Wednesday, October 28, 2015

Apple iOS: Recently Deleted images

Apple iOS 8 introduced a new feature called Recently Deleted album that temporarily displays images that have been removed by the user from the Photos app.

From a forensics perspective, once deleted these images still reside in their original path but they are marked as trashed within a SQLite database called Photos.sqlite.

ZGENERICASSET is the table containing this information.

Deleted images have the ZTRASHEDSTATE field set to "1". We can use the following query to extract and convert what we need:

SELECT ZHEIGHT,ZWIDTH,ZADDEDDATE,strftime('%Y-%m-%d %H:%M', datetime(ZADDEDDATE+978307200, 'unixepoch', 'localtime')) AS ZADDEDDATE_LT,ZDATECREATED,strftime('%Y-%m-%d %H:%M', datetime(ZDATECREATED+978307200, 'unixepoch', 'localtime')) AS ZDATECREATED_LT,ZTRASHEDDATE,strftime('%Y-%m-%d %H:%M', datetime(ZTRASHEDDATE+978307200, 'unixepoch', 'localtime')) AS ZTRASHEDDATE_LT,ZTRASHEDSTATE,ZDIRECTORY,ZFILENAME FROM ZGENERICASSET WHERE ZTRASHEDSTATE=1 ORDER BY ZTRASHEDDATE

Here's the result:

[UPDATE 02/10/2017]: This post has been cited as a source in the "Application data analysis" section of Learning iOS Forensics, 2nd ed. (p.286).