iPhone 6, iOS 11.4.1, unlocked, acquire deleted text/SMS?

urq82
(@urq82)
New Member

A client iPhone 6 - A1586 - that hasn't been connected to a PC previously (no iTunes backup) - I have been provided unlock code and 2FA access to the AppleID / iCloud.

This is a civil client case (not LE) where the iPhone 6, 16GB, iOS 11.4.1, is believed to contain old deleted text messages (SMS). Internal memory use is almost 100%. The objective is to try to retrieve previously (ca 3 months back in time) deleted text messages. Backup on iCloud exists but storage is also maxed out - 2% free, only two generations of backup shown (recent both).

The phone was logically acquired with Magnet Acquire (latest version), resulting in an 8GB file (Apple iPhone7,2 Quick Image.zip). Also tried acquisition using EnCase 8.07 and Belkasoft Acquisition Tool (less data was collected by these tools).

The files acquired are the backup files (such as 3d0d7e5fb2ce288813306e4d4636395e047a3d28 of the sms.db). These files do not seem to contain any deleted messages though (using SQL-tools to search).

Is there a working option to get hold of the sms.db under these circumstances? Is it even likely that the sms.db contains larger numbers of deleted messages (as is the objective to find)? Jailbreaking the phone is possible if it helps the case. Any method that positively would be useful to extract the sms.db? Paid service is an option if offered!

Appreciate any help on this issue! I have searched the net and this forum for options - then I decided to post this request instead!

Location is Sweden.

Topic starter Posted : 29/09/2018 7:15 am
passcodeunlock
(@passcodeunlock)
Senior Member

I sent you a PM.

Posted : 29/09/2018 10:47 am
Jonny_Boy
(@jonny_boy)
New Member

@urq82 How did you get on with this phone? Any luck? I currently have a similar issue.

Posted : 31/10/2018 1:15 pm
urq82
(@urq82)
New Member

Update on this issue.

After seeking additional advice from several mobile forensics vendors I finally got hands-on advice from Elcomsoft (Thank You!).

It turns out that the only known way to - with a higher likelihood - retrieve deleted text messages in iOS 11.4.1 would be through a physical extraction. This would then include not only the active sms.db but also the important WAL file(s). The only method known (at this time) to obtain a physical image for the iOS version in the case is the use of GrayKey services. That was not an option in my case.

If the sms.db would have been found on the iCloud backup, this would have been a vacuumed version of the database with low likelihood of containing deleted data.

One decision factor also involved in the case was that an estimated 3,000 new text messages had been sent since the time of the initial deletion. This fact also mattered in the sense that the likelihood of finding deleted text messages was reduced due to the large amount of potential over-writes in deleted space in the database.

I hope this can help others seeking solutions to similar matters. I am not an expert on this matter but I managed to get slightly wiser as a result of this!

Topic starter Posted : 07/11/2018 8:35 am
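
The distinction drawn in the update above, between a live database that still holds freed pages and a vacuumed copy that does not, can be checked on any acquired SQLite file by reading its 100-byte header. This is an added example, not part of the original thread; the file name, marker text and simplified one-table schema are constructed stand-ins for a real sms.db.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = b"CONSTRUCTED-DELETED-MSG"  # constructed sample text, not case data

def header_stats(path):
    """Read page size, page count and freelist size from the SQLite header."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size  # 1 encodes 64 KiB
    # Offsets 28, 32, 36: size in pages, first freelist trunk, freelist pages
    page_count, first_trunk, freelist_pages = struct.unpack(">III", hdr[28:40])
    return {"page_size": page_size, "page_count": page_count,
            "first_trunk": first_trunk, "freelist_pages": freelist_pages,
            "wal_present": os.path.exists(path + "-wal")}

def contains_marker(path):
    """Raw byte search, the same idea as a hex/text view of the file."""
    with open(path, "rb") as f:
        return MARKER in f.read()

def demo():
    """Delete rows, then VACUUM, and report what is left each time."""
    path = os.path.join(tempfile.mkdtemp(), "sms_sample.db")  # hypothetical name
    con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    con.execute("PRAGMA secure_delete=OFF")  # make freed pages keep old bytes
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    con.execute("BEGIN")
    con.executemany("INSERT INTO message (text) VALUES (?)",
                    [(f"{MARKER.decode()}-{i} " + "x" * 150,) for i in range(500)])
    con.execute("COMMIT")
    con.execute("DELETE FROM message")
    deleted = (header_stats(path), contains_marker(path))
    con.execute("VACUUM")  # rebuilds the file and drops every free page
    vacuumed = (header_stats(path), contains_marker(path))
    con.close()
    return deleted, vacuumed

if __name__ == "__main__":
    for label, (stats, found) in zip(("after DELETE", "after VACUUM"), demo()):
        print(label, stats, "deleted text still in file:", found)
```

A non-zero `freelist_pages` value or a `-wal` sidecar next to the acquired file means there is still unallocated database space worth carving; a count of zero matches what the post describes for a vacuumed copy.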
passcodeunlock
(@passcodeunlock)
Senior Member

I wrote you earlier that you would need a decrypted dump for this (generically named physical acquisition).

Besides GrayKey, other solutions do exist for this. The only problem usually is the price of such an acquisition, which, let's face the truth, was your problem as well.

The potential overwrites in deleted space in the database make some sense; still, dropping any further analysis based on theory is anyhow stupid, because, considering a timeline, the overwrites are not linear. Also, at some point you might have multiple versions of the db and WAL files in the physical acquisition.

Posted : 07/11/2018 5:03 pm
Jonny_Boy
(@jonny_boy)
New Member

Thanks Urq for the update, much appreciated.

Posted : 07/11/2018 10:43 pm
ZeroOneZero
(@zeroonezero)
New Member

iCloud backups flush database free space?

Has anyone else noticed that recovered deleted iMessages lack content when parsed by Cellebrite?

Posted : 20/11/2018 8:27 pm
armresl
(@armresl)
Community Legend

Cellebrite doesn't handle this?
Oxygen?
Guessing you can't JB or root that particular firmware.

I wrote you earlier that you would need a decrypted dump for this (generically named physical acquisition).

Besides GrayKey, other solutions do exist for this. The only problem usually is the price of such an acquisition, which, let's face the truth, was your problem as well.

The potential overwrites in deleted space in the database make some sense; still, dropping any further analysis based on theory is anyhow stupid, because, considering a timeline, the overwrites are not linear. Also, at some point you might have multiple versions of the db and WAL files in the physical acquisition.

Posted : 20/11/2018 11:37 pm
NylaRose
(@nylarose)
New Member

Physical extraction can solve this problem, but you must look for a reliable local data recovery service. My suggestion is to use the data recovery function of RecoveryTool Fix Recovery or the data recovery software of Wondershart. This will save you a lot of time. Taking into account that the iPhone's internal memory usage rate is almost 100%, you need to make a decision as soon as possible.

Posted : 11/10/2021 8:01 am
jadams951
(@jadams951)
New Member

I can tell you that Gray Key will only get you a file system extraction. Since the A4 chip, in the iPhone 4, physical acquisitions have not been possible. If I'm wrong please let me know. My experience of getting deleted messages in iPhones is not that great.

Posted : 12/10/2021 12:40 am
springal
(@springal)
New Member

You may not have seen this message:

https://www.forensicfocus.com/forums/mobile-forensics/full-file-system-extraction-for-ios-devices/#post-6605369

In addition to GrayKey and Cellebrite, there is indeed the perfect solution for jailbreak-free elevated privilege extraction, which is currently supported up to iOS 15.x for iPhone 13.

This post was modified 1 week ago by springal
Posted : 14/10/2021 9:21 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member
Posted by: @zeroonezero

iCloud backups flush database free space?

Has anyone else noticed that recovered deleted iMessages lack content when parsed by Cellebrite?

Our experience has been that Cellebrite does recover deleted messages in which only the message sender and message sent date can be parsed, and that upon further analysis of the corresponding portion of the SMS.db file, there is no "body" content to be parsed or recovered.

Cellebrite Physical Analyzer allows one to view the SMS.db file in hexadecimal and corresponding text. Whenever we see Cellebrite recover only partial text messages of interest, we use PA to analyze the portion of the SMS.db file in the hex/text view to confirm that there was no text message body to be parsed.

I highly recommend this course which covers SQLite database analysis in depth:  Cellebrite Learning Center: Cellebrite Advanced Smartphone Analysis (CASA) Course

DISCLAIMER:  I do not work for Cellebrite but do use Cellebrite in my practice.

Posted : 14/10/2021 7:21 pm