I’m the IT guy at my company and I just deleted a 3GB “Msgstore db Crypt” file from the CEO’s smartphone.
So I have to recover as many files as possible as quickly as possible.
Your question is too vague (what’s the device make/model, android version, application, etc.), so I can only answer generally.
Autopsy cannot extract contents of Android storage devices. If you can extract a physical volume from an android device with another tool, Autopsy can read many file systems commonly in use and carve from unallocated space. However, modern Android devices use encryption and extracting decrypted volumes isn’t possible, though copying logical files can be.
Your question seems to contemplate recovering a deleted database. This is not likely possible if the Android device is modern and uses a modern Android version (generally 7+) with encryption (default on 8+).
There are caveats to almost all of what I’ve said, but like I stated in the beginning, this is a general response.
Thanks for your response!
I have a Zenfone 4 with Android 8.
With factory settings.
I used it exclusively for whatsapp, but when I installed Whatsapp Businnes by accident all my old Whatsapp folders were deleted.
Photos, audios, media, etc.
Backups did not work.
So I would like to try to recover as many files as possible, if possible with the same names and location.
To recover a deleted (previously existing) file (don’t confuse this for a deleted record in an existing database file), you need access to physical storage. By software, this means a rooted device. By hardware, this means removing the storage chip or connecting to it through a technique as In-Service-Programming (sort of like hot-wiring a car). This allows you to copy allocated (existing files) and unallocated (previously used and unused storage) blocks.
But don’t get too excited. With Android 8, you are almost always dealing with encryption, either file-based or full-disk. This means content of deleted files can’t be decrypted because the encryption keys are lost or are inaccessible. Because of encryption, modern recovery methods focus on finding ways to copy full file systems from booted and unlocked devices (Why booted and unlocked? Because the storage is decrypted in that state). Recovering deleted files is a thing of the past.
Your phone was released with Android 7.1 and encryption was hit and miss with that generation of Android OS–some vendors enabled it by default while other’s left it as a user option. It is possible that your storage is not encrypted.
However, even if encryption isn’t a factor, recovering a complete, well populated database like WhatsApp is unlikely due to fragmentation. NAND flash memory is made up of pages, and every change to a page, e.g., to commit a message to a database table, requires that the page be read into RAM, altered, and written to a new page. The old page is the flagged as “dirty” and eventually zero’d and flagged for reuse in a process known as garbage collection. Because of the files systems in use on Android, you can’t simply read the file system structures to find the addresses of previously existing files (such file system metadata is wiped when the file is deleted). Thus, you are left with file carving, and there is no carving technique that can recover a complete, fragmented SQLite database. So, while individual database pages might be recoverable and useful for forensic analysis, they aren’t useful for restoring you WhatsApp application to it’s pre-deletion, working condition.
Your experience with Android Backup is not atypical. Android Backup doesn’t backup all files on an Android Device. Instead, it stores those files flagged for backup by the operating system and those allowed by software developers. WhatsApp developers can simply choose not to allow the chat database to be included in a backup, and this may be a legitimate security choice, even if you now find it inconvenient.
None of this solves your problem, other than to say you are unlikely to restore WhatsApp messages to your phone. My hope was that this response would help you and others similarly trying to recover data from Android devices understand the dynamics involved.
So is it possible or not?
I answered you as you have observed by your quote. It’s the best I can give with the information I have.
I’m sorry but I didn’t understand what you said. Was your answer YES or NO?