Tuesday, January 25, 2011

EnScripts (EnPacks) to Carve iPhone SMS Messages

These are tools to find SMS Messages from physical (carve) or logical files, recovered from an iPhone (DOWNLOAD).

This tool is really meant to find unallocated SMS Messages in a Raw disk recovery of the user disk partition as extracted by tools (http://oreilly.com/catalog/9780596153595)like the one created by Johnathon Zdziarski. (http://www.zdziarski.com/blog/?page_id=503).

If you obtain a logical copy of the files from the iPhone then you can use this tool to parse some of the information out of the SMS.db.

I created following two Enscripts to carve out SMS Messages:

1. iPhone SMS Remnant - Search by Telephone Number.EnPack is a Enscript that will prompt you for a telephone number to specifically search.

When you run the script you have to “Blue Check” all files you want to scan.

Output is to Console, Search Hits tab and Bookmark Tab. The Bookmark Tab Comment Section contains the following Information

2. iPhone SMS Remnant - Find All.EnPack is an Enscript that will attempt to find all the SMS Messages regardless of the telephone number. (After you find you "target" telephone number I recommend you use the iPhone SMS Remnant - Search by Telephone Number because it appears to find some additional remnants that this Enscript might miss.) You don't have to use the entire number you can also use just a area code ("414)or an area code + prefix(414935). Do not use and salad (spaces,dashes or wildcard characters).


My Research:
This was tested against an iPhone Version Model MB704 – Revision 3.1.3(7E18).

Test SMS.db(s) was SQLite format 3.

Sometimes the hits were like "+14145551212" and sometime they were "4145551212"

When creating these ENSCRIPTS I used a "Default Bookmark folder" so if you run these Enscript more then once each in your case, without changing the bookmark folder name, it will just OVERWRITE the previous search WITHOUT notice.

A majority of the "False Positives" appear to Call History Remnants.

To Do: This tool would be easy to change/update to find call history in allocated (call_history.db) and unallocated space.

10 comments:

Anonymous said...

-enpack find all does not work for me on a sms.db file in encase 6.18;

-search by telephone number does work - sort of - parsing of date/tiime values is inaccurate, along with some extra artifacts added just after the phone number....

any way to resolve these issues?

shafik - shafghp@gmail.com

ForensicZone said...

If you have a sms.db you can use sqlite viewer (http://sqlitebrowser.sourceforge.net/)to view the database. I don't know how to troubleshoot your problem without having your specific sms.db. I have not seen these problems before. What version of iPhone OS is the data from?

Anonymous said...

hello richard,

thanks for replying,

iphone 3gs with ios 4.1.x

i know i can use an sqlite viewer for the sqlite db files, which i do as a matter of practice. but i want to get at the deleted or dereferenced artifacts, which cannot be obtained or viewed through an sqlite client.

in the current case im working on i know there are confirmed deleted records in both the sms and call history db files

if you would like we could carry on this collaboration over email if you would like to spend the time to look at the db files. just to make you aware i have solicited lance mueller's help with this as well and have sent him the files along with all the decoding documentation.

I will also provide you with all the decoding research i have done and the other third party sources papers that assisted me with the decoding if you like.

Anonymous said...

Hmmm, how do I add a .dmg file into EnCase? EnCase don't support .dmg files.

/Rob

Ryan said...

does this work with Encase 4.2?

thanks!

Ruby Claire said...

YEah its working with Encase 4.2

furniture said...

Good Job, Thank you for presenting a wide variety of information that is very interesting to see in this artikle


karimunjawa
and furniture jepara
or mebel jepara
and tenun

Syaiful tenun said...

article from a very amazing, Good Job, Thank you for presenting a wide variety of information that is very interesting to see in this artikle


pemesana furniture jepara |
rute expedisi furniture |
warna furniture jepara |
produk furniture jepara |
furniture jepara |
toko furniture jepara |
toko mebel jepara |

kamar set mewah |
kamar set minimalis |
kamar anak hello kitty |
gebyok pelaminan |
meja kantor jati |
kamar set minimalis |
meja makan jati |
kursi tamu mewah |
kursi tamu mewah |
set kursi tamu |
meja makan jati |
set meja makan |
lemari jati mewah |
almari pakaian |
lemari pakaian 4 pintu |
almari hias ukir jati |
almari hias ukir |
ayunan jati |
ayunan jati jepara |
kursi bale bale |

Syaiful wisata said...

Thank you for presenting artikle
tour karimunjawa 2 hari 1 malam
tour karimunjawa 3 hari 2 malam
tour karimunjawa 4 hari 3 malam
honeymoon karimunjawa
paket resort karimunjawa
paket resort karimunjawa

tour karimunjawa 2 hari 1 malam
tour karimunjawa 3 hari 2 malam
tour karimunjawa 4 hari 3 malam
honeymoon karimunjawa

tour karimunjawa 2 hari 1 malam
tour karimunjawa 3 hari 2 malam
tour karimunjawa 4 hari 3 malam
paket resort karimunjawa
honeymoon karimunjawa

tour karimunjawa 2 hari 1 malam
tour karimunjawa 3 hari 2 malam
tour karimunjawa 4 hari 3 malam
honeymoon karimunjawa
paket murah karimunjawa

tour karimunjawa 2 hari 1 malam
tour karimunjawa 3 hari 2 malam
tour karimunjawa 4 hari 3 malam
honeymoon karimunjawa
paket resort karimunjawa
paket resort karimunjawa

wisata tahun baru karimunjawa
wisata tahun baru karimunjawa
wisata tahun baru karimunjawa
wisata tahun baru karimunjawa

sohail sheikh said...

i read a lot of stuff and i found that the way of writing to clearifing that exactly want to say was very good so i am impressed and ilike to come again in future.. Bulk SMS in Pune