How Forensic Tools Unearth Deleted Text Messages

Unlike work email, most mobile text messages don’t flow through the corporate network except for the rare exception when employees use a company-deployed texting app. This means text messages are a blind spot for IT — that is, impossible to monitor. Even mobile device management software from vendors such as MobileIron can’t see text messages.

[ Related: Think Deleted Text Messages Are Gone Forever? Think Again ]

However, new forensic tools and proper forensic know-how, as well as possession of the mobile device, can unearth year-old deleted text messages. MobileIron’s security guru Michael T. Raggo gives a quick rundown of the forensic tools in play and the vectors for deleted text message recovery:

There are ways of retrieving SMS messages and deleted SMS messages. There are a few vectors for accomplishing this. Katana Lantern, Oxygen Forensics, Paraben, BlackBag Technologies and others provide tools for performing the ethical hacking of the device, as well as the data carving tools for analyzing the data.

In terms of the forensic analysis vectors, there are a few. For example, physical possession of the device can allow imaging of the device that stems from initially jailbreaking the device via redsn0w/Cydia. As long as the examiner documents this, it’s still permissible in court. Once jailbroken, you can SSH (Secure Shell) into the device and perform a forensic image/copy of the device using tools like “dd”, a longtime Unix/Linux backup or imaging utility. Then that data is analyzed and carved up using many of the aforementioned commercial products. It must be noted that this is not a bit-for-bit copy as slack space and other things are not imaged.

A hybrid of the physical access is to take a powered-off iOS device and use the sequence of buttons to put it into DFU (Device Firmware Update) mode. You can then use some of the forensic tools to perform a brute-force of simple pass codes (4-digit PIN). Once the PIN is identified, this can then be used to sometimes retrieve the keys and decrypt the partition. Then perform the appropriate analysis and data carving to enumerate the SMS messages from the SMS.db file, including information about attachments such as pictures and videos.

Alternatively, you can target the iTunes backup, which could be encrypted or unencrypted. The encrypted iTunes backup can be targeted by using tools like those from Elcomsoft iPhone password cracker targeting the manifest.plist. If cracked, you can then gain access to the backup.

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at tkaneshige@cio.com