±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35880
New Yesterday: 1 Visitors: 198

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Windows Mobile software

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3  Next 
  

minime2k9
Senior Member
 

Windows Mobile software

Post Posted: Nov 25, 15 15:50

Does anyone have any experience with software that decodes artefacts from Windows Phones? Currently looking at a Lumia 520 and UFED/XRY have got basically nothing back. IEF got a couple of items but missed all the 3rd party app stuff, are there any other? Does Oxygen deal with it any better?  
 
  

PaulSanderson
Senior Member
 

Re: Windows Mobile software

Post Posted: Nov 25, 15 17:40

Hi minime

If you can get access to the file system the apps tend to be either ESE databases or SQLite. Obviously my Forensic Toolkit for SQLite can deal with the SQLite side.

But you may not be aware that there is an optional Browser extension for the toolkit that allows you to use the full power of the Browser to investigate the ESE databases.

There is more information on the ESE extension here :

sandersonforensics.com...ic-Browser

I am just about to make an update to the ESE extension (and the standalone EseViewer - more at the above link) that recovers deleted records from the ESE database.

There is more information about the Browser and a link to request a demo (of the Toolkit and ESE extension) at this link.

sandersonforensics.com...for-SQLite

Hope this helps

Cheers
Paul
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

keydet89
Senior Member
 

Re: Windows Mobile software

Post Posted: Nov 25, 15 18:01

RegRipper works just fine with the Registry hive files from Windows phones. Unfortunately, no one who has access to these files has written any plugins for RR, and only one person (a cop) provided me with hive files from such a device.

I wish there was more, but without support from the community... ;-(  
 
  

OxygenForensics
Senior Member
 

Re: Windows Mobile software

Post Posted: Nov 25, 15 18:03

Minime2k9, live data acquisition will give you only very basic data. To access applications, deleted records and SQLite databases you can create a JTAG image from Windows Phone and then import it to Oxygen Forensic products.  
 
  

trewmte
Senior Member
 

Re: Windows Mobile software

Post Posted: Nov 25, 15 18:05

In addition to Paul's *comments, have you had a look here as these scripts relating to Windows Mobile 8.x on Lumia 520 github.com/cheeky4n6mo...n6-scripts


* and Oxygen (I hadn't seen that post by the time I posted.)
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

minime2k9
Senior Member
 

Re: Windows Mobile software

Post Posted: Nov 25, 15 20:55

Thanks for the replies so far, I think I should have probably posed my question slightly better though.

As Paul mentioned, some of the artefacts are stored in Sqlite or ESE database files, but they also use SDF (Compact SQL - Microsoft) and flat data files for data (KIK messenger is a good example).
Much as I can manually decode these, I was hoping there might be some support for a least a few of the standard artefacts.

We have a JTAG image of the phone already, so this isn't an issue - does Oxygen support decoding of any application data?

It does seem that a lot of the apps store data in a completely different format from the norm - whatsapp seems to use unencrypted sqlite, KIK uses flat files for each conversation that I'm still working out the format for and some use this SDF file.

What I'm basically getting is that Windows phones are basically unsupported (in terms of APP data decoding) by all the major tools and that each one will require manually extracting (and possibly decoding) with a few python scripts for some areas.  
 
  

OxygenForensics
Senior Member
 

Re: Windows Mobile software

Post Posted: Nov 25, 15 21:19

Minime2k9, Oxygen supports data decoding from most popular apps, like WhatsApp, Viber, Skype, Facebook Messenger, Here Maps, etc if you import a Windows Phone JTAG image. If app is not supported you will be able to open all app files on Applications files tab in Applications section and examine them in HEX or SQLite Viewer.  
 

Page 1 of 3
Page 1, 2, 3  Next