Hello all, I work with the police on a case where they seized an Android phone from a suspect. The phone is not protected and not erased, but they think he uninstalled some apps like WhatsApp and Viber …
So is there any way to know which apps were uninstalled from the phone?
And what about a physical dump: can I recover the uninstalled apps' databases from it?
It depends on the phone. On UFED4PC (Cellebrite software) some Android phones can be physically extracted, which brings back a lot of data. From my experience, physical / dump extractions do a great job of bringing back applications that have been deleted.
Also, if your model is not available for Physical Extraction in UFED 4PC, you can always use eMMC ISP (Direct), using for example Z3x Easy/VR-Table, to get a full dump from it in RAW format and parse/analyze the full dump, including Unallocated Space, using PA.
I already did that: I rooted my device and then dumped the physical image via netcat + dd to my PC, but I don't have any of these pro forensic products. Can anyone help me? I will upload the physical dump and send it.
Please, it's urgent.
Any help, please?
If you are working with a seized phone for the police you might want to reconsider uploading it and sending it to strangers online?
You could upload the dump in a computer forensic program and carve for databases, or manually look for them with a hex reader, depending on how large the dump is and how much time you have to spend. There are free carving programs for you if money is an issue.
There is also the option to request a trial version of a mobile forensic tool like UFED, XRY or Oxygen if you don't already have these.
It's just a case related to bothering someone on Facebook, nothing dangerous …
But recovering the conversation is important for me, so that's why I'm here requesting help.
By the way, how do I look in unallocated space in hex? Is there any fully detailed tutorial?
I need to solve this case, please!
The suspect has deleted Facebook Messenger, com.facebook.orca!
I just found com.facebook.katana, but I can't find the message database threads_db2
at data/data/com.facebook.katana/databases/threads_db2
[screenshot]
When I used Autopsy and did a quick search for threads_db2, I got this result:
The database name was found in 2 unallocated space databases! Now what to do? I don't know how to extract them from unallocated space. And can I do this with the Belkasoft free trial, or any free tool?
The threads_db2 files contain text messages. The messages aren't encrypted. You should recover the deleted SQLite files and use a SQLite viewer to recover the messages. It is hard manual work.
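
An added example, not part of the original posts: a small Python carver for the approach the replies describe (carving a raw dump for deleted SQLite databases). It goes slightly beyond the thread by reading the SQLite header fields (page size at offset 16, page count at offset 28) to decide how many bytes to cut. The function names and the constructed sample image are assumptions, and it assumes the deleted file is stored contiguously.

```python
import sqlite3
import struct
import tempfile
from pathlib import Path

MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def carve_sqlite(image, max_size=256 * 1024 * 1024):
    """Return (offset, blob) for each plausible SQLite header in a raw image."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + 100 <= len(image):  # the full 100-byte header is present
            page_size = struct.unpack_from(">H", image, pos + 16)[0]
            page_size = 65536 if page_size == 1 else page_size  # 1 encodes 64 KiB
            page_count = struct.unpack_from(">I", image, pos + 28)[0]
            power_of_two = page_size >= 512 and (page_size & (page_size - 1)) == 0
            size = page_size * page_count
            if power_of_two and 0 < size <= max_size:
                hits.append((pos, bytes(image[pos:pos + size])))
        pos = image.find(MAGIC, pos + 1)
    return hits

def list_tables(blob):
    """Write a carved blob to a temp file and list its tables to prove it opens."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "carved.db"
        out.write_bytes(blob)
        con = sqlite3.connect(out)
        try:
            rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
            return [name for (name,) in rows]
        finally:
            con.close()

def build_sample_image():
    """Constructed test data: a tiny SQLite file surrounded by filler bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sample.db"
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, text TEXT)")
        con.execute("INSERT INTO messages (text) VALUES ('constructed sample row')")
        con.commit()
        con.close()
        db = path.read_bytes()
    return b"\xff" * 4096 + db + b"\x00" * 4096, db

if __name__ == "__main__":
    for offset, blob in carve_sqlite(build_sample_image()[0]):
        print(f"header at {offset:#x}: {len(blob)} bytes, tables {list_tables(blob)}")
```

For a real dump, pass an `mmap` of a working copy of the image instead of `bytes`. A fragmented or partly overwritten database will still be cut out but may fail to open in a SQLite viewer.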