iPhone5 sms.db deleted field

 
  

redcat
Senior Member
 

iPhone5 sms.db deleted field

Post Posted: Jun 05, 17 15:52

Hello, hopefully a quick question for somebody in the know. I am trying to establish what field UFED and XRY are using to show that a quantity of SMS are deleted. I am looking at the sms.db and although I can see the messages in question, I cannot for the life of me work out the how or why they are being parsed as deleted by the tools...

Many thanks for any useful suggestions where to look.  
 
  

PaulSanderson
Senior Member
 

Re: iPhone5 sms.db deleted field

Post Posted: Jun 05, 17 18:04

Hi Redcat

There is no field in the SQLite database that flags a record as deleted. Either the record is a live record in the database or it is a record that is not live.

I use the live/not live distinction on purpose as you can recover records from the SQLite database and, in the case of sms.db, the associated WAL that are essentially just old copies of a currently live record. So although they are recovered records they should not be flagged as deleted.

They can also be copies of currently live records that are partially overwritten.

The WAL, and sometimes the DB itself, can hold copies of deleted records. The WAL can hold multiple copies of previous states of the DB. I have blogged on a few occasions about this.

This article covers deleted records in general and how, sometimes, you can determine when a record was deleted.

sandersonforensics.com...-in-SQLite

This one covers the SMS.db specifically and shows how you can sometimes identify who the contact is associated with a specific deleted message - due to the table relationships this is not always that easy.

sandersonforensics.com...three-ways

This article covers the triggers and foreign key constraints on the sms.db that determine what additional changes happen automatically to the db when a record, thread or contact is deleted.

sandersonforensics.com...MS-message

I hope you find them interesting.

There is a link to request a fully functional demo of my software on the blogs.

Paul
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
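
The live/not-live distinction described in the reply above, as an added example that is not part of the original posts or of any tool named in the thread: it builds a small WAL-mode SQLite database, deletes the only row, then walks the WAL frames to show that earlier states of the same page still hold the text. The `message` table, its columns and the message texts are constructed for the demonstration and are not the real sms.db schema.

```python
import os, sqlite3, struct, tempfile

def wal_frames(wal: bytes):
    """Yield (frame_no, page_no, is_commit, salt_ok, page_bytes) for each WAL frame."""
    # 32-byte WAL header: magic, version, page size, checkpoint seq, salt1, salt2, checksums
    magic, _ver, page_size, _seq, salt1, salt2 = struct.unpack(">6I", wal[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    step = 24 + page_size  # 24-byte frame header followed by one full page image
    for n, off in enumerate(range(32, len(wal) - step + 1, step), 1):
        page_no, db_size, s1, s2 = struct.unpack(">4I", wal[off:off + 16])
        # db_size != 0 marks a commit frame; matching salts mean the frame
        # belongs to the current WAL generation rather than an older one
        yield n, page_no, db_size != 0, (s1, s2) == (salt1, salt2), wal[off + 24:off + step]

def demo():
    """Return (live rows, {text: [(frame_no, page_no), ...]}) for a constructed database."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.db")
        con = sqlite3.connect(path, isolation_level=None)  # autocommit: one commit per statement
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
        con.execute("INSERT INTO message (text) VALUES ('constructed original text')")
        con.execute("UPDATE message SET text = 'constructed edited text'")
        con.execute("DELETE FROM message")
        live = con.execute("SELECT text FROM message").fetchall()
        # Read the WAL before closing: closing the last connection checkpoints and removes it
        with open(path + "-wal", "rb") as f:
            wal = f.read()
        con.close()
    hits = {}
    for n, page_no, _commit, salt_ok, page in wal_frames(wal):
        for needle in (b"constructed original text", b"constructed edited text"):
            if salt_ok and needle in page:
                hits.setdefault(needle.decode(), []).append((n, page_no))
    return live, hits

if __name__ == "__main__":
    live, hits = demo()
    print("live rows:", live)
    for text, frames in hits.items():
        print(repr(text), "found in (frame, page):", frames)
```

The frame holding the edited text is a recovered copy of a record that was superseded and then removed, while the frame holding the original text is an old copy of a record that was still live at the next commit, which is why a recovered record is not automatically a deleted one.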
 
  

redcat
Senior Member
 

Re: iPhone5 sms.db deleted field

Post Posted: Jun 05, 17 19:36

Thank you Paul for your comprehensive reply, this is just what I needed.  
 
