
Forensic challenges and solutions with the new iPhone Message Deletion



Vestige Digital Investigations, Senior Forensic Analyst
AS, BS, DFCA, GIME

Recovering deleted messages on newer iPhones has become nearly impossible. To have even a slight chance of recovering deleted messages from an iPhone, you need to acquire a full file system image of the device, which isn't always possible, and then hope that the deleted messages can still be carved from the database's write-ahead log.

Since recovery of deleted messages is unlikely, Vestige has been looking into other ways to turn this digital evidence into intelligence. For example, in the past we have been able to identify a conversation that once existed but has since been deleted. That analysis can provide the names of the participants in a conversation, but not its content. However, another method we have recently discovered determines how many messages were deleted and when each deleted message was originally sent or received.

To understand how Vestige performs this analysis, a basic understanding of how iPhones store messages is required. All native iPhone messages (SMS, MMS, and iMessage) are stored in an SQLite database named SMS.db. This database contains numerous tables, but for the purpose of this analysis the tables of interest are named message, deleted_messages, and sqlite_sequence.

The message table contains a record for each message that has been sent or received by that phone (and by previous phones, if data was transferred through iTunes or iCloud). That record includes the metadata for the message, the body of the message, and a ROWID. The ROWID is a numeric field present in every message record, and it is assigned sequentially: the oldest message sent or received has the lowest ROWID and the most recent message sent or received has the highest ROWID.* These ROWIDs are not recycled; once a ROWID has been assigned to a record it cannot be used again, even if that record is deleted. With this background in mind, Vestige reviews the message table for missing ROWIDs. We then consider the dates of the messages immediately before and after the missing record, which gives us a date range for the deleted message.

| ROWID | Date               |
|-------|--------------------|
| 1     | 5/19/2023 10:05am  |
| 3     | 5/19/2023 10:10am  |
| 4     | 5/19/2023 10:12am  |

Table 1

In the example above, you can see that ROWID 2 is missing. This gap tells us that the message with ROWID 2 was deleted. Looking at the dates for ROWIDs 1 and 3, one can conclude that a message was deleted and that the deleted message was sent or received on 5/19/2023 between 10:05am and 10:10am.

When a message is deleted on an iPhone, a record is temporarily created in the deleted_messages table. This table contains only a ROWID field, which is sequential just like the one in the message table, and the GUID of the deleted message. The record contains nothing that identifies the content of the deleted message, and the record is not retained in this table for long. As a result, counting the rows of the deleted_messages table directly does not give an accurate count of deleted messages. For that count, we turn to the sqlite_sequence table.

The sqlite_sequence table keeps track of the last ROWID issued in each table (SQLite maintains it for tables declared with AUTOINCREMENT, which is also why those ROWIDs are never reused). This is the table you can use to get a count of the total number of records that have ever been placed in the deleted_messages table, which corresponds directly to the total number of messages deleted over time.

| Name             | Seq    |
|------------------|--------|
| message          | 134291 |
| deleted_messages | 14305  |

Table 2

Table 2 above shows an excerpt from a sqlite_sequence table. It shows that the last ROWID issued for deleted_messages is 14305, meaning 14305 messages have been deleted. To verify this number, take the last ROWID for the message table, 134291, and subtract the number of rows currently in the message table, which, while not shown, is 119986. That calculation also yields 14305, which matches the largest ROWID issued for the deleted_messages table.
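The following script is an added worked example, not Vestige's own tooling, that reproduces both parts of the analysis described above (the ROWID-gap search of Table 1 and the sqlite_sequence cross-check of Table 2) against a constructed stand-in for SMS.db. It assumes the message and deleted_messages tables are declared with AUTOINCREMENT (which is what makes sqlite_sequence exist and ROWIDs non-reusable), that the message date column holds nanoseconds since 2001-01-01 UTC as on modern iOS, and that the minimal columns below suffice; the real schema has many more columns. The sample data, GUIDs and timestamps are constructed.

```python
"""Added example: ROWID-gap and sqlite_sequence analysis of an sms.db-like database.
Not Vestige's code. Schema, sample messages and dates below are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # iOS "absolute time" epoch


def apple_ns_to_iso(ns):
    """Convert an iOS message date (ns since 2001-01-01 UTC) to an ISO-style UTC string."""
    delta = timedelta(seconds=ns // 10**9, microseconds=(ns % 10**9) // 1000)
    return (APPLE_EPOCH + delta).strftime("%Y-%m-%d %H:%M:%S")


def sequence_value(con, table):
    """Largest ROWID ever issued for an AUTOINCREMENT table, read from sqlite_sequence."""
    row = con.execute("SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()
    return row[0] if row else 0


def build_sample_db():
    """Constructed sample: 8 messages five minutes apart, then ROWIDs 2, 5, 6 and 8 deleted.
    iOS later purges deleted_messages rows; we simulate that by removing the two oldest."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE message (
            ROWID INTEGER PRIMARY KEY AUTOINCREMENT,
            guid TEXT, text TEXT, date INTEGER, handle_id INTEGER);
        CREATE TABLE deleted_messages (
            ROWID INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT);
    """)
    first = datetime(2023, 5, 19, 10, 5, tzinfo=timezone.utc)
    base_ns = int((first - APPLE_EPOCH).total_seconds()) * 10**9
    for i in range(8):
        con.execute("INSERT INTO message (guid, text, date, handle_id) VALUES (?, ?, ?, ?)",
                    (f"SAMPLE-GUID-{i + 1}", f"message {i + 1}", base_ns + i * 300 * 10**9, 1))
    for rid in (2, 5, 6, 8):
        guid = con.execute("SELECT guid FROM message WHERE ROWID = ?", (rid,)).fetchone()[0]
        con.execute("DELETE FROM message WHERE ROWID = ?", (rid,))
        con.execute("INSERT INTO deleted_messages (guid) VALUES (?)", (guid,))
    con.execute("DELETE FROM deleted_messages WHERE ROWID <= 2")   # simulated iOS purge
    con.commit()
    return con


def find_gaps(con):
    """Return one (missing_rowids, after_date, before_date) tuple per run of missing ROWIDs.
    A side is None when no surviving neighbour exists (deletion at the start or the end);
    the trailing gap is found by comparing against sqlite_sequence, not just the last row."""
    rows = con.execute("SELECT ROWID, date FROM message ORDER BY ROWID").fetchall()
    gaps, prev = [], None
    for rowid, date in rows:
        expected = 1 if prev is None else prev[0] + 1
        if rowid > expected:
            gaps.append((list(range(expected, rowid)),
                         apple_ns_to_iso(prev[1]) if prev else None,
                         apple_ns_to_iso(date)))
        prev = (rowid, date)
    last_issued = sequence_value(con, "message")
    if rows and last_issued > rows[-1][0]:
        gaps.append((list(range(rows[-1][0] + 1, last_issued + 1)),
                     apple_ns_to_iso(rows[-1][1]), None))
    return gaps


def deleted_counts(con):
    """Three views of the deleted-message count: sqlite_sequence for deleted_messages,
    the message-table cross-check (last ROWID issued minus surviving rows), and the
    live row count of deleted_messages, which under-counts once iOS has purged it."""
    return {
        "sqlite_sequence": sequence_value(con, "deleted_messages"),
        "rowid_cross_check": sequence_value(con, "message")
                             - con.execute("SELECT count(*) FROM message").fetchone()[0],
        "deleted_messages_rows": con.execute("SELECT count(*) FROM deleted_messages").fetchone()[0],
    }


if __name__ == "__main__":
    db = build_sample_db()
    for missing, after, before in find_gaps(db):
        print(f"missing ROWID(s) {missing}: sent/received after {after}, before {before}")
    print(deleted_counts(db))
```

Against a real acquisition, point `sqlite3.connect` at a copy of the extracted SMS.db (never the original) and drop `build_sample_db`. The output deliberately reports both bracketing neighbours rather than a single timestamp, because, as the footnote notes, message sync can download messages out of order, so the date range is only as reliable as the ROWID-to-chronology correspondence on that device; dates are reported in UTC and should be converted to the device's time zone for the report. The three counts returned by `deleted_counts` will agree only when the message table has never been reset; if sqlite_sequence and the ROWID cross-check disagree, that is itself a finding worth documenting.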

In conclusion, while recovering deleted messages on an iPhone isn’t likely, there are some other pieces of information that Vestige can relay to help you in your matter. Vestige has created a process to identify all missing records in the message table and determine the sent/received date range of those missing records. Vestige can also provide a count of the total deleted messages.

If you need to uncover digital evidence, Contact Vestige Today to discuss your matter or case. We’re happy to help.

* When message sync is turned on, messages can download out of order, so ROWID order may not match chronological order.