iPhone Forensics Deleted Data Traces

Oxygen Forensic Suite 2012 is able to extract and show deleted data. The type and amount of data depends on the mobile device platform. Here is the list of data that is available for iphone forensics investigation.

  • Deleted SMS messages information is stored in ‘SMS.db’ or ‘SMS.sqlite’ files which can be opened with SQLite Database viewer. Double-click on a file and then click on ‘Recover deleted data’, wait until the process finishes, then click on ‘All deleted data’ and find the cell that matches ‘Messages’ row and ‘Data’ column. Deleted iMessages data is also stored in the same files.
  • Deleted calls information is stored in call_history.db file which can be opened with SQLite Database viewer in the File Browser section.
  • Deleted e-mail messages information can be viewed in ‘Envelope Index’ file (doesn’t have an extension). ‘Envelope Index’ file is available in jail-broken devices only.
  • Deleted e-mail accounts information is located in /private/var/mobile/Library/Mail folder which subfolders have the names of the deleted accounts and can be viewed in the File Browser section.
  • Deleted images information is stored *.ithmb databases for some period of time and can be viewed on the Thumbnail tab in the File Browser section.
  • Deleted contacts images can be found in AddressBookImages.sqlitedb file and opened with SQLite Database viewer in the File Browser section.
  • Traces of deleted data can be found in all SQLite databases stored in the mobile device and therefore recovered with SQLite Database viewer.

Find more details about forensic deleted data recovery in Deleted Data Traces document.

This entry was posted in Articles, Features. Bookmark the permalink.

Comments are closed.