hi @cheeky4n6monkey I've just modified your fbmsg-extractor.py to work with latest threads_db2 & contacts_db2 for mobile forensics education purpose. Please forgive me if there is any violation towards your creation. I'm newbie in python and not so familiar with github fork so I create new issue please review my modification.

The readable timestamp conversion fails on some video entries. Tested with an S6 android 5.1.1. The timestamps for videos are stored the same as the image entries. There are no extra zeros at the end of the time stamp. Instead of dividing by 1000 to eliminate the extra numbers, why not take a substring of the variable "timestring". This way the "if" statement is removed completely. (No need to check for difference between video and pictures)

suggested code would be

timestring = datetime.datetime.utcfromtimestamp(int(timestamp[0:10])).strftime("%Y-%m-%dT%H-%M-%S)

replace if statement with that code. Tested and works great!

Please merge your scripts into the more-popular LEAPP series of projects of abrignoni. Those tools are the most mature series of FOSS data analysis from device dumps available.

When I try to execute imgcache-parse-mod.py or imgcache-parse.py I have this issue :

E:\404\Test\4n6-scripts-master\4n6-scripts-master\Android>python imgcache-parse-mod.py -f 86546165715873655.0 -o output.html -p Running imgcache-parse-mod.py v2016-08-03

Traceback (most recent call last): File "E:\404\Test\4n6-scripts-master\4n6-scripts-master\Android\imgcache-parse-mod.py", line 126, in <module> hits = all_indices(filestring, substring1, []) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

File "E:\404\Test\4n6-scripts-master\4n6-scripts-master\Android\imgcache-parse-mod.py", line 66, in all_indices i = bigstring.find(substring, offset) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: argument should be integer or bytes-like object, not 'str'

Any idea ?

in utilities/google-ei-time.py, line 116 can be replaced with:
timestamp = int.from_bytes( decoded[ : 4], byteorder='little')
which seems a bit more pythonic to me

Running lmg-drop.py removes all files from within an engagement directory, but the directory itself remains.