Notifications
Clear all
General (Technical, Procedural, Software, Hardware etc.)
2
Posts
1
Users
0
Reactions
1,057
Views
Topic starter
11/07/2023 3:23 am
I have some conflicting information and was wondering if someone could help me walk through it. I am trying to put together a solid timeline for what seems to have happened:
android 9 os. Moto z3
- i have the filepath.db -- tons of artifacts there. No issue.
- I am trying to understand something though. I believe I have a date that the phone was wiped (annoying 🙁) based on the "hello" screenshot and some wifi network screenshots. However there are a ton of applications still listed in filepath.db
- if someone wiped it, why would there still be apps in the filepath.db (unless the suspected person used it again but why -- i know we are not psychologists here 😄 )
- is there a way to get the installed dates? I did do an adb system dump and there are artifacts when permissions were granted post the wipe date but I cant seem to find any information about the apps that are in filepath.db
- if someone wiped it, why would there still be apps in the filepath.db (unless the suspected person used it again but why -- i know we are not psychologists here 😄 )
used encase & emi
thank you for any help or pointers I am missing
Joe
Topic starter
13/07/2023 5:21 am
This filepath.db shows up in an encase index search, specifically under the filetransfer2.adb directory. Inside there, is a raw directory.
to me, this means the filepath.db MIGHT have been recovered. I am having a hard time proving it though as there are no install dates and the phone was wiped. I say this because that apk is standard on a motorola and just wondering if maybe when it re-installed the filetransfer apk/wiped, it didnt delete the old filepath.db.
I do have an exact model of the phone I got from ebay so I am going to test the theory out
Anyone ever ran into a similar situation?