SMS/iMessage Database (sms.db)

iosCommunicationDevice ExtractionCloud Admin Portal

Location

HomeDomain/Library/SMS/sms.db

Description

Core SQLite database storing all SMS, MMS, and iMessage conversations on the device. Contains the message table with full message text, timestamps (date, date_read, date_delivered), sender/recipient handles, group chat associations, and message type indicators distinguishing between SMS and iMessage. Attachments are referenced by filename and stored separately in the SMS/Attachments/ directory.

Forensic Value

The sms.db database is one of the highest-value communication artifacts on iOS, providing a complete record of text-based conversations including deleted messages that may remain in unallocated database pages until overwritten. Timestamps for sent, delivered, and read states enable precise communication timeline reconstruction. The handle table cross-references phone numbers and Apple IDs to specific conversations, linking device owners to communication partners. iMessage conversations are end-to-end encrypted in transit but stored in plaintext in this database once decrypted on the device.

Tools Required

Cellebrite UFEDiLEAPPMagnet AXIOMBelkasoftDB Browser for SQLite

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud