Recovering deleted files by parsing SQLite files

Android uses SQLite files to store most of its data. Data related to text messages, emails, and certain app data is stored in SQLite files. SQLite databases can retain deleted data within the database file itself: records deleted by the user no longer appear in the active tables, but their bytes are not necessarily overwritten. Therefore, it is often possible to recover deleted data, such as text messages and contacts. There are two areas within a SQLite page that can contain deleted data: unallocated blocks and free blocks.

Most of the commercial tools that recover deleted data scan the unallocated blocks and free blocks of the SQLite pages. Parsing the deleted data can be done using the available forensic tools, such as Oxygen Forensics SQLite Viewer. The trial version of the SQLite Viewer can be used for this purpose; however, it limits the amount of data that you can recover. You can also write your own script to parse the files for deleted content; for this, you need a good understanding of the SQLite file format, and the page at http://www.sqlite.org/fileformat.html is a good place to start. If you do not want to reinvent the wheel and would rather reuse existing scripts, you can try the available open source Python scripts (http://az4n6.blogspot.in/2013/11/python-parser-to-recover-deleted-sqlite.html) to parse SQLite files for deleted records.
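
The following script is an added example, not code from the book or from the scripts linked above. It walks the pages of a SQLite file using the offsets documented in the file-format page and carves printable strings from the two deleted-data areas just described: the unallocated space between a page's cell pointer array and its cell content area, and the chain of freeblocks left behind by deleted cells. Instead of a device image it builds a constructed stand-in for mmssms.db (the table layout, numbers and message texts are made up) and deletes one row, so the carved output can be checked against known input.

```python
import re, sqlite3, tempfile
from pathlib import Path

# b-tree page type byte -> page header length (interior pages carry a 4-byte right-child pointer)
BTREE_HEADER_LEN = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}

def carve_regions(db_bytes):  # yields (page_no, kind, data) for each unallocated area and freeblock
    page_size = int.from_bytes(db_bytes[16:18], "big")
    page_size = 65536 if page_size == 1 else page_size  # the value 1 encodes a 64 KiB page
    for page_no in range(1, len(db_bytes) // page_size + 1):
        page = db_bytes[(page_no - 1) * page_size:page_no * page_size]
        hdr = 100 if page_no == 1 else 0  # page 1 starts with the 100-byte file header
        if page[hdr] not in BTREE_HEADER_LEN:
            yield page_no, "non-btree", page[hdr:]  # freelist/overflow page: all of it is slack
            continue
        first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
        n_cells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
        content_start = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
        ptr_end = hdr + BTREE_HEADER_LEN[page[hdr]] + 2 * n_cells
        yield page_no, "unallocated", page[ptr_end:content_start]  # gap below the cell pointer array
        seen = set()  # guards against a corrupted, looping freeblock chain
        while first_free and first_free not in seen and first_free + 4 <= page_size:
            seen.add(first_free)
            nxt = int.from_bytes(page[first_free:first_free + 2], "big")
            size = int.from_bytes(page[first_free + 2:first_free + 4], "big")
            yield page_no, "freeblock", page[first_free + 4:first_free + size]
            first_free = nxt

def carve_strings(db_bytes, min_len=6):  # printable ASCII runs from the deleted-data regions only
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(page_no, kind, m.group().decode("ascii"))
            for page_no, kind, data in carve_regions(db_bytes)
            for m in pattern.finditer(data)]

def build_sample_db():  # constructed stand-in for mmssms.db: three messages, the middle one deleted
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp, "mmssms.db")
        conn = sqlite3.connect(db)
        conn.execute("PRAGMA secure_delete = OFF")  # SQLITE_SECURE_DELETE builds would zero the freed cell
        conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
        conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", [
            (1, "+15550001", "live-message-one: meeting moved to 3pm"),
            (2, "+15550002", "DELETED-MESSAGE: the row we want to carve back"),
            (3, "+15550003", "live-message-three: dinner at 7")])
        conn.commit()
        conn.execute("DELETE FROM sms WHERE _id = 2")
        conn.commit()
        conn.close()
        return db.read_bytes()
```

On a database whose SQLite build was compiled with SQLITE_SECURE_DELETE, or where PRAGMA secure_delete is on, freed cells are overwritten with zeros and nothing can be carved, which is why the sample forces the pragma off. Live rows are never scanned, so every string returned comes from space the database itself considers free.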

For our example, we will recover deleted SMS messages from an Android device. Recovering deleted SMS messages from an Android phone is quite often requested as part of the forensic analysis of a device, mainly because text messages can reveal a lot of information. There are different ways to recover deleted text messages on an Android device. First, we need to understand where the messages are stored on the device. In Chapter 9, Android Data Extraction Techniques, we explained the important locations on the Android device where user data is stored. Here is a quick recap:

  • Every application stores its data under the /data/data folder (again, this requires root access to acquire data).
  • The files under the location, /data/data/com.android.providers.telephony/databases, contain details about the SMS/MMS.

Under the mentioned locations, text messages are stored in a SQLite database file named mmssms.db. Deleted text messages can be recovered by examining this file. Here are the steps to recover deleted SMS messages using the mmssms.db file:

  1. On the Android device, enable the USB debugging mode and connect the device to the forensic workstation. Using the adb command-line tool, extract the databases folder present at /data/data/ by issuing the following command:

     adb.exe pull /data/data/com.android.providers.telephony/databases C:\temp

     The output can be seen as follows:

     [Screenshot: ADB pull command]

  2. Once the files are extracted to the local machine, use the Oxygen Forensics SQLite Viewer tool to open the mmssms.db file.
  3. Click on the table named sms and observe the current messages under the Tables data tab in the tool.
  4. One way to view the deleted data is by clicking on the Blocks containing deleted data tab, as shown in the following screenshot:

     [Screenshot: Recovering deleted SMS messages]

Similarly, other data residing on Android devices that is stored in SQLite files can be recovered by parsing the files for deleted content. When the preceding method does not provide access to the deleted data, you should examine the file in a raw hex editor for data marked as deleted, which can then be manually carved and reported.
