This case study highlights the professional recovery of deleted mobile communications from a SQLite sms.db file. By utilizing low-level RAW data carving and field identifier matching, the AS Data Recovery team successfully retrieved critical deleted messages for a high-level corporate executive.

Client & Data Information

• Client Name: Confidential (Group CEO)
• Data Type: SQLite Database (sms.db)
• Data Capacity: 456 KB
• Primary Issue: Intentional or Accidental Deletion of SMS Records

Incident Summary

The client required the urgent extraction of deleted SMS history from a mobile device database file. In mobile forensics, when a message is deleted, the record is often marked as “free” within the SQLite database rather than being immediately overwritten. The client requested the maximum possible retrieval of these hidden records to recover essential business communications.

Technical Analysis

Upon receiving the sms.db file, our forensic engineers conducted a deep-level analysis of the SQLite structure:

• Active Records: Initial scanning identified 1,600 valid, non-deleted SMS messages currently visible in the database.
• Deleted Record Fragments: Deep-sector analysis revealed approximately 1,000 deleted message fragments residing in the database’s “Unallocated Space” and “Free List” pages.
• Recovery Feasibility: Using our proprietary RAW Data Extraction Tool, we identified specific field identifiers (timestamps, sender IDs, and message bodies) that allowed for the reconstruction of the deleted entries.

Recovery Solution

The recovery strategy utilized Advanced SQLite Record Carving. By bypassing the standard database engine—which ignores deleted markers—our team scanned the raw hex code of the file to match specific SMS data patterns. This allowed us to “carve” the deleted records back into a readable format without damaging the integrity of the existing messages.

Recovery Process

• Forensic Database Imaging: Creating a bit-for-bit copy of the sms.db file to ensure the original evidence remains untouched.
• Field Identifier Matching: Configuring our RAW tool to recognize the specific schema patterns of the Android/iOS SMS database.
• Unallocated Space Extraction: Scanning the free pages of the SQLite file to locate and extract 1,000+ deleted message strings.
• Data Compilation & Cleaning: Merging the 1,600 active messages with the 1,000 recovered deleted records into a unified, searchable report.
• Final Verification: The client reviewed the extracted data and confirmed the presence of the critical deleted information.

Recovery Results

• Recovery Integrity: 100% of salvageable deleted fragments recovered.
• Total Records Retrieved: 2,600+ SMS Messages (1,600 Active + 1,000 Deleted).
• System Status: Data delivered in a clear, readable format for immediate use.
• Total Recovery Time: 30 Minutes

Expert Reminder from AS Data Recovery: To maximize the chances of mobile data recovery, stop using the device immediately after a deletion occurs to prevent new data from overwriting the deleted blocks. Contact AS Data Recovery professionals immediately for expert SQLite and mobile forensic services. We guarantee precision and confidentiality for all sensitive corporate data.