UFED PA reporting timestamps from 2069

Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I've come across something weird with an iPhone 7 extraction. Using UFED PA 6.3.12.34, I acquired an advanced logical download of an iPhone 7, A1778, MDL MN8X2, iOS ver 11.0.1.

The download went as normal and all looked good until I started looking closer at the data. For some reason the SMS, MMS and Chats are all showing the same date/time stamp 19/01/2069 1347 hrs.

All other files (call logs etc) are reporting correct normal timestamps, this is only occurring with the message data. There are no WhatsApp or any third party messaging apps so I can't compare that to see if this is iOS related.

The phone itself had the correct time/date at time of examination and was not connected to any network (flight mode).

I'm going to attempt another look at the phone to see if this was a one off glitch, but was wondering if anyone else has seen this before or has any idea what's going on.

 
Posted : 13/11/2017 3:56 am
 RonS
(@rons)
Posts: 358
Reputable Member
 

Open the extraction again in UFED 6.4 and it is solved there.

RonS

 
Posted : 13/11/2017 1:16 pm
(@adams)
Posts: 2
New Member
 

Thanks Ron will do.

 
Posted : 14/11/2017 4:46 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Oops, forgot about that old account :)

Thanks Ron

 
Posted : 14/11/2017 4:49 am
(@athulin)
Posts: 1156
Noble Member
 

Open the extraction again in UFED 6.4 and it is solved there.

Looks like it may be the "SMS, iMessages and MMS records are missing the UTC value for devices running iOS 11.0.1." issue mentioned as fixed in the 6.4 release notes, or something very closely related.

 
Posted : 14/11/2017 5:10 pm
(@mcman)
Posts: 189
Estimable Member
 

If you want more detail, Heather did a great blog post on the iOS 11 timestamps here:
http://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/

Jamie

 
Posted : 14/11/2017 5:18 pm
(@athulin)
Posts: 1156
Noble Member
 

If you want more detail, …

Perfect – thanks!

 
Posted : 14/11/2017 5:44 pm
(@jlewis)
Posts: 1
New Member
 

We're seeing the 2069 timestamp with the logical extraction using 4PC (Method 1 and Method 2 reported the dates/times fine). We're told we have to do an update and then re-image. Any ideas? Last thing we have to do is go back to the source device since it was already returned.

 
Posted : 21/11/2017 2:04 am
Logan
(@logan)
Posts: 66
Trusted Member
 

Is parsing the records manually from the respective databases not an option?

 
Posted : 21/11/2017 4:20 pm
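
Added example (not posted by anyone in this thread, and not Cellebrite's code): one way to do the manual parsing suggested above, reading message timestamps straight from a copy of sms.db in the existing backup. It assumes the `message` table with `ROWID`, `date` and `text` columns, and that iOS 11 writes `date` as nanoseconds since 2001-01-01 UTC where earlier versions wrote seconds; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple "Mac absolute time" counts from 2001-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# A value this large cannot be whole seconds (it would be past the year 2300),
# so it is treated as nanoseconds (assumption: the unit iOS 11 uses).
NANOSECOND_THRESHOLD = 10**10


def apple_time_to_utc(raw):
    """Convert a message.date value (seconds or nanoseconds) to UTC."""
    if raw is None or raw == 0:
        return None  # no timestamp recorded
    if abs(raw) >= NANOSECOND_THRESHOLD:
        seconds, nanos = divmod(raw, 10**9)
    else:
        seconds, nanos = raw, 0
    return APPLE_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000)


def read_messages(conn):
    """Return (rowid, utc_datetime, text) for each row of the message table."""
    rows = conn.execute("SELECT ROWID, date, text FROM message ORDER BY ROWID")
    return [(rowid, apple_time_to_utc(date), text) for rowid, date, text in rows]


def build_sample_db():
    """Constructed stand-in for sms.db holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER, text TEXT)"
    )
    conn.executemany(
        "INSERT INTO message (ROWID, date, text) VALUES (?, ?, ?)",
        [
            (1, 532224000, "constructed: stored in seconds"),
            (2, 532224000 * 10**9, "constructed: stored in nanoseconds"),
            (3, 0, "constructed: no timestamp"),
        ],
    )
    return conn


if __name__ == "__main__":
    for rowid, when, text in read_messages(build_sample_db()):
        print(rowid, when.isoformat() if when else "-", text)
```

On a real case, open a working copy of the database with `sqlite3.connect(path)` instead of `build_sample_db()`, and cross-check a few converted values against messages with independently known send times.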
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Ask Cellebrite's tech support, but it would seem likely that once you have updated PA to the current version, you will be able to re-process the iTunes mobile backup you already created and then have the correct format dates appear.

One possible option is to use the $99 single phone license of MOBILedit Forensic Express on the iTunes mobile backup you already created: http://www.mobiledit.com/online-store/forensic-express

 
Posted : 21/11/2017 4:55 pm