Hi all,
Bit of a tricky one. I have an android tablet where I need to extract chats from the app 'Instamessage' which I believe is an Instagram Messenger app. I have tried the device in XRY and UFED4PC but they do not carve out Instamessage.
I have attempted to look for a database to scour that relates to the app, but from what I can see there isn't one on the device (are messages not stored locally at all?)
As a final step, the tablet uses the Rockchip processor, so I used the rkflashtool in order to do a memory dump of
a) the whole device
and
b) the userdata area
To run through IEF, but again, no Instagram related data was extracted.
Has anyone had any experience with Instamessage forensics or could point me in the right direction? Thanks )
I do not have experience with that app, but you might try something…
1. Take an image of another Android device you have laying around.
2. Install instamessage and generate some activity.
3. Take another image of the same device and compare them.
You'll be able to see if any additional files or directories were created and then examine those files for instamessage activity.
I seriously doubt any commercial tool is going to decode the database of an obscure app. If the database exists in the image, you'll need to view it with a generic SQLite viewer (assuming it's an SQLite database).
How are you creating the image? Is it possible the data from this app isn't even making it into the image? I've seen this happen often with iOS apps where the developer has chosen to not expose app data to the backup process. Something similar is likely possible with Android. You'll be able to tell if this is the case if examine a differential image of your own device.
