I’ve seen a few bits and pieces come up on the internet (in a variety of languages) on this subject. I needed a topic for one of my research papers, so I thought I’d tackle the issue and propose (if you will) a ‘standard’ by which you can analyse iMessages from iOS5 devices. The results were very interesting.
I haven’t planned on putting up all the research, because it is of course my research, and I’d like to get it published soon. But I wanted to give a little taster into what it is I’ve actually done…
- I got the sms.db from the /Library/SMS/ folder of a recovered iPhone 4s backup. I saw that some individuals had been having difficulty opening this file. Unlike iOS4 and lower, sqlitebrowser does not support the iOS5 SMS database. I discovered you can open it using sqlite3 (tested on Mac and Windows), but if you want a GUI I suggest Mesa SQLite for Mac or SQL Maestro for Windows.
- Existing SMS and MMS analysis on the sms.db is still the same. Additional fields have been created within the database to accommodate the new iMessage features. I will not disclose which fields these may be.
- It is theoretically possible to recover every deleted SMS and iMessage from the database using a specialist data carving technique made famous by Andrew Hoog. I was even able to recover some of the media from deleted MMSs and iMessage attachments.
- iMessages provide a lot more useful information with regards to read, received and sent times.
As always, I’m very happy to be contacted with any questions!
ElcomSoft have released their iOS forensic toolkit which they say can decrypt the data that iOS encrypts on the device. I am unsure how comprehensive this is, and so it is uncertain if recovery of deleted files is at all possible. Maybe someone could clarify this for me?
It is a software solution which looks like it brute-forces its way to finding the encryption key. I still think it would be very interesting to find a way to recover the encryption key from the encryption chip itself.
I returned from my holiday to discover people commenting on the post regarding the consolidated database. Suffice to say I’m quite happy for the attention. It turns out a tool has been developed which processes the data found in the database and places them as points on a map.
Friends and students familiar with my dissertation have believed that this is a direct copy of the tool I developed for my final year project, and I just wanted to state that although the tool is similar, they do different jobs. Yes, my tool does analyse the consolidated database, but the aim of my tool is to track individual locations and piece together an individual's movements. This may be used in a forensic analysis to determine if the iPhone user was in a specific location at a specific time, where the data may be incriminating or prove the individual innocent.
Alasdair Allan and Pete Warden have developed a tool that specifically targets the consolidated database and outputs the data found in it onto a map. This data includes locations of cell towers and wifi access points. It is really impressive, and performs the task they made it for fantastically, using a very easy-to-use and beautiful user interface. Check it out here.
I would like to thank them for mentioning me in their FAQ!
Because they have alerted the world to this database, Apple have announced they will be changing iPhone functionality to reduce the amount of geolocations stored in this database. I do not know if this means they will be eradicating the file completely, or simply reducing the timeframe the locations are stored for. Naturally this affects the effectiveness of my dissertation tool. However, if they are simply removing the data after a certain timeframe (e.g. deleting records after a week), then there may be potential for recovery (intended for my summer research).
I still intend on writing a small paper over summer describing what all the values in consolidated database mean. It is intended for forensic analysts to use as reference during an investigation, in order to determine which values can determine accurately where the device has been, and not confuse the location of a cell tower with a coordinate the phone has been.
Individuals familiar with iPhone forensic analysis will be quite familiar. As far as my research has taken me, I am able to gather previous locations of the iPhone from the database, all contained in the ‘CellLocationLocal’ table. But the database has more tables…interesting…
So I’ve been looking at the ‘WifiLocation’ and ‘CellLocation’ tables, and discovered a few interesting things. Some of the results gave me locations in countries such as Turkey, which I haven’t actually ever been to. It’s common knowledge with this database that the time stamps are generated by some kind of batch method in these tables, because the time stamp value can be the same for multiple geolocations. I find this very, very interesting.
To further matters, tables such as ‘CellLocationBoxes_node’ appear to store some kind of data as a hex string. Further research is needed!
My theory is, for the moment, that these values are not locations of the phone, but instead locations looked at by the device, via the Google maps app or other applications. Looks like I’ve got my second piece of research for my summer break! I’ll post my findings and see if I can finally get to the bottom of all the data stored in this database.
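An added example (not part of the original post, and not the author's dissertation tool) that illustrates the batching observation above: it groups rows of a constructed stand-in for the ‘CellLocation’ table by identical time stamp, converts each stamp from Mac absolute time (seconds since 2001-01-01 UTC) and reports the geographic spread of each batch. The column names Timestamp, Latitude and Longitude are assumptions; a batch whose points are thousands of kilometres apart cannot be a single device track.

```python
import math
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time origin
TABLES = ("CellLocation", "WifiLocation")  # allow-list for the table name


def mac_abs_to_utc(seconds):
    """Convert a Mac absolute time stamp to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def batches(con, table):
    """Group rows sharing one Timestamp -> {iso_utc: (row_count, spread_km)}."""
    if table not in TABLES:
        raise ValueError(f"unexpected table {table!r}")
    groups = defaultdict(list)
    for ts, lat, lon in con.execute(f"SELECT Timestamp, Latitude, Longitude FROM {table}"):
        groups[ts].append((lat, lon))
    out = {}
    for ts, pts in groups.items():
        # Largest pairwise distance inside the batch: 0 for a single fix.
        spread = max((haversine_km(*a, *b) for a in pts for b in pts), default=0.0)
        out[mac_abs_to_utc(ts).isoformat()] = (len(pts), round(spread, 1))
    return out


def sample_db():
    """Constructed in-memory stand-in for consolidated.db (schema is assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE CellLocation (Timestamp REAL, Latitude REAL, Longitude REAL)")
    rows = [
        (330000000.0, 51.5074, -0.1278),  # London
        (330000000.0, 41.0082, 28.9784),  # Istanbul, same stamp as London
        (330000000.0, 52.4862, -1.8904),  # Birmingham, same stamp again
        (330003600.0, 51.5155, -0.0922),  # one hour later, a lone fix
    ]
    con.executemany("INSERT INTO CellLocation VALUES (?, ?, ?)", rows)
    return con


if __name__ == "__main__":
    for when, (n, km) in batches(sample_db(), "CellLocation").items():
        print(f"{when}: {n} fix(es), spread {km} km")
```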
So, while working on my dissertation I discovered something I thought was of interest. It turns out I performed a good portion of my project thinking such things as deleted messages can’t be recovered because of the iPhone’s encryption chip leaving any raw data unreadable. I was not aware that sqlite databases do not actually remove the data from themselves, but instead must in some manner just delete the reference to the record somewhere.
Somebody has created a tool to recover this data, but it is only available to beta testers. It can be found here. I’m quite fancying doing some research about this over summer and seeing if I can create my own tool. Wish me luck!
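An added example (my own, not the beta tool linked above or the author's code) showing why deleted rows are recoverable: a constructed single-table database stands in for sms.db, a row is inserted and deleted, and a naive carve of the raw file bytes still finds the text; only VACUUM rebuilds the file without it. The table layout is an assumption, and `PRAGMA secure_delete = OFF` is set explicitly because some SQLite builds default it on.

```python
import os
import sqlite3
import tempfile

NEEDLE = "constructed-deleted-message-text"  # sample payload, not real data


def make_db_with_deleted_row(path):
    """Create a DB, commit one row, then delete it by ROWID."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # do not zero freed cells
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    con.execute("INSERT INTO message (text) VALUES (?)", (NEEDLE,))
    con.commit()
    # Delete by ROWID so SQLite frees the cell rather than truncating the table.
    con.execute("DELETE FROM message WHERE ROWID = 1")
    con.commit()
    con.close()


def raw_file_contains(path, needle):
    """Naive carving: search the raw file bytes, ignoring the b-tree entirely."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def live_rows(path):
    """What a normal SQL query (and a normal viewer) reports."""
    con = sqlite3.connect(path)
    n = con.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    con.close()
    return n


def vacuum(path):
    """VACUUM copies only live cells into a fresh file, discarding the rest."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def demo():
    """Return (live_rows, found_before_vacuum, found_after_vacuum)."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    make_db_with_deleted_row(path)
    rows, before = live_rows(path), raw_file_contains(path, NEEDLE)
    vacuum(path)
    return rows, before, raw_file_contains(path, NEEDLE)


if __name__ == "__main__":
    print("live rows, carved before VACUUM, carved after VACUUM:", demo())
```

The same reasoning applies to sms.db: a DELETE only unlinks the cell, so the message text stays on the page until the space is reused or the file is vacuumed.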
If anyone wants to get involved, or at least throw me some info on this, please comment or email.