
Can Someone finally help me ?

29 Posts
11 Users
0 Reactions
3,590 Views
(@bols5)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

Is there anyone on this forum who is at least familiar with this topic and knows what I'm talking about?

Really! I'm not looking for a step-by-step guidance for dummies on how to do it, I'm just asking for a hint where to look…


   
(@chiprafp)
New Member
Joined: 14 years ago
Posts: 4
 

I realise you will just come back with an angry man reply but I would suggest you reread your posts thus far and you may realise that individuals on here may not wish to waste their valuable time and energy helping you. Just a thought but the keyboard warrior stance doesn't generally make people want to help.

Good luck with your research.


   
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

Presumably, you know at least some of the content of this contact. Do some keyword searches based on this - given you are in Poland, codepages might be an issue, and also search in Unicode.

If you get nothing from this, then you are probably just out of luck.

And also, like many have said, insulting people makes them less likely to want to help you. Be nice to people, and they will be nice to you. Simple philosophy really.


   
(@mobilephoneforensic)
Trusted Member
Joined: 19 years ago
Posts: 73
 

You should have backed up your device!!!!!!! A simple restore would have got you your number back that you deleted over 2 weeks ago!!!!!!


   
(@bols5)
Active Member
Joined: 12 years ago
Posts: 9
Topic starter  

First of all I didn't insult anyone. Are you really surprised with my reaction ? When I see another "FORENSICS" forum that 1 person out of 20 at least understands what I'm talking about ? This topic is a result of at least 10 other forensic forums failures…where I was nice!

So what I'm trying to express here is big disappointment. I'm not a programmer, and I was still able to do more thx to my own research, than most of ppl who call themselves "experts" on messageboards. So what in the world are these forums created for? Why do these ppl even sit here? To educate others on how to behave?

Look at this discussion I'm trying to make a technical conversation. Instead I get posts of some bored people who sit here God knows why and post answers like "Hmmm I don't know how to help you, but even If I did I wouldn't cuz u not nice" rofl….

Every forum has its own rules. In many respected ones that I know ppl get warnings for posting dumb OT.
If this is the way you like it then fine, I can get used to it.

So In the end I was expecting exactly what I got, there were 2 ppl who were actually interested in this "forensic problem" others were just spamming. Remember if you are smart then u can learn something from each case no matter if someone is nice or not, perhaps you'll also have same issue in future and my problem will help you in your work…. It's not like we're getting married, so try to be professional and focus on facts and what the topic is about.

But oh well, it's better to sit here and produce irrelevant posts so u get faster a "Senior member" next to ur nickname. yeah.. that's impressive !

In regards to what you said I tried searching many files via HEX editor but it's not possible to check all from \Windows it'll just take too long . So I'm trying to find out which folders may have also something to do with text messages. I already checked \Windows\Messaging


   
(@laugshatvi)
New Member
Joined: 12 years ago
Posts: 1
 

You have already gotten some nice tips in this topic, but unfortunately, as said before, you may be out of luck. In this field, sometimes you just have to accept that the data you're hoping to find is gone. The fact that you were able to recover files from four years ago doesn't automatically mean that it's possible to find something from two weeks ago.

To get a better understanding of what to expect, you should read more about how data is written to disk. Remember, if you're smart you can learn something from this.

Good luck, I hope you find your contact.


   
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

Ok, so I have no idea what you quoted me on - as it was blank.

In terms of the people who join message boards (including this one) unfortunately there is no way to vet that anyone really knows what they are talking about. But, in general terms, don't be sarcastic and rude to people. You ask us to 'try to be professional' - well I would say that if you extended the same courtesy to everyone else here, you would get a better response.

Back to the topic at hand. If you deleted the contact, it likely won't be stored as a resident file anymore, so searching through any allocated files is completely pointless. The searches you want to do should be across this entire filesystem, and focusing on the unallocated areas. This also assumes that the contacts are stored as individual files.

It's probably more likely that the contacts are in a database. In general terms, when a record is deleted from a database, it moves into the slack of the database itself. Most of these databases then perform regular cleanup/compressions to get rid of the erroneous data. Once that's happened then you have almost no chance of recovery.

Try to identify how regular contacts are stored. Do some testing. Create a contact and image to see where it is. Delete it and see what happens. If someone can't give you the answers these are your options. I have a feeling you won't be able to recover this file - through no fault of our expertise.


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

You will need to do two steps.

1. Image the device
2. Carve for the database

Step one will require a tool, like I mentioned before. You can try MobileEdit! which is free to download.

The image should be a raw or dd image. This will allow searching with some sort of a Windows-based grep tool. Any tool that can search raw data will work.

Once you have the image of the original phone, you will be able to locate the storage file that is used for the contacts.

You may be able to recover deleted versions of that contact database, or the database may still contain the records you deleted.

Thereafter the reconstruction of the records may be possible.


   
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

> In regards to what you said I tried searching many files via HEX editor but it's not possible to check all from \Windows it'll just take too long . So I'm trying to find out which folders may have also something to do with text messages. I already checked \Windows\Messaging

Don't search the files individually. Point a searching tool (here's a totally free one that I like https://code.google.com/p/dngrep/) at the root of your extracted files. Make sure it's set to search binary files too. Presumably you know something about this contact - part of the name perhaps? Use that as search term.

Also, you mention that you "dumped the ROM"? As in you have a full image of the data? Search in there using the search term too.

As already noted, you should consider Windows codepages and Unicode in your search queries (Windows tends to be Little Endian UTF-16 rather than UTF-8).

If you still get nothing, then it could be that the data has been overwritten and is gone - is your phone's storage particularly full with other data? If so, the time before the data will be overwritten will be much shorter.

So good luck, but you might not be able to find the contact because it's not there.


   
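The raw-image keyword search suggested in the posts above (one term tried as UTF-16LE, UTF-8 and code pages), as an added example that is not part of the original thread. The encoding list, the function names and the sample name are assumptions chosen for illustration; the "image" is a constructed buffer.

```python
import os
import tempfile

# Encodings worth trying for a Polish-locale Windows device (assumed list).
ENCODINGS = ("utf-16-le", "utf-8", "cp1250", "iso8859_2", "cp852")

def encode_variants(term):
    """Map each distinct byte pattern for `term` to the encodings producing it."""
    patterns = {}
    for enc in ENCODINGS:
        try:
            raw = term.encode(enc)
        except UnicodeEncodeError:
            continue  # term is not representable in this code page
        patterns.setdefault(raw, []).append(enc)
    return patterns

def search_image(path, term, chunk_size=1 << 20):
    """Return sorted (offset, encodings) hits for `term` in a raw/dd image."""
    patterns = encode_variants(term)
    overlap = max(len(p) for p in patterns) - 1  # bytes carried across chunks
    hits, base, tail = set(), 0, b""             # base = file offset of buf[0]
    with open(path, "rb") as img:
        while chunk := img.read(chunk_size):
            buf = tail + chunk
            for raw, encs in patterns.items():
                pos = buf.find(raw)
                while pos != -1:
                    hits.add((base + pos, "/".join(encs)))
                    pos = buf.find(raw, pos + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(hits)

def demo():
    """Constructed sample: a zero-filled 'image' holding one name twice."""
    name = "Żółkiewski"                      # made-up contact name
    u16, cp = name.encode("utf-16-le"), name.encode("cp1250")
    blob = bytearray(4096)
    blob[1020:1020 + len(u16)] = u16         # straddles the 1 KiB chunk edge
    blob[3000:3000 + len(cp)] = cp
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(blob)
    try:
        return search_image(f.name, name, chunk_size=1024)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the image, never the original evidence file; hits in unallocated space still need the surrounding bytes examined by hand.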
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

A non-forensic oriented tool that has given me some good results in the past is BINTEXT
http://www.mcafee.com/it/downloads/free-tools/bintext.aspx

jaclaz


   