Sent messages on an Android phone may no longer be present in the MMSSMS database due to various reasons, including their having been manually deleted. Our goal was to come up with a way to find deleted and non-deleted messages sent on an Android phone without loading the database and read them into a table.
To begin, we took a physical image of a Samsung Galaxy S5 using Cellebrite UFED Touch 2. Next, we uploaded the DumpData .bin file into Encase 8.0.4 and began Keyword searches for known messages. We then created a Grep expression that consisted of a pattern that would correctly mark MMSSMS messages.
Android messages are stored into a database with multiple message copies stored in journals or unallocated memory. Because of this, once we created the correct Grep expression, we were able to find deleted messages that were removed from the database but still existed in unallocated memory–both from unallocated pages within the database and from unallocated space within the image. Cellebrite Physical Analyzer V. 220.127.116.114 was unable to locate some of these messages. We then incorporated the Grep expression into an Enscript and parsed the hits into a readable table.