- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic examination of Android messaging β the AOSP mmssms.db Telephony provider, Google Messages bugle_db, RCS chats, MMS attachments, and deleted-message recovery from SQLite WAL and unallocated pages.
Quick Answer. On stock Android, SMS and MMS live in the Telephony provider database at /data/data/com.android.providers.telephony/databases/mmssms.db with tables sms, pdu (MMS), part (MMS attachments), addr, and threads. Google Messages stores modern chats β including RCS β in /data/data/com.google.android.apps.messaging/databases/bugle_db. Samsung Messages uses com.samsung.android.messaging. Deleted messages routinely persist in SQLite -wal/-journal sidecars, freelist pages, and any prior Google One / Samsung Smart Switch / adb backup made before deletion.
| Table | Contents | Forensic value |
|---|---|---|
| sms | thread_id, address, person, date, date_sent, protocol, read, type (1=inbox/2=sent/3=draft/4=outbox/5=failed/6=queued), body, service_center, seen | Message content, direction, timestamps, delivery state |
| pdu | MMS envelope: msg_id, thread_id, date, m_type, m_size, sub, ct_t, retr_st, resp_txt | MMS metadata; body lives in part |
| part | mid, ct (content type), name, chset, cd, cid, cl, ctt_s, ctt_t, _data, text | MMS attachments and text parts; _data points to /data/user_de/0/com.android.providers.telephony/app_parts/ |
| addr | msg_id, address, type (137=from/151=to/130=cc/129=bcc), charset | MMS recipient list per message |
| threads | recipient_ids, message_count, snippet, date, read, type | Conversation summary and last-read state |
| canonical_addresses | address (E.164 phone number or email) | Deduplicated participant identities |
Google Messages replaces the AOSP UI on most devices and stores its own copy at /data/data/com.google.android.apps.messaging/databases/bugle_db. Key tables include messages, parts, conversations, participants, and rcs_message_metadata. RCS chats (Jibe/Google’s RCS backend) are stored here rather than in mmssms.db. RCS carries message_status, delivery receipts, typing indicators, and end-to-end-encrypted content flags β bugle_db preserves E2EE flags but not plaintext for E2EE messages if the key is server-held.
Android SQLite databases use the same WAL / rollback-journal design as any SQLite store. Deletion recovery paths, in order of yield:
mmssms.db-wal, bugle_db-wal) β uncheckpointed transactions frequently retain deleted rows.app_parts/ files may survive after the DB row is deleted..bak containers include the message provider.notification_log in /data/system_ce/0/ preserves message previews.WhatsApp, Signal, Telegram, Facebook Messenger, WeChat, Snapchat, Instagram Direct, and Discord each keep their own container under /data/data/<pkg>/. WhatsApp stores messages in msgstore.db and backups in /sdcard/WhatsApp/Databases/ as msgstore.db.crypt14/15 keyed to the account. Signal uses SQLCipher (signal.db) with a key in the Keystore/Keymaster. Telegram uses a custom binary store at cache4.db. Full detail lives on Android Application Data Forensics.
All Telephony provider timestamps are milliseconds since 1970-01-01 UTC (Java System.currentTimeMillis()). We normalize to UTC and to the device local time at the moment of each event using /data/system/settings.db or settings_system.xml time-zone entries and Android logcat time-zone changes.
Elite Digital Forensics is an independent, defense-aligned Android forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Android Forensics hub for the full analytical framework we bring to every matter.
Sometimes. Google One SMS backups and vendor backup images (Samsung Smart Switch, MIUI cloud) contain the provider database; a physical acquisition of an unlocked device via adb backup or manufacturer service tools also reaches it on many models. Full raw-partition acquisition typically requires bootloader unlock or a supported chip-off/JTAG method.
One-to-one RCS chats in Google Messages between Google Messages users have been E2EE since 2021, extended to group chats in 2023. The plaintext exists only on-device; bugle_db retains it locally along with an is_e2ee flag.
The AOSP Telephony provider is used by both, so mmssms.db exists on both. Samsung Messages also maintains its own database at /data/data/com.samsung.android.messaging/databases/. Both are examined.
US carriers retain content for only 3β5 days at most; message metadata (date/time/parties) is retained longer (typically 12β18 months). On-device forensics is almost always the more evidentiary source.
Tell us about the device, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant