Recovering deleted SQLite records

When a record is deleted, SQLite normally only marks its space as free rather than wiping it, so the bytes of deleted records remain inside the database file until that space is reused. This makes it possible to recover deleted data, such as contacts, SMS messages, calendars, notes, email, voicemail, and more, by parsing the corresponding SQLite database. If an SQLite database has been vacuumed or defragmented, the likelihood of recovering the deleted data is minimal. How much cleanup these databases undergo depends heavily on the iOS version, the device, and the user's settings on the device.

A SQLite database file comprises one or more fixed-size pages, each of which serves a single purpose. SQLite uses a B-tree layout of pages to store indices and table content. Detailed information on the B-tree layout can be found at https://github.com/NotionalLabs/SQLiteZer/blob/master/_resources/Sqlite_carving_extractAndroidData.pdf.

Commercial forensic tools provide support to recover deleted data from SQLite database files, but they don't always recover all of the data, nor do they support extracting data from all databases on an iOS device. It is recommended that each database containing key artifacts be examined for deleted data. The key artifacts or databases already discussed in this book should be examined using free parsers, hex viewers, or even your forensic tool to determine whether the user deleted artifacts that are relevant to the investigation.

To carve an SQLite database, you can examine the data in raw hex or use sqliteparse.py, a free Python script developed by Mari DeGrazia. The Python script can be downloaded from https://github.com/mdegrazia/SQlite-Deleted-Records-Parser.

The following example recovers the deleted records from the notes.sqlitedb file and dumps the output to the output.txt file. This script should work on all database files recovered from iOS devices. To validate your findings from running the script, examine the database in a hex viewer to ensure nothing is overlooked. The command is as follows:

$ python sqliteparse.py -f notes.sqlitedb -r -o output.txt

In addition to this, performing a strings dump of the database file can also reveal deleted records that may have been missed, as shown in the following command:

$ strings notes.sqlitedb
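To show where such records actually sit in the file, here is an added Python example (not from the book, and not Mari DeGrazia's sqliteparse.py) that walks the page structure described above: it reads the freelist from the file header, then for each B-tree page scans only the unallocated gap and the freeblock chain, which is where the cells of deleted rows linger, and runs a strings-style pass over those regions. The notes table, the sample rows and the secure_delete pragma are assumptions made for the constructed demo database.

```python
import os, re, sqlite3, struct, tempfile

def _strings(buf, min_len=6):
    # Printable ASCII runs of min_len+ bytes, the same idea as the strings(1) pass above
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]

def carve_slack(path):
    # Scan only slack space: freelist pages, each b-tree page's unallocated gap, and its freeblocks
    db = open(path, "rb").read()
    page_size = 65536 if db[16:18] == b"\x00\x01" else struct.unpack(">H", db[16:18])[0]
    found, freelist = [], set()
    trunk = struct.unpack(">I", db[32:36])[0]  # first freelist trunk page, 0 if none
    while trunk:
        off = (trunk - 1) * page_size
        nxt, cnt = struct.unpack(">II", db[off:off + 8])  # next trunk, leaf count
        freelist.update((trunk,) + struct.unpack(">%dI" % cnt, db[off + 8:off + 8 + 4 * cnt]))
        trunk = nxt
    for pg in range(1, len(db) // page_size + 1):
        page = db[(pg - 1) * page_size:pg * page_size]
        if pg in freelist:  # whole page is dead data
            found += _strings(page)
            continue
        hdr = 100 if pg == 1 else 0  # page 1 starts with the 100-byte file header
        ptype = page[hdr]
        if ptype not in (0x02, 0x05, 0x0a, 0x0d):  # index/table, interior/leaf
            continue
        fb, ncells, cstart = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        ptr_end = hdr + (12 if ptype in (0x02, 0x05) else 8) + 2 * ncells  # end of cell pointers
        found += _strings(page[ptr_end:cstart or 65536])  # unallocated gap
        while fb:  # freeblock: 2-byte next, 2-byte size, then the stale cell bytes
            nxt, size = struct.unpack(">HH", page[fb:fb + 4])
            found += _strings(page[fb + 4:fb + size])
            fb = nxt if nxt > fb else 0  # chain must ascend; stop on corruption
    return found

def demo():
    # Constructed sample (not a device artifact): three notes, then one is deleted.
    path = os.path.join(tempfile.mkdtemp(), "notes.sqlitedb")
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # ON would zero the freed cell instead
    con.execute("CREATE TABLE note(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO note(body) VALUES (?)", [("grocery list: milk, eggs",),
                    ("DELETED-NOTE meet at the pier at 9pm",), ("dentist on friday",)])
    con.commit()
    con.execute("DELETE FROM note WHERE body LIKE 'DELETED-NOTE%'")
    con.commit(); con.close()
    # returns (live rows, carved strings); the deleted note appears only in the second list
    return [r[0] for r in sqlite3.connect(path).execute("SELECT body FROM note")], carve_slack(path)

if __name__ == "__main__":
    print(demo())
```

With secure_delete set to ON (or after VACUUM) the same scan finds nothing, which is the cleanup behaviour the paragraph above warns about.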

Should you prefer a GUI, Mari DeGrazia kindly created one and placed it on her GitHub page.

Another open-source tool you can use to recover deleted SQLite records is Undark. You can download it here: http://pldaniels.com/undark/. To use the tool, run the following command:

./undark -i sms.db > sms_database.csv

It's important to note that Undark does not differentiate between current and deleted data, so you will get the whole set of data, both live and deleted.
