Minkgate and the probability of restoring deleted SMS

One of the big talking points in Danish politics and media has lately revolved around a trial where the deletion and recovery of deleted SMS/iMessages located on politicians' and officials' mobile phones became important. As the trial progressed it became clear that some of the involved parties had activated an iPhone feature where messages, both SMS and iMessage, were deleted once they became older than 30 days.

The question about the chances of recreating the messages piqued my interest, resulting in the short technical article below.

As there is a wealth of unknown factors in the ongoing trial, this article should rather be seen as a generic description and guide about the possibility of recovering, or not recovering, messages on iPhones.

However, certain basic information should be defined first:

  • This test was done on an iPhone 6S (A1688) with iOS 12.1.4 (released 7/2-2019). This is a somewhat older version; however, online searches show that not much has changed regarding these functions in the later versions of iOS.
  • As per the statement of Statens IT, the SMS/iMessage application has not been containerized/walled by "Mobil It-Arbejdsplads (MIA)". The default configuration of the SMS/iMessage application is therefore relevant.
  • There may exist iCloud syncs or local backups. These are out of scope for this article.

Breaking in and looking around

As iPhones only allow very limited access to the internals of iOS, a jailbreak must be performed to gain access to the device. In this case I have used Checkra1n to gain the necessary access via SSH.

SSH access to filesystem

Navigating the filesystem to files of interest allows us to extract the following files:
1. /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist
   Contains the user's settings for the SMS/iMessage application in "plist" syntax.
2. /var/mobile/Library/SMS/sms.db, /var/mobile/Library/SMS/sms.db-shm, /var/mobile/Library/SMS/sms.db-wal
   Contains the Sent, Received, Synced, etc. messages for the SMS/iMessage application. The file format is the commonly used SQLite3 format.

The files listed above can be extracted to another host simply by using scp.

Autodeleting messages?

This configuration is set on the phone at: Settings -> Messages -> "Keep Messages". Changing this setting creates an entry called "KeepMessageForDays" in the "com.apple.MobileSMS.plist" file. The entry doesn't exist in the file by default. If the setting is set to either "1 Year" or "30 Days" and then reverted back to "Forever", the entry will persist; however, the integer will be set to "0" (days).

plist entry

There exists no entry in the plist file noting when the "Keep Messages" setting has been configured. The last-modified timestamp of the plist file could indicate this; however, that would require that no subsequent changes were made to the file, which is highly unlikely.

Assumption: To my knowledge, there exists no way to see when the "Keep Messages" setting has been configured.

Recovering messages

Both SMS and iMessages are stored in the "sms.db" SQLite3 database file. This is a commonly used format for storing local application data. Sending both an SMS and an iMessage to my test phone and extracting the database file showed the following entries:

Message entries

These were saved in the "message" table of the database.

If we delete the messages, both entries disappear from the database. By default in the SQLite3 format, the actual metadata is still intact in the file. In order to actually purge the data from the SQLite3 file, features such as "secure_delete" must be utilized. Since iOS 12 the actual purge of data has been the default.

If we open a SQLite3 file (left) with a message and the same SQLite3 file (right) with the same message deleted, we can confirm the actual purge of the message data at the same byte offset. No other changes were made to the file:

Hexview Comparison
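
The same before/after comparison can be reproduced on a throwaway database. This is an added example, not part of the original article: the table layout, file name and marker text are constructed stand-ins (not the real sms.db schema), and it uses SQLite's default rollback journal rather than the WAL mode implied by the sms.db-wal file.

```python
import os
import sqlite3
import tempfile

# Constructed message body; any unique string works as a raw-search marker.
MARKER = "MINK-TEST-MESSAGE-0001 meet at the usual place"


def _file_contains(path: str, needle: bytes) -> bool:
    """Raw byte search over the database file, ignoring SQLite structure."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def marker_after_delete(secure_delete: bool) -> dict:
    """Insert a message, delete it, and report whether its text is still
    present in the raw file before and after the DELETE."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms-demo.db")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set the pragma explicitly: some SQLite builds default it to ON.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}")
        # Simplified stand-in for the "message" table.
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
        conn.execute("INSERT INTO message (text) VALUES (?)", ("keep me",))
        conn.execute("INSERT INTO message (text) VALUES (?)", (MARKER,))
        conn.commit()
        before = _file_contains(path, MARKER.encode())

        conn.execute("DELETE FROM message WHERE text = ?", (MARKER,))
        conn.commit()
        # At the SQL level the row is gone in both modes.
        rows = conn.execute(
            "SELECT COUNT(*) FROM message WHERE text = ?", (MARKER,)
        ).fetchone()[0]
        conn.close()
        after = _file_contains(path, MARKER.encode())
    return {"before": before, "visible_rows": rows, "after": after}


if __name__ == "__main__":
    for flag in (False, True):
        print("secure_delete =", flag, marker_after_delete(flag))
```

With secure_delete off the deleted text is still found by the raw search even though no query returns it; with it on, the freed bytes are zeroed and the search comes back empty.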

Other ways

So is there no way to recover deleted messages from an iPhone? No. Yes. Maybe! Filesystems and software can sometimes act weird. So if a complete image of the phone's filesystem is acquired, a raw data search may yield pieces of messages that could be used in an investigation.

Below I have listed some, let's just say, less likely scenarios where relevant data might be recovered. Some of the scenarios may very well be impossible and theories that smarter people than me could disqualify easily.
1. In the event the SQLite3 database is corrupted during a write process, the system might create a new SQLite3 database file and discard the old one without overwriting it in the filesystem?
2. Other applications may have permission to read and write to the SQLite3 database file. This might result in a partial copy of the messages stored elsewhere in the filesystem?
3. If the iPhone is still running an iOS version before 12, the purge of deleted SQLite3 entries might never have happened?
4. Other ways? Maybe!

Conclusion

Nothing is certain, and smarter people might very well completely debunk what I have written above. But my assumption is that by deleting SMS/iMessage entries on an iPhone, the likelihood of recovering the deleted messages is very small. And then we haven't even talked about the possibility of what a factory reset might do to leftover data. If further data is recovered during the trial, the actual "how" may never be disclosed. It might just be the discovery of a long lost local iPhone backup on a forgotten hard drive.