Tuesday, January 25, 2011

EnScripts (EnPacks) to Carve iPhone SMS Messages

These are tools to find SMS Messages from physical (carve) or logical files, recovered from an iPhone (DOWNLOAD).

This tool is really meant to find unallocated SMS Messages in a Raw disk recovery of the user disk partition as extracted by tools (http://oreilly.com/catalog/9780596153595)like the one created by Johnathon Zdziarski. (http://www.zdziarski.com/blog/?page_id=503).

If you obtain a logical copy of the files from the iPhone then you can use this tool to parse some of the information out of the SMS.db.

I created following two Enscripts to carve out SMS Messages:

1. iPhone SMS Remnant - Search by Telephone Number.EnPack is a Enscript that will prompt you for a telephone number to specifically search.

When you run the script you have to “Blue Check” all files you want to scan.

Output is to Console, Search Hits tab and Bookmark Tab. The Bookmark Tab Comment Section contains the following Information

2. iPhone SMS Remnant - Find All.EnPack is an Enscript that will attempt to find all the SMS Messages regardless of the telephone number. (After you find you "target" telephone number I recommend you use the iPhone SMS Remnant - Search by Telephone Number because it appears to find some additional remnants that this Enscript might miss.) You don't have to use the entire number you can also use just a area code ("414)or an area code + prefix(414935). Do not use and salad (spaces,dashes or wildcard characters).

My Research:
This was tested against an iPhone Version Model MB704 – Revision 3.1.3(7E18).

Test SMS.db(s) was SQLite format 3.

Sometimes the hits were like "+14145551212" and sometime they were "4145551212"

When creating these ENSCRIPTS I used a "Default Bookmark folder" so if you run these Enscript more then once each in your case, without changing the bookmark folder name, it will just OVERWRITE the previous search WITHOUT notice.

A majority of the "False Positives" appear to Call History Remnants.

To Do: This tool would be easy to change/update to find call history in allocated (call_history.db) and unallocated space.