SMS/MMS Database (mmssms.db)

Location

Description

SQLite database storing all SMS and MMS messages on the device. Each record contains the sender and recipient phone numbers, message body, timestamp (date column in epoch milliseconds), read status, and thread ID grouping conversations. MMS entries include references to associated media parts stored in the same provider directory.

Forensic Value

SMS/MMS messages are a primary communication artifact for establishing suspect contact patterns, verifying alibis, and recovering deleted conversations. The date and date_sent columns provide both local receipt and network send timestamps, enabling precise timeline correlation. Deleted messages may remain recoverable from unallocated database pages or the WAL (write-ahead log) file until a vacuum operation occurs. Thread IDs link individual messages into full conversation reconstructions.

Tools Required

Collection Commands

adb pull /data/data/com.android.providers.telephony/databases/mmssms.db /forensics/output/

python3 aleapp.py -t tar -i /path/to/extraction -o /forensics/output/

adb backup -noapk com.android.providers.telephony -f sms_backup.ab

Collection Constraints

• •Availability depends on Android version, OEM build, encryption state, privilege level, and whether the collection was logical, rooted, or full-filesystem. OEM-specific builds may move or rename stores.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References