XRY Logical Downloads of the IPhone

Playing around with XRY the other day, I downloaded my iPhone. I had created a profile to only load in SMS because I was primarlily interested in looking at deleted SMS contained in the live database (i.e. SMS record slots inside the database that had been flagged as available but still containing the old data) with XACT.

After loading the file into XACT, I did a findstrings search inside the SMS database and did indeed discover deleted SMS (These were SMS messages I knew were on the phone and deleted just prior to my taking the read of the handset).These were unparsed of course but it was encouraging to see the ASCII text.

I then exported the SMS.DB from XACT and loaded it into Text Pad and looked for the deleted messages. I found them as seen in the below screen capture

deletedsms

Interesting…as I play more with XACT and the iPhone, I’ll post more tips and tricks!

Advertisements

5 comments

  1. marlene bell

    I was able to access deleted texts by opening the sms.db file with TextEdit. Again, it was unparsed and had no date information but certainly very helpful nonetheless.

    Do you know of any Mac software for forensics that can override iTunes to retrieve all the data off of an old iphone?

    Also, does XACT come in Mac version?

    Thanks.
    Marlene

  2. Shirley

    I found the same deleted text data but within the XACT binary dump of a 3GS iphone. It did not appear to be within any type of db file either, but rather in what I assume is unallocated space, as there was other fragmented pieces of data around it, such as phone numbers, dates and times, and plist files. The other odd thing was that there appeared to be multiple copies/duplicates of the same data in different offsets of the disk image. Some were exact duplicates while other instances of the “same” data had only parts of it.

    Has anyone managed to find a tool which parses out the text data into a prettier format?

    Also, if anyone knows what the 11-digit number string is that appears prior to the text data, that would be quite useful. My guess is perhaps it is an identifier for each conversation thread, or potentially an association id for each contact? Being such a long number eliminates it as a unix or other timestamp – is my guess anyway.

    Cheers

    Shirley

Let Me Know Whatcha Think....

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s