Most of the time we focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc.
iOS Forensics General info
Another interesting piece of background information to remember is the fade-out effect on iOS. Every time a user presses the Home button or receives a call while using an application, iOS takes a “snapshot” of the current screen so that it can render the fade-out transition between the two screens. Such snapshots are stored in the following locations:
If you receive a call while writing a super secret encrypted message, you can easily imagine what the content of the snapshot will be ;).
The main database is ChatStorage.sqlite, which stores the actual content of the messages exchanged. Among the tables of interest, one of the most important is ZWAMESSAGE, which contains, among others, the messages exchanged, their timestamp, and the name of the user involved in the chat. Other tables worth analyzing are ZWACHATSESSION, ZWAGROUPMEMBER, ZWAGROUPINFO and ZWAMEDIAITEM, which stores references to the multimedia files exchanged, indication of the users involved, timestamps, and the path where the file has been stored.
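An added example (not part of the original article) of listing messages from the ZWAMESSAGE table of a working copy of ChatStorage.sqlite. The column names and the 2001-01-01 Core Data timestamp epoch are assumptions not stated on the page, so the code selects only the columns that actually exist; the sample database is constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are Core Data style, seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumed column names; confirm them against the schema of the evidence copy.
WANTED = ("ZMESSAGEDATE", "ZISFROMME", "ZFROMJID", "ZTOJID", "ZTEXT")

def cocoa_to_utc(seconds):
    """Convert a Core Data timestamp to an aware UTC datetime (None stays None)."""
    return None if seconds is None else COCOA_EPOCH + timedelta(seconds=seconds)

def open_evidence(path):
    """Open a working copy read-only so the analysis cannot modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def read_messages(conn):
    """Return ZWAMESSAGE rows as dicts, using only the wanted columns that exist."""
    present = {row[1] for row in conn.execute("PRAGMA table_info(ZWAMESSAGE)")}
    if not present:
        raise ValueError("ZWAMESSAGE table not found")
    cols = ["rowid"] + [c for c in WANTED if c in present]
    rows = conn.execute(f"SELECT {', '.join(cols)} FROM ZWAMESSAGE ORDER BY rowid")
    out = []
    for row in rows:
        rec = dict(zip(cols, row))
        if "ZMESSAGEDATE" in rec:
            rec["utc"] = cocoa_to_utc(rec["ZMESSAGEDATE"])
        out.append(rec)
    return out

def build_sample():
    """Constructed in-memory stand-in for ChatStorage.sqlite (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, "
                 "ZMESSAGEDATE REAL, ZISFROMME INTEGER, ZFROMJID TEXT, ZTEXT TEXT)")
    conn.executemany("INSERT INTO ZWAMESSAGE VALUES (?,?,?,?,?)", [
        (1, 492566400.0, 0, "constructed-peer", "constructed message 1"),
        (2, 492566460.0, 1, None, "constructed message 2"),
    ])
    return conn

if __name__ == "__main__":
    for m in read_messages(build_sample()):
        print(m["utc"].isoformat(), m["ZISFROMME"], m["ZFROMJID"], m["ZTEXT"])
```

For a real examination, pass the result of `open_evidence()` on a copy of the database to `read_messages()` instead of the constructed sample.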
Last but not least, the “Snapshot feature”: WhatsApp does store screen snapshots, in the clear.
Other than the (expected) behavior already found in WhatsApp, namely that deleted records are not immediately purged from the database and can therefore be recovered, Telegram messages from secret chats are stored in the clear in the messages_v29 table, like all the other messages.
As said, not much information is available, but you may still find some useful traces.
Aug 11th 2016