
Snapchat Forensics - IOS 7.1.2

(@eag42)
New Member
Joined: 9 years ago
Posts: 1
Topic starter  

Hello,

I have conducted an analysis of an iPhone 4 with iOS 7.1.2. I understand the difficulty in recovering deleted or viewed Snapchat evidence on iOS. However, the subject installed an application called snapspy, which is purported to copy received Snapchat messages. I am able to access the storage directory and see the file data contained within it.

All data has standard .jpg and .mp4 file extensions. Both MOBILedit and the Windows picture viewers describe the images as being corrupted or broken. I conducted a Google search but found nothing related to this particular instance. My question is whether the images require decryption, per another post on this forum. Any assistance would be greatly appreciated.


   
SamBrown
(@sambrown)
Trusted Member
Joined: 11 years ago
Posts: 97
 

Have you looked at the files with a hex editor? JPG has a very specific header (FF D8). This should tell you if the file is encrypted or otherwise modified.


   
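The header check suggested in the reply above can be scripted across a whole directory instead of opening each file in a hex editor. The following is an added example, not part of any forum post: the function names and the sample buffers (including the "wrapped" and "opaque" cases) are constructed for illustration.

```python
import hashlib
import math
import sys
from collections import Counter
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image (FF D8) plus the next marker prefix
MP4_FTYP = b"ftyp"          # ISO base media 'ftyp' box type, normally at offset 4

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def triage(data: bytes) -> dict:
    """Classify a buffer by header, embedded signature offsets and entropy."""
    if data.startswith(JPEG_SOI):
        kind = "jpeg"
    elif data[4:8] == MP4_FTYP:
        kind = "mp4"
    else:
        kind = "no-known-header"
    return {
        "kind": kind,
        "first_bytes": data[:8].hex(" "),
        "jpeg_offset": data.find(JPEG_SOI),  # -1 if absent; >0 hints at a prepended wrapper
        "ftyp_offset": data.find(MP4_FTYP),
        "entropy": round(entropy(data), 2),
    }

def keystream(n: int) -> bytes:
    """Constructed stand-in for opaque content: deterministic pseudo-random bytes."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample buffers, not taken from any real device image.
SAMPLES = {
    "plain.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(64),
    "plain.mp4": b"\x00\x00\x00\x18ftypmp42" + bytes(64),
    "wrapped.jpg": b"HDR0" * 4 + JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(64),
    "opaque.jpg": keystream(4096),
}

if __name__ == "__main__":
    # File paths given as arguments are triaged; with none, the constructed samples run.
    items = {p: Path(p).read_bytes() for p in sys.argv[1:]} or SAMPLES
    for name, buf in items.items():
        print(name, triage(buf))
```

Valid JPEG and MP4 payloads are compressed and therefore also high-entropy, so the entropy figure only means something when the expected header is missing; a signature found at a non-zero offset points to a prepended wrapper rather than encryption.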
 jay9
(@jay9)
New Member
Joined: 14 years ago
Posts: 1
 

Good afternoon!

I've been spending a significant amount of time investigating the file structure using WinHex with the goal of pulling the pictures and videos of an expired (>24 hours) personal story. I found in the file tree a folder that corresponded with the times the photos and videos were taken over the 24-hour period within the folder \Library\Caches\SCMediaCache.

I've looked for all the standard file headers, used the recovery by file type option, even gone into the files and tried carving out various sections. To provide an example, one of the file names is 3fa004e6adabe10e3e892500 and the size is 3,384 KB. So two questions here:

#1. Does anyone know what is the actual folder/files where the personal stories are located? (considering I am wrong in my assumption)

#2. Considering that \Library\Caches\SCMediaCache is the correct location for the story files, any idea on file carving, searching, Hex editing, etc. process that would allow us to pull the image/video from the file?

Thank you!


   