A client comes in with a case hinging on deleted text messages. Their attorney has already told them: “The forensic expert will recover whatever was deleted.”

Now I have to have a different conversation.

I’ve been doing mobile forensics long enough to see the damage that overclaiming causes. Examiners who promise deleted message recovery and deliver nothing lose cases for their clients. Examiners who claim confident recovery of messages that were never there create the worst kind of evidence problem: fabricated certainty. And the field as a whole suffers when courts see forensic experts as salespeople rather than scientists.

So let’s talk honestly about what SQLite free pages actually are, what they actually contain, and what “deleted message recovery” really means in practice.

What Actually Happens When a Message Is Deleted

When you delete a message in iMessage, WhatsApp, or any other app using SQLite, the following happens:

The database engine marks the row as deleted. The space those bytes occupied is added to the database’s “free list” — a pool of pages marked as available for future writes. The actual bytes are not overwritten. Not yet.

This is the foundation of forensic recovery. The data remains on disk until new data needs that space and overwrites it.

But here’s the part the vendor brochures skip: the database has no obligation to wait. The moment any new database activity occurs — a new message received, an app open event logged, a sync timestamp updated — those free pages become candidates for overwriting. The heaviest SQLite databases (iMessage on an active phone, WhatsApp on a heavy user’s device) can see hundreds of write operations per day.

That means the window between “message deleted” and “message unrecoverable” can be very short. Days. Sometimes hours.

What Free Pages Actually Contain

When forensic tools analyze SQLite free pages, they’re carving raw bytes for recognizable data patterns. The recovered fragments might be:

A complete row: timestamp, sender, full message text, all fields intact.

A partial row: some fields present, others overwritten. The timestamp survived but the text is gone. The text survived but the sender is corrupted. You have something but not everything.

Unstructured fragments: sequences of bytes that partially match database record patterns but can’t be reconstructed into coherent evidence. Your tool might flag these; most shouldn’t make it into a court exhibit.

Garbage: bytes that coincidentally resemble record patterns but are actually overwritten data from a completely different record. This is why automated free-page carving requires human review. The tool will find things. Not all of them are what they appear to be.

The honest answer to “can you recover the deleted messages?” is: “It depends on when they were deleted, how much database activity occurred after deletion, and what the tool finds in the free pages. I can examine and report whatever is recoverable. I cannot promise what that will be.”
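To make the free-page mechanics concrete, the following is an added example, not code from the original post or from any forensic tool. It walks the freelist from the file header and triages each free page. The table name `message`, the phone number, and the rows are constructed, and the sample turns `secure_delete` off so that freed bytes are left in place.

```python
import re, sqlite3, struct, tempfile
from pathlib import Path

def build_sample(path):
    """Constructed test database: insert 400 rows, then delete them all."""
    con = sqlite3.connect(path)
    for pragma in ("page_size=4096", "auto_vacuum=NONE", "secure_delete=OFF"):
        con.execute(f"PRAGMA {pragma}")          # secure_delete=ON would zero freed bytes
    con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    rows = [("+15550100", f"constructed message {i:04d} " + "x" * 60) for i in range(400)]
    con.executemany("INSERT INTO message(sender, body) VALUES(?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM message")
    con.commit()
    con.close()

def walk_freelist(data):
    """Return (page_size, header_count, [(page_no, role)]) from the raw file bytes."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database file")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    trunk, header_count = struct.unpack(">II", data[32:40])  # first trunk page, total free pages
    pages, seen = [], set()
    while trunk and trunk not in seen and trunk * page_size <= len(data):
        seen.add(trunk)                          # stop on a looping trunk chain
        off = (trunk - 1) * page_size
        nxt, n = struct.unpack(">II", data[off:off + 8])
        n = min(n, page_size // 4 - 2)           # cap a corrupt leaf count
        leaves = struct.unpack(f">{n}I", data[off + 8:off + 8 + 4 * n])
        pages += [(trunk, "trunk")] + [(p, "leaf") for p in leaves]
        trunk = nxt
    return page_size, header_count, pages

def triage(path):
    """Per free page: role, whether it is zero-filled, and printable runs (unverified)."""
    data = Path(path).read_bytes()
    page_size, header_count, pages = walk_freelist(data)
    report = []
    for page_no, role in pages:
        raw = data[(page_no - 1) * page_size:page_no * page_size]
        runs = re.findall(rb"[\x20-\x7e]{12,}", raw)
        report.append({"page": page_no, "role": role, "zeroed": not any(raw), "unverified_runs": runs})
    return header_count, report

def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample(str(Path(d) / "sample.db"))
        return triage(Path(d) / "sample.db")
```

A carved run can start with stray characters, because record-header bytes next to the text sometimes fall in the printable range; that is expected and is one reason each run is labelled unverified.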

Where This Goes Wrong

I’ve seen expert reports where an examiner listed ten “recovered” messages in the free pages, five of which were clearly corrupted fragments with implausible timestamps or sender identifiers. The other five were probably real. But by including all ten and presenting them with equal confidence, the examiner handed opposing counsel a target.

In cross-examination, destroying credibility on two obviously bad fragments is enough to cast doubt on all ten.

The discipline is knowing when not to include something. If a fragment can’t be independently corroborated — if the timestamp doesn’t align with other data, if the sender identifier doesn’t match any known contact, if the text is garbled — report it as an unverifiable fragment or don’t report it at all. Partial recovery honestly characterized as partial is more valuable than full recovery overclaimed into doubt.

The WAL File Is Your Friend (Sometimes)

One genuinely useful recovery vector that doesn’t involve free pages: the SQLite Write-Ahead Log (WAL file).

SQLite databases in WAL mode write transactions to the -wal file before they’re committed to the main database. Under certain circumstances — specifically, if you’re extracting a device quickly after a deletion and the WAL hasn’t been checkpointed — the WAL file may contain a transaction record of data that was added and then deleted.

This is real. It’s not common, but it happens.

The WAL file’s usefulness is highly time-sensitive. WAL checkpointing (the process of writing WAL transactions into the main database) happens automatically. On an active device, checkpointing can occur every few minutes. If you’re examining a device more than a few hours after relevant deletions, the WAL is probably already checkpointed and the relevant transaction is now gone.

Always capture the -wal file alongside the main database. Hash it separately. Document that you examined it. If it contains useful data, that’s a legitimate recovery. If it doesn’t, say so.
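The capture-and-hash step above, as an added example that is not part of the original post: it hashes a `-wal` file, then reads its header and frame headers directly instead of opening it through SQLite. The table name `message`, the file names, and the row are constructed for the demonstration.

```python
import hashlib, re, shutil, sqlite3, struct, tempfile
from pathlib import Path

WAL_MAGICS = (0x377F0682, 0x377F0683)   # the two values SQLite writes at offset 0

def parse_wal(wal_path):
    """Hash a -wal file and list its frames without opening it through SQLite."""
    data = Path(wal_path).read_bytes()
    if len(data) < 32:
        raise ValueError("WAL file is empty or truncated")
    magic, _ver, page_size, ckpt_seq, salt1, salt2 = struct.unpack(">6I", data[:24])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    frames, off = [], 32                  # 32-byte WAL header, then 24-byte frame headers
    while off + 24 + page_size <= len(data):
        page_no, db_size, f_salt1, f_salt2 = struct.unpack(">4I", data[off:off + 16])
        body = data[off + 24:off + 24 + page_size]
        frames.append({
            "page": page_no,
            "commit": db_size != 0,       # nonzero only on the last frame of a transaction
            "current": (f_salt1, f_salt2) == (salt1, salt2),  # False: older WAL generation
            "text_runs": re.findall(rb"[\x20-\x7e]{12,}", body),  # unverified until corroborated
        })
        off += 24 + page_size
    return {"sha256": hashlib.sha256(data).hexdigest(), "page_size": page_size,
            "checkpoint_seq": ckpt_seq, "frames": frames}  # frame checksums not verified here

def demo():
    """Constructed sample: insert a row, delete it, copy the WAL before any checkpoint."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "sample.db"
        con = sqlite3.connect(str(db), isolation_level=None)   # autocommit
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO message(body) VALUES('constructed message, later deleted')")
        con.execute("DELETE FROM message")
        live_rows = con.execute("SELECT count(*) FROM message").fetchone()[0]
        copy = Path(d) / "evidence.db-wal"
        shutil.copyfile(f"{db}-wal", copy)   # copied while open; a clean close checkpoints
        result = parse_wal(copy)
        con.close()
        return live_rows, result
```

In the sample the live table reports zero rows while the frame written by the insert still carries the text, which is the situation the section describes.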

Reporting Limitations Is Not Admitting Failure

There’s a culture problem in parts of the forensic industry: examiners are afraid that “I couldn’t recover X” makes them look incompetent. The opposite is true.

An examiner who says “The SQLite free pages for this database contained no recoverable message records consistent with the deleted conversation — likely due to the volume of database writes in the 72 hours between deletion and extraction” is demonstrating expertise. They know the mechanism, they know why recovery failed, and they can articulate it clearly.

An examiner who says “The messages were unrecoverable” with no explanation looks like they ran a tool and shrugged.

And an examiner who claims to have recovered messages that weren’t actually there is committing something close to fraud — and will be found out.

The certifications we work toward — CCE, CFCE, CCME — exist precisely to set standards for this kind of professional conduct. Honest reporting isn’t optional. It’s the job.

What to Tell Attorneys (Before They Tell Their Clients)

Set expectations at intake. Before anyone has been promised anything:

Tell the attorney that deleted message recovery depends on when the deletion occurred and how much subsequent device activity there was. If the phone was actively used for three months after the messages were deleted, the probability of free-page recovery is low. If you’re examining the device within days of deletion, it’s higher.

Tell them that you’ll report what’s there, not what they want to be there.

Tell them that partial recovery is possible and legitimate, but that incomplete fragments require careful characterization.

And remind them that even when full recovery isn’t possible, device examination often produces other useful evidence — conversation metadata, notification records, CDR logs, app activity patterns — that can corroborate what other witnesses say happened.

Evidence of a deleted conversation isn’t always in the deletion. Sometimes it’s in everything around it.

For mobile forensic examination where accuracy and defensible reporting are non-negotiable, contact Derick Downs at Digital Forensics Today or visit ExtractPhone.
