can be forensically recovered.
I do have a brand new iPhone running 16.2 that I plan to test this with and will see what happens.
Additionally, I've been doing some more reading regarding the sms.db and associated WAL. It seems that we can identify missing records and gaps within messages/conversations but are not necessarily able to recover the message content/text. Does this seem correct?
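
An added example, not part of the thread: one way to list the record gaps described in the post above, by walking the `ROWID` sequence of the `message` table and comparing it with SQLite's `sqlite_sequence` counter. It assumes a simplified `message` table with an AUTOINCREMENT `ROWID`; the in-memory database, its rows and the function names are constructed for illustration.

```python
import sqlite3


def build_sample_db():
    """Constructed stand-in for sms.db: a simplified `message` table, not the full iOS schema."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE message ("
        "ROWID INTEGER PRIMARY KEY AUTOINCREMENT, "
        "text TEXT, date INTEGER, handle_id INTEGER)"
    )
    rows = [(f"constructed message {i}", 1000 + i * 60, 1) for i in range(1, 11)]
    con.executemany(
        "INSERT INTO message (text, date, handle_id) VALUES (?, ?, ?)", rows
    )
    # Simulate deletions: two records mid-conversation and the newest one.
    con.execute("DELETE FROM message WHERE ROWID IN (4, 5, 10)")
    con.commit()
    return con


def find_rowid_gaps(con):
    """Return (first_missing, last_missing, date_before, date_after) per gap.

    The dates of the surviving neighbours bracket when the missing records
    were created; the missing content itself is not recovered here.
    """
    gaps = []
    prev_id, prev_date = 0, None
    for rowid, date in con.execute("SELECT ROWID, date FROM message ORDER BY ROWID"):
        if rowid - prev_id > 1:
            gaps.append((prev_id + 1, rowid - 1, prev_date, date))
        prev_id, prev_date = rowid, date
    # For AUTOINCREMENT tables SQLite keeps the highest ROWID ever assigned in
    # sqlite_sequence, so records deleted from the end of the table still show.
    seq = con.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'message'"
    ).fetchone()
    if seq and seq[0] > prev_id:
        gaps.append((prev_id + 1, seq[0], prev_date, None))
    return gaps


if __name__ == "__main__":
    for gap in find_rowid_gaps(build_sample_db()):
        print(gap)
```

Run this kind of query against a working copy of the extracted database together with its `-wal` and `-shm` files, never the evidence original, because opening a database with SQLite can checkpoint the WAL and change the files.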