Last week, I was asked to acquire the text messages from an iPhone and to pull out only the messages that were to/from a particular party in a particular date range. This took a little research to pull off so I'm posting this to share the steps we took. I hope that this will be useful to others doing forensic investigations or e-discovery.
The first phone we needed to pull messages from was an iPhone. To start with, we backed up the phone to the user's computer via iTunes. On Mac OS X, the backups are stored in ~/Library/Application Suppport/MobileSync/Backup/{UDID}. The individual backup files have no extension and the names of the files are the SHA-1 hashes of the original file path and name from the phone. In this particular instance, the name of the database containing the SMS messages was 3d0d7e5fb2ce288813306e4d4636395e047a3d28, the same name cited in other articles. Be careful, however, as this name can change. If your backup does not contain this file name, a quick grep for 'chat_handle_join' (or any other tell-tale sign) should show you the correct sms.db file.
Subscribe to:
Posts (Atom)
Adversaries keep getting faster
According to CrowdStrike’s 2025 Global Threat Report, the average breakout time, the window between an adversary gaining initial access and ...
-
Most cryptographic algorithms deal with numbers that are 128 bits or larger. A 128-bit number has 2 128 possible values, but how big ...
-
Last week, I was asked to acquire the text messages from an iPhone and to pull out only the messages that were to/from a particular party in...