Comments (9)

horrorho avatar horrorho commented on September 14, 2024 1

Hi. I've edited out your personal information. In future you can email me sensitive information rather than posting it in public. I've downloaded the backup so please change your password.

Also snapshot meta-data can leak additional information which is not present in the backups. In this case it references an IT company that I assume you're affiliated with.

I've had a brief look at the backup. Let me know if I've skipped/ misunderstood anything.

  • There is no file corruption that I can discern. The files were retrieved in AES CBC mode.

  • The sms.db opens without issue. The first message begins with "Discover Twitter!"

  • The CallHistoryDB folder files open without issue. CallHistory.storedata and CallHistoryTemp.storedata are SQLite files. Many calls reference country code PK.

  • The CallHistoryTransactions folder has a single transaction.log. It's my first time seeing its file structure. It's a chunked sequence of NSKeyedArchives:

CHUNK LENGTH: 429
NSDICTIONARY
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>$top</key>
	<dict>
		<key>root</key>
		<string>01</string>
	</dict>
	<key>$objects</key>
	<array>
		<string>$null</string>
		<dict>
			<key>record</key>
			<string>02</string>
			<key>type</key>
			<integer>0</integer>
			<key>$class</key>
			<string>03</string>
		</dict>
		<data>
			BASE 64 DATA REMOVED
		</data>
		<dict>
			<key>$classes</key>
			<array>
				<string>Transaction</string>
				<string>NSObject</string>
			</array>
			<key>$classname</key>
			<string>Transaction</string>
		</dict>
	</array>
	<key>$version</key>
	<integer>100000</integer>
	<key>$archiver</key>
	<string>NSKeyedArchiver</string>
</dict>
</plist>
  • The data field is another Base64 encoded NSKeyedArchive:
{
	"$top" =
		{
			"root" = "01";
		};
	"$objects" =
		("$null",
			{
				"isoCountryCode" = "REMOVED";
				"read" = YES;
				"duration" = 0.0;
				"devicePhoneId" = "00";
				"callerId" = "03";
				"bytesOfDataUsed" = "00";
				"uniqueId" = "02";
				"handleType" = 2;
				"unreadCount" = 0;
				"callStatus" = 16;
				"callerIdLocation" = "00";
				"callCategory" = 1;
				"callType" = 1;
				"callerIdAvailability" = 0;
				"serviceRadar" = "07";
				"mobileNetworkCode" = "00";
				"$class" = "08";
				"mobileCountryCode" = "00";
				"date" = "04";
			},
 "REMOVED", "NUMBER REMOVED",
			{
				"$class" = "05";
				"NS.time" = DATE REMOVED;
			},
			{
				"$classes" =
					("NSDate", "NSObject");
				"$classname" = "NSDate";
			},
 "pk", "com.apple.Telephony",
			{
				"$classes" =
					("CHRecentCall", "CHSynchronizable", "NSObject");
				"$classname" = "CHRecentCall";
			}
);
	"$version" = 100000;
	"$archiver" = "NSKeyedArchiver";
}

Again I've only looked at the data briefly, but in summary there is no obvious file corruption/ encryption in the data I examined. This is a digital forensics issue. It should be possible to write a script/ tool to recover call history data based on the above information. Unfortunately it's not something I'll likely have time to do.

from inflatabledonkey.
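The two-level unwrapping described in the comment above (an outer `Transaction` archive whose `record` data blob is itself an NSKeyedArchive holding a `CHRecentCall`), worked through as an added example. This is not code from the inflatabledonkey project or from the commenter. It builds a one-chunk sample in memory with the same `$objects` layout as the dump above (the UUID, phone number and date are constructed placeholders), then resolves the UID graph into plain Python values. The 4-byte big-endian chunk-length framing is an assumption for the demo, not something the comment states; check it against a hex dump of a real transaction.log before relying on it.

```python
"""Recover CHRecentCall records from a chunked NSKeyedArchiver log.

Added example, not inflatabledonkey code. The chunk framing (4-byte
big-endian length prefix) is an ASSUMPTION; the sample data is constructed.
"""
import plistlib
import struct
from datetime import datetime, timedelta, timezone

UID = plistlib.UID
NS_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # NSDate reference date


def _resolve(archive: dict, obj):
    """Replace NSKeyedArchiver UIDs with the $objects entries they point at.

    Assumes an acyclic object graph, which holds for the records shown here.
    """
    objs = archive["$objects"]
    if isinstance(obj, UID):
        target = objs[obj.data]
        return None if target == "$null" else _resolve(archive, target)
    if isinstance(obj, dict) and "$class" in obj:
        cls = objs[obj["$class"].data]["$classname"]
        if cls == "NSDate":  # NS.time is seconds since 2001-01-01 UTC
            return NS_EPOCH + timedelta(seconds=obj["NS.time"])
        out = {k: _resolve(archive, v) for k, v in obj.items() if k != "$class"}
        out["$classname"] = cls
        return out
    if isinstance(obj, list):
        return [_resolve(archive, v) for v in obj]
    return obj  # str, int, float, bool, bytes pass through unchanged


def unarchive(blob: bytes):
    """Parse one NSKeyedArchiver plist (binary or XML) and resolve its root."""
    archive = plistlib.loads(blob)
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    return _resolve(archive, archive["$top"]["root"])


def iter_chunks(log: bytes):
    """ASSUMPTION: each chunk is a 4-byte big-endian length, then a plist."""
    pos = 0
    while pos + 4 <= len(log):
        (length,) = struct.unpack_from(">I", log, pos)
        pos += 4
        if pos + length > len(log):
            raise ValueError(f"truncated chunk at offset {pos - 4}")
        yield log[pos:pos + length]
        pos += length


def recover_calls(log: bytes) -> list:
    """Walk every chunk, unwrap Transaction -> record -> CHRecentCall."""
    calls = []
    for chunk in iter_chunks(log):
        transaction = unarchive(chunk)
        if transaction.get("$classname") != "Transaction":
            continue
        call = unarchive(transaction["record"])  # inner archive in the data field
        if call.get("$classname") != "CHRecentCall":
            continue
        calls.append({
            "number": call.get("callerId"),
            "country": call.get("isoCountryCode"),
            "date": call.get("date"),
            "duration_s": call.get("duration"),
            "callType": call.get("callType"),
            "callStatus": call.get("callStatus"),
            "service": call.get("serviceRadar"),
            "transaction_type": transaction.get("type"),
        })
    return calls


def build_sample_log() -> bytes:
    """Constructed one-chunk log mirroring the $objects layout in the dump."""
    inner = {
        "$version": 100000, "$archiver": "NSKeyedArchiver",
        "$top": {"root": UID(1)},
        "$objects": [
            "$null",
            {"$class": UID(8), "uniqueId": UID(2), "callerId": UID(3),
             "date": UID(4), "isoCountryCode": UID(6), "serviceRadar": UID(7),
             "devicePhoneId": UID(0), "duration": 0.0, "callType": 1,
             "callStatus": 16, "handleType": 2, "read": True},
            "00000000-0000-0000-0000-000000000000",  # constructed uniqueId
            "+920000000000",                          # constructed placeholder
            {"$class": UID(5), "NS.time": 500000000.0},
            {"$classes": ["NSDate", "NSObject"], "$classname": "NSDate"},
            "pk",
            "com.apple.Telephony",
            {"$classes": ["CHRecentCall", "CHSynchronizable", "NSObject"],
             "$classname": "CHRecentCall"},
        ],
    }
    outer = {
        "$version": 100000, "$archiver": "NSKeyedArchiver",
        "$top": {"root": UID(1)},
        "$objects": [
            "$null",
            {"record": UID(2), "type": 0, "$class": UID(3)},
            plistlib.dumps(inner, fmt=plistlib.FMT_BINARY),
            {"$classes": ["Transaction", "NSObject"], "$classname": "Transaction"},
        ],
    }
    body = plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    for c in recover_calls(build_sample_log()):
        print(c)
```

`unarchive` is the part that transfers directly: `plistlib.loads` returns `plistlib.UID` objects for both binary plists and XML `CF$UID` dicts, so the same resolver works on whatever the tool wrote out. Only `iter_chunks` depends on the assumed framing.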

ghulamH avatar ghulamH commented on September 14, 2024 1

Thank you so much for the great help. I tried a different sqlite utility and was able to open the database. It seems there was some issue with the utility that I was using before.


horrorho avatar horrorho commented on September 14, 2024

Hi. I don't own any iOS devices at present so it's difficult for me to help. I have no access to iOS 10 backups. You can try downloading with both decryption modes in turn to see if that helps: --mode XTS / --mode CBC.

Are things like photos in the media domain also corrupted? If not the chances are it's a digital forensics issue and not a corrupted file issue.

See issues #18 #32 and #37


ghulamH avatar ghulamH commented on September 14, 2024

I tried both the modes without any luck for SMS and callhistory dbs. Every time, the download completes without any problem. There are other dbs that have the same issue.

Yes, I can see photos in camera roll domain, wallpapers etc and some of the other sqlite dbs open properly. Can it be the case that the above mentioned dbs have some kind of password/key protection and require a passphrase to view them? If yes, can I find the keys/passwords somewhere in the downloaded backup?


ghulamH avatar ghulamH commented on September 14, 2024

If you can use this apple id/pwd, removed and try to download the backup, maybe you can get a clue of the problem. There is only one backup in it which is for iOS 10.1.1

db is HomeDomain/Library/SMS/sms.db.

Thank you

Edited by Horrorho: removed details.


horrorho avatar horrorho commented on September 14, 2024

Excellent, I'm glad you have it working now.


FelixLarrivee avatar FelixLarrivee commented on September 14, 2024

hey what sqlite db utility did you end up using? to view the sms


horrorho avatar horrorho commented on September 14, 2024

@FelixLarrivee On Linux/ Ubuntu sqliteman works well. I'm using the official repo version '1.2.2'. It's available on OSX but I've not played with it.


horrorho avatar horrorho commented on September 14, 2024

Closing ticket as resolved and no further input.

