deleted facebbok me...
 
Notifications
Clear all

deleted facebbok messages ( facebook messenger ) !!

12 Posts
5 Users
0 Likes
1,772 Views
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

hello all …
i got a new case and i rooted the phone successfully it's mi redmi4 … but how i can find the deleted facebook messages??

 
Posted : 12/06/2019 4:44 pm
(@thomass30)
Posts: 110
Estimable Member
 

Look at threads_db2 database

 
Posted : 13/06/2019 6:24 am
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Look at threads_db2 database

Does they show deleted entries or just existing ones !

 
Posted : 13/06/2019 9:39 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

The db holds everything, if it wasn't vacuumed, you can find the messages with active and deleted flags as well. If it was vacuumed, the deleted are gone forever, so try finding at sector level the previous versions of the threads_db2 database as well.

 
Posted : 13/06/2019 10:12 am
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

The db holds everything, if it wasn't vacuumed, you can find the messages with active and deleted flags as well. If it was vacuumed, the deleted are gone forever, so try finding at sector level the previous versions of the threads_db2 database as well.

Ok i will check and let u now , thank u

 
Posted : 13/06/2019 2:04 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

i did not find deleted msg's in the facebook db !!
and when i try to make a dd image it's encrypted i dont know why !! i already have the phone pin code and it's already rooted !! why the image is encrypted ??

is this happen because userdata Partition not mounted !!

rootfs on / type rootfs (ro,seclabel,size=1330828k,nr_inodes=332707)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1436904k,nr_inodes=359226,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
none on /dev/memcg type cgroup (rw,relatime,memory)
none on /dev/cpuctl type cgroup (rw,relatime,cpu)
none on /dev/cpuset type cgroup (rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
none on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=750,gid=1000)
none on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
none on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
none on /acct type cgroup (rw,relatime,cpuacct)
tmpfs on /mnt type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7)
none on /config type configfs (rw,relatime)
/dev/block/mmcblk0p24 on /system type ext4 (rw,seclabel,noatime,discard,data=ordered)
/dev/block/mmcblk0p48 on /cust type ext4 (rw,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p26 on /persist type ext4 (rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk0p25 on /cache type ext4 (rw,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p12 on /dsp type ext4 (ro,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p1 on /firmware type vfat (ro,context=uobject_rfirmware_files0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,relatime,nobarrier,noauto_da_alloc,data=ordered)
/dev/block/loop0 on /su type ext4 (rw,seclabel,noatime,data=ordered)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6)
tmpfs on /storage/self type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)

the userdata in encrypted !! i try to mount it by
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
it's gives no error but when i go to /data/local/tmp/qan it's empty !!

 
Posted : 14/06/2019 10:03 am
(@arcaine2)
Posts: 235
Estimable Member
 

i did not find deleted msg's in the facebook db !!
and when i try to make a dd image it's encrypted i dont know why !! i already have the phone pin code and it's already rooted !! why the image is encrypted ??

is this happen because userdata Partition not mounted !!

the userdata in encrypted !! i try to mount it by
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
it's gives no error but when i go to /data/local/tmp/qan it's empty !!

You dumped /dev/block/mmcblk0 so it's normal that it contain encrypted stuff. Since you mentioned that you have root on that Redmi 4, try dumping /dev/block/dm-0 as well (while the phone is fully booted into Andriod) and you'll have a decrypted userdata partition image to work on.

 
Posted : 14/06/2019 4:20 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

i did not find deleted msg's in the facebook db !!
and when i try to make a dd image it's encrypted i dont know why !! i already have the phone pin code and it's already rooted !! why the image is encrypted ??

is this happen because userdata Partition not mounted !!

the userdata in encrypted !! i try to mount it by
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
it's gives no error but when i go to /data/local/tmp/qan it's empty !!

You dumped /dev/block/mmcblk0 so it's normal that it contain encrypted stuff. Since you mentioned that you have root on that Redmi 4, try dumping /dev/block/dm-0 as well (while the phone is fully booted into Andriod) and you'll have a decrypted userdata partition image to work on.

works D , thank u very much … but i need to understand why this happen ?? why i should dump dm-0 to get data in clear ?
and let's back to our topic i search in threads_db2 for deleted conversions i did not find them (is there any solution to find any proof ??

 
Posted : 14/06/2019 5:32 pm
(@arcaine2)
Posts: 235
Estimable Member
 

why i should dump dm-0 to get data in clear ?

Because phone decrypts /dev/block/mmcblk0p49 (in your case) while booting and uses /dev/block/dm-0 as a device that is then mounted as /data/. This is common for pretty much all Android based phones using FDE.

You can clearly see it in your mounts list

/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,relatime,nobarrier,noauto_da_alloc,data=ordered)

 
Posted : 14/06/2019 6:30 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

okay thank u my brother ) , so is there any chance to restore deleted facebook chat ?? they are not in threads_db2

 
Posted : 14/06/2019 6:41 pm
Page 1 / 2
Share: