iPhone5 sms.db deleted field
Hello, hopefully a quick question for somebody in the know. I am trying to establish what field UFED and XRY are using to show that a quantity of SMS are deleted. I am looking at the sms.db and although I can see the messages in question, I cannot for the life of me work out the how or why they are being parsed as deleted by the tools…
Many thanks for any useful suggestions where to look.
There is no field in the SQLite database that flags a record as deleted. Either the record is a live record in the database or it is a record that is not live.
I use the live/not live distinction on purpose as you can recover records from the SQLite database and, in the case of sms.db, the associated WAL that are essentially just old copies of a currently live record. So although they are recovered records they should not be flagged as deleted.
They can also be copies of currently live records that are partially overwritten.
The WAL, and sometimes the DB itself, can hold copies of deleted records. The WAL can hold multiple copies of previous states of the DB. I have blogged on a few occasions about this.
This article covers deleted records in general and how, sometimes, you can determine when a record was deleted.
This one covers the SMS.db specifically and shows how you can sometimes identify who the contact is associated with a specific deleted message - due to the table relationships this is not always that easy.
This article covers the triggers and foreign key constraints on the sms.db that determine what additional changes happen automatically to the db when a record, thread or contact is deleted.
I hope you find them interesting.
There is a link to request a fully functional demo of my software on the blogs.
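To illustrate the point in the reply above that the WAL can hold several previous states of the same page, here is an added Python example (not part of the original posts and not the poster's software). It walks the frames of a SQLite `-wal` file and groups them by page number; the `demo.db` database, its `message` table and the "state N" texts are constructed sample data, not a real sms.db.

```python
import os, sqlite3, struct, tempfile
from collections import defaultdict

def parse_wal(path):
    """Yield one dict per frame in a SQLite -wal file (frame checksums are not verified)."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _ver, page_size, _seq, salt1, salt2 = struct.unpack(">6I", data[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    page_size = (page_size & 0xFE00) + ((page_size & 1) << 16)  # 65536 is stored as 1
    off = 32                                    # WAL header is 32 bytes
    while off + 24 + page_size <= len(data):    # frame = 24-byte header + one page
        pgno, db_size, fs1, fs2 = struct.unpack(">4I", data[off:off + 16])
        yield {"page": pgno,
               "commit": db_size != 0,          # non-zero marks the last frame of a commit
               "current_salts": (fs1, fs2) == (salt1, salt2),  # False: pre-reset leftover
               "body": data[off + 24:off + 24 + page_size]}
        off += 24 + page_size

def page_versions(frames):
    """Map page number -> frame indexes, oldest first; the last entry is the newest copy."""
    versions = defaultdict(list)
    for i, fr in enumerate(frames):
        versions[fr["page"]].append(i)
    return dict(versions)

def build_demo(dirpath):
    """Constructed sample: one row rewritten three times, each in its own commit."""
    db = os.path.join(dirpath, "demo.db")
    con = sqlite3.connect(db, isolation_level=None)     # autocommit
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")          # keep every frame in the WAL
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    con.execute("INSERT INTO message (text) VALUES ('state 0')")
    for i in (1, 2, 3):
        con.execute("UPDATE message SET text = ? WHERE ROWID = 1", (f"state {i}",))
    return con, db + "-wal"   # keep con open: closing it checkpoints and removes the WAL

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        con, wal = build_demo(d)
        frames = list(parse_wal(wal))
        for page, idxs in sorted(page_versions(frames).items()):
            print(f"page {page}: {len(idxs)} copies in WAL, frames {idxs}")
        for i, fr in enumerate(frames):
            hits = [s for s in range(4) if f"state {s}".encode() in fr["body"]]
            print(f"frame {i}: page {fr['page']} holds message states {hits}")
        con.close()
```

The live table returns only the final text, while the earlier frames for the same page still carry the older texts, which is why a recovered record of this kind is an old copy of a live record rather than a deleted one.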
Thank you Paul for your comprehensive reply, this is just what I needed.