iMessage Analysis

I’ve seen a few bits and pieces come up on the internet (in a variety of languages) on this subject.  I needed a topic for one of my research papers, so I thought I’d tackle the issue and propose (if you will) a ‘standard’ by which you can analyse iMessages from iOS5 devices. The results were very interesting.

I haven’t planned on putting up all the research, because it is of course my research, and I’d like to get it published soon.  But I wanted to give a little taster into what it is I’ve actually done…

  1. I got the sms.db from the /Library/SMS/ folder of a recovered iPhone 4s backup. I saw that some individuals had been having difficulty opening this file.  Unlike iOS4 and lower, sqlitebrowser does not support the iOS5 SMS database. I discovered you can open it using sqlite3 (tested on Mac and Windows), but if you want a GUI I suggest Mesa SQLite for Mac or SQL Maestro for Windows.
  2. Existing SMS and MMS analysis on the sms.db is still the same.  Additional fields have been created within the database to accommodate the new iMessage features. I will not disclose which fields these may be.
  3. It is theoretically possible to recover every deleted SMS and iMessage from the database using a specialist data carving technique made famous by Andrew Hoog.  I was even able to recover some of the media from deleted MMS messages and iMessage attachments.
  4. iMessages provide a lot more useful information with regards to read, received and sent times.
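Item 1 above says the iOS5 sms.db opens with sqlite3, and item 3 relies on carving deleted records out of the file. The following Python script is an added worked example of a read-only first look at such a database (it is not code from the original post). It hashes the file for the evidence record, parses the fixed 100-byte SQLite header (offsets as published in the SQLite file format) to report the page size and the number of freelist pages, which are the unallocated pages inside the file where deleted records may still physically sit and where carving techniques look, and then lists every table with its columns and live row count. The `sample_messages` table it builds for the demo is a constructed stand-in and deliberately not the real sms.db schema.

```python
"""Added example: read-only triage of a SQLite database such as an iOS sms.db.

Header offsets follow the SQLite 3 file format: 16-17 page size, 32-35 first
freelist trunk page, 36-39 total freelist pages.  The demo table is constructed
and is NOT the real sms.db schema."""
import hashlib
import os
import sqlite3
import struct
import tempfile


def sha256_file(path):
    """Hash the evidence file before touching it so later work can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sqlite_header_info(path):
    """Parse the fixed 100-byte SQLite 3 header without opening a connection."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database: %s" % path)
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:          # the value 1 encodes a 65536-byte page
        page_size = 65536
    first_trunk, freelist_pages = struct.unpack(">II", hdr[32:40])
    total_pages = os.path.getsize(path) // page_size
    return {
        "page_size": page_size,
        "total_pages": total_pages,
        "freelist_pages": freelist_pages,       # pages holding no live records
        "first_freelist_trunk": first_trunk,    # 0 means the freelist is empty
    }


def list_tables(path):
    """Enumerate tables, columns and live row counts, opening the file read-only."""
    conn = sqlite3.connect("file:%s?mode=ro" % path.replace(os.sep, "/"), uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        tables = []
        for name in names:
            cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % name)]
            count = conn.execute('SELECT COUNT(*) FROM "%s"' % name).fetchone()[0]
            tables.append({"name": name, "columns": cols, "rows": count})
        return tables
    finally:
        conn.close()


def build_sample_db(path):
    """Construct a stand-in database: insert 200 messages, then delete 180 of
    them so whole b-tree pages are released to the freelist (constructed data)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sample_messages "
                 "(id INTEGER PRIMARY KEY, body TEXT, sent INTEGER)")
    conn.executemany("INSERT INTO sample_messages (body, sent) VALUES (?, ?)",
                     [("constructed message %03d " % i + "x" * 500, 1300000000 + i)
                      for i in range(200)])
    conn.commit()
    conn.execute("DELETE FROM sample_messages WHERE id > 20")
    conn.commit()
    conn.close()


def demo():
    """Build the sample file and return the full triage report as a dict."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    build_sample_db(path)
    return {"sha256": sha256_file(path),
            "header": sqlite_header_info(path),
            "tables": list_tables(path)}


if __name__ == "__main__":
    report = demo()
    print("sha256:", report["sha256"])
    print("header:", report["header"])
    for t in report["tables"]:
        print("table %s: %d live rows, columns %s"
              % (t["name"], t["rows"], t["columns"]))
```

A non-zero freelist count after the deletions is the point of the demo: the 180 deleted rows are gone from every query, yet the pages that held them are still in the file, which is why carving can get them back and why a `VACUUM` (or a device that uses secure_delete) would destroy that evidence. Point `sqlite_header_info` and `list_tables` at a copy of a real sms.db to get the same report for it.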

As always, I’m very happy to be contacted with any questions!


iPhone encryption bypassed

ElcomSoft have released their iOS forensic toolkit which they say can decrypt the data that iOS encrypts on the device.  I am unsure how comprehensive this is, and so it is uncertain if recovery of deleted files is at all possible.  Maybe someone could clarify this for me?

It is a software solution which looks like it brute-forces its way to the encryption key.  I still think it would be very interesting to find a way to recover the encryption key from the encryption chip itself.

I’m still alive

Things have been very quiet for me as far as personal development in Digital Forensics goes. I may seem very egotistical, but I would like to congratulate myself on attaining a scholarship with Staffordshire University. As a result I am now a part-time university lecturer! My first tutorial is at 15:00 today! Good times!

My MRes actually begins on 18th October 2011, so we’ll probably be hearing a lot more from me starting then, when I’m actually researching and finding out interesting bits and bobs!

I’m always very open to research paper ideas, so if you’re reading this and have anything you or your organisation would like researching then throw it my way!

Take care!

CCTV Analysis

I have gone over research topics I could do my masters thesis on, as I am due to start my MRes (Research Masters) in September.

Looking on job websites, I found an interesting opportunity for CCTV analysts to travel around the country seizing and analysing data found on CCTV systems…

“The successful candidate will have the skillset to carry out multiplex and embedded time and data decoding, enhancement of video and audio data, comparative analysis, creating evidential compilations of clips and presenting the evidence in video and still formats for production in Court.

The candidate must also have the appropriate skills in areas of image science, the science of individualization and knowledge of photogrammetry.

Working in strict compliance with Association of Chief Police Officers (ACPO) guidelines the candidate must have the ability to be able to convert proprietary digital video to other standard formats whilst maintaining the integrity of the imagery. The candidate will be required to fully document all investigation processes, analysis and evidence produced. This will include the production of technical reports and witness statements for Court purposes.”

CCL Forensics

Personally, it sounds like an excellent job.  It calls for experienced individuals; however, a question came to mind: how does one acquire experience in such a specific job without already having experience? I have yet to see a job which would train you in this very specific field. It was from here that I contemplated gaining the experience for myself by focusing my MRes thesis on CCTV analysis.

I feel it’s a perfect topic because there is such a large range of questions and subject areas to research.  Some of the current questions rattling in my head include:

  • How are CCTV systems configured?
  • Who are the market leaders of CCTV systems, and what file formats do they use?
  • How does one determine that the footage collected is not falsified?
  • How does one determine the correct dates for the video footage?
  • How does one make digital copies of VHS video in a forensically sound manner?

This is just a taster of some of the questions I look forward to answering over the next year.  I am aware this is not a completely new field, but I have found myself generating a very keen interest in it, and the field itself is not very well documented.  And let’s not forget the potential for high-paid jobs at the end of it!

So if anyone reading this knows any of the answers, or knows of great books/websites/conferences covering this topic, please comment and let me know! You would be a great help, I assure you!

The world becomes aware..

I returned from my holiday to discover people commenting on the post regarding the consolidated database. Suffice to say I’m quite happy for the attention.  It turns out a tool has been developed which processes the data found in the database and places them as points on a map.

Friends and students familiar with my dissertation have believed that this is a direct copy of the tool I developed for my final year project, and I just wanted to state that although the tool is similar, they do different jobs.  Yes, my tool does analyse the consolidated database, but the aim of my tool is to track individual locations and piece together an individual’s movements.  This may be used in a forensic analysis to determine if the iPhone user was in a specific location at a specific time, where the data may be incriminating or may prove the individual innocent.

Alasdair Allan and Pete Warden have developed a tool that specifically targets the consolidated database and outputs the data found in it onto a map.  This data includes locations of cell towers and wifi access points.  It is really impressive, and performs the task they made it for fantastically, using a very easy-to-use and beautiful user interface. Check it out here.

I would like to thank them for mentioning me in their FAQ!

Because they have alerted the world to this database, Apple have announced they will be changing iPhone functionality to reduce the amount of geolocation data stored in this database.  I do not know if this means they will be eradicating the file completely, or simply reducing the timeframe the locations are stored for.  Naturally this affects the effectiveness of my dissertation tool.  However, if they are simply removing the data after a certain timeframe (e.g. deleting records after a week), then there may be potential for recovery (intended for my summer research).

I still intend on writing a small paper over summer describing what all the values in the consolidated database mean. It is intended for forensic analysts to use as a reference during an investigation, in order to determine which values accurately show where the device has been, and to avoid confusing the location of a cell tower with a coordinate the phone has actually visited.