topsirloin wrote:
I figured I would resurrect an old thread rather than create a new one.
I've been dealing with quite a few iPhones lately belonging to very active iMessage users dealing with 10s of thousands of messages. I've been tasked with reporting on a few individual chat threads that deal with quite a bit of deleted information. I'm finding that both Cellebrite & XRY are reporting on deleted messages where the opposite handset's phone number is missing from the report. When you break the chats up in a timeline format, you can make sense of it, as long as the user of the phone isn't chatting with multiple people at a time.
So I dig into the sms.db file, and what I'm guessing is happening is that the link between the thread ID and the individual messages is lost. (perhaps connected via the chat_message_join table?)
Does the DB shred this info when the message is deleted? More and more iPhones are coming in like this, making it very difficult to report on iMessage chats.
The SMS database on iOS is now "done properly", in that it's pretty well normalised, unfortunately, that causes some additional issues when you're recovering the deleted data.
The "normal" way to find participants is from the message via the chat_message_join, then on to the chat_handle_join and finally to the handle. This is, despite the complexity a fairly good idea from a database design standpoint - it allows a nice, normalised way to have multiple people in a conversation and reduces duplication of data. Unfortunately, those relationships are deleted by triggers in the database when the related message is deleted. From a recovery of deleted data point of view, the chances of getting all of those relationships intact is kinda low, and the very small, generic looking records in the two "join" tables are nightmarish to recover without getting lots of false hits.
Luckily there's still also a 2 table one-to-many relationship with most messages between the "handle_id" column in the "message" table and the "ROWID" column in the "handle" table - if you have, or can recover the corresponding records in the "handle" table you can link messages back to a handle - I don't think XRY and Cellebrite do this though.
If you have a tool to recover deleted records you could rebuild the database and query it directly. I haven't yet used Paul's tool, but it does look to have some pretty neat features and it may well do the job. We use Epilog to do this work here and it's a fairly routine task (full disclosure - I wrote Epilog, but we have found it does work well for this particular job).
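As an added illustration of the two lookups described in the reply above (this is not code from the thread, from Epilog, or from any other tool), the following Python script builds a simplified, constructed sms.db-style schema in memory, deletes the chat_message_join row for one message the way the deletion triggers would, and shows that the multi-hop join loses that message's participant while the direct message.handle_id to handle.ROWID join still recovers it. Table and column names follow the real sms.db; the row values and the handle_id 0 case are constructed for the sample.

```python
import sqlite3

# Simplified stand-in for the iOS sms.db schema (assumption: only the columns
# needed for the two participant lookups are modelled; names follow sms.db).
SCHEMA = """
CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER);
CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER);
CREATE TABLE chat_handle_join (chat_id INTEGER, handle_id INTEGER);
"""

# Multi-hop lookup: message -> chat_message_join -> chat_handle_join -> handle.
# A message whose join rows are gone simply drops out of this result.
VIA_JOINS = """
SELECT m.ROWID, m.text, h.id
FROM message m
JOIN chat_message_join cmj ON cmj.message_id = m.ROWID
JOIN chat_handle_join chj ON chj.chat_id = cmj.chat_id
JOIN handle h ON h.ROWID = chj.handle_id
"""

# Direct fallback: message.handle_id -> handle.ROWID. LEFT JOIN keeps messages
# with no matching handle row (or handle_id 0) and reports NULL for them.
VIA_HANDLE_ID = """
SELECT m.ROWID, m.text, h.id
FROM message m
LEFT JOIN handle h ON h.ROWID = m.handle_id
"""

def build_sample_db():
    """Constructed sample: two 1:1 chats (10, 11) and four messages; the join row
    for message 2 is then deleted, mimicking the trigger cleanup on deletion."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO handle VALUES (?,?,?)",
                    [(1, "+15550001111", "iMessage"), (2, "+15550002222", "iMessage")])
    # Message 4 has handle_id 0, as seen on some messages sent from the device
    # (assumption for this sample); the direct fallback cannot attribute those.
    con.executemany("INSERT INTO message VALUES (?,?,?)",
                    [(1, "hi", 1), (2, "deleted, then carved", 2),
                     (3, "later", 1), (4, "sent, no handle", 0)])
    con.executemany("INSERT INTO chat_message_join VALUES (?,?)",
                    [(10, 1), (11, 2), (10, 3), (10, 4)])
    con.executemany("INSERT INTO chat_handle_join VALUES (?,?)", [(10, 1), (11, 2)])
    con.execute("DELETE FROM chat_message_join WHERE message_id = 2")  # trigger effect
    return con

def participants(con, query):
    """Map message ROWID -> participant handle id (None when unresolved)."""
    return {row[0]: row[2] for row in con.execute(query)}
```

Running both queries side by side shows the gaps are complementary: the join route attributes message 4 (sent, handle_id 0) via the chat but loses carved message 2, while the handle_id route recovers message 2 but returns NULL for message 4.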