
Recover Deleted Messages — Forensic Recovery for SMS, WhatsApp, Signal & iMessage
Deleted does not mean destroyed. We carve SQLite write-ahead logs, parse unallocated APFS extents, and reconstruct conversations from cloud backups other tools never touch.
Why Deleted Messages Are Almost Always Recoverable
When you tap 'delete' on a chat, the message does not vanish from storage. It is unlinked from the user-visible view but the underlying bytes remain — sometimes for months — in three places: the SQLite write-ahead log, the freelist of the database file itself, and the unallocated regions of the storage device's flash. A skilled forensic team with the right tools can usually recover content from at least one of those layers.
Modern messaging apps — iMessage, WhatsApp, Signal, Telegram, SMS/MMS — all use SQLite under the hood. SQLite uses a write-ahead log (WAL) by default, meaning that the actual deletion of a row does not happen at the moment you swipe; it happens during the next checkpoint, which can be hours or days later. Until then the deleted row sits intact in the WAL file, ready to be read by anyone with file-level access to the device.
Even after the checkpoint, the row's bytes persist in the SQLite file's freelist until the database compacts or is vacuumed — operations that messaging apps almost never perform. We routinely recover months-old WhatsApp messages from a freelist on a phone whose user swears they deleted everything 'a year ago'.
Below the SQLite layer, APFS on iOS and ext4/F2FS on Android maintain their own copy-on-write or journal structures. An overwritten file's previous extents may still be addressable on flash for as long as the controller has not garbage-collected them — and modern UFS storage delays garbage collection aggressively to spare write cycles. Combined, these three layers mean recovery rates above 80% within the first 30 days, and 40–60% within the first year.
- Layer 1 — SQLite WAL: highest recovery rate, best for messages deleted within days
- Layer 2 — SQLite freelist: medium rate, best for messages deleted within months
- Layer 3 — Unallocated flash: lowest rate, sometimes recovers years-old fragments
- Layer 4 — Cloud backup history: complementary, recovers anything in iCloud/Google Drive snapshots
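The WAL layer described above can be shown end to end on a throwaway database. This is an added example, not code from this page or from any tool it names: it parses the WAL frame headers directly and reports which frames still hold a deleted string. The database, the `message` table and the sample text are constructed for the demonstration.

```python
import os, sqlite3, struct, tempfile

WAL_MAGICS = (0x377F0682, 0x377F0683)   # the two valid WAL magic numbers

def wal_frames(wal: bytes):
    """Yield (frame_no, page_no, salts_match, page_bytes) for each WAL frame."""
    magic, _ver, page_size, _seq, salt1, salt2 = struct.unpack(">6I", wal[:24])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    off, frame_no = 32, 0                     # frames follow the 32-byte WAL header
    while off + 24 + page_size <= len(wal):   # 24-byte frame header + one page image
        page_no, _commit, f1, f2 = struct.unpack(">4I", wal[off:off + 16])
        frame_no += 1
        yield frame_no, page_no, (f1, f2) == (salt1, salt2), wal[off + 24:off + 24 + page_size]
        off += 24 + page_size

def find_in_wal(wal: bytes, needle: bytes):
    """Return [(frame_no, page_no, superseded)] for current-salt frames holding needle."""
    frames = [f for f in wal_frames(wal) if f[2]]      # skip frames from an older WAL cycle
    newest = {page: n for n, page, _, _ in frames}     # last frame written for each page
    return [(n, page, n < newest[page]) for n, page, _, data in frames if needle in data]

def wal_demo(marker: bytes = b"constructed sample: meet at the pier"):
    """Insert a row, delete it, then search the raw -wal file for its text."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")            # constructed database
        con = sqlite3.connect(path)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("PRAGMA wal_autocheckpoint=0")     # no checkpoint during the demo
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, text TEXT)")
        con.execute("INSERT INTO message(text) VALUES (?)", (marker.decode(),))
        con.commit()
        con.execute("DELETE FROM message WHERE id = 1")
        con.commit()
        live = con.execute("SELECT count(*) FROM message").fetchone()[0]
        with open(path + "-wal", "rb") as fh:          # raw read, SQLite is not involved
            hits = find_in_wal(fh.read(), marker)
        con.close()
    return live, hits

if __name__ == "__main__":
    live, hits = wal_demo()
    print("rows visible to SQL:", live)
    for frame_no, page_no, superseded in hits:
        print(f"frame {frame_no}: page {page_no}, superseded by a newer frame: {superseded}")
```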
Our Forensic Message Recovery Methodology
Recovery is platform- and app-specific. The same overarching workflow applies to all of them — preserve, acquire, parse, validate — but the tooling at each step differs.
Preserve. The first action on any recovery case is to take the device out of normal use. Airplane mode, power off if possible, and ship in a Faraday bag. Every additional minute of normal use means more SQLite checkpoints, more flash garbage collection, and lower recovery odds.
Acquire. On iOS we prefer an encrypted iTunes/Finder backup as a baseline, then a checkm8 full filesystem dump on supported hardware (A8–A11). On Android we go ADB → Qualcomm EDL → SP Flash readback depending on the chipset. For cloud-resident content we pull the iCloud or Google Drive WhatsApp backup with the user's credentials and decryption key.
Parse. iLEAPP and ALEAPP are the open-source backbones for parsing the dozens of databases involved. We supplement with custom parsers for the WAL files (where most apps don't ship a parser of their own) and with proprietary tools for the iMessage attachments folder, Signal's encrypted SQLCipher store, and Telegram's local cache.
Validate. Every recovered message is cross-referenced against at least two independent sources — for example, an iMessage recovered from chat.db's WAL is verified against the corresponding entry in sms.db on the recipient's device, or against the iCloud Messages snapshot. Single-source recoveries are flagged in the report as 'unverified' and not used as evidence.
# WAL-aware SQLite read — DO NOT just open the .db file
# Work on copies. SQLite only replays a WAL named <database file>-wal, so the copy keeps that pairing.
$ cp chat.db chat.db.bak
$ cp chat.db-wal chat.db.bak-wal
# Leaving WAL mode checkpoints the copied WAL into the copied database
$ sqlite3 chat.db.bak 'PRAGMA journal_mode=DELETE;'
$ sqlite3 chat.db.bak 'SELECT datetime(date/1000000000+978307200,"unixepoch"), text FROM message WHERE text NOT NULL ORDER BY date DESC;'
# Carve deleted rows from the freelist with undark
$ undark -i chat.db.bak --freelist > recovered_messages.txt
# WhatsApp specific — decrypt msgstore.db.crypt15 with the 64-byte key
$ ./wa-crypt-tools decrypt15 -k key.bin msgstore.db.crypt15 msgstore.db
$ sqlite3 msgstore.db 'SELECT datetime(timestamp/1000,"unixepoch"), key_remote_jid, data FROM messages WHERE data IS NOT NULL;'
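Freelist carving rests on a small on-disk structure: the database header records the first freelist trunk page and the number of free pages, and each trunk page lists further free pages. The added example below (not the page's tooling, and not a description of how undark works internally) walks that chain on a constructed database and reports which free pages still contain deleted text. The `messages` table and sample text are constructed, and `secure_delete` is switched off explicitly because some SQLite builds enable it by default.

```python
import os, sqlite3, struct, tempfile

def freelist_pages(db: bytes):
    """Return (page_size, [freelist page numbers]) parsed from a raw database image."""
    if db[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite database")
    page_size = struct.unpack(">H", db[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size   # header stores 64 KiB as 1
    trunk, total = struct.unpack(">II", db[32:40])        # first trunk page, free page count
    pages = []
    while trunk and len(pages) < total:                   # bound the walk against loops
        base = (trunk - 1) * page_size
        next_trunk, n_leaves = struct.unpack(">II", db[base:base + 8])
        n_leaves = min(n_leaves, page_size // 4 - 2)      # corrupt counts cannot overrun
        leaves = struct.unpack(f">{n_leaves}I", db[base + 8:base + 8 + 4 * n_leaves])
        pages.append(trunk)
        pages.extend(leaves)
        trunk = next_trunk
    return page_size, pages

def freelist_demo(marker: str = "constructed sample: call me after nine"):
    """Fill a throwaway database, delete every row, then search the free pages."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "msgstore.db")           # constructed database
        con = sqlite3.connect(path)
        con.execute("PRAGMA secure_delete=OFF")           # some builds default to ON
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, data TEXT)")
        rows = [(f"{marker} #{i} " + "x" * 200,) for i in range(200)]
        con.executemany("INSERT INTO messages(data) VALUES (?)", rows)
        con.commit()
        con.execute("DELETE FROM messages")
        con.commit()
        live = con.execute("SELECT count(*) FROM messages").fetchone()[0]
        con.close()
        with open(path, "rb") as fh:                      # raw read of the database file
            db = fh.read()
    page_size, pages = freelist_pages(db)
    hits = [p for p in pages if marker.encode() in db[(p - 1) * page_size:p * page_size]]
    return live, len(pages), hits

if __name__ == "__main__":
    live, n_free, hits = freelist_demo()
    print(f"rows visible to SQL: {live}; free pages: {n_free}; free pages with text: {hits}")
```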

Platform & App Specifics
Each app stores messages differently and each platform makes different forensic compromises. Knowing which is which determines what is recoverable.
iMessage / SMS on iOS: stored in /private/var/mobile/Library/SMS/sms.db with attachments in /private/var/mobile/Library/SMS/Attachments/. The WAL file (sms.db-wal) is the primary recovery target. Attachments deleted from a chat persist in the Attachments folder for variable periods because iOS uses lazy deletion on user-data files.
WhatsApp on Android: the local msgstore.db lives in /data/data/com.whatsapp/databases/, with periodic encrypted backups (msgstore.db.crypt15) in /sdcard/WhatsApp/Databases/. The crypt15 backups are recoverable via the 64-byte key derived from the user's account, which we can extract from a rooted or EDL'd device. On iOS, WhatsApp keeps its database inside the app's container, decryptable from an encrypted iTunes backup.
WhatsApp cloud backups: iCloud and Google Drive backups are end-to-end encrypted only if the user explicitly enabled the feature with a 64-character password. If they didn't, we can pull and parse them with the cloud account credentials alone. This is, for many cases, the easiest recovery path.
Signal: by far the hardest. The local database is SQLCipher-encrypted with a key stored in the Android Keystore or iOS Secure Enclave, and Signal does not retain server-side copies. Recovery is possible only with a live device whose keystore can be unlocked, and even then deleted-message recovery is bounded by Signal's disappearing-messages settings.
Telegram: cloud-first. Most chats live on Telegram's servers and are recoverable via active session re-auth, not forensic carving. Secret Chats are device-local and follow the same SQLite WAL pattern as iMessage.
Hands-On Tutorial: Recovering Your Own Deleted Messages
If the messages you want back are recent (less than a week old) and you are comfortable with command-line tools, you can attempt the recovery yourself before engaging us. The instructions below recover deleted iMessages from a Mac that has Messages in iCloud enabled.
- Quit the Messages app on your Mac
- Make a backup copy of ~/Library/Messages/chat.db AND ~/Library/Messages/chat.db-wal
- Open Terminal and install the sqlite-utils Python package
- Run a query against the WAL-merged database to dump every readable message
- Filter by date or contact to locate the deletion window
- If the messages aren't there, the WAL has already checkpointed — proceed to undark for freelist carving
- If undark also returns nothing, the rows have been overwritten and forensic acquisition of the iPhone itself is the next step
# DIY iMessage recovery on macOS — run from Terminal
$ pkill -f Messages
$ cp ~/Library/Messages/chat.db ~/Desktop/chat.db.bak
# The WAL copy must be named <database copy>-wal or SQLite will not merge it
$ cp ~/Library/Messages/chat.db-wal ~/Desktop/chat.db.bak-wal 2>/dev/null
$ pip3 install sqlite-utils
$ sqlite-utils ~/Desktop/chat.db.bak "SELECT datetime(message.date/1000000000 + strftime('%s','2001-01-01'),'unixepoch','localtime') AS ts, handle.id AS contact, message.text FROM message LEFT JOIN handle ON message.handle_id = handle.ROWID WHERE message.text IS NOT NULL ORDER BY ts DESC LIMIT 200" --csv > recent_messages.csv
# If the message you want isn't there, try freelist carving
$ brew install undark
$ undark -i ~/Desktop/chat.db.bak --freelist | grep -i 'keyword you remember'
Evidentiary Use & Chain of Custody
Recovered messages are frequently used in divorce, custody, employment and criminal proceedings. For that to hold up, the chain of custody must be unbroken from the moment the device leaves the user's hand.
We document every step. SHA-256 hashes are computed on every artefact at acquisition and re-verified at parsing. The forensic workstation is logged before and after every action. The final deliverable is a PDF report containing the recovered content, the methodology used, the hash chain, and a sworn statement from the analyst that can be produced in court if required.
Where the matter is likely to escalate to litigation, we strongly recommend engaging us before any DIY recovery attempt. Once a non-forensic copy of the database has been opened in standard SQLite tools, the chain of custody is technically broken and opposing counsel can challenge admissibility. We can usually still recover the content, but the legal weight is reduced.