Deleted Facebook messages (Facebook Messenger)!!


qassam22222
Senior Member

Posted: Jun 12, 19 16:44

Hello all ...
I got a new case and I rooted the phone successfully; it's a Mi Redmi 4 ... but how can I find the deleted Facebook messages??
 
  

Thomass30
Senior Member

Posted: Jun 13, 19 06:24

Look at the threads_db2 database.
 
  

qassam22222
Senior Member

Posted: Jun 13, 19 09:39

- Thomass30
Look at threads_db2 database

Does it show deleted entries or just existing ones?
 
  

passcodeunlock
Senior Member

Posted: Jun 13, 19 10:12

The db holds everything; if it wasn't vacuumed, you can find the messages with active and deleted flags as well. If it was vacuumed, the deleted ones are gone forever, so try finding the previous versions of the threads_db2 database at sector level as well.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
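
The point about vacuuming can be checked on any SQLite file before carving it. The following is an added example, not code from the thread: it reads the freelist fields of the SQLite file header and shows, on a throwaway database with a hypothetical `messages` table (not Messenger's real schema), that deleted rows stay in free pages until VACUUM runs.

```python
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"

def header_info(path, marker=b""):
    """Read the SQLite header fields that matter for deleted-record recovery."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", raw[16:18])[0]
    first_trunk, free_pages = struct.unpack(">II", raw[32:40])
    largest_root = struct.unpack(">I", raw[52:56])[0]
    return {
        "page_size": 65536 if page_size == 1 else page_size,
        "first_freelist_trunk": first_trunk,   # 0 when the freelist is empty
        "freelist_pages": free_pages,          # unused pages still in the file
        "auto_vacuum": largest_root != 0,      # non-zero means auto/incremental vacuum
        "marker_in_file": bool(marker) and marker in raw,
    }

def demo():
    """Build a constructed database, delete its rows, then VACUUM it."""
    marker = b"CONSTRUCTED-SAMPLE-MESSAGE"     # sample text, not real evidence
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("PRAGMA auto_vacuum=NONE")   # freed pages stay in the file
        con.execute("PRAGMA secure_delete=OFF")  # some builds zero freed content
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("BEGIN")
        con.executemany("INSERT INTO messages (body) VALUES (?)",
                        [("%s #%d" % (marker.decode(), i),) for i in range(500)])
        con.execute("COMMIT")
        con.execute("DELETE FROM messages")
        con.close()
        before = header_info(path, marker)
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("VACUUM")                    # rebuilds the file, drops free pages
        con.close()
        return before, header_info(path, marker)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

On a working copy of an evidence database, a non-zero `freelist_pages` from `header_info(path)` means there are free pages worth examining for old records.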
 
  

qassam22222
Senior Member

Posted: Jun 13, 19 14:04

- passcodeunlock
The db holds everything, if it wasn't vacuumed, you can find the messages with active and deleted flags as well. If it was vacuumed, the deleted are gone forever, so try finding at sector level the previous versions of the threads_db2 database as well.

OK, I will check and let you know, thank you.
 
  

qassam22222
Senior Member

Posted: Jun 14, 19 10:03

I did not find deleted messages in the Facebook db!!
And when I try to make a dd image, it's encrypted, I don't know why!! I already have the phone PIN code and it's already rooted!! Why is the image encrypted??

Is this happening because the userdata partition is not mounted?!

rootfs on / type rootfs (ro,seclabel,size=1330828k,nr_inodes=332707)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1436904k,nr_inodes=359226,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
none on /dev/memcg type cgroup (rw,relatime,memory)
none on /dev/cpuctl type cgroup (rw,relatime,cpu)
none on /dev/cpuset type cgroup (rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
none on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=750,gid=1000)
none on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
none on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
none on /acct type cgroup (rw,relatime,cpuacct)
tmpfs on /mnt type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7)
none on /config type configfs (rw,relatime)
/dev/block/mmcblk0p24 on /system type ext4 (rw,seclabel,noatime,discard,data=ordered)
/dev/block/mmcblk0p48 on /cust type ext4 (rw,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p26 on /persist type ext4 (rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk0p25 on /cache type ext4 (rw,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p12 on /dsp type ext4 (ro,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p1 on /firmware type vfat (ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,relatime,nobarrier,noauto_da_alloc,data=ordered)
/dev/block/loop0 on /su type ext4 (rw,seclabel,noatime,data=ordered)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6)
tmpfs on /storage/self type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)

The userdata is encrypted!! I tried to mount it with
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
It gives no error, but when I go to /data/local/tmp/qan it's empty!!
 
  

arcaine2
Senior Member

Posted: Jun 14, 19 16:20

- qassam22222
i did not find deleted msg's in the facebook db !!
and when i try to make a dd image it's encrypted i dont know why !! i already have the phone pin code and it's already rooted !! why the image is encrypted ??

is this happen because userdata Partition not mounted !!

the userdata in encrypted !! i try to mount it by
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
it's gives no error but when i go to /data/local/tmp/qan it's empty !!


You dumped /dev/block/mmcblk0, so it's normal that it contains encrypted stuff. Since you mentioned that you have root on that Redmi 4, try dumping /dev/block/dm-0 as well (while the phone is fully booted into Android) and you'll have a decrypted userdata partition image to work on.
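
A quick way to tell whether a dd image is the raw encrypted partition or the decrypted dm-0 view is to look for the ext superblock, since the mount output earlier in the thread shows /data as ext4. This is an added example, not code from the thread; both sample buffers are constructed and the 7.5 bits/byte entropy threshold is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter

EXT_MAGIC_OFFSET = 1024 + 0x38  # s_magic field of the superblock at byte 1024
EXT_MAGIC = 0xEF53              # shared by ext2/ext3/ext4

def shannon_entropy(data):
    """Bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_image_head(head):
    """Classify the first 4096 bytes of a partition image."""
    if len(head) < 2048:
        raise ValueError("need at least the first 2048 bytes of the image")
    magic = struct.unpack_from("<H", head, EXT_MAGIC_OFFSET)[0]
    entropy = round(shannon_entropy(head[:4096]), 2)
    if magic == EXT_MAGIC:
        verdict = "ext superblock found: decrypted filesystem view"
    elif entropy > 7.5:  # threshold is an assumption of this example
        verdict = "no superblock, high entropy: likely still encrypted"
    else:
        verdict = "no superblock: not ext4, or not the start of the partition"
    return {"ext_magic": magic == EXT_MAGIC, "entropy": entropy, "verdict": verdict}

def sample_images():
    """Constructed inputs: a zeroed block with only the ext magic set, and
    4096 pseudo-random bytes standing in for a raw encrypted partition."""
    plain = bytearray(4096)
    struct.pack_into("<H", plain, EXT_MAGIC_OFFSET, EXT_MAGIC)
    raw = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    return bytes(plain), raw

if __name__ == "__main__":
    for name, head in zip(("dm-0 style", "raw style"), sample_images()):
        print(name, classify_image_head(head))
```

For a real image, pass the first 4096 bytes read from the file to `classify_image_head`.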
 
