Methodology and Methods


We were forced to restart because of complications with the data being sent and received on the iPhone 3GS through Wickr. Analysis of Wickr data was further complicated by the application's use of third-party cloud storage services such as Dropbox, Google Drive and Box.

For data acquisition, we started by sending only Wickr application data, excluding Dropbox, Google Drive and Box cloud data. We sent messages and images between the iPhone 3GS (Wickr ID: MickyM) and the iPhone 5 (Wickr ID: CrazyTown65) using Wickr's messaging service, with the default destruction time set to 5:00 hours. For examination, we acquired the iPhone 3GS and the iPhone 5 with the UFED Physical and began reanalysis.

Because of the updated iOS version on the iPhone 5, we could not extract a physical image of that device. When we restarted our process, we had to reset the iPhone 5; at that point it was updated to iOS 6.1.4, which could not be jailbroken at the time of our analysis. When we analyzed the file system acquisition of the iPhone 5, we found that the Wickrlocal.sqlite database file was missing. We had been able to locate the file when we began this project, but after restoring the phone we could no longer see it. We acquired a file system extraction of the iPhone 5 three separate times and still could not find the Wickrlocal.sqlite database file, so we stopped our research on the iPhone 5 and focused solely on the iPhone 3GS.

After obtaining file system and physical extractions of the 3GS with the UFED Physical Analyzer, we exported the file system from the UFED Physical Analyzer to FTK (Forensic Toolkit) 4.1.0 for further analysis. By carving the iPhone 3GS file system for data in FTK 4.1.0, we found information pertaining to the files and messages sent from and received on the iPhone 3GS.

From our previous analyses, which are available on our blog, we determined that the wickrLocal.sqlite database file stored on the iPhone 3GS under Data\mobile\applications\Documents was encrypted and could not be recovered in plain text with the Forensic Toolkit or the UFED Touch Pro hardware (shown below).
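As an added example (not code from the original report or from Wickr), the following Python script shows two checks an examiner would run at this stage of the workflow: a triage of a recovered database file that distinguishes a plaintext SQLite file (recognisable by its fixed 16-byte header) from one that is likely encrypted (no header and near-8-bit-per-byte entropy), and a simple string carve of a raw extraction for known Wickr IDs in both ASCII and UTF-16LE, the two encodings iOS data commonly appears in. The sample SQLite file, the ciphertext stand-in (a SHA-256 counter stream, not Wickr's actual encryption) and the sample image bytes are all constructed inline; the IDs MickyM and CrazyTown65 are the ones named in the text.

```python
import hashlib
import math
import os
import sqlite3
import tempfile

# Every unencrypted SQLite 3 file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); ciphertext sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_sqlite_blob(data: bytes, sample: int = 4096, threshold: float = 7.5) -> str:
    """Triage a file recovered from an extraction.

    Returns 'plaintext-sqlite' when the SQLite header is present,
    'likely-encrypted' when the header is absent and the leading bytes
    are near-random, and 'unknown' otherwise (e.g. a short or unrelated file).
    """
    if data[: len(SQLITE_MAGIC)] == SQLITE_MAGIC:
        return "plaintext-sqlite"
    if len(data) >= 512 and shannon_entropy(data[:sample]) > threshold:
        return "likely-encrypted"
    return "unknown"


def find_identifiers(image: bytes, needles) -> dict:
    """Carve a raw image for each identifier in ASCII and UTF-16LE.

    Returns {identifier: [(encoding, offset), ...]} so hits can be
    cross-referenced against the file system layout.
    """
    hits = {}
    for s in needles:
        offsets = []
        for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            pattern = s.encode(codec)
            start = 0
            while True:
                i = image.find(pattern, start)
                if i < 0:
                    break
                offsets.append((label, i))
                start = i + 1
        hits[s] = offsets
    return hits


def make_plaintext_sqlite() -> bytes:
    """Constructed sample: a real, unencrypted SQLite file with one table."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sample.sqlite")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO msg (body) VALUES ('hello')")
    conn.commit()
    conn.close()
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    os.rmdir(tmpdir)
    return data


def make_ciphertext_stand_in(length: int, seed: bytes = b"constructed") -> bytes:
    """Constructed stand-in for an encrypted database (deterministic SHA-256
    counter stream); this is NOT Wickr's encryption, only a high-entropy blob."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def make_sample_image() -> bytes:
    """Constructed raw-extraction fragment: filler bytes with the two Wickr IDs
    embedded, one as ASCII and one as UTF-16LE, at known offsets (2080 and 2150)."""
    filler = make_ciphertext_stand_in(2048, seed=b"filler")
    return (
        filler
        + b"\x00" * 32
        + b"MickyM"
        + b"\x00" * 64
        + "CrazyTown65".encode("utf-16-le")
        + b"\x00" * 32
        + filler
    )


if __name__ == "__main__":
    print("plaintext sample:", classify_sqlite_blob(make_plaintext_sqlite()))
    print("encrypted stand-in:", classify_sqlite_blob(make_ciphertext_stand_in(4096)))
    print(find_identifiers(make_sample_image(), ["MickyM", "CrazyTown65"]))
```

On a real extraction you would point `classify_sqlite_blob` at the bytes of the recovered wickrLocal.sqlite and `find_identifiers` at the raw physical image; a "likely-encrypted" verdict together with ID hits only in unrelated files is exactly the situation the paragraph above describes, where the database exists but yields nothing in plain text.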