By default, built-in technology carving for deleted data in SQLite databases is turned on in BlackLight. Apple operating systems (iOS and macOS) use SQLite databases to store data. As Apple does not reveal in detail how their operating systems work, BlackBag relies on testing and reverse engineering to figure things out. What we have learned is the operating system (OS) moves records around the SQLite databases where data is stored. We have seen this with sms.db, CallHistory.storedata, Safari's History.db, AddressBook.sqlitedb and other SQLite databases on Apple devices.
Though we don’t know exactly why the records are moved, it is possible the OS moves records around to balance out the data for efficiency. As the OS moves records within the SQLite databases, deleted records are created. When BlackLight carves for deleted data in SQLite databases, these deleted records are carved along with the records deleted by the device user. For the OS moved records, the same data appears multiple times. BlackLight shows the active record and the record from its original location if the data in that location was not overwritten.
The current record location is actively tracked in the SQLite database tables and can be viewed in the table. The original record, not being actively tracked in the SQLite database tables, cannot be seen by viewing the table. These records can be seen in HEX view. To confirm this, pick a unique word from a message and conduct a keyword [Find]search within the Hextab; the right side displays the raw ascii text.
For supported iOS artifacts stored in SQLite databases (i.e. text messages, phone calls, contacts, etc.), BlackLight parses the active records and any deleted recovered records from the SQLite databases storing these artifacts. The artifacts are then displayed in BlackLight in the associated area of the ‘Communication’ view. Carved data recovered is displayed in red italicized text. The carved data will include data deleted by the user of the device, as well as records moved by the OS that have not been overwritten. For records the OS has moved, BlackLight parses the current or active record and the record from the original location; duplicates are not removed. The active record is displayed in black text. The duplicate record, carved from the original location, is displayed in red italicized text to indicate it is a deleted and recovered record. To filter out the deleted records so only the active messages show in ‘Communication’ view, ‘Messages’ subview, go to How to filter out deleted messages and only display active text messages for instructions.
The 'Recover Deleted SQLite Records' feature in BlackLight can also be turned off. In macOS go to the[BlackLight]menu and select the [Preferences]submenu option. In Windows go to the [Edit]menu and select the [Options]submenu option. In the [Preferences]window select the options tab and uncheck the Recover Deleted SQLite Records checkbox(see screen shot below).
NOTE ABOUT iOS 12: In recent testing of iOS 12.1, the OS does not leave as many deleted records in the SQLite database as in previous iOS versions. Whether iOS 12 deletes the records or the user deletes the records from a SQLite database, most of the deleted data is being "cleaned up" by the OS and not recoverable.