deleted facebook messages ( facebook messenger ) !!

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)

qassam22222
Senior Member

Re: deleted facebook messages ( facebook messenger ) !!

Posted: Jun 14, 19 17:32

- arcaine2
- qassam22222
I did not find deleted msgs in the Facebook db !!
and when I try to make a dd image it's encrypted, I don't know why !! I already have the phone PIN code and it's already rooted !! Why is the image encrypted ??

Is this happening because the userdata partition is not mounted !!

The userdata is encrypted !! I try to mount it by
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
It gives no error but when I go to /data/local/tmp/qan it's empty !!


You dumped /dev/block/mmcblk0 so it's normal that it contains encrypted stuff. Since you mentioned that you have root on that Redmi 4, try dumping /dev/block/dm-0 as well (while the phone is fully booted into Android) and you'll have a decrypted userdata partition image to work on.


Works :D, thank you very much ... but I need to understand why this happens ?? Why should I dump dm-0 to get data in clear ?
And let's get back to our topic: I searched in threads_db2 for deleted conversations, I did not find them :( Is there any solution to find any proof ??

arcaine2
Senior Member

Re: deleted facebook messages ( facebook messenger ) !!

Posted: Jun 14, 19 18:30

- qassam22222

Why should I dump dm-0 to get data in clear ?


Because the phone decrypts /dev/block/mmcblk0p49 (in your case) while booting and uses /dev/block/dm-0 as a device that is then mounted as /data/. This is common for pretty much all Android-based phones using FDE.

You can clearly see it in your mounts list:


/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,relatime,nobarrier,noauto_da_alloc,data=ordered)
 

Last edited by arcaine2 on Jun 15, 19 09:46; edited 1 time in total
 
  

qassam22222
Senior Member

Re: deleted facebook messages ( facebook messenger ) !!

Posted: Jun 14, 19 18:41

Okay, thank you my brother :), so is there any chance to restore the deleted Facebook chat ?? They are not in threads_db2
 
  

UnallocatedClusters
Senior Member

Re: deleted facebook messages ( facebook messenger ) !!

Posted: Jun 14, 19 23:30

Hello,

Q: Is it possible to write a GREP script to "carve" the image for all SQLite database files including WAL files?

Q: Is this what you mean by "try finding at sector level the previous versions of the threads_db2 database as well"?

Q: Does Android OS have the equivalent of Windows volume shadow copies or some type of restore points which one could roll back to in hopes of restoring earlier versions of SQLite files etc.?
 
  

qassam22222
Senior Member

Re: deleted facebook messages ( facebook messenger ) !!

Posted: Jun 28, 19 22:55

- UnallocatedClusters
Hello,

Q: Is it possible to write a GREP script to "carve" the image for all SQLite database files including WAL files?

Q: Is this what you mean by "try finding at sector level the previous versions of the threads_db2 database as well"?

Q: Does Android OS have the equivalent of Windows volume shadow copies or some type of restore points which one could roll back to in hopes of restoring earlier versions of SQLite files etc.?


Sorry, I have been working on 2 other cases ... I will start programming the Python script tonight
I did not understand your second Q

Q3: I did not find anything about OS restoring points ... etc
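
Added example, not part of any post in this thread: a minimal Python carver for the question above about carving an image for SQLite databases and WAL files. It scans a decrypted image (such as the dm-0 dump) for the SQLite database and WAL header magics and sizes each hit from the header fields. `carve_sqlite` and `build_sample` are hypothetical names, the sample image is constructed, and each file is assumed to be stored contiguously, which a fragmented ext4 volume does not guarantee.

```python
import struct

DB_MAGIC = b"SQLite format 3\x00"
WAL_MAGICS = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")

def _ok_page(n):
    return 512 <= n <= 65536 and n & (n - 1) == 0   # power of two

def _find_all(buf, needle):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def carve_sqlite(buf):
    """Return sorted (kind, offset, length) hits for SQLite database and WAL headers."""
    hits = []
    for pos in _find_all(buf, DB_MAGIC):
        if pos + 100 > len(buf):
            continue
        # Offsets: 16 page size, 24 change counter, 28 page count, 92 version-valid-for.
        raw, counter, pages, valid_for = struct.unpack_from(">H6xII60xI", buf, pos + 16)
        psize = 65536 if raw == 1 else raw
        if not _ok_page(psize):
            continue
        # The in-header page count is only trustworthy when both counters agree.
        length = psize * pages if pages and counter == valid_for else psize
        hits.append(("db", pos, min(length, len(buf) - pos)))
    for magic in WAL_MAGICS:
        for pos in _find_all(buf, magic):
            if pos + 32 > len(buf):
                continue
            version, psize = struct.unpack_from(">II", buf, pos + 4)
            if version != 3007000 or not _ok_page(psize):
                continue
            salts, end = buf[pos + 16:pos + 24], pos + 32
            # Frames (24-byte header + page) belong to this WAL while the salts match.
            while end + 24 + psize <= len(buf) and buf[end + 8:end + 16] == salts:
                end += 24 + psize
            hits.append(("wal", pos, end - pos))
    return sorted(hits, key=lambda h: h[1])

def build_sample():
    """Constructed test image: filler, a 2-page db, filler, a WAL with one frame."""
    db = DB_MAGIC + struct.pack(">H6xII60xI", 512, 7, 2, 7) + bytes(928)
    salts = b"SALTSALT"
    wal = struct.pack(">IIII", 0x377F0682, 3007000, 512, 0) + salts + bytes(8)
    frame = struct.pack(">II", 2, 2) + salts + bytes(8) + bytes(512)
    return bytes(4096) + db + bytes(512) + wal + frame + bytes(600)
```

The function takes any bytes-like object with `find()`, so a read-only `mmap` of the image file can be passed instead of loading the whole image into memory.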
 
