For our example, we will recover deleted SMSes from an Android device. Recovering deleted SMSes from an Android phone is often requested as part of forensic analysis of a device, mainly because text messages contain data that can reveal a lot of information. There are different ways to recover deleted text messages on an Android device.
First, we need to understand where the messages are being stored on the device. Here is a quick recap of where user data is stored on an Android device:
• Every application stores its data under the /data/data folder (again, this requires root access to acquire data)
• The files under the location /data/data/com.android.providers.telephony/databases contain details about SMS/MMS
Under the preceding location, text messages are stored in a SQLite database file named mmssms.db. Deleted text messages can be recovered by examining this file. Here are the steps to recover deleted SMSes using the mmssms.db file:
1. On the Android device, enable the USB debugging mode and connect the device to the forensic workstation. Using the adb command-line tool, extract the databases folder present under the location /data/data/ by issuing the adb pull command:
C:\android-sdk-windows\platform-tools>adb.exe pull /data/data/com.android.providers.telephony/databases C:\temp
pull: building file list...
pull: /data/data/com.android.providers.telephony/databases/mmssms.db-journal -> C:\temp/mmssms.db-journal
pull: /data/data/com.android.providers.telephony/databases/telephony.db-journal -> C:\temp/telephony.db-journal
pull: /data/data/com.android.providers.telephony/databases/mmssms.db -> C:\temp/mmssms.db
pull: /data/data/com.android.providers.telephony/databases/telephony.db -> C:\temp/telephony.db
4 files pulled. 0 files skipped.
53 KB/s (160848 bytes in 2.958s)
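
As an added illustration (not code from the original text), the Python sketch below shows why examining a pulled mmssms.db can surface deleted messages: rows removed with DELETE stay in the file's free pages until they are overwritten, even though SQL queries no longer return them. The database here is a constructed stand-in with a simplified three-column sms table in rollback-journal mode, and all function names are hypothetical.

```python
import os, re, sqlite3, struct, tempfile
from pathlib import Path

def header_info(path):
    """Parse the 100-byte SQLite file header: (page size, freelist page count)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]      # stored value 1 means 65536
    free_pages = struct.unpack(">I", hdr[36:40])[0]     # pages on the freelist
    return (65536 if page_size == 1 else page_size), free_pages

def live_bodies(path):
    """Bodies still visible through SQL; the working copy is opened read-only."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return {row[0] for row in con.execute("SELECT body FROM sms")}
    finally:
        con.close()

def residual_bodies(path, pattern):
    """Strings matching `pattern` in the raw file that no live row contains."""
    with open(path, "rb") as f:
        raw = f.read()
    return {m.decode() for m in re.findall(pattern, raw)} - live_bodies(path)

def build_sample(path):
    """Constructed stand-in for mmssms.db: 200 messages, 195 of them deleted."""
    con = sqlite3.connect(path)
    for pragma in ("auto_vacuum=NONE", "journal_mode=DELETE", "secure_delete=OFF"):
        con.execute("PRAGMA " + pragma)   # assumed settings: freed pages are not wiped
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    rows = [("+15550100", "MSG%04d " % i + "x" * 200) for i in range(1, 201)]
    con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM sms WHERE _id > 5")
    con.commit()
    con.close()

def demo():
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    build_sample(path)
    _, free_pages = header_info(path)
    return free_pages, len(live_bodies(path)), residual_bodies(path, rb"MSG\d{4} x{200}")

if __name__ == "__main__":
    free_pages, live, residual = demo()
    print(free_pages, "free pages;", live, "live rows;", len(residual), "deleted bodies still in file")
```

A non-zero freelist count in the header is a quick indicator that a pulled database is worth examining for residual records; run such checks against a working copy, never the only copy of the evidence.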