Fake iPhone SMS Detection

TL;DR

Detecting a faked iPhone SMS log is difficult but possible. Look for inconsistencies in timestamps, file system metadata, database structure anomalies, and discrepancies between the logs and carrier records. Forensic tools are often required for thorough analysis.

How to Detect a Faked iPhone SMS Log

  1. Understand the Data Sources
    • SMS Database: iPhones store messages in an SQLite database, typically located at /private/var/mobile/Library/SMS/sms.db (location may vary slightly with iOS versions).
    • File System Metadata: Timestamps associated with the database file itself can provide clues.
    • Backup Files: iCloud or iTunes backups contain copies of the SMS database. Comparing these to the current device data is crucial.
    • Carrier Records: Obtain call and message logs from the mobile carrier (requires legal authorization in most cases).
  2. Check Timestamp Consistency
    • Messages should generally be stored in chronological order based on their send/receive timestamps.
    • Look for messages with dates or times that are out of sequence. A simple SQL query can help:
      SELECT ROWID, datetime(date / 1000000000 + 978307200, 'unixepoch') AS sent_at
      FROM message WHERE handle_id = <handle_id> ORDER BY ROWID;

      Replace <handle_id> with the ROWID (from the handle table) of the contact whose conversation you are reviewing. Messages live in the message table, and on iOS 11 and later the date column holds nanoseconds since 2001-01-01 (earlier versions stored seconds, so drop the division there); the conversion above renders it as a readable timestamp. Rows are inserted in ROWID order, so a sent_at value that steps backwards as ROWID increases is out of sequence.

    • Pay attention to messages that have timestamps very close together, especially if they are from different senders.
  3. Examine File System Metadata
    • Use forensic tools (see Step 8) to view the creation, modification, and access times of the sms.db file.
    • If the database file’s last modified date is recent but the message content appears older, it’s a red flag.
  4. Inspect Database Structure
    • The SMS database has a specific schema (table structure). Alterations to this schema can indicate tampering.
      SELECT sql FROM sqlite_master WHERE type='table' AND name='message';

      This query shows the definition of the message table. Compare it with the definition taken from a known-good device or backup on the same iOS version; unexpected differences suggest manipulation.

    • Check for unusual or unexpected data types in columns (e.g., a text field containing numeric values).
  5. Look for Duplicate Message IDs
    • Each message should have a unique ID within the database. Duplicates are highly suspicious.
      SELECT COUNT(*) FROM message WHERE guid = '<message_guid>';

      Replace <message_guid> with a specific message's guid value (ROWID is the table's primary key and cannot repeat, so guid is the identifier to check). A count greater than 1 indicates a duplicate.

  6. Compare Logs to Backups
    • Restore the SMS database from an older backup (e.g., iCloud or iTunes).
    • Compare the restored database with the current database using forensic tools. Differences in message content, timestamps, or sender/recipient information are indicators of tampering.
  7. Verify Against Carrier Records
    • Obtain a detailed call and message log from the user’s mobile carrier.
    • Compare the dates, times, senders, and recipients in the iPhone SMS logs to the carrier records. Discrepancies suggest that the logs have been altered. This is often the most definitive test but requires legal process.
  8. Use Forensic Tools
    • Magnet AXIOM: Comprehensive digital forensics platform with SMS analysis capabilities.
    • Cellebrite UFED: Another leading forensic tool for mobile device extraction and analysis.
    • SQLite Browser: Useful for manually inspecting the sms.db file (requires some database knowledge). Available free online.
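The following script is an added example and is not code from the original article or from any of the tools it names. It runs Steps 2, 4, 5 and 6 above against a constructed sms.db-style database: it builds a genuine copy and a tampered copy in memory, compares the stored table definition with a baseline, looks for dates that move backwards as ROWID increases, for timestamps from different contacts landing within a couple of seconds of each other, for repeated guid values, and for messages whose text or date differ from the backup. Assumptions: the message table is trimmed to six columns (the real one has many more, so take the baseline from a known-good backup on the same iOS version), the date column holds nanoseconds since 2001-01-01 as on iOS 11 and later (set NS_PER_S to 1 for older releases that stored seconds), and every message, guid and timestamp below is made up.

```python
import sqlite3
from datetime import datetime, timezone

APPLE_EPOCH = 978307200   # seconds from the Unix epoch to 2001-01-01, the epoch iOS uses
NS_PER_S = 1_000_000_000  # iOS 11+ stores message.date as nanoseconds since 2001-01-01
                          # (older releases stored seconds; use NS_PER_S = 1 for those)

# Trimmed reference definition of the message table. Assumption for this example:
# the real table has many more columns, so in practice take the baseline from a
# known-good backup on the same iOS version rather than from here.
BASELINE_SQL = ("CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, "
                "guid TEXT UNIQUE NOT NULL, text TEXT, handle_id INTEGER, "
                "date INTEGER, is_from_me INTEGER)")


def apple_ns(iso_utc):
    """Constructed helper: ISO-8601 UTC string -> iOS 'date' value (ns since 2001-01-01)."""
    ts = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp()
    return (int(ts) - APPLE_EPOCH) * NS_PER_S


def to_iso(apple_date):
    """Render an iOS 'date' value as a readable UTC timestamp (Step 2)."""
    return datetime.fromtimestamp(apple_date / NS_PER_S + APPLE_EPOCH,
                                  tz=timezone.utc).isoformat()


def build_db(schema_sql, rows):
    """Create an in-memory database with the given table definition and rows."""
    con = sqlite3.connect(":memory:")
    con.execute(schema_sql)
    con.executemany("INSERT INTO message (guid, text, handle_id, date, is_from_me) "
                    "VALUES (?, ?, ?, ?, ?)", rows)
    return con


def check_schema(con, baseline=BASELINE_SQL):
    """Step 4: the CREATE statement kept in sqlite_master must match the baseline."""
    (sql,) = con.execute(
        "SELECT sql FROM sqlite_master WHERE type='table' AND name='message'").fetchone()
    return " ".join(sql.split()) == " ".join(baseline.split())


def out_of_order(con):
    """Step 2: ROWIDs are assigned on insert, so date should not move backwards as
    ROWID grows. Returns (ROWID, timestamp) for rows dated earlier than the row before."""
    prev, flagged = None, []
    for rowid, date in con.execute("SELECT ROWID, date FROM message ORDER BY ROWID"):
        if prev is not None and date < prev:
            flagged.append((rowid, to_iso(date)))
        prev = date
    return flagged


def near_collisions(con, window_s=2):
    """Step 2: pairs of messages from different handles stamped within window_s seconds."""
    q = ("SELECT a.ROWID, b.ROWID FROM message a JOIN message b ON a.ROWID < b.ROWID "
         "WHERE a.handle_id != b.handle_id AND abs(a.date - b.date) <= ?")
    return con.execute(q, (window_s * NS_PER_S,)).fetchall()


def duplicate_guids(con):
    """Step 5: guid is unique per message; a repeated guid means rows were copied."""
    return [g for (g,) in con.execute(
        "SELECT guid FROM message GROUP BY guid HAVING COUNT(*) > 1")]


def diff_against_backup(con, backup):
    """Step 6: guids whose text/date differ from the backup, and guids present on one side only."""
    def snapshot(c):
        return {g: (t, d) for g, t, d in c.execute("SELECT guid, text, date FROM message")}
    cur, old = snapshot(con), snapshot(backup)
    changed = sorted(g for g in cur.keys() & old.keys() if cur[g] != old[g])
    return changed, sorted(cur.keys() - old.keys()), sorted(old.keys() - cur.keys())


def demo():
    """Constructed scenario: a genuine backup and a tampered current database."""
    genuine = [
        ("g-1", "On my way", 1, apple_ns("2024-03-01T09:00:00"), 0),
        ("g-2", "ok see you there", 1, apple_ns("2024-03-01T09:02:00"), 1),
        ("g-3", "Did you send the invoice?", 2, apple_ns("2024-03-01T10:30:00"), 0),
    ]
    backup = build_db(BASELINE_SQL, genuine)
    # Tampered copy: UNIQUE dropped from guid so a row can be copied, one text edited,
    # one back-dated message appended, and one existing row duplicated.
    tampered_sql = BASELINE_SQL.replace("guid TEXT UNIQUE NOT NULL", "guid TEXT")
    edited = [genuine[0],
              ("g-2", "I never agreed to that", 1, genuine[1][3], 1),
              genuine[2],
              ("g-4", "Forget what I said", 2, apple_ns("2024-03-01T09:00:01"), 0),
              genuine[2]]
    current = build_db(tampered_sql, edited)
    changed, only_current, only_backup = diff_against_backup(current, backup)
    return {"schema_ok": check_schema(current),
            "out_of_order": out_of_order(current),
            "near_collisions": near_collisions(current),
            "duplicate_guids": duplicate_guids(current),
            "changed": changed, "only_current": only_current, "only_backup": only_backup}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

Run against a real extraction by replacing the in-memory databases with `sqlite3.connect("sms.db")` and the backup copy, and by setting BASELINE_SQL from a trusted device on the same iOS version. Each function reports one indicator; none of them is conclusive on its own, which is why the article's Step 7 (carrier records) remains the definitive check.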