It is expected that messages will be found within third-party application files, and that will be covered heavily in Section 5 of this course. Examiners must be aware that other locations exist on Android devices that store messages. The additional paths listed may contain messages of interest:

  •  USERDATA/data/com.google.android.gms/databases/icing_mmssms.db: Additional SMS/MMS

  •  USERDATA/data/com.sec.android.provider.logsprovider/databases/logs.db: Snippets from Samsung devices

RCS, or Rich Communication Services, is a newer messaging standard that is planned to eventually replace SMS on Android devices. It has yet to be adopted by all devices, so it will require more research as devices that use this messaging functionality surface.

The example shown in this slide is the icing_mmssms.db located at USERDATA/data/com.google.android.gms/databases/icing_mmssms.db. To obtain this file, you must have either root access or full access via a physical or file system dump. This file contains both SMS and MMS messages sent and received from the device. A free script was developed to parse these messages; it can be found on your FOR585 VM on the Desktop in the Scripts for class directory. Magnet Forensics has a great white paper on Android messaging, which may be of interest for you to read: https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/.

A query to parse this icing_mmssms.db is available in your course notebook as well as below.

select
  mmssms._id,
  mmssms.msg_type,
  -- message direction, derived from the type column
  case
    when mmssms.type = 2 then 'incoming'
    when mmssms.type = 1 then 'outgoing'
  end AS "message status",
  mmssms.address,
  -- date is stored as Unix epoch milliseconds; shown in the examiner workstation's local time
  datetime(mmssms.date/1000,'unixepoch','localtime') AS "date",
  mmssms.body AS "message",
  mmssms_tag.tag AS "unread"
from mmssms
left join mmssms_tag on mmssms_tag._id=mmssms._id;
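The following is an added example, not part of the course material or the FOR585 script: it runs the query above against an extracted working copy of icing_mmssms.db opened read-only, and renders timestamps in UTC rather than 'localtime' so the output does not depend on the examiner workstation's time zone. The function names parse_icing and build_sample are hypothetical, and the sample database is constructed with only the columns the query references.

```python
import sqlite3
from pathlib import Path

# Query from the notebook, with 'localtime' dropped so dates are reported in UTC.
QUERY = """
SELECT mmssms._id, mmssms.msg_type,
       CASE WHEN mmssms.type = 2 THEN 'incoming'
            WHEN mmssms.type = 1 THEN 'outgoing' END AS "message status",
       mmssms.address,
       datetime(mmssms.date/1000, 'unixepoch') AS "date (UTC)",
       mmssms.body AS "message",
       mmssms_tag.tag AS "unread"
FROM mmssms
LEFT JOIN mmssms_tag ON mmssms_tag._id = mmssms._id
ORDER BY mmssms.date
"""

def parse_icing(db_path):
    """Run the query against a working copy of the database, opened read-only."""
    # mode=ro makes SQLite refuse any write to the database file.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        con.row_factory = sqlite3.Row
        return [dict(row) for row in con.execute(QUERY)]
    finally:
        con.close()

def build_sample(db_path):
    """Create a constructed stand-in database (assumed minimal schema, fake rows)."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE mmssms (_id INTEGER, msg_type TEXT, type INTEGER,
                             address TEXT, date INTEGER, body TEXT);
        CREATE TABLE mmssms_tag (_id INTEGER, tag TEXT);
        INSERT INTO mmssms VALUES
            (1, 'sms', 2, '+15555550100', 1500000000000, 'constructed message A'),
            (2, 'sms', 1, '+15555550101', 1500000060000, 'constructed message B');
        INSERT INTO mmssms_tag VALUES (1, 'unread');
    """)
    con.commit()
    con.close()
```

Run parse_icing on a copy of the extracted file rather than the original evidence item, and hash the copy before and after to confirm it was not modified.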