dig out deleted chat messages

11 Posts
5 Users
0 Likes
669 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

One of my friends asked me to do a favor for her. She said her friend deleted some important chat messages by “accident”, and her friend wants to recover those deleted messages as soon as possible…

I took a look at this Android phone. My God, lots of instant messaging apps on it. Let’s see what top commercial forensic tools (like Uxxx or Xxx) could do about those IMs. Somehow I was a little disappointed with those tools; they could not even notice that some IMs exist on that phone (not to mention the encrypted hidden chat messages). I do understand they only support popular IMs, so I have to investigate it on my own.

Fortunately I dug those important chat messages out. You guys could take a look at my blog to see what I've done for her.
http://www.cnblogs.com/pieces0310/p/4457359.html

 
Posted : 26/04/2015 7:11 am
(@droopy)
Posts: 136
Estimable Member
 

You could recover most deleted IM messages using a special tool.

It will help a lot if you put more information on WHICH IM messenger you are talking about, as there are plenty of them now.

regards

 
Posted : 27/04/2015 6:13 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi,

It's true there are plenty of IMs now. Those IMs I talked about are Juiker, Cubbie, Bee Talk, QQ. Also, some IMs have a special Hidden Chat mode in which chat messages are encrypted. I'd appreciate your providing us any information you have about how to recover deleted chat messages in IMs, and furthermore how to decrypt those hidden chats.

Thanks for any information you have.

 
Posted : 27/04/2015 7:00 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

It seems as though you went straight to hex without trying to decode the SQLite database(s). Granted, some apps will maintain encrypted data inside the DB, but you probably want to start with SQLite.

 
Posted : 27/04/2015 10:10 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

You are correct, Scott - the screenshot is from an SQLite database. The table has 10 columns: 7 text columns followed by 3 integer columns.

For the two record/row headers that are present, the record structure seems to be the same, i.e. the text fields for both rows are of length 34, 34, 42, 26, 26, 11, 34.

 
Posted : 27/04/2015 11:01 pm
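
The layout described in the post above can be read straight from raw bytes: in SQLite's record format a text field of N bytes has serial type 2N+13 in the record header, and scanning for such headers is one way to locate rows in raw page data. This is an added example, not code from any poster or tool in this thread; the sample header bytes are constructed to match the lengths listed above, and the three integer widths are assumptions.

```python
def read_varint(buf, pos):
    """Decode an SQLite varint (big-endian, 1-9 bytes); return (value, next_pos)."""
    value = 0
    for i in range(9):
        if pos + i >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos + i]
        if i == 8:                       # ninth byte contributes all 8 bits
            return (value << 8) | byte, pos + 9
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:                  # high bit clear: this was the last byte
            return value, pos + i + 1

FIXED = {0: ("null", 0), 1: ("integer", 1), 2: ("integer", 2), 3: ("integer", 3), 4: ("integer", 4),
         5: ("integer", 6), 6: ("integer", 8), 7: ("float", 8), 8: ("integer", 0), 9: ("integer", 0)}
def describe(serial_type):
    # Map a serial type to (storage class, payload length in bytes).
    if serial_type in FIXED:
        return FIXED[serial_type]
    if serial_type in (10, 11):
        raise ValueError("reserved serial type")
    return ("text" if serial_type % 2 else "blob", (serial_type - 12) // 2)

def parse_record_header(buf, pos=0):
    """Return [(kind, length), ...] for the record header starting at pos."""
    header_len, cur = read_varint(buf, pos)   # length includes this varint itself
    end = pos + header_len
    if header_len < 1 or end > len(buf):
        raise ValueError("implausible header length")
    columns = []
    while cur < end:
        serial_type, cur = read_varint(buf, cur)
        columns.append(describe(serial_type))
    if cur != end:
        raise ValueError("serial types overrun header")
    return columns

def find_records(blob, layout):
    """Offsets in blob where a record header has exactly this list of column kinds."""
    hits = []
    for off in range(len(blob)):
        try:
            if [k for k, _ in parse_record_header(blob, off)] == layout:
                hits.append(off)
        except ValueError:
            continue
    return hits

# Constructed sample: 7 text fields of 34,34,42,26,26,11,34 bytes, then 3 integers (widths assumed).
SAMPLE = bytes([0x0B, 81, 81, 97, 65, 65, 35, 81, 4, 1, 6])
```

Matching on column kinds alone gives false positives on real images, so each hit still needs its body decoded and sanity-checked.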
(@droopy)
Posts: 136
Estimable Member
 

Yes, most databases could be read by a hex editor and you could find some messages. That's like Telegram: pseudo-encrypted texts are in plain text there.
There are other tools; try to upload the databases somewhere and we could help.

regards.

 
Posted : 28/04/2015 1:30 am
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi,

As you could see in my blog, I did a physical extraction from a hTC phone (Android 4.0.4) and used WinHex to search for keywords.

Now I'll export some IM DBs from the image file, upload them to Dropbox, and put the download link here. You guys could take a look and see what you could do about those DBs in which chat messages are encrypted.

Thanks a lot.

 
Posted : 28/04/2015 7:48 am
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi,

Here is a popular IM whose name is "Line"; the conversation is between Line ID gorvq7222 and rick02170310.

They entered hidden chat mode and had some private conversation. The database file is at the Dropbox download link below.

https://www.dropbox.com/s/8x1eu05v4o0upko/naver_line.zip?dl=0

Hope you could decrypt the hidden chat messages. I'd appreciate your providing me any information you have. Thanks a lot.

 
Posted : 01/05/2015 2:52 pm
(@topsirloin)
Posts: 45
Eminent Member
 

I could be wrong, but I don't believe there is any chat content to decrypt? There seems to be some base64 encoded content in a channels table. There are also quite a few contacts in a contacts table.

I ran IEF against it, as it can parse LINE data. It parsed out the chats before they went into private mode, but that's it.

Just read a bit online about this software, and they advertise that the messages are deleted immediately, similar to Snapchat. Could it be this data just isn't on the phone anymore?

 
Posted : 01/05/2015 11:26 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

> Hi,
>
> As you could see in my blog, I did a physical extraction from a hTC phone (Android 4.0.4) and used WinHex to search for keywords.
>
> Now I'll export some IM DBs from the image file, upload them to Dropbox, and put the download link here. You guys could take a look and see what you could do about those DBs in which chat messages are encrypted.
>
> Thanks a lot.

I am not sure what you are trying to achieve here - the DB has a number of messages and, as mentioned above, there appears to be a point at which the chats entered hidden mode. However, as these chats involve you and they were all created today, it seems they are unrelated to your original post.

Anyway, as this seems just to be a contrived test rather than a real problem, I can't spend much time playing with it. The screenshot below shows what my software found.

 
Posted : 02/05/2015 3:06 am