iMessage Analysis

I’ve seen a few bits and pieces come up on the internet (in a variety of languages) on this subject.  I needed a topic for one of my research papers, so I thought I’d tackle the issue and propose (if you will) a ‘standard’ by which you can analyse iMessages from iOS5 devices. The results were very interesting.

I haven’t planned on putting up all the research, because it is of course my research, and I’d like to get it published soon.  But I wanted to give a little taster into what it is I’ve actually done…

  1. I got the sms.db from the /Library/SMS/ folder of a recovered iPhone 4s backup. I saw that some individuals had been having difficulty opening this file.  Unlike iOS4 and lower, sqlitebrowser does not support the iOS5 SMS database. I discovered you can open it using sqlite3 (tested on mac and windows), but if you want a GUI I suggest Mesa SQLite for Mac or SQL Maestro for Windows.
  2. Existing SMS and MMS analysis on the sms.db is still the same.  Additional fields have been created within the database to accommodate the new iMessage features. I will not disclose which fields these may be.
  3. It is possible to theoretically recover every deleted SMS and iMessage from the database using a specialist data carving technique made famous by Andrew Hoog.  I was even able to recover some of the media from deleted MMS’s and iMessage attachments.
  4. iMessages provide a lot more useful information with regards to read, received and sent times.

As always, I’m very happy to be contacted with any questions!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s