Forensically recovering SMS and iMessages form iOS 5 and Above.
SMS/iMessage in iOS
Appleís iOS operating system 5.0 released in 2011 introduced the new capability called iMessage. This Feature allows Apple users to exchange messages with one another similar to that of SMS without utilizing the SMS protocol to send and receive messages. Apple stores these messages along with SMS messages in a SQLite Database called sms.db witch can be recovered with a verity of methods. There is no real retention scheme other than to grow this file until it hits itís capped size and then purge deleted items. In iOS 5 this cap is set to 15mb which can hold around 75,000 messages. There is no menu built into the OS that allows automatic removal of messages after a specific period of time or any other defined rule so messages are retained until they are deleted.
Fun Facts about the SMS db
SoÖ There are a few things you should be aware of that make the sms.db a bit more useful to us than just looking at the messages on device. When a user deletes a message on device the record is not actually removed. The OS simply adds a flag to the record marking it for removal and hides it from the users on device view. The OS doesn't immediately overwrite or modify the data in any way. There is a purge routine that will run every so often but more interestingly is that this routine is at Page Level rather than at the record level. What this means is that rather than processing records for removal individually it process a full ~=4kb Page of records all at once. What makes this special is that if any item in the page has not been flagged for removal the entire page stays intact and is recoverable in the sms.db That being said this also creates a case where older deleted messages are forensically recoverable, but more recently deleted messages are not recoverable because they existed in a memory page that contains only messages flagged for deletion.
Another interesting note to mention is around the use of spotlight search. Spotlight is an iOS feature that creates and maintains a device wide index of the device for use in searching. So with this index it may be possible to access previously deleted messages or other data content utilizing keywords if the removed data had yet to be purged from the spotlight index. It should be noted however that if file level encryption is in use the data may be inaccessible because the keys used to secure that data would have been permanently discarded.
Recovery through backup utility.
The SMS.db file can easily be recovered by using any iOS supported backup utility including iTunes. It becomes slightly more difficult to recover if you do an encrypted backup however it is possible to decrypt the backup using the iphone data protection python scripts available on code.google.com however this goes beyond the scope of this article. Below are the steps required to recover the sms.db from an unencrypted backup.
1. Connect your target iOS device
2. Unlock the device and if using iOS 7.0 or above select the Trust option at the on device prompt.
3. Launch iTunes or your preferred 3rd party backup utility.
4. Create a backup of the target device.
5. On completion open the default backup location.
MAC: ~/Library/Application Support/MobileSync/Backup/
WinXP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
Win Vista, 7, 8: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
6. Locate the target device in the backup location identified by the device UDID and open itís latest backup.
7. Navigate to the HomeDomain\Library\SMS directory
8. Copy the sms.db file and the attachments folder to a new storage location for analysis.
Now all you need to do is open up the sms.db file with your preferred SQLite viewer and take a look at the records you will be able to recover all current messages as well as items marked for deletion that have not been purged by the Vacuum routine. There are tools out there that make this process easier such as using the backup explorer tool inside of the iExplorer software application. You may also be able to recover MMS objects sent by navigating through the attachments folder copied in step 8. If you wanted yo could also take this a step further an look at the draft SMS messages by copying the drafts folder and looking at the entries contained in the dictionary files. Recipient data is stored in PENDING-recipients.plist and the message content is in message.plist stored within the PENDING.Draft subfolder.
And as always I'm not responsible for what you decide to do with this info. This data is provided for those who have a curiosity towards how iOS stores and process SMS data. as well as to provide an understanding of how easy it is for an attacker to gain access to your SMS data.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 14 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.