Email DB


3:32 am
March 11, 2009


minpostbox03

Member

posts 3

1

I'm currently examining an iPhone and want to extract all Emails in the Email database Envelope Index.

I'm using the following SQL query to extract all Email:


select rowid, sender, subject, _to, cc, date_sent, date_received, mailbox, remote_mailbox, original_mailbox, read, deleted, data FROM messages, message_data where message_data.message_id = messages.ROWID;


I have experimented using different output .modes such as csv, html and so on but haven't been able to create a good-looking report where the emails could be easily read.


Does anyone have experience creating an Email report from the Envelope Index db?

Which queries/tools did you use, Andrew, when evaluating Zdziarski's method in the White Paper?


- Anders

10:31 pm
March 11, 2009


ahoog

Admin

Chicago, IL

posts 10

2

I'm a big fan of SQLite Browser.  It's open source and cross-platform…available at:

http://sqlitebrowser.sourceforge.net/

You can do the following (info taken direct from their website):

    * Create and compact database files
    * Create, define, modify and delete tables
    * Create, define and delete indexes
    * Browse, edit, add and delete records
    * Search records
    * Import and export records as text
    * Import and export tables from/to CSV files
    * Import and export databases from/to SQL dump files
    * Issue SQL queries and inspect the results
    * Examine a log of all SQL commands issued by the application

However, what is missing is the ability to find deleted records. What you may already know is that deleted records in SQLite databases are sometimes still present. However, I have yet to find a tool that easily pulls the information.

I still use tools such as strings, grep and hex editors to locate the information.  If I ever have time, I was going to experiment a bit and see how SQLite marks records deleted.  If someone can develop a tool to extract deleted records, it would be a huge help for people.

-Andrew

6:56 am
March 18, 2009


minpostbox03

Member

posts 3

3

Thanks for the reply Andrew,

I am using SQLite Browser and also the plugin for Firefox (https://addons.mozilla.org/en-US/firefox/addon/5817).

My problem is that it is quite difficult to create a nice looking report that contains all useful fields including the actual body of the mail.


We have now tried to read the dd file in AccessData FTK 2 and all Emails (not deleted) are actually parsed out of the db and the Email view in FTK 2 will show them all in a very nice looking view. :-)


- Anders
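
One way to get a readable per-message report from the join discussed in this thread, as an added example that is not code from any of the posters: it runs the query, formats the dates, and HTML-escapes every field so message content is shown as text. It assumes the date columns hold Unix epoch seconds and that data holds the body as text or a UTF-8 BLOB; the sample database is constructed.

```python
import html
import sqlite3
from datetime import datetime, timezone

# The thread's query as an explicit join (remote_mailbox/original_mailbox left out for brevity).
QUERY = """SELECT messages.ROWID AS msg_id, sender, subject, _to, cc, date_sent,
       date_received, mailbox, read, deleted, data
FROM messages JOIN message_data ON message_data.message_id = messages.ROWID ORDER BY date_sent"""
FIELDS = ("sender", "_to", "cc", "date_sent", "date_received", "mailbox", "read", "deleted")

def as_text(value):
    # BLOB bodies are decoded leniently so bad bytes cannot abort the report.
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return "" if value is None else str(value)

def fmt_date(value):
    # Assumption: date columns hold Unix epoch seconds; other values are shown raw.
    try:
        return datetime.fromtimestamp(int(value), timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    except (TypeError, ValueError, OverflowError, OSError):
        return as_text(value)

def build_report(conn):
    conn.row_factory = sqlite3.Row
    out = ["<html><head><meta charset='utf-8'><title>Envelope Index report</title></head><body>"]
    for row in conn.execute(QUERY):
        out.append(f"<h2>Message {row['msg_id']}: {html.escape(as_text(row['subject']))}</h2><table>")
        for col in FIELDS:
            val = fmt_date(row[col]) if col.startswith("date_") else as_text(row[col])
            out.append(f"<tr><th>{col}</th><td>{html.escape(val)}</td></tr>")
        # Escape the body so markup inside a message is displayed, never rendered.
        out.append(f"</table><pre>{html.escape(as_text(row['data']))}</pre><hr>")
    return "\n".join(out + ["</body></html>"])

def sample_db():  # constructed stand-in: only the column names from the thread's query
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (ROWID INTEGER PRIMARY KEY, sender, subject, _to, cc,
            date_sent, date_received, mailbox, read, deleted);
        CREATE TABLE message_data (message_id INTEGER, data);
        INSERT INTO messages VALUES (1, 'alice@example.com', 'Lunch <b>today</b>?',
            'bob@example.com', NULL, 1236742320, 1236742325, 'INBOX', 1, 0);
        INSERT INTO message_data VALUES (1, X'4D656574206174206E6F6F6E2E203C7363726970743E');
    """)
    return conn

if __name__ == "__main__":
    print(build_report(sample_db()))
```

On case data, pass build_report a connection to a working copy of the Envelope Index opened read-only, for example with sqlite3.connect("file:<copy>?mode=ro", uri=True), and write the returned string to an .html file.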

About the viaForensics forum
