In a case I recently worked, I came across relevant SMS messages which had been sent and received using an iPhone. Interestingly, I wasn't actually examining the iPhone, but only the subject's MacBook Pro. What I discovered, and subsequently researched, is that virtually all of the iPhone's current data contents, as well as quite a bit of archival data, appear to be extractable from the .mdbackup files that are stored on the PC or Mac to which the iPhone is synched.
On Windows, .mdbackup files are stored in the user's profile folder, under 'Application Data\Apple Computer\MobileSync\Backup'. On the Mac, they're stored in the user's home directory, under 'Library/Application Support/MobileSync/Backup'. While I've only worked with the one instance on a Mac, I believe that the file format is identical between both platforms. The .mdbackup file contains, presumably among other things, one or more sqlite database files. These can be extracted using a perl script, bkupextract.pl, which I found using Google.
perl -w bkupextract.pl *mdbackup
The script will list out the names of all of the sqlite databases to STDERR as it extracts them to db files in the current directory. Once they're extracted, their contents can be dumped using sqlite3. The phone's SMS message store will likely be one of the more interesting pieces of evidence, so:
echo ".dump" | sqlite3.exe sms_01.db > sms_01_dump.txt
The output of this command will look something like the following:
BEGIN TRANSACTION;
CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key));
INSERT INTO "_SqliteDatabaseProperties" VALUES('_ClientVersion', '2');
INSERT INTO "_SqliteDatabaseProperties" VALUES('_UniqueIdentifier', 'EE0A5BF3-9C22-455E-9FBC-7E733BDC6FDA');
CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER, svc_center TEXT);
INSERT INTO "message" VALUES(3,'<phone-number>',<integer-unix-date>,'<message-text>',3,0,NULL);
...
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('message',122);
COMMIT;
The dates in the file are UNIX timestamps (seconds since 1970-01-01 UTC), which can be easily translated into readable dates using various web-based utilities.
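To show the dump-and-read step and the timestamp conversion in script form, here is an added Python example; it is not part of the original post and has nothing to do with the bkupextract.pl script. It recreates the message table from the schema in the dump above, fills it with constructed sample rows (the numbers, dates and text are invented), and lists each message with its UNIX date rendered as UTC. The open_extracted_db helper is an assumption about how one would point the same query at a real sms_NN.db file without modifying it.

```python
import sqlite3
from datetime import datetime, timezone

# Schema copied from the CREATE TABLE statement in the dump shown above.
MESSAGE_SCHEMA = """
CREATE TABLE message (
    ROWID INTEGER PRIMARY KEY AUTOINCREMENT,
    address TEXT,
    date INTEGER,
    text TEXT,
    flags INTEGER,
    replace INTEGER,
    svc_center TEXT
)
"""

# Constructed sample rows for this example: the numbers, timestamps and
# message text are invented and do not come from any real handset.
SAMPLE_ROWS = [
    (3, "+15555550100", 1200000000, "constructed sample message one", 3, 0, None),
    (4, "+15555550100", 1200003600, "constructed sample message two", 2, 0, None),
    (5, "+15555550199", 1200086400, "constructed sample message three", 3, 0, None),
]


def unix_to_utc(ts):
    """Render a UNIX timestamp (seconds since 1970-01-01 UTC) as ISO 8601 text."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def build_sample_db():
    """Create an in-memory database with the same 'message' table as sms_01.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(MESSAGE_SCHEMA)
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_messages(conn):
    """Return every row of the message table, oldest first, with the date decoded.

    Values are read exactly as stored; only the date is converted for display,
    and the raw timestamp is kept alongside it so a reviewer can re-verify it.
    """
    rows = conn.execute(
        "SELECT ROWID, address, date, text, flags FROM message ORDER BY date, ROWID"
    ).fetchall()
    return [
        {
            "rowid": rowid,
            "address": address,
            "date_raw": date,
            "date_utc": unix_to_utc(date),
            "text": text,
            "flags": flags,
        }
        for rowid, address, date, text, flags in rows
    ]


def open_extracted_db(path):
    """Open an extracted sms_NN.db file read-only (hypothetical helper).

    The mode=ro URI form keeps the evidence copy unmodified.
    """
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for m in list_messages(build_sample_db()):
        print(f"{m['date_utc']}  {m['address']:<14}  flags={m['flags']}  {m['text']}")
```

Opening the extracted database read-only keeps the working copy untouched, and carrying the raw timestamp next to the decoded one lets a second examiner re-check the conversion. The converter treats the stored value as seconds since 1970, as described above; if the decoded dates fall well outside the period the case concerns, re-check that assumption before relying on them.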
If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.
John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a Fortune 500 telecommunications equipment provider.