But what if you have the feeling that there are more SMS-messages to be found in the iPhone, but the tools you use (if you have any) can't get them out.
In an ongoing investigation we had such a thing, that made us look deeper into the raw data.
To find the end of SMS-messages, we used:
\x00\x6E\x6C\x01
better but with more false positives, (but also more good sms-messages:)
\x00\x6E\x6C\x01|\x00
As \x6E\x6C is the hexadecimal valeu for nl and this iPhone was an iPhone from the Netherlands,
it might be that the hex-valeu differ from country to country. We havent checked that.
In our case we found 122 messages instead of the 14 which where earlier found with the tools, ment for extractinig SMS out of data.
For a way to get a DD of your "Jailbroken" iPhone, take a look at:
http://modmyi.com/forums/file-mods/237321-how-iphone-data-recovery.html
For non-jailbroken iPhones you either have to jailbreak them or contact a specialist to make an image with specialised tools like the Cellebrite UFED.
Geen opmerkingen:
Een reactie posten