SMS/iMessage Database (sms.db)

iOS, Communication, Device Extraction, Cloud Control Plane

Location

HomeDomain/Library/SMS/sms.db

Description

Core SQLite database storing all SMS, MMS, and iMessage conversations on the device. Contains the message table with full message text, timestamps (date, date_read, date_delivered), sender/recipient handles, group chat associations, and message type indicators distinguishing between SMS and iMessage. Attachments are referenced by filename and stored separately in the SMS/Attachments/ directory.

Forensic Value

The sms.db database is one of the highest-value communication artifacts on iOS, providing a complete record of text-based conversations including deleted messages that may remain in unallocated database pages until overwritten. Timestamps for sent, delivered, and read states enable precise communication timeline reconstruction. The handle table cross-references phone numbers and Apple IDs to specific conversations, linking device owners to communication partners. iMessage conversations are end-to-end encrypted in transit but stored in plaintext in this database once decrypted on the device.
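The timeline reconstruction and handle cross-reference described above, as an added example that is not part of the original page or of any tool it lists. It assumes the commonly documented sms.db column names (handle_id, service, is_from_me, handle.id), which this page does not spell out, and it runs against a small constructed in-memory database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time origin

def apple_ts(value):
    """Convert an sms.db timestamp to UTC; 0/NULL means the state was never set."""
    if not value:
        return None
    # Newer iOS versions store nanoseconds, older ones whole seconds.
    micros = value // 1000 if value > 10**11 else value * 10**6
    return APPLE_EPOCH + timedelta(microseconds=micros)

# Column names are assumed from the commonly documented schema; check them
# against the schema of the extraction being examined.
TIMELINE_SQL = """
SELECT m.ROWID, h.id, m.service, m.is_from_me, m.text,
       m.date, m.date_delivered, m.date_read
FROM message AS m
LEFT JOIN handle AS h ON h.ROWID = m.handle_id
ORDER BY m.date
"""

def build_timeline(conn):
    """Return one dict per message with handle, service and decoded timestamps."""
    keys = ("rowid", "handle", "service", "from_me", "text")
    return [dict(zip(keys, row[:5]),
                 sent=apple_ts(row[5]), delivered=apple_ts(row[6]), read=apple_ts(row[7]))
            for row in conn.execute(TIMELINE_SQL)]

def constructed_db():
    """In-memory stand-in for sms.db: constructed rows, reduced column set."""
    conn = sqlite3.connect(":memory:")
    t0 = 700_000_000 * 10**9  # constructed nanosecond timestamp
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
            service TEXT, is_from_me INTEGER, date INTEGER,
            date_delivered INTEGER, date_read INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100', 'SMS'),
                                  (2, 'user@example.com', 'iMessage');
    """)
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?,?,?,?)", [
        (1, "constructed SMS", 1, "SMS", 0, t0, 0, t0 + 5 * 10**9),
        (2, "constructed iMessage", 2, "iMessage", 1, t0 + 60 * 10**9, t0 + 61 * 10**9, 0),
    ])
    return conn

if __name__ == "__main__":
    for entry in build_timeline(constructed_db()):
        print(entry)
```

On real evidence, pass `build_timeline` a connection opened read-only on a working copy, for example `sqlite3.connect("file:sms.db?mode=ro", uri=True)`.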

Tools Required

  • Cellebrite UFED
  • iLEAPP
  • Magnet AXIOM
  • Belkasoft
  • DB Browser for SQLite

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

iLEAPP

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

MEAT

python3 meat.py -i -o /forensics/output/ -t backup

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1636.004, T1636.003, T1417, T1636