deleted facebook messages (facebook messenger) !!

qassam22222
(@qassam22222)
Active Member

Hello all …
I got a new case and I rooted the phone successfully, it's a Mi Redmi 4 … but how can I find the deleted Facebook messages??

Posted : 12/06/2019 5:44 pm
Thomass30
(@thomass30)
Active Member

Look at threads_db2 database

Posted : 13/06/2019 7:24 am
qassam22222
(@qassam22222)
Active Member

Look at threads_db2 database

Do they show deleted entries or just existing ones?

Posted : 13/06/2019 10:39 am
passcodeunlock
(@passcodeunlock)
Senior Member

The db holds everything, if it wasn't vacuumed, you can find the messages with active and deleted flags as well. If it was vacuumed, the deleted are gone forever, so try finding at sector level the previous versions of the threads_db2 database as well.

Posted : 13/06/2019 11:12 am
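
The "was it vacuumed?" check described in the post above can be made directly against the SQLite file header. The following is an added example, not code from the thread: it reads the freelist fields of the header, walks the trunk-page chain, and reports which free pages still hold leftover record bytes. The function names, the `messages` table and the marker string are constructed for illustration; the settings of a real threads_db2 file are not known from this page.

```python
import sqlite3, struct

def freelist(path):
    """Return (page_size, header_free_count, [free page numbers]) for a SQLite file."""
    with open(path, "rb") as f:
        hdr = f.read(100)
        if hdr[:16] != b"SQLite format 3\x00":
            raise ValueError("not a SQLite 3 database")
        page_size = struct.unpack(">H", hdr[16:18])[0]
        page_size = 65536 if page_size == 1 else page_size   # stored 1 means 65536
        trunk, total = struct.unpack(">II", hdr[32:40])      # first trunk page, free-page count
        pages, seen = [], set()
        while trunk and trunk not in seen:                   # follow the trunk-page chain
            seen.add(trunk)
            f.seek((trunk - 1) * page_size)
            page = f.read(page_size)
            if len(page) < page_size:
                break                                        # truncated file, stop walking
            nxt, n = struct.unpack(">II", page[:8])
            n = min(n, (page_size - 8) // 4)                 # guard against a corrupt count
            pages.append(trunk)
            pages.extend(struct.unpack(">%dI" % n, page[8:8 + 4 * n]))
            trunk = nxt
    return page_size, total, pages

def free_pages_containing(path, needle):
    """Free pages whose leftover bytes still contain needle (bytes)."""
    page_size, _, pages = freelist(path)
    hits = []
    with open(path, "rb") as f:
        for p in pages:
            f.seek((p - 1) * page_size)
            if needle in f.read(page_size):
                hits.append(p)
    return hits

def build_demo_db(path, marker="CONSTRUCTED-DELETED-MSG"):
    """Constructed sample: 200 rows inserted, then deleted, with no VACUUM."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE").fetchall()
    con.execute("PRAGMA secure_delete=OFF").fetchall()
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO messages(text) VALUES (?)",
                    [("%s %d %s" % (marker, i, "x" * 400),) for i in range(200)])
    con.commit()
    con.execute("DELETE FROM messages")
    con.commit()
    con.close()
```

A free-page count of zero on an exported database is consistent with a vacuumed file (or one that never had whole pages freed), which is when earlier copies of the file in the image become the only source. Run this on a working copy of the exported file, never on the evidence itself.
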
qassam22222
(@qassam22222)
Active Member

The db holds everything, if it wasn't vacuumed, you can find the messages with active and deleted flags as well. If it was vacuumed, the deleted are gone forever, so try finding at sector level the previous versions of the threads_db2 database as well.

OK, I will check and let you know, thank you.

Posted : 13/06/2019 3:04 pm
qassam22222
(@qassam22222)
Active Member

I did not find deleted messages in the Facebook db!!
And when I try to make a dd image it's encrypted, I don't know why!! I already have the phone PIN code and it's already rooted!! Why is the image encrypted??

Does this happen because the userdata partition is not mounted?!

rootfs on / type rootfs (ro,seclabel,size=1330828k,nr_inodes=332707)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1436904k,nr_inodes=359226,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,relatime,mode=600)
none on /dev/memcg type cgroup (rw,relatime,memory)
none on /dev/cpuctl type cgroup (rw,relatime,cpu)
none on /dev/cpuset type cgroup (rw,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
proc on /proc type proc (rw,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
none on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=750,gid=1000)
none on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
none on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
none on /acct type cgroup (rw,relatime,cpuacct)
tmpfs on /mnt type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7)
none on /config type configfs (rw,relatime)
/dev/block/mmcblk0p24 on /system type ext4 (rw,seclabel,noatime,discard,data=ordered)
/dev/block/mmcblk0p48 on /cust type ext4 (rw,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p26 on /persist type ext4 (rw,seclabel,nosuid,nodev,relatime,discard,noauto_da_alloc,data=ordered)
/dev/block/mmcblk0p25 on /cache type ext4 (rw,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p12 on /dsp type ext4 (ro,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p1 on /firmware type vfat (ro,context=uobject_rfirmware_files0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,relatime,nobarrier,noauto_da_alloc,data=ordered)
/dev/block/loop0 on /su type ext4 (rw,seclabel,noatime,data=ordered)
tmpfs on /storage type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6)
tmpfs on /storage/self type tmpfs (rw,seclabel,relatime,size=1436904k,nr_inodes=359226,mode=755,gid=1000)

The userdata is encrypted!! I try to mount it with
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
It gives no error, but when I go to /data/local/tmp/qan it's empty!!

Posted : 14/06/2019 11:03 am
arcaine2
(@arcaine2)
Active Member

I did not find deleted messages in the Facebook db!!
And when I try to make a dd image it's encrypted, I don't know why!! I already have the phone PIN code and it's already rooted!! Why is the image encrypted??

Does this happen because the userdata partition is not mounted?!

The userdata is encrypted!! I try to mount it with
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
It gives no error, but when I go to /data/local/tmp/qan it's empty!!

You dumped /dev/block/mmcblk0 so it's normal that it contains encrypted stuff. Since you mentioned that you have root on that Redmi 4, try dumping /dev/block/dm-0 as well (while the phone is fully booted into Android) and you'll have a decrypted userdata partition image to work on.

Posted : 14/06/2019 5:20 pm
qassam22222
(@qassam22222)
Active Member

I did not find deleted messages in the Facebook db!!
And when I try to make a dd image it's encrypted, I don't know why!! I already have the phone PIN code and it's already rooted!! Why is the image encrypted??

Does this happen because the userdata partition is not mounted?!

The userdata is encrypted!! I try to mount it with
mount -o rw /dev/block/mmcblk0pXX /data/local/tmp/qan
It gives no error, but when I go to /data/local/tmp/qan it's empty!!

You dumped /dev/block/mmcblk0 so it's normal that it contains encrypted stuff. Since you mentioned that you have root on that Redmi 4, try dumping /dev/block/dm-0 as well (while the phone is fully booted into Android) and you'll have a decrypted userdata partition image to work on.

Works :D, thank you very much … but I need to understand why this happens?? Why should I dump dm-0 to get the data in the clear?
And let's get back to our topic: I searched in threads_db2 for deleted conversations and I did not find them :( Is there any solution to find any proof??

Posted : 14/06/2019 6:32 pm
arcaine2
(@arcaine2)
Active Member

Why should I dump dm-0 to get the data in the clear?

Because the phone decrypts /dev/block/mmcblk0p49 (in your case) while booting and uses /dev/block/dm-0 as a device that is then mounted as /data/. This is common for pretty much all Android-based phones using FDE.

You can clearly see it in your mounts list:

/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,relatime,nobarrier,noauto_da_alloc,data=ordered)

Posted : 14/06/2019 7:30 pm
qassam22222
(@qassam22222)
Active Member

Okay, thank you my brother :), so is there any chance to restore deleted Facebook chats?? They are not in threads_db2.

Posted : 14/06/2019 7:41 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Hello,

Q Is it possible to write a GREP script to "carve" the image for all SQLite database files including WAL files?

Q Is this what you mean by "try finding at sector level the previous versions of the threads_db2 database as well"?

Q Does Android OS have the equivalent of Windows volume shadow copies or some type of restore points which one could roll back to in hopes of restoring earlier versions of sqlite files etc.?

Posted : 15/06/2019 12:30 am
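
The signature carving asked about in the post above can be sketched as follows. This is an added example, not code from the thread: it scans a decrypted image for the SQLite database header and the WAL header, and validates the fields behind each magic so that a bare copy of the magic string is not reported as a database. The function names and the constructed demo image are assumptions made for illustration.

```python
import mmap, os, sqlite3, struct, tempfile

DB_MAGIC = b"SQLite format 3\x00"
WAL_MAGICS = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")  # low bit selects checksum byte order
WAL_VERSION = 3007000

def _page_size_ok(n):
    return 512 <= n <= 65536 and n & (n - 1) == 0        # power of two in the legal range

def _find_all(buf, needle):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def carve(buf):
    """Return sorted (offset, kind, page_size, size_hint) for plausible headers in buf."""
    hits = []
    for pos in _find_all(buf, DB_MAGIC):
        hdr = buf[pos:pos + 100]
        if len(hdr) < 100:
            continue
        ps, wr, rd = struct.unpack(">HBB", hdr[16:20])
        ps = 65536 if ps == 1 else ps                    # stored value 1 means 65536
        npages = struct.unpack(">I", hdr[28:32])[0]      # in-header size, may be 0 or stale
        if _page_size_ok(ps) and wr in (1, 2) and rd in (1, 2):
            hits.append((pos, "db", ps, ps * npages))
    for magic in WAL_MAGICS:
        for pos in _find_all(buf, magic):
            hdr = buf[pos:pos + 32]
            if len(hdr) == 32:
                version, ps = struct.unpack(">II", hdr[4:12])
                if version == WAL_VERSION and _page_size_ok(ps):
                    hits.append((pos, "wal", ps, None))
    return sorted(hits, key=lambda h: h[0])

def carve_file(path):
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return carve(m)

def demo_image():
    """Constructed test image: filler, one real SQLite file, a decoy magic, a WAL header."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, text TEXT)")
    con.commit(); con.close()
    with open(path, "rb") as f:
        db = f.read()
    wal = struct.pack(">8I", 0x377F0682, WAL_VERSION, 4096, 0, 1, 2, 0, 0)
    decoy = DB_MAGIC + b"\x00" * 100                     # magic with no valid header behind it
    return b"\x00" * 4096 + db + decoy + b"\xff" * 412 + wal, len(db)
```

The size hint assumes the file is stored contiguously; on a fragmented ext4 volume a hit gives the start of the file only, and the pages after it have to be checked individually.
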
qassam22222
(@qassam22222)
Active Member

Hello,

Q Is it possible to write a GREP script to "carve" the image for all SQLite database files including WAL files?

Q Is this what you mean by "try finding at sector level the previous versions of the threads_db2 database as well"?

Q Does Android OS have the equivalent of Windows volume shadow copies or some type of restore points which one could roll back to in hopes of restoring earlier versions of sqlite files etc.?

Sorry, I have been working on 2 other cases … I will start programming the Python script tonight.
I did not understand your second Q.

Q3: I did not find anything about OS restore points … etc.

Posted : 28/06/2019 11:55 pm