Unlike work email, most mobile text messages don’t flow through the corporate network, except in the rare case when employees use a
company-deployed texting app. This means text messages are a blind spot for IT — that is, impossible to monitor. Even mobile device management
software from vendors such as MobileIron can’t see text messages.
Forensic tools and proper forensic know-how, as well as possession of the mobile device, can unearth year-old deleted text messages. MobileIron’s
security guru Michael T. Raggo gives a quick rundown of the forensic tools in play and the vectors for deleted text message recovery:
There are ways of retrieving SMS messages and deleted SMS messages. There are a few vectors for accomplishing this. Katana
Lantern, Oxygen Forensics, Paraben, BlackBag Technologies and others provide tools for performing the ethical hacking of the device, as well as
the data carving tools for analyzing the data.
In terms of the forensic analysis vectors, there are a few. For example, physical possession of the device can allow imaging of
the device that stems from initially jailbreaking the device via redsn0w/Cydia. As long as the examiner documents this, it’s still permissible in
court. Once jailbroken, you can SSH (Secure Shell) into the device and perform a forensic image/copy of the device using tools like “dd”, a longtime
Unix/Linux backup or imaging utility. Then that data is analyzed and carved up using many of the aforementioned commercial products. It must be
noted that this is not a bit-for-bit copy as slack space and other things are not imaged.
A hybrid of the physical access is to take a powered-off iOS device and use the sequence of buttons to put it into DFU (Device
Firmware Update) mode. You can then use some of the forensic tools to perform a brute-force of simple pass codes (4-digit PIN). Once the PIN is
identified, this can then be used to sometimes retrieve the keys and decrypt the partition. Then perform the appropriate analysis and data carving
to enumerate the SMS messages from the SMS.db file, including information about attachments such as pictures and videos.
Alternatively, you can target the iTunes backup, which could be encrypted or unencrypted. The encrypted iTunes backup can be
targeted by using tools like those from Elcomsoft iPhone password cracker targeting the manifest.plist. If cracked, you can then gain access to the
Tom Kaneshige has been covering business and technology in Silicon Valley for two decades. As senior online writer at CIO.com, Tom covers Silicon Valley culture, BYOD and consumer tech in the enterprise.
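
The iTunes backup vector in the quote above matters to IT as well: a backup left unencrypted on a workstation holds the same SMS data with no password protecting it. The following Python script is an added example, not code from the article or from any vendor it names; it audits a backup folder and flags unencrypted backups. Assumptions: one sub-folder per device containing a `Manifest.plist`, the `IsEncrypted` and `Lockdown` keys in that file, and the hypothetical helper `build_sample_root`, which writes constructed sample manifests.

```python
import plistlib
import tempfile
from pathlib import Path


def audit_backups(backup_root):
    """Return one finding per device folder that holds a Manifest.plist."""
    findings = []
    for manifest in sorted(Path(backup_root).glob("*/Manifest.plist")):
        entry = {"backup": manifest.parent.name}
        try:
            with manifest.open("rb") as fh:
                data = plistlib.load(fh)  # accepts XML and binary plists
            if not isinstance(data, dict):
                raise ValueError("top-level object is not a dictionary")
        except Exception as exc:  # damaged, truncated or unexpected manifest
            findings.append({**entry, "status": "unreadable", "detail": str(exc)})
            continue
        # Assumed keys: IsEncrypted (bool) and Lockdown (device details).
        lockdown = data.get("Lockdown") or {}
        status = "encrypted" if data.get("IsEncrypted") is True else "UNENCRYPTED"
        entry.update(status=status, device=lockdown.get("DeviceName", "unknown"),
                     ios=lockdown.get("ProductVersion", "unknown"))
        findings.append(entry)
    return findings


def build_sample_root(root):
    """Write three constructed backups: unencrypted, encrypted, corrupt."""
    samples = [
        ("constructed-udid-0001", False, plistlib.FMT_XML, "Sales iPhone"),
        ("constructed-udid-0002", True, plistlib.FMT_BINARY, "Exec iPhone"),
    ]
    for name, encrypted, fmt, device in samples:
        folder = Path(root) / name
        folder.mkdir(parents=True)
        body = {"IsEncrypted": encrypted, "Lockdown": {"DeviceName": device, "ProductVersion": "6.1"}}
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump(body, fh, fmt=fmt)
    corrupt = Path(root) / "constructed-udid-0003"
    corrupt.mkdir(parents=True)
    (corrupt / "Manifest.plist").write_bytes(b"not a plist")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_backups(build_sample_root(tmp)):
            print(finding)
```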