The iOS security model offers very few possibilities to recover anything unless you have a backup, either local or one from the cloud. There are also tricks that allow recovering some bits and pieces even if you don’t. In this article we’ll talk about what you can and what you cannot recover in modern iOS devices.
Before we begin, I highly recommend reading our previous article aimed at demystifying bogus claims made by some unscrupulous vendors of data recovery tools: The iPhone Data Recovery Myth: What You Can and Cannot Recover. Below are the types of data you can actually recover.
Apple stores many types of user data in various databases in SQLite format. Once the user deletes a record (such as an iMessage from the Messages app, a Safari bookmark, or a history item), that record is not wiped from the SQLite database immediately due to performance considerations. Instead, the SQLite engine marks the record as “deleted”, marks the page as unused, and adds a reference to the so-called “freelist”. Such deleted records could remain in SQLite “freelists” for some time, which left room for data recovery tools to attempt the recovery.
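The freelist behaviour described above can be observed on a scratch database. The following Python sketch is an added example, not code from this article or from any Elcomsoft tool; the table name, marker string and file name are constructed. It reads the freelist fields from the SQLite file header after a delete and again after a `VACUUM`.

```python
import os, sqlite3, struct, tempfile

MARKER = b"constructed-deleted-imessage"   # constructed sample content

def freelist_info(path):
    """Read the freelist fields of the SQLite header and count marker remnants."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite database")
    # Header offset 32: first freelist trunk page; offset 36: number of freelist pages
    first_trunk, free_pages = struct.unpack(">II", data[32:40])
    return {"first_trunk_page": first_trunk, "free_pages": free_pages,
            "remnants": data.count(MARKER)}

def connect(db):
    con = sqlite3.connect(db, isolation_level=None)   # autocommit mode
    con.execute("PRAGMA secure_delete=OFF")   # some builds zero freed content by default
    return con

def demo():
    db = os.path.join(tempfile.mkdtemp(), "scratch.db")
    rows = [(MARKER.decode() + " " + "x" * 900,) for _ in range(200)]
    con = connect(db)
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    con.execute("BEGIN")
    con.executemany("INSERT INTO message (text) VALUES (?)", rows)
    con.execute("COMMIT")
    con.execute("DELETE FROM message")        # pages move to the freelist
    con.close()
    after_delete = freelist_info(db)          # deleted text is still in the file
    con = connect(db)
    con.execute("VACUUM")                     # rebuilds the file without free pages
    con.close()
    after_vacuum = freelist_info(db)
    return after_delete, after_vacuum

if __name__ == "__main__":
    for label, info in zip(("after DELETE", "after VACUUM"), demo()):
        print(label, info)
```
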
The recovery trick would only work if:
To sum it up, the SQLite trick is no longer effective for deleted iMessages, Safari bookmarks, tabs and history, or any other types of data stored in SQLite databases. Let’s forget about this trick, and move to the next one.
As we learned earlier, all even remotely recent versions of iOS effectively prevent the recovery of deleted records (be it messages, call logs or contacts) by quickly vacuuming SQLite databases. However, there is another feature of SQLite databases that may give us a chance. SQLite keeps new records in so-called Write Ahead Logs (WAL files). If such unmerged records are deleted, they are left in their respective WAL files until the moment they are merged with the main database, which means that some unmerged deleted records may still be recoverable.
This recovery trick works if:
There is one exception to #3: media files. When extracting media files (from all kinds of devices including the iPhone, iPad, Apple Watch and Apple TV models) with iOS Forensic Toolkit, you’ll also receive unmerged WAL files. This allows recovering some image metadata.
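To see why unmerged WAL frames matter, the following Python sketch (an added example, not part of the original article or of iOS Forensic Toolkit; the table, marker and file names are constructed) inserts and deletes a record in WAL mode, then walks the frames of the `-wal` file and finds the deleted record still present until a checkpoint merges the log.

```python
import os, sqlite3, struct, tempfile

MARKER = b"constructed-secret-message-0042"   # constructed sample record

def parse_wal(path):
    """Return (frame_no, page_no, commit_size, page_bytes) for each current WAL frame.
    Frame checksums are not verified here; only the salts are compared."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _version, page_size, _seq, salt1, salt2 = struct.unpack(">6I", data[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    frames, off = [], 32                       # the WAL header is 32 bytes
    while off + 24 + page_size <= len(data):   # 24-byte frame header + one page
        page_no, commit_size, s1, s2 = struct.unpack(">4I", data[off:off + 16])
        if (s1, s2) != (salt1, salt2):         # leftover from an older WAL generation
            break
        body = data[off + 24: off + 24 + page_size]
        frames.append((len(frames) + 1, page_no, commit_size, body))
        off += 24 + page_size
    return frames

def demo():
    db = os.path.join(tempfile.mkdtemp(), "scratch.db")
    con = sqlite3.connect(db, isolation_level=None)    # autocommit mode
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    con.execute("INSERT INTO message (text) VALUES (?)", (MARKER.decode(),))
    con.execute("DELETE FROM message")
    live_rows = con.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    # The row is gone for SQL queries, but older frames of its page remain in the log
    hits = [(n, page) for n, page, _c, body in parse_wal(db + "-wal") if MARKER in body]
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")     # merge into the main DB
    wal_after = os.path.getsize(db + "-wal")
    con.close()
    return live_rows, hits, wal_after

if __name__ == "__main__":
    rows, hits, wal_after = demo()
    print("live rows:", rows, "| WAL frames holding the record:", hits,
          "| WAL size after checkpoint:", wal_after)
```
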
The smartest data recovery trick is not a trick at all. If you have an old backup, then you have the data. If you do have a local backup, the only question is how to access the data without restoring the entire backup onto some iOS device. There are many tools on the market, including Elcomsoft Phone Viewer, that can parse the content of local backups and view or extract individual files or database records (e.g. messages or log entries).
Note that you will be able to access more information if your iTunes backup was password-protected. For the purpose of data recovery, it’s already too late to configure a password, yet we recommend setting up a strong backup password for security purposes.
This trick is similar to the previous one, but not exactly the same. If you have cloud backups (I’d recommend checking if you actually do, as Apple’s free tier only includes 5GB of iCloud storage), you may have older copies of your data that you can download (with Elcomsoft Phone Breaker) and analyze (with Elcomsoft Phone Viewer). Notably, Apple keeps the last two iCloud backups (it used to be three), making it possible to download the oldest one.
There are other differences from local backups. For example, iCloud backups will normally not contain photos if you enable iCloud Photo Library (there is a manual override for that setting); they won’t contain some other kinds of synchronized data as well, depending on your sync settings and the version of iOS your device is running.
iCloud backups will not include any of the following:
* In fact, the keychain is still there, but it is encrypted using a device-specific key. You won’t be able to access keychain items from iCloud backups unless you restore onto exactly the same device.
** Messages are not included if (and only if) the iCloud syncing of those categories is not enabled in device settings. Photos have a manual override, allowing you to keep both synced and backup versions (naturally, doubling the storage requirements).
iPhones can synchronize many types of data to iCloud. The sync is supposed to happen in real time, or very close to it. Anything you delete from the iPhone should also be deleted from the cloud, but… there is always a ‘but’. If your iPhone was not online between the time you deleted a synchronizable item and the time you attempted the recovery, you have a very good chance to get that item back. In addition, there might be sync delays that would allow the recovery even after some time has passed. I personally wouldn’t count on it, but there is a chance. You can try Elcomsoft Phone Breaker to see what might be available.
There are also exceptions. Some categories (Photos and Notes for sure, but there may be others) remain available in iCloud for a long time (usually around 2 or 3 weeks) after they’ve been removed from the “deleted” folder. A few years back, Apple would even keep such files indefinitely. You can read more about synchronized data in iCloud Backups, Synced Data and End-to-End Encryption.
If I have access to the file system, can I carve the free space to look for deleted data? Unfortunately, you cannot. Since iOS 4, Apple encrypts the file system, and since iOS 8 the encryption keys are based on the user’s passcode. In layman’s terms, the files on the user partition (such as the images, SQLite databases and such) are encrypted. Moreover, each file is encrypted with an individual key, which will be erased immediately after you delete the file.
In layman’s terms, the iOS file system (Apple uses APFS across devices; some older pre-iOS 10.3 devices use HFS+) has the following properties:
Once you delete a file, iOS also erases the corresponding File key from the file’s metadata. As a result, even if you were to read the data blocks previously occupied by the deleted file, you would be unable to decrypt them without the File key.
If you reset your device to factory defaults (the “Erase all data” option), the Effaceable Storage is erased, which destroys the common key. This alone would render the data undecryptable and inaccessible, even if the NAND storage was not erased.
As you can see, undeleting files the way you can do it for rotating hard drives installed in a computer is simply not an option. There are no data recovery tools that can recover user files deleted from the iPhone.
Of course, this is a simplified scheme that does not take into account the differences between AFU and BFU mode and the fact that some files (very few except the main OS) are not encrypted.
In this article, we described the available options allowing you to recover data deleted from the iPhone. Unsurprisingly, you get the best results when restoring from a backup (whether a local or cloud copy). In rare cases there is a small chance of getting limited success by downloading synchronized data from iCloud in the hope the iPhone did not sync the deletion. SQLite write-ahead logs (WAL) are only practically usable for media file metadata, which has extremely limited value to anyone except the forensic crowd. Low-level techniques are limited to the extent of being useless.