
As Digital Forensics Investigators, Can We Recover Deleted Text Messages?

Recovering Deleted Text Messages

Mobile phones are the hub of our modern lives—nearly all our daily communication takes place on our phones, from email and voice calls to text messaging. We think nothing of accessing our banking information, medical records, and other sensitive information directly from our mobile devices. This makes our phones a potential goldmine of discoverable information. 

You may think that a simple question like “can you recover deleted text messages from a phone?” would have a simple answer. However, the answer is not clear-cut—it greatly depends on various factors such as the model of the phone, the operating system, the messaging technology used, and the length of time since the texts were deleted.

Perhaps we have been influenced too much by shows like CSI, which allow their hackers to instantly crack any encryption they encounter, a virtually impossible feat, even for the FBI. We tend to believe that the right person can infiltrate any system with a concentrated flurry of typing, but that’s simply not the case. Because of the sensitivity of the information flowing through modern cell phones, device manufacturers have made it a point to harden these devices, locking down all stored information and making it nearly impossible to access internal data, even with proper credentials. Device manufacturers are taking user data security and privacy very seriously, as they should.

Back to the question: can you recover deleted text messages?
Had this question been posed to us five years ago, we would likely have said, “no problem.” It wasn’t that long ago that investigators had access to system-level files along with the internal databases that store information such as text messages, emails, geolocation data, and more.

While we employ powerful forensics tools that allow us to examine a wide variety of digital devices, the environment in which we work has changed significantly. Today, we are often limited to retrieving isolated pools of information, without any system-level files, from recent models of mobile phones.

If you were to bring us an iPhone 14 today, and only this phone, and ask us to retrieve messages that were intentionally deleted two months ago, the likelihood of success would hover slightly above 0%. However, that doesn’t mean that all is lost: there are a handful of exploits that we can use to gain access to system-level files on older models of iPhones and many current Android devices. Additionally, digital forensic professionals have many avenues to find electronically stored information, and the phone is just one place to look.

There are different types of text messages.
This is probably a good time to highlight the fact that many different types of text messages are being used today.

SMS: The simplest form of text messaging is SMS, a text-only format with a 160-character limit. These texts are sent solely through cellular networks.

MMS: MMS is the multimedia version of texting that allows for embedded media and a 1,600-character limit. This is the technology that most people use daily.

iMessage: iMessage is Apple’s proprietary messaging solution for Apple devices. Instead of using cellular networks, text messages travel via the Internet. Only when a message must travel to a non-Apple device will the message be routed to cellular networks.

3rd party messaging apps: There has been a giant surge in the popularity of 3rd party messaging solutions because they offer unparalleled security features, such as end-to-end encryption, encryption at rest, and self-destructing messages. So-called “ephemeral” messages securely delete themselves upon viewing or after a set time. Messaging technologies purposely built for secrecy will be the most problematic, if not impossible, for forensic investigators to capture.

Can’t we just get messages from phone carriers?
Again, this is complicated and depends on each carrier, but the answer is generally no. In most cases, carriers will only retain a text message for a few hours up to a few days, if at all. They can provide metadata surrounding the text message, such as sender and recipient information, along with timestamps of the communication, but not the message itself. If you want this metadata, you will need a subpoena.

So, how do we find deleted text messages?
Our first step is to examine the phone itself. We’ll make a forensic copy of the device, drawing as much information from the phone as our tools and techniques allow. In the case of an iPhone, we have a reasonably good chance of retrieving deleted messages if we investigate a model before Model X.

If that doesn’t work, we might look to the other parties that received the messages. By their very nature, text messages are shared communications. That means that if a text was sent, it would have been received by one or more parties. We can expand our investigation to include other devices included in the text conversation.

How else might we find deleted text messages?

Via message synchronization:
Text messages are often synchronized with multiple devices, especially within the Apple ecosystem. If you have a MacBook or an iPad, you are likely retrieving messages on multiple devices. Deleted messages may still be present on other devices.

From device backups:
Many iPhone users synchronize their data and store backups in Apple’s iCloud. This is a good place to look. Even better for forensic examiners would be an iTunes-based backup stored on a user’s computer, particularly if they retain multiple historical backups.

From computer backups:
If a user makes regular backups of a hard drive through Apple’s Time Machine or other archiving software, and they access text messages on their computer, there is a good chance past messages can be retrieved.

One last note: law enforcement has an ace up their sleeve
Law enforcement agencies have a unique forensics tool that commercial businesses do not have access to; it’s called GrayKey. It allows law enforcement to crack the password for specific models of iOS and Android phones and subsequently retrieve a system-level image of that device. For this reason, law enforcement has a significant advantage when trying to uncover lost or deleted data from a suspect’s phone.

So, as you can see, retrieving deleted messages from a mobile phone is complicated. It is always critical to contact a digital forensics professional if you have any questions about preserving and collecting text messages for a legal matter. Despite the many roadblocks that can impede the collection of live or deleted text messages, no one is better qualified to find a viable solution utilizing multiple methods, some of which were outlined in this post.