Nokia PC Suite dat/db etc files


Rich2005
Senior Member
 

Nokia PC Suite dat/db etc files

Post Posted: Dec 14, 09 18:14

Has anyone dealt with the PC Suite files left in a user's Application Data folder before? (within the relevant IMEI-named folders)
I have various files of note; most of the .dat files are reasonably readable, and the .db is browsable using an SQLite browser. However, for some reason the message portion viewable as text within the .db doesn't appear to be viewable from any of the fields in the SQLite browser.
Are there any good viewers or parsers for these files? (the .db's particularly)
Cheers,
Rich  
 
  

ahoog
Member
 

Re: Nokia PC Suite dat/db etc files

Post Posted: Dec 14, 09 20:29

If you can see the text of the messages in the sqlite db (i.e. using strings) but not in SQLite browser (or other such tools), then the records are likely deleted. We use hex editors (xxd) and some custom programs which "carve" out the data structures from the db and recover more than just the text portions. If you'd like me to look at it, just send me a PM or email via my website...
_________________
Andrew Hoog
viaForensics
viaforensics.com/ 
 
  

Rich2005
Senior Member
 

Re: Nokia PC Suite dat/db etc files

Post Posted: Dec 14, 09 20:55

Heh, I can view the raw hex and manipulate/export that as necessary. I'm just after something which can properly interpret the file. Whether that be a parser (ideally), or the format/structure of the file if not (even if that just confirms it's definitely deleted records, rather than a format that isn't purely viewable using an SQLite browser).
(Don't really have the time to spend days working this out as it's just one of many items of info.)
As always this is a live case so can't send anything ;)
 
  

ahoog
Member
 

Re: Nokia PC Suite dat/db etc files

Post Posted: Dec 14, 09 22:31

Understood, you are already using programs that properly interpret SQLite (i.e. SQLite Browser, sqlite, some perl libraries, etc.).

If the records are deleted (added to SQLite's internal "free-list"), I am not aware of any public programs to parse. Hex editor is a good route... after doing it many times, we just wrote some custom apps to automate the process. Good luck with the case.
_________________
Andrew Hoog
viaForensics
viaforensics.com/ 
 
  

Rich2005
Senior Member
 

Re: Nokia PC Suite dat/db etc files

Post Posted: Dec 14, 09 23:16

Thinking out loud, is it possible to modify a bit or flag in a hex editor to change these records that are now in the free-list back to live records, with a view to looking at them in an SQLite browser afterwards?
Edit: Hmm, and looking at them more, it definitely appears that all of the other info relating to the message is present in the SQLite browser (i.e. sender, date, time etc.), with the exception of the message blob, which seems to only contain 1 char, so I'm still wondering whether they are in fact just not viewing correctly, as opposed to deleted.
Edit2: Appears like it's browsing oddly for some reason; looking further, the sms_data blob value just appears to be displaying the first character of the blob for some reason. Why, I haven't worked out yet :P
Edit3: I'm wondering if that's because the blob is in Unicode, and that the standard SQLite browser(s) can't handle Unicode blobs?
 
  

Rich2005
Senior Member
 

Re: Nokia PC Suite dat/db etc files

Post Posted: Dec 15, 09 16:08

Appears it's definitely related to the Unicode stuff; it's hitting the hex 00 and terminating the field/display of the field there. If I modify the field in a hex editor to ASCII I can now see the messages displayed correctly.
(Although there do appear to be a few deleted records also.)
Still could do with a proper viewer for these, rather than manually editing the message entry to non-Unicode to display.
Guess I need to brush up on SQLite, to work out a query to output all the table info including the Unicode blob data.
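
The display problem described in the last post (a viewer stopping at the first hex 00 of a Unicode blob), and one way to output every row with the blob decoded, as an added example that is not part of the original thread. The table name `sms`, the columns other than `sms_data`, the UTF-16LE encoding and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def c_string_view(raw):
    """What a viewer that stops at the first 0x00 byte would display."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def decode_blob(raw, encoding="utf-16-le"):
    """Decode a message blob; UTF-16LE is an assumption, a BOM overrides it."""
    if raw is None:
        return None
    raw = bytes(raw)
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode(encoding, errors="replace")

def dump_messages(conn, table="sms", blob_col="sms_data"):
    """Return every row as a dict, with the blob column decoded to text."""
    # CAST ... AS BLOB hands back the raw bytes of a TEXT or BLOB value,
    # so nothing is cut at an embedded 0x00.
    cur = conn.execute(
        f'SELECT *, CAST("{blob_col}" AS BLOB) AS _raw FROM "{table}"')
    names = [d[0] for d in cur.description]
    rows = []
    for row in cur:
        rec = dict(zip(names, row))
        raw = rec.pop("_raw")
        rec[blob_col + "_truncated_view"] = c_string_view(raw or b"")
        rec[blob_col] = decode_blob(raw)
        rows.append(rec)
    return rows

def build_sample_db():
    """Constructed sample data; the schema is hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, "
                 "sent TEXT, sms_data BLOB)")
    samples = [(1, "+440000000001", "2009-12-14 18:14", "Running late"),
               (2, "+440000000002", "2009-12-15 16:08", "Café at 8?")]
    for mid, sender, sent, text in samples:
        conn.execute("INSERT INTO sms VALUES (?, ?, ?, ?)",
                     (mid, sender, sent, text.encode("utf-16-le")))
    return conn

if __name__ == "__main__":
    for rec in dump_messages(build_sample_db()):
        print(rec)
```

For a real database, work on a copy and open it read-only with `sqlite3.connect("file:copy.db?mode=ro", uri=True)` (`copy.db` is a placeholder name). Rows on the free-list are not returned by any query and still need carving from the raw pages.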
 
