
iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS?  

urq82
(@urq82)
New Member

A client iPhone 6 - A1586 - that hasn't been connected to a PC previously (no iTunes backup) - I have been provided unlock code and 2FA access to the AppleID / iCloud.

This is a civil client case (not LE) where the iPhone 6, 16GB, iOS 11.4.1, is believed to contain old deleted text messages (SMS). Internal memory use is almost 100%. The objective is to try to retrieve previously (ca 3 months back in time) deleted text messages. Backup on iCloud exists but storage is also maxed out - 2% free, only two generations of backup shown (recent both).

The phone was logically acquired with Magnet Acquire (latest version), resulting in an 8GB file (Apple iPhone7,2 Quick Image.zip). Also tried acquisition using Encase 8.07 and Belkasoft Acquisition Tool (less data was collected by these tools).

The files acquired are the backup files (such as 3d0d7e5fb2ce288813306e4d4636395e047a3d28 of the sms.db). These files do not seem to contain any deleted messages though (using SQL-tools to search).

Is there a working option to get hold of the sms.db under these circumstances? Is it even likely that the sms.db contains larger numbers of deleted messages (as is the objective to find)? Jailbreaking the phone is possible if it helps the case. Any method that positively would be useful to extract the sms.db? Paid service is an option if offered!

Appreciate any help on this issue! I have searched the net and this forum for options - then I decided to post this request instead!

Location is Sweden.

Posted : 29/09/2018 7:15 am
passcodeunlock
(@passcodeunlock)
Senior Member

I sent you a PM.

Posted : 29/09/2018 10:47 am
Jonny_Boy
(@jonny_boy)
New Member

@urq82 How did you get on with this phone? Any luck? I currently have a similar issue.

Posted : 31/10/2018 1:15 pm
urq82
(@urq82)
New Member

Update on this issue.

After seeking additional advice from several mobile forensics vendors I finally got hands-on advice from Elcomsoft (Thank You!).

It turns out that the only known way to - with a higher likelihood - retrieve deleted text messages in iOS 11.4.1 would be through a physical extraction. This would then include not only the active sms.db but also the important WAL file(s). And that the only method known (at this time) to obtain a physical image for the iOS version in the case is use of GrayKey services. That was not an option to my case.

If the sms.db would have been found on the iCloud backup, this would have been a vacuumed version of the database with low likelihood of containing deleted data.

One decision factor also involved in the case was that an estimated 3,000 new text messages had been sent since the time of the initial deletion. This fact also mattered in the sense that the likelihood of finding deleted text messages was reduced due to the large amount of potential over-writes in deleted space in the database.

I hope this can help others seeking solutions to similar matters. I am not an expert on this matter but I managed to get slightly wiser as a result of this!

Posted : 07/11/2018 8:35 am
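
The vacuum point in the update above, shown as an added example that is not part of the original thread: text from deleted rows stays on SQLite freelist pages until VACUUM rebuilds the file. The table layout, file name and marker string are constructed for illustration and are not the real sms.db schema or case data; secure_delete is switched off explicitly because some SQLite builds enable it by default.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = b"CONSTRUCTED-DELETED-MSG"  # constructed sample text, not case data


def survey(path):
    """Return (freelist_pages, marker_hits) for a SQLite file read as raw bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    # File header offset 36: big-endian count of pages on the freelist.
    (freelist_pages,) = struct.unpack(">I", data[36:40])
    return freelist_pages, data.count(MARKER)


def demo():
    """Delete rows from a constructed database, then compare it before and after VACUUM."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed_sms.db")  # hypothetical file name
        con = sqlite3.connect(path)
        con.execute("PRAGMA auto_vacuum = NONE")   # freed pages stay in the file
        con.execute("PRAGMA secure_delete = OFF")  # freed content is not zeroed
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
        rows = [(MARKER.decode() + f" {i} " + "x" * 150,) for i in range(500)]
        con.executemany("INSERT INTO message (text) VALUES (?)", rows)
        con.commit()
        con.execute("DELETE FROM message")  # rows vanish from every SQL query
        con.commit()
        con.close()
        before = survey(path)               # raw bytes still hold the old text
        con = sqlite3.connect(path)
        con.execute("VACUUM")               # rebuilds the file without free pages
        con.close()
        after = survey(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after DELETE: freelist pages=%d, marker hits=%d" % before)
    print("after VACUUM: freelist pages=%d, marker hits=%d" % after)
```

Running `survey()` on a working copy of an acquired database shows whether any free pages are left to carve. The example does not read the -wal file, which has to be examined separately.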
passcodeunlock
(@passcodeunlock)
Senior Member

I wrote you earlier that you would need a decrypted dump for this (generically named physical acquisition).

Besides GrayKey, other solutions do exist for this. The only problem usually is the price of such an acquisition, which, let's face the truth, was your problem as well.

The potential overwrites in deleted space in the database make some sense, still dropping any further analysis based on theory is anyhow stupid, because considering a timeline the overwrites are not linear, also at some point you might have multiple versions of the db and wal files in the physical acquisition.

Posted : 07/11/2018 5:03 pm
Jonny_Boy
(@jonny_boy)
New Member

Thanks Urq for the update, much appreciated.

Posted : 07/11/2018 10:43 pm
ZeroOneZero
(@zeroonezero)
New Member

iCloud backups flush database free space?

Has anyone else noticed that recovered deleted iMessages lack content when parsed by Cellebrite?

Posted : 20/11/2018 8:27 pm
armresl
(@armresl)
Community Legend

Cellebrite doesn't handle this?
Oxygen?
Guessing you can't JB or root that particular firmware.

Posted : 20/11/2018 11:37 pm