Tip
Make sure you are using Python 2.7 to run the Python scripts.
Call history
Phone or FaceTime calls placed, missed, and received by the user are logged in the call
history, along with metadata such as call duration, date/time, and more. This can
be of interest to an examiner. The call history database is a WirelessDomain file and
can be found at /private/var/wireless/Library/CallHistory/call_history.db. The
database keeps a maximum of 100 calls as active records. Once more than 100 calls have
been placed, missed, or received, each new call is stored in the database and the oldest
record is removed. However, the removed data remains in the SQLite free pages and can
be recovered through manual hex examination.
The call table in the call_history.db file contains the call history. Each record in
the call table indicates the phone number of the remote party, a UNIX timestamp of when
the call was initiated, the duration of the call in seconds, a status flag identifying whether
the call was an outgoing call (flag 5), incoming call (flag 4), blocked call (flag 8), or
FaceTime call (flag 16), an identifier associated with the address book contact
(-1 for an unknown contact), the mobile country code (MCC), and the mobile network code
(MNC). You can find a list of MCC/MNC codes at http://en.wikipedia.org/wiki/Mobile_country_code.
FaceTime status flags may vary depending on the method used to initiate the call. For
example, calls over a data plan use different flags than Wi-Fi calls. If the status flag starts
with a 2, it is likely to be a Wi-Fi initiated call. If it starts with a 1, as defined earlier, it
represents a FaceTime call initiated over the device's data plan. There are several status
flags available for FaceTime calls, and these vary between iOS devices.
You can run the following commands to dump the call history into a CSV file named
callhistory.csv:
$ sqlite3 call_history.db
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output callhistory.csv
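An added example, not part of the book's text, that decodes the call table into a CSV like the one the commands above produce, applying the status-flag and contact-id meanings given in this section. It assumes the column names address, date, duration, flags, id, country_code and network_code (confirm them with .schema call on the real file), uses constructed sample rows in an in-memory database instead of a device image, and targets Python 3 rather than the 2.7 the tip mentions.

```python
import csv
import sqlite3
from datetime import datetime, timezone

# Status flag values as described on this page.
FLAG_NAMES = {5: "outgoing", 4: "incoming", 8: "blocked", 16: "facetime"}
FIELDS = ["number", "time_utc", "duration_s", "type", "contact_id", "mcc_mnc"]
# Assumed column names; confirm against a real file with ".schema call" in sqlite3.
COLUMNS = "address, date, duration, flags, id, country_code, network_code"
# Constructed sample records, not data from a real device.
SAMPLE_ROWS = [
    ("+15555550100", 1367409600, 120, 5, 12, 310, 410),
    ("+15555550101", 1367413200, 0, 4, -1, 310, 410),
    ("+15555550102", 1367416800, 0, 8, -1, 310, 410),
    ("+15555550103", 1367420400, 300, 16, 7, 310, 410),
]

def describe_flag(flags):
    if flags in FLAG_NAMES:
        return FLAG_NAMES[flags]
    # Page heuristic for other FaceTime flags: leading 2 suggests Wi-Fi, leading 1 a data plan.
    return {"2": "facetime (likely Wi-Fi)", "1": "facetime (likely data)"}.get(str(flags)[0], "unknown")

def decode_rows(conn):
    """Return decoded call records, oldest first, from an open call_history.db connection."""
    rows = []
    for address, date, duration, flags, contact_id, mcc, mnc in conn.execute(
            "SELECT %s FROM call ORDER BY date" % COLUMNS):
        rows.append({
            "number": address,
            "time_utc": datetime.fromtimestamp(date, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "duration_s": duration,
            "type": describe_flag(flags),
            "contact_id": "unknown" if contact_id == -1 else contact_id,  # -1 = not in address book
            "mcc_mnc": "%s/%s" % (mcc, mnc),
        })
    return rows

def dump_csv(conn, fileobj):
    # Write the decoded records to fileobj as CSV and return the row count.
    rows = decode_rows(conn)
    writer = csv.DictWriter(fileobj, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return len(rows)

def sample_db():
    # In-memory stand-in for call_history.db; use sqlite3.connect("call_history.db") on a real copy.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE call (ROWID INTEGER PRIMARY KEY, %s)" % COLUMNS)
    conn.executemany("INSERT INTO call (%s) VALUES (?,?,?,?,?,?,?)" % COLUMNS, SAMPLE_ROWS)
    return conn
```

Work on a copy of the database so that the SQLite free pages mentioned above are preserved for later hex examination.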