Every digital forensics examiner knows that images stored in a mobile device’s memory can contain case-related information. Unfortunately, in many digital forensic examinations we see that such images have usually been deleted by the device’s users. In traditional computer forensics, the solution is quite straightforward: we image the hard drive and then use our favorite data recovery utilities or the corresponding modules of forensic suites. Of course, there are issues even here, especially when we are talking about SSDs.
But what about mobile devices and especially iOS devices? Recovering deleted data from such devices is extremely challenging. There is still no way to jailbreak an iOS device running version 9.2, so it’s not possible to perform a physical extraction.
Using logical extraction methods, we can recover deleted SQLite database records. But what about images?
Fortunately, there is a way to recover deleted images from iOS devices: the .ithmb files.
In an iTunes backup, these files are stored under CameraRollDomain\Media\PhotoData\Thumbnails (fig. 1).
Figure 1. The .ithmb files located under CameraRollDomain\Media\PhotoData\Thumbnails
These files contain thumbnails for all images, including the deleted ones. So we have found the place where the deleted iOS images are stored, but that raises another question: how can we extract them?
And again there is a solution. To export found deleted images, a digital forensics examiner can use iThmb Converter (fig. 2).
Figure 2. An iThmb file opened in iThmb Converter
This tool is quite easy to use: just export the .ithmb files from your iTunes backup (of course, you can use any available type of data extraction) and open the containing folder in iThmb Converter. Then choose the images you need and export them to a folder of your choice.
You can download iThmb Converter here.
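Before the .ithmb files can be opened in a converter, they have to be located inside the backup folder, where files are stored under hashed names rather than under CameraRollDomain\Media\PhotoData\Thumbnails. The following is an added example, not part of the original article or of any tool it mentions. It assumes the backup carries a `Manifest.db` SQLite index with a `Files` table (the format used by backups of iOS 10 and later; older backups use `Manifest.mbdb`, which this sketch does not parse), and every file name in the sample manifest is constructed.

```python
import hashlib
import sqlite3

DOMAIN = "CameraRollDomain"
THUMB_DIR = "Media/PhotoData/Thumbnails/"


def backup_file_id(domain, relative_path):
    """File name iTunes gives a backed-up file: SHA-1 of 'domain-relativePath'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def find_ithmb(conn):
    """Return (relativePath, location in backup folder, id_matches) per .ithmb entry."""
    rows = conn.execute(
        "SELECT fileID, relativePath FROM Files "
        "WHERE domain = ? AND relativePath LIKE ? ORDER BY relativePath",
        (DOMAIN, THUMB_DIR + "%"),
    ).fetchall()
    hits = []
    for file_id, rel in rows:
        if not rel.lower().endswith(".ithmb"):
            continue
        # Assumed layout: files sit in a subfolder named after the first two hex digits.
        stored_as = f"{file_id[:2]}/{file_id}"
        # A mismatch means the manifest row does not describe the file it points to.
        hits.append((rel, stored_as, file_id == backup_file_id(DOMAIN, rel)))
    return hits


def build_sample_manifest():
    """Constructed stand-in for Manifest.db; every path below is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, relativePath TEXT)")
    entries = [
        (DOMAIN, THUMB_DIR + "sample_a.ithmb"),
        (DOMAIN, THUMB_DIR + "sub/sample_b.ithmb"),
        (DOMAIN, THUMB_DIR + "notes.plist"),          # wrong extension
        (DOMAIN, "Media/PhotoData/other.db"),         # outside Thumbnails
        ("HomeDomain", THUMB_DIR + "sample_c.ithmb"),  # wrong domain
    ]
    rows = [(backup_file_id(d, p), d, p) for d, p in entries]
    rows.append(("0" * 40, DOMAIN, THUMB_DIR + "sample_z.ithmb"))  # inconsistent ID
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for rel, stored_as, ok in find_ithmb(build_sample_manifest()):
        print(f"{stored_as}  <-  {DOMAIN}/{rel}  id_ok={ok}")
```

Against a real backup, pass `sqlite3.connect` a read-only URI for a working copy of `Manifest.db` so the evidence file is never modified.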
About the author:
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics