
Facebook Messenger messages on mobile - threads_db2

7 Posts
3 Users
0 Likes
2,124 Views
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Hello,
I separated the file that contains Facebook Messenger messages - threads_db2 - from the rooted Samsung Galaxy S6 Edge phone. When I open this file in Notepad I can find the messages inside all the other unimportant mess within this file.
But when I use Magnet IEF, Magnet Axiom, the Firefox add-on SQLite Manager and even the app called Andriller (which should decode this file and show me messages) I don't see any messages!

For example, in SQLite Manager the Text column is empty! Why?

https://ibb.co/chcXoa
Could anyone please help me with this?

 
Posted : 13/09/2017 7:44 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I suspect that the records you can't find are deleted - SQLite Manager won't find these; Magnet's tools should find them. I know little about Andriller.

My software of course should recover the deleted records.

https://sandersonforensics.com/forum/content.php?198-Forensic-Browser-for-SQLite

As to why the text field is blank: it's hard to say just looking at a subset of the data, but threads_db2 databases I have seen where there is an attachment (as seems to be the case with most of your examples) don't usually have text associated with them.

Messages with type -1 could be system messages and also don't seem to have text associated with them.

 
Posted : 13/09/2017 9:27 pm
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Thanks for the reply.
I don't know if I understand you correctly…

When I open the Facebook Messenger app on the phone (offline) I see the messages.
Then when I open the threads_db2 file inside com.facebook.orca I can find exactly the same messages which I see on the phone.

But when I use Magnet IEF or Magnet Axiom or the tools I mentioned first to analyze that file or the whole com.facebook.orca folder, I can see some Facebook stuff as a result but not these messages.

Maybe I can send this file to someone who has experience with this to check it?

 
Posted : 14/09/2017 6:02 am
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

I solved the problem.
Case closed )
sorry about the confusion

 
Posted : 15/09/2017 8:53 am
(@merriora)
Posts: 44
Eminent Member
 

I solved the problem.
Case closed )
sorry about the confusion

Would you be willing to share the issue?

Others may run into the same problem.

 
Posted : 15/09/2017 1:45 pm
(@thomass30)
Posts: 110
Estimable Member
Topic starter
 

Sure…

I think it was somehow my fault…
I did a physical image of the rooted phone once again…
And this time the file threads_db2 was a different size (larger).

IEF found the messages with no problem.

I can't explain how it is possible the file was a different size this time. 😯
I suppose I did something wrong the first time.

 
Posted : 15/09/2017 2:39 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

The threads_db2 database uses a rollback journal that keeps a copy of any pages that will be changed during the current transaction. If the transaction fails, the contents of the journal are written back to the database and the DB is truncated if required.

It is possible that when you copied the DB it was mid-transaction, and then when you opened FB on the phone SQLite saw the journal was live and restored the pages.

 
Posted : 15/09/2017 7:49 pm
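
Added example, not part of the thread or of any poster's tool: a Python check an examiner could run on an extracted copy to see whether a `threads_db2-journal` file with a live header sits beside the database. It reads raw bytes only, so SQLite never opens the evidence and never replays the journal. The header layout follows the SQLite file format; the `messages` table, the function names and the sample journal values are constructed for illustration.

```python
import os, sqlite3, struct, tempfile

JOURNAL_MAGIC = bytes.fromhex("d9d505f920a163d7")  # SQLite rollback-journal header magic

def db_page_size(db_path):
    """Page size from the 100-byte database header (offset 16, big-endian)."""
    with open(db_path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database: " + db_path)
    size = struct.unpack(">H", hdr[16:18])[0]
    return 65536 if size == 1 else size  # the value 1 encodes 65536

def journal_state(db_path):
    """Inspect <db>-journal without opening the database through SQLite."""
    jpath = db_path + "-journal"
    if not os.path.exists(jpath):
        return {"state": "no-journal"}
    with open(jpath, "rb") as f:
        hdr = f.read(28)
    # A zero-length file or a zeroed header is a finished journal, not a live one.
    if len(hdr) < 28 or hdr[:8] != JOURNAL_MAGIC:
        return {"state": "journal-not-live"}
    n_rec, _nonce, orig_pages, _sector, j_page = struct.unpack(">iIIII", hdr[8:28])
    cur_pages = os.path.getsize(db_path) // db_page_size(db_path)
    return {"state": "live-journal", "page_records": n_rec,
            "pages_before_txn": orig_pages, "pages_now": cur_pages,
            "journal_page_size": j_page,
            "rollback_resizes_db": orig_pages != cur_pages}

def make_sample(folder):
    """Constructed sample: a tiny database plus a hand-built live journal header."""
    db = os.path.join(folder, "threads_db2")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE messages (text TEXT)")  # hypothetical schema
    con.commit()
    con.close()
    # Fields: record count, nonce, DB size in pages before the transaction,
    # sector size, page size. All values here are constructed.
    header = JOURNAL_MAGIC + struct.pack(">iIIII", 1, 0x1234, 1, 512, db_page_size(db))
    with open(db + "-journal", "wb") as f:
        f.write(header.ljust(512, b"\x00"))  # header is padded to the sector size
    return db

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(journal_state(make_sample(tmp)))
```

A `live-journal` result means the database and journal should be hashed and preserved together, and examined only on working copies, because any SQLite-based viewer that opens the database will roll the journal back and change the file.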