It is expected that messages will be found within third-party application files, and that will be covered heavily in Section 5 of this course. Examiners must be aware that other locations exist on Android devices that store messages. The additional paths listed may contain messages of interest:
• USERDATA/data/com.google.android.gms/databases/icing_mmssms.db: Additional SMS/MMS
• USERDATA/data/com.sec.android.provider.logsprovider/databases/logs.db: Snippets from Samsung devices
RCS, or Rich Communication Services, is a newer standard for messaging that is planned to eventually replace SMS on Android devices. It has yet to be adopted by all devices, so it will require more research as devices that use this messaging functionality surface.
The example shown in this slide is the icing_mmssms.db located at USERDATA/data/com.google.android.gms/databases/icing_mmssms.db. You must have either root access to obtain this file or full access via a physical or file system dump. This file contains both SMS and MMS sent and received from the device. A free script was developed to parse these messages, which can be found on your FOR585 VM on the Desktop in the Scripts for class directory. Magnet Forensics has a great white paper on Android messaging, which may be of interest for you to read: https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/.
A query to parse this icing_mmssms.db is available in your course notebook as well as below.
SELECT
    mmssms._id,
    mmssms.msg_type,
    CASE
        WHEN mmssms.type = 2 THEN 'incoming'
        WHEN mmssms.type = 1 THEN 'outgoing'
    END AS "message status",
    mmssms.address,
    -- date is stored in milliseconds since the Unix epoch
    datetime(mmssms.date / 1000, 'unixepoch', 'localtime') AS "date",
    mmssms.body AS "message",
    mmssms_tag.tag AS "unread"
FROM mmssms
-- LEFT JOIN keeps messages that have no row in mmssms_tag
LEFT JOIN mmssms_tag ON mmssms_tag._id = mmssms._id;
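The following is an added example, not the course's script: it runs the query above against a working copy of icing_mmssms.db opened read-only and hashes the file before and after, so the examiner can show the copy was not altered. The function names, the sample schema (only the columns the query reads), the sample rows, the UTC output in place of 'localtime', and the ORDER BY are assumptions made for the example.

```python
import hashlib
import sqlite3
from pathlib import Path

# The page's query, with UTC output instead of 'localtime' so results do not
# depend on the examiner workstation's timezone (assumption for this example).
QUERY = """
SELECT mmssms._id, mmssms.msg_type,
       CASE WHEN mmssms.type = 2 THEN 'incoming'
            WHEN mmssms.type = 1 THEN 'outgoing' END,  -- labels as in the page's query
       mmssms.address,
       datetime(mmssms.date / 1000, 'unixepoch'),      -- date is in milliseconds
       mmssms.body, mmssms_tag.tag
FROM mmssms LEFT JOIN mmssms_tag ON mmssms_tag._id = mmssms._id
ORDER BY mmssms._id
"""

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_icing(path):
    """Hash, query read-only, re-hash. Returns (rows, hash_before, hash_after)."""
    before = sha256_file(path)
    # mode=ro refuses writes; immutable=1 disables locking and change detection
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(QUERY).fetchall()
    finally:
        conn.close()
    return rows, before, sha256_file(path)

def build_sample_db(path):
    """Constructed sample database: made-up rows, not data from a real device."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE mmssms (_id INTEGER PRIMARY KEY, msg_type TEXT, type INTEGER,
                             address TEXT, date INTEGER, body TEXT);
        CREATE TABLE mmssms_tag (_id INTEGER, tag TEXT);
        INSERT INTO mmssms VALUES (1, 'sms', 2, '+15550100', 1500000000000, 'On my way');
        INSERT INTO mmssms VALUES (2, 'sms', 1, '+15550100', 1500000060000, 'OK');
        INSERT INTO mmssms_tag VALUES (1, 'unread');
    """)
    conn.commit()
    conn.close()
```

If the two hashes returned by parse_icing differ, the working copy changed during the examination and the results should not be reported from it.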