VMA.db - what information does this file contain?

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Colleagues,

I am analyzing a Samsung phone (specifications below)

Selected Manufacturer Samsung CDMA
Selected Model SM-G920V Galaxy S6
Detected Manufacturer Verizon
Detected Model SM-G920V
Revision 6.0.1 MMB29K G920VVRU4CPK2

I used Cellebrite v.5.3.0.731 to create both logical and file system extractions.

1) VMA.db - what information about text messages, if any, does this file contain?

A. I am trying to identify or recover deleted text messages from this phone and identified a file called "vma.db", which is located at

/apps/com.verizon.messaging.vzmsgs/db/vma.db

B. Within "vma.db" is a table called "vma_sync_mapping". The "vma_sync_mapping" tab has columns named (amongst others)

time_created
time_updated
messageid
timeofmessage

C. Verizon Text Messages

The only location Cellebrite has found text messages is in a "messages.db" file located

/apps/com.verizon.messaging.vzmsgs/db/message.db

2. Analysis

So, I am wondering if the "vma.db" file contains references to all text messages received and sent by this phone, but "messages.db" contains the actual undeleted text messages???

Thanks for your help.

 
Posted : 31/01/2017 1:46 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

It's not usual to have related data stored in separate databases but it is not unknown either.

Are there any fields in the two DBs that look like they might be related? It is straightforward to attach a second database and perform queries across all related tables.

If you would like a fully functional demo of my Forensic Browser for SQLite to look further at this then please let me know.

 
Posted : 31/01/2017 3:39 am
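
Added example, not part of the original thread or of any poster's tooling: the cross-database query described in the reply above, done with SQLite's `ATTACH DATABASE` from Python. The `vma_sync_mapping` columns are those named in the first post; the `messages` table, its `_id` and `body` columns, the assumption that `messageid` refers to that key, and all sample rows are constructed for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path


def build_sample_dbs(folder):
    """Create two small CONSTRUCTED databases standing in for the real files."""
    vma_path, msg_path = Path(folder) / "vma.db", Path(folder) / "message.db"
    vma = sqlite3.connect(vma_path)
    # Column names are the ones quoted in the thread; the types are assumed.
    vma.execute("CREATE TABLE vma_sync_mapping (messageid INTEGER, "
                "time_created INTEGER, time_updated INTEGER, timeofmessage INTEGER)")
    vma.executemany("INSERT INTO vma_sync_mapping VALUES (?, ?, ?, ?)",
                    [(1, 1000, 1000, 990), (2, 2000, 2000, 1990),
                     (3, 3000, 3500, 2990), (4, 4000, 4000, 3990)])
    vma.commit()
    vma.close()
    msg = sqlite3.connect(msg_path)
    # HYPOTHETICAL schema: the thread never lists message.db's tables or columns.
    msg.execute("CREATE TABLE messages (_id INTEGER PRIMARY KEY, body TEXT)")
    msg.executemany("INSERT INTO messages VALUES (?, ?)",
                    [(1, "constructed text A"), (3, "constructed text B")])
    msg.commit()
    msg.close()
    return vma_path, msg_path


def unmatched_sync_rows(vma_path, msg_path):
    """Return (messageid, timeofmessage) rows with no live row in message.db."""
    # mode=ro opens both files read-only so the query cannot alter them.
    con = sqlite3.connect(Path(vma_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        con.execute("ATTACH DATABASE ? AS msg",
                    (Path(msg_path).resolve().as_uri() + "?mode=ro",))
        return con.execute(
            "SELECT v.messageid, v.timeofmessage "
            "FROM vma_sync_mapping AS v "
            "LEFT JOIN msg.messages AS m ON m._id = v.messageid "
            "WHERE m._id IS NULL ORDER BY v.messageid").fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in unmatched_sync_rows(*build_sample_dbs(tmp)):
            print("sync mapping with no stored message:", row)
```

On a real extraction, run this against working copies and substitute the table and key names actually present in message.db. An unmatched row is a lead for record recovery, not proof that a message was deleted.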
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Paul,

Thanks for your quick response.

I actually own a copy of your excellent software.

I ran SQLite Forensic Recovery on the message.db file and was able to recover a deleted message.

I will email you separately for help on connecting vma.db and the message.db files.

Thanks!!!

Larry

 
Posted : 31/01/2017 4:06 am
(@ltmorales)
Posts: 4
New Member
 

It sounds like this db belongs to Verizon Messages, an application to sync messages over several devices.
https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs&hl=en

According to their website they store messages for 10 days so you could also ask for them if you don't find any deleted in the db.
https://community.verizonwireless.com/thread/215693

 
Posted : 31/01/2017 3:16 pm
(@thefuf)
Posts: 262
Reputable Member
 

It might be easier to reverse engineer the APK file. What columns exist in the message.db?

 
Posted : 31/01/2017 4:50 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Holy mackerel -

With Paul's help and guidance, the Sanderson Forensics SQLite Forensic Browser tool (http://sandersonforensics.com/forum/content.php?195-Forensic-Toolkit-for-SQLite) was able to recover 4,085 text messages (including 1,858 deleted text messages).

Cellebrite was able to recover 2,227 text messages and NO deleted text messages; we collected both a logical and file system extraction from the phone.

I have alerted the rest of my forensic practice that we must run the Sanderson Forensics tool to validate our other tools' results on every case.

 
Posted : 31/01/2017 9:40 pm