iMessage Analysis

I’ve seen a few bits and pieces come up on the internet (in a variety of languages) on this subject.  I needed a topic for one of my research papers, so I thought I’d tackle the issue and propose (if you will) a ‘standard’ by which you can analyse iMessages from iOS5 devices. The results were very interesting.

I haven’t planned on putting up all the research, because it is of course my research, and I’d like to get it published soon.  But I wanted to give a little taster into what it is I’ve actually done…

  1. I got the sms.db from the /Library/SMS/ folder of a recovered iPhone 4s backup. I saw that some individuals had been having difficulty opening this file. Unlike iOS4 and lower, sqlitebrowser does not support the iOS5 SMS database. I discovered you can open it using sqlite3 (tested on Mac and Windows), but if you want a GUI I suggest Mesa SQLite for Mac or SQL Maestro for Windows.
  2. Existing SMS and MMS analysis on the sms.db is still the same.  Additional fields have been created within the database to accommodate the new iMessage features. I will not disclose which fields these may be.
  3. It is possible to theoretically recover every deleted SMS and iMessage from the database using a specialist data carving technique made famous by Andrew Hoog. I was even able to recover some of the media from deleted MMSs and iMessage attachments.
  4. iMessages provide a lot more useful information with regards to read, received and sent times.
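
An added example, not part of the author's research or tooling: a first look at a working copy of an sms.db using Python's sqlite3 module and the documented SQLite file header. It lists tables and columns without assuming any field names, and it walks the freelist, the pool of released pages where deleted rows can linger; it does not implement the carving technique mentioned in point 3.

```python
import pathlib
import sqlite3
import struct

MAGIC = b"SQLite format 3\x00"

def read_header(path):
    """Return (page_size, first_trunk_page, freelist_count) from the 100-byte header."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if len(hdr) < 100 or hdr[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database")
    (page_size,) = struct.unpack(">H", hdr[16:18])
    first_trunk, freelist_count = struct.unpack(">II", hdr[32:40])
    # A stored page size of 1 means 65536 bytes.
    return (65536 if page_size == 1 else page_size), first_trunk, freelist_count

def freelist_pages(path):
    """Walk the freelist trunk chain and return every free page number."""
    page_size, trunk, _ = read_header(path)
    pages, seen = [], set()
    with open(path, "rb") as f:
        while trunk and trunk not in seen:        # 'seen' stops loops in a damaged chain
            seen.add(trunk)
            f.seek((trunk - 1) * page_size)       # pages are numbered from 1
            page = f.read(page_size)
            if len(page) < 8:
                break                             # truncated file
            next_trunk, n_leaves = struct.unpack(">II", page[:8])
            n_leaves = min(n_leaves, (len(page) - 8) // 4)  # guard a corrupt count
            pages.append(trunk)
            pages.extend(struct.unpack(f">{n_leaves}I", page[8:8 + 4 * n_leaves]))
            trunk = next_trunk
    return pages

def list_schema(path):
    """Open read-only and return {table: [column names]} as found in the file."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {t: [c[1] for c in conn.execute(
            'PRAGMA table_info("%s")' % t.replace('"', '""'))] for t in tables}
    finally:
        conn.close()
```

A non-zero freelist count means released pages are still inside the file and worth examining before anything rewrites or vacuums the database.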

As always, I’m very happy to be contacted with any questions!

A call for opinions

As part of my MRes, I am required to write a ‘mini-project’ on any topic of my choice. Being the man I am, I have opted for “The effects of geolocation on smartphone usage” – a study into whether phones logging geolocation affects their owners.

As part of the research, I have a survey. If anyone could please fill it out (it will take about 60 seconds) then I would be very grateful!

The survey can be found HERE

I will post my findings as soon as I have them. Thank you so much for your support!

iPhone encryption bypassed

ElcomSoft have released their iOS forensic toolkit which they say can decrypt the data that iOS encrypts on the device.  I am unsure how comprehensive this is, and so it is uncertain if recovery of deleted files is at all possible.  Maybe someone could clarify this for me?

It is a software solution which looks like it brute-forces its way to find the encryption key. I still think it would be very interesting to find a way to recover the encryption key from the encryption chip itself.

I’m still alive

Things have been very quiet for me as far as personal development in Digital Forensics. Although I may seem very egotistical, I would like to congratulate myself for attaining a scholarship with Staffordshire University. As a result I am now a part-time university lecturer! My first tutorial is at 15:00 today! Good times!

My actual MRes begins on 18th October 2011, so we’ll probably be hearing a lot more from me starting then, when I’m actually researching and finding out interesting bits and bobs!

I’m always very open to research paper ideas, so if you’re reading this and have anything you or your organisation would like researching then throw it my way!

Take care!

CCTV Analysis

I have gone over research topics I could do my masters thesis on, as I am due to start my MRes (Research Masters) in September.

Looking on job websites, I found an interesting opportunity for CCTV analysts to travel around the country seizing and analysing data found on CCTV systems…

“The successful candidate will have the skillset to carry out multiplex and embedded time and data decoding, enhancement of video and audio data, comparative analysis, creating evidential compilations of clips and presenting the evidence in video and still formats for production in Court.

The candidate must also have the appropriate skills in areas of image science, the science of individualization and knowledge of photogrammetry.

Working in strict compliance with Association of Chief Police Officers (ACPO) guidelines the candidate must have the ability to be able to convert proprietary digital video to other standard formats whilst maintaining the integrity of the imagery. The candidate will be required to fully document all investigation processes, analysis and evidence produced. This will include the production of technical reports and witness statements for Court purposes.”

CCL Forensics

Personally, it sounds like an excellent job. It calls for experienced individuals; however, a question came to mind: how does one acquire experience in such a specific job without experience? I have yet to see a job which would train you in this very specific field. It was from here that I contemplated gaining the experience for myself by focusing my MRes thesis on CCTV analysis.

I feel it’s a perfect topic because there is such a large range of questions and subject areas to research. Some of the current questions rattling in my head include:

  • How are CCTV systems configured?
  • Who are the market leaders of CCTV systems, and what file formats do they use?
  • How does one determine the footage collected is not falsified?
  • Determining correct dates to the video footage
  • How does one make digital copies of VHS video in a forensically sound manner?

This is just a taster of some of the questions I look forward to answering over the next year. I am aware this is not a completely new field, but I have found myself generating a very keen interest in it, and the field itself is not very well documented. And let’s not forget the potential for high-paid jobs at the end of it!

So if anyone reading this knows any of the answers, or knows of great books/websites/conferences covering this topic, please comment and let me know! You will be of a great help I assure you!

A well overdue update

So I have taken a while to update anybody with any information.

I can confirm that a recovery tool for the iPhone sms database is currently being developed by myself and a fellow Forensic Computing graduate Ryan Foster.  It should be completed soon and available for download as a beta.

Secondly, I have finally acquired the intellectual property of my dissertation, and so it is available for you to read on the Papers and Research section of this website.

Within the next year I’m hoping that I can get some freelance forensic work, and I am always happy to lend a hand to anyone that needs it, or just provide some free advice (to students and the sort).

I’ll be writing another post shortly, as I wish to talk about my MRes project idea, and see how badly people can criticise the idea.