Facebook Messenger messages on mobile - threads_db2


Post Posted: Wed Sep 13, 2017 1:44 pm

Hello,
I separated the file that contains Facebook Messenger messages - threads_db2 - from the rooted Samsung Galaxy S6 Edge phone. When I open this file in Notepad I can find the messages inside all the other unimportant mess within this file.
But when I use Magnet IEF, Magnet Axiom, the Firefox add-on SQLite Manager and even the app called Andriller (which should decode this file and show me messages) I don't see any messages!

For example, in SQLite Manager the Text column is empty! Why?

ibb.co/chcXoa
Could anyone please help me with this?

Thomass30
Member
 
 
  

Re: Facebook Messenger messages on mobile - threads_db2

Post Posted: Wed Sep 13, 2017 3:27 pm

I suspect that the records you can't find are deleted - SQLite Manager won't find these; Magnet's tools should find them. I know little about Andriller.

My software of course should recover the deleted records:

sandersonforensics.com...for-SQLite

As to why the text field is blank: it's hard to say just looking at a subset of the data, but threads_db2 databases I have seen where there is an attachment (as seems to be the case with most of your examples) don't usually have text associated with them.

Messages with type -1 could be system messages and also don't seem to have text associated with them.


_________________
Paul Sanderson
Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 

PaulSanderson
Senior Member
 
 
  

Re: Facebook Messenger messages on mobile - threads_db2

Post Posted: Thu Sep 14, 2017 12:02 am

Thanks for the reply.
I don't know if I understand you correctly...

When I open the Facebook Messenger app on the phone (offline) I see the messages.
Then when I open the threads_db2 file inside com.facebook.orca I can find exactly the same messages which I see on the phone.

But when I use Magnet IEF or Magnet Axiom or the tools I mentioned first to analyze that file or the whole com.facebook.orca folder, I can see some Facebook stuff as a result but not these messages.

Maybe I can send this file to someone who has experience with this to check it?

Thomass30
Member
 
 
  

Re: Facebook Messenger messages on mobile - threads_db2

Post Posted: Fri Sep 15, 2017 2:53 am

I solved the problem.
Case closed.
Sorry about the confusion.

Thomass30
Member
 
 
  

Re: Facebook Messenger messages on mobile - threads_db2

Post Posted: Fri Sep 15, 2017 7:45 am

- Thomass30
I solved the problem.
Case closed.
Sorry about the confusion.


Would you be willing to share the issue?

Others may run into the same problem.  

Merriora
Member
 
 
  

Re: Facebook Messenger messages on mobile - threads_db2

Post Posted: Fri Sep 15, 2017 8:39 am

Sure...

I think it was somehow my fault...
I did a physical image of the rooted phone once again...
And this time the file threads_db2 was a different size (larger).

IEF found the messages with no problem.

I can't explain how it is possible that the file was a different size this time.
I suppose I did something wrong the first time.

Thomass30
Member
 
 
  

Re: Facebook Messenger messages on mobile - threads_db2

Post Posted: Fri Sep 15, 2017 1:49 pm

The threads_db2 database uses a rollback journal that keeps a copy of any pages that will be changed during the current transaction. If the transaction fails, the contents of the journal are written back to the database and the DB is truncated if required.

It is possible that when you copied the DB it was mid-transaction, and then when you opened FB on the phone SQLite saw the journal was live and restored the pages.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 

PaulSanderson
Senior Member
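
The rollback-journal situation described in the last reply can be checked on an extracted copy before any tool opens the database. The following is an added example, not part of the original thread or of any tool named in it: it reads the raw header of a `threads_db2-journal` file (layout per the public SQLite file-format documentation) and reports the size the database would have after a rollback. The function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

JOURNAL_MAGIC = bytes.fromhex("d9d505f920a163d7")  # SQLite rollback-journal header magic

def check_rollback_journal(db_path):
    """Report whether <db_path>-journal looks like a live (hot) rollback journal.

    Only raw bytes are read; the database is never opened with SQLite,
    so no rollback is triggered on the evidence copy.
    """
    journal_path = db_path + "-journal"
    result = {"journal_present": os.path.exists(journal_path), "hot": False}
    if not result["journal_present"]:
        return result
    with open(journal_path, "rb") as fh:
        header = fh.read(28)
    # After a commit the journal is deleted, truncated or has its header zeroed.
    if len(header) < 28 or header[:8] != JOURNAL_MAGIC:
        return result
    # Big-endian: page count, nonce, initial DB size in pages, sector size, page size.
    pages, _nonce, initial_pages, _sector, page_size = struct.unpack(">iIIII", header[8:28])
    result.update(
        hot=True,                      # valid header: SQLite would replay this journal
        journal_pages=pages,           # -1 means "derive from journal file size"
        db_size_now=os.path.getsize(db_path),
        db_size_after_rollback=initial_pages * page_size,
    )
    return result

def build_sample(directory):
    """Constructed sample: 8-page DB file plus a journal recording a 5-page start state."""
    db_path = os.path.join(directory, "threads_db2")
    with open(db_path, "wb") as fh:
        fh.write(b"SQLite format 3\x00" + b"\x00" * (8 * 4096 - 16))
    header = JOURNAL_MAGIC + struct.pack(">iIIII", 2, 0x1234, 5, 512, 4096)
    with open(db_path + "-journal", "wb") as fh:
        fh.write(header.ljust(512, b"\x00"))  # header is padded to the sector size
    return db_path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_rollback_journal(build_sample(tmp)))
```

If `hot` is true, keep the database and its `-journal` file together, hash both, and examine working copies only, since opening the pair with the SQLite library replays the journal and changes the database file.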
 
 
