A client recently asked me to analyze a mobile phone forensically to prove that a specific text message was not sent from the phone. This message is the focal point of a very public civil lawsuit.
I explained that what I could do is examine the phone and see if I could find traces of the message on it, though various factors could explain why a message that was once on a phone might no longer be forensically recoverable. Without having yet imaged the phone, it was unclear whether a full file system extraction (FFS) could be made of the device or whether we would have to settle for a logical image.
An FFS extraction is considered the best because it includes the most complete set of files and databases, including the full SQLite database files in which the remnants of deleted rows may still linger. In contrast, a logical extraction of the phone might only include messages that have not been deleted [1]. Of course, whether an FFS extraction is possible depends on the age of the phone hardware and the version of Android or iOS it runs.
Even with an FFS extraction, I was concerned that the SQLite database containing the message could have been "vacuumed" of any deleted data. When a record is deleted from an SQLite database, its bytes are not erased right away: the space it occupied is simply marked as free, and the old content usually remains in the file until new data overwrites it or the database is vacuumed. VACUUM rebuilds and compacts the database file, and auto-vacuum truncates freed pages from it; either can discard the deleted data for good [2, 3]. An application can also enable SQLite's secure_delete option, which overwrites deleted content with zeros at the moment of deletion, so nothing survives to be carved even before any vacuum runs. I explained there was no way to tell without performing the examination, and we need to be careful to remember that absence of evidence is not evidence of absence [4]. I said that even if I did not find the message on the phone, I would not be able to state with absolute certainty that the message was never on the phone, just that no evidence was found that it had been.
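To make the vacuum concern concrete, here is an added example, written for this page rather than taken from the original post or from any forensic tool it mentions, using Python's standard sqlite3 module. It builds a toy message table whose columns loosely mirror the Android mmssms.db "sms" table (the schema and the sample messages are constructed for the demo), deletes one row, and then checks whether the message text still sits in the raw file bytes: right after the delete, after VACUUM, and when PRAGMA secure_delete is switched on before the delete.

```python
"""Why a deleted SMS row may or may not survive inside an SQLite file.

Toy demonstration: the schema imitates Android's mmssms.db 'sms' table only
loosely, and every message below is constructed sample data, not case data.
"""
import os
import sqlite3
import tempfile
from contextlib import closing

# Constructed sample messages (address, epoch-millis date, body).
SAMPLE_MESSAGES = [
    ("+15550100", 1700000000001, "Running late, start without me"),
    ("+15550101", 1700000000002, "Can you send the invoice?"),
    ("+15550102", 1700000000003, "THIS IS THE DISPUTED MESSAGE 4f2c9"),
    ("+15550103", 1700000000004, "See you at 7"),
]
DISPUTED_BODY = SAMPLE_MESSAGES[2][2]


def connect(path, secure_delete=False):
    """Open in autocommit mode (VACUUM refuses to run inside a transaction)
    and pin secure_delete explicitly so the demo does not depend on the
    compile-time default of the local SQLite library."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    return conn


def build_sample_db(path, secure_delete=False):
    """Create the toy 'sms' table and load the constructed messages."""
    with closing(connect(path, secure_delete)) as conn:
        conn.execute(
            "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
            "date INTEGER, body TEXT)"
        )
        conn.executemany(
            "INSERT INTO sms (address, date, body) VALUES (?, ?, ?)", SAMPLE_MESSAGES
        )


def delete_message(path, body, secure_delete=False):
    """Delete one row the way the messaging app would: a plain DELETE."""
    with closing(connect(path, secure_delete)) as conn:
        conn.execute("DELETE FROM sms WHERE body = ?", (body,))


def vacuum(path):
    """Rebuild the file from live rows only; freed cell space is not copied."""
    with closing(connect(path)) as conn:
        conn.execute("VACUUM")


def message_visible_via_sql(path, body):
    """What the app (and a logical extraction) sees: live rows only."""
    with closing(connect(path)) as conn:
        row = conn.execute("SELECT COUNT(*) FROM sms WHERE body = ?", (body,)).fetchone()
        return row[0] > 0


def raw_file_contains(path, text):
    """What a file-level (FFS) examiner can search for: the bytes anywhere in
    the database file, including free space left behind by deleted cells."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()


def run_demo(secure_delete=False):
    """Run the delete / vacuum sequence in a temp dir and report each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")
        build_sample_db(path, secure_delete)
        result = {"visible_before_delete": message_visible_via_sql(path, DISPUTED_BODY)}
        delete_message(path, DISPUTED_BODY, secure_delete)
        result["visible_after_delete"] = message_visible_via_sql(path, DISPUTED_BODY)
        result["in_raw_file_after_delete"] = raw_file_contains(path, DISPUTED_BODY)
        vacuum(path)
        result["in_raw_file_after_vacuum"] = raw_file_contains(path, DISPUTED_BODY)
        return result


if __name__ == "__main__":
    print("secure_delete OFF:", run_demo(secure_delete=False))
    print("secure_delete ON: ", run_demo(secure_delete=True))
```

With secure_delete off, the deleted body disappears from SQL results but is still found in the raw file until VACUUM runs; with secure_delete on, it is zeroed the instant the row is deleted. In a real examination the same search is done with a carving tool over the extracted database, and the accompanying -wal and -journal files are worth checking too, since they can hold earlier page images that the main file no longer does.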
Thinking about the problem differently, I suggested requesting the Call Detail Records (CDRs) [5] from the phone carrier. These records are kept by the carrier independently of the handset and typically capture the originating and terminating numbers and timestamps of each call and text, so they would allow us to focus on the interactions between the parties in the lawsuit regardless of what survived on the device. After all, one possible explanation was that the message was spoofed [6]. Proving that the message originated from somewhere other than the phone can be an effective alternative strategy. I have supported multiple cases where a third party used short message service (SMS) spoofing to inflame a volatile personality into retaliating against an unwitting victim.
If you need the clear truth about a case involving mobile forensics or caller ID spoofing, contact us at Lucid Truth Technologies. We are here to help you.
[2] https://www.sqlitetutorial.net/sqlite-vacuum/
[3] https://belkasoft.com/sqlite-forensics-with-belkasoft-x
[4] https://en.wikipedia.org/wiki/Evidence_of_absence
[5] https://www.androidheadlines.com/2021/05/everything-you-wanted-to-know-call-detail-records.html