UFED PA reporting t...
 
Notifications
Clear all

UFED PA reporting timestamps from 2069  

  RSS
Adam10541
(@adam10541)
Senior Member

I've come across something weird with an iphone 7 extraction. Using UFED PA 6.3.12.34, I acquired an advanced logical download of an iPhone 7, A1778, MDL MN8X2, iOS ver 11.0.1.

The download went as normal and all looked good until I started looking closer at the data. For some reasons the SMS, MMS and Chats are all showing the same date/time stamp 19/01/2069 1347 hrs.

All other files (call logs etc) are reporting correct normal timestamps, this is only occuring with the message data. There are no whatsapp or any third party messaging apps so I can't compare that to see if this is iOS related.

The phone itself had the correct time/date at time of examination and was not connected to any network (flight mode).

I'm going to attempt another look at the phone to see if this was a one off glitch, but was wondering if anyone else has seen this before or has any idea what's going on.

Quote
Posted : 13/11/2017 3:56 am
RonS
 RonS
(@rons)
Active Member

Open the extraction again in UFED 6.4 and it is solved there.

RonS

ReplyQuote
Posted : 13/11/2017 1:16 pm
AdamS
(@adams)
New Member

Thanks Ron will do.

ReplyQuote
Posted : 14/11/2017 4:46 am
Adam10541
(@adam10541)
Senior Member

Oops, forgot about that old account )

Thanks Ron

ReplyQuote
Posted : 14/11/2017 4:49 am
athulin
(@athulin)
Community Legend

Open the extraction again in UFED 6.4 and it is solved there.

Looks like it may be the "SMS, iMessages and MMS records are missing the UTC value for devices running iOS 11.0.1." issue mentioned as fixed in the 6.4 release notes, or something very closely related.

ReplyQuote
Posted : 14/11/2017 5:10 pm
mcman
(@mcman)
Active Member

If you want more detail, Heather did a great blog post on the iOS 11 timestamps here
http//smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/

Jamie

ReplyQuote
Posted : 14/11/2017 5:18 pm
athulin
(@athulin)
Community Legend

If you want more detail, …

Perfect – thanks!

ReplyQuote
Posted : 14/11/2017 5:44 pm
jlewis
(@jlewis)
New Member

We're seeing the 2069 timestamp with the logical extraction using 4PC (Method 1 and Method 2 reported the dates/times fine). We're told we have to do an update and then re-image. Any ideas? Last thing we have to do is go back to the source device since it was already returned.

ReplyQuote
Posted : 21/11/2017 2:04 am
Logan
(@logan)
Member

Is parsing the records manually from the respective databases not an option?

ReplyQuote
Posted : 21/11/2017 4:20 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Ask Cellebrite's tech support, but it would seem likely that once you updated PA to the current version, you will be able to re-process the iTunes mobile backup you already created and then have the correct format dates appear.

One possible option is to use the $99 single phone license of MOBILedit Forensic Express on the iTunes mobile backup you already created http//www.mobiledit.com/online-store/forensic-express

ReplyQuote
Posted : 21/11/2017 4:55 pm
Share: