Recent discussions regarding the SMS message retention policies of Danish Politicians’ sparked by a controversial decision by Prime Minister Mette Frederiksen to cull Denmark’s fur farm mink has led to an interest in the technical possibilities of recovering deleted iMessages from Apple iPhones.
Prime Minister Frederiksen had activated an iPhone feature where messages, SMS and iMessage, were deleted if they became older than 30 days. The question about the chances of recovering the deleted messages piqued my interest resulting in following short technical article.
However, certain basic information should be defined first:
This test was done on an iPhone 6S(A1688) with iOS 12.1.4(Released 7/2-2019. This is a somewhat older version; however online searches show that not much has changed regarding these functions in the later versions of iOS.
As per the statement of Statens IT, the SMS/iMessage application has not been containerized/walled by "Mobil IT-Arbejdsplads (MIA)". The default configuration of the SMS/iMessage application is therefore relevant.
Potential iCloud syncs or local backups are not considered in this article.
Breaking in and looking around
As iPhones only allow very limited access to the internals of iOS, a jailbreak must be performed to gain access to the device and its filesystem. In this case I have used [Checkra1n](https://checkra.in/) to gain the necessary access via SSH.
Navigating the filesystem to files of interest allows us to extract the following files:
1. /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist
1. Contains the users settings for the SMS/iMessage application in a "plist"-syntax.
2. /var/mobile/Libraryu/SMS/sms.db, /var/mobile/Libraryu/SMS/sms.db-shm, /var/mobile/Libraryu/SMS/sms.db-wal
1. Contains the Sent, Received, Synced, etc. messages for the SMS/iMessage application. The fileformat is in the commonly used SQLite3 format.
The above listed files can be extracted to another host simply by using scp.
Autodeleting messages?
This configuration is set on the phone by configuring the setting at: Settings -> Messages -> "Keep Messages". By changing this setting a entry called "KeepMessageForDays" is set in the "com.apple.MobileSMS.plist" file. The entry doesn't exist in the file per default. If the setting is set to either "1 Year" or "30 Days" and then reverted back to "Forever" the entry will persist, however the integer would be set to "0"(days).
There exists no entry in the plist-file noting when the "Keep Messages" have been configured. Last modified timestamp of the plist-file could indicate this, however that would require that no following changes were made to the file, which is highly unlikely.
Assumption: To my knowledge, there exists no way to see when the "Keep Messages" setting has been configured.
Recovering messages
Both SMS and iMessages are stored in the "sms.db" SQLite3 database file. This is a commonly used format for storing local application data. Sending both a SMS and an iMessage to my test phone and extracting the database file showed the following entries:
These were saved in the "message" table of the database.
If we deleted the messages, both entries would disappear from the database. Per default for the SQLite3 format, the actual metadata is still intact in the file. In order to actually purge the data from the SQLite3 file, features as "secure_delete" must be utilized. Since iOS 12 the actual purge of data has been default.
If we open a SQLite3 file(left) with a message and the same SQLite3 file(right) with the same message deleted, we can confirm the actual purge of the message data at the same byte offset. No other changes were made to the file:
Other ways
Are there any other way to recover deleted messages? Well, if a complete image of the phone’s filesystem is acquired, a raw data search may yield pieces of messages that could be used in an investigation.
Below I have listed some less likely or unlikely scenarios where relevant data might be recovered.
1. In the event the SQLite3 database is corrupted during a write process, the system might create a new SQLite3 database file and discard the old one without overwriting it in the filesystem?
2. Other applications may have permission to read and write to the SQLite3 database file. This might result in a partial copy of the messages stored elsewhere in the filesystem.
3. If the iPhone is still running an iOS version before 12, the purge of deleted SQLite3 entries might never have happened?
4. The filesystem might contain artifacts from messages in slack-space or related filesystem spaces. However, this is less likely on solid state memory than on spinning disc hard drives.
Conclusion
While nothing is certain, my conclusion is that the likelihood of recovering the deleted iPhone messages is very small.