Dear all,

I was wondering if everyone could participate in this topic, where all the important (logs,databases etc..) of most mobile devices will be mentioned. For example identifying the important databases and logs that a forensic investigator should look at while investiagting.

For instance, On Nokia Series 40 ( logs are only stored for 30 days, therefor it is recommended you perform your analysis instantly after a crime occurs.

A Database that is important in a Nokia while investigating is the (Ms_del.dat) database that include chunks of the deleted messages and so on, how do you read that database?

Databases that are important in Android, sms_db and mmssms_db , those two files include good information of the messages deletes, and so does logs.db .

For iPHone, sms.db (includes some deleted messages)

RIM ???

Please share your knowledge, TIPS while performing mobile forensics.

Is there a way an investigator can know if a mobile has recently been formatted?
Logs that indicated the first date of usage, and last date of usage?  

There are plenty of topics covering all of the above. I think it would be unfair to expect everyone to make a central repository of such information when it is all available on the forum if you search for specific criteria.

I highly recommend you have a dig through some old posts and take notes, then as specific jobs come up, post a question and if we know the answer we will help in turn  

Have you looked at Forensics Wiki? Maybe you can contribute/update their pages...  

It may make sense to double check each of your findings already also. I mention that as you have said that Series 40 Nokia's only keep logs for 30 days. The 6230 is a Series 40 handset and it keeps it logs until the end of time, there is no expiration time. A lot of newer Series 40's behave the same, in fact I don't think I've ever seen a series 40 where data expires.

Symbian devices on the other hand only keep logs for a maximum of 30 days. But you can of course subvert that process if you know what you are doing.

I am intrigued by the suggestion of deleted messages in MS_Del.dat too and wonder if you have any further information. I know a number of people who have researched that file and found that it contains status (delivery) reports only including sent and delivered dates/times with numbers etc..

Thanks
_________________
Colin Mortimer
FishNet Security 

- CopyRight

Databases that are important in Android, sms_db and mmssms_db , those two files include good information of the messages deletes, and so does logs.db .

For iPHone, sms.db (includes some deleted messages)

Make sure when you are looking at these db files that you looking at all of the files located in the folder they originate from. I'd point you in the direction of this blog and specifically this article;

digitalinvestigation.w...ahead-log/

Worth a read.  

Great Stuff,

So How is it possible to read a ms_del.dat file?
And a whatever.bak (blackberry backup files)..?  

You may find ms_del.dat contains DELivery reports not deleted data.

We have a python script that parses them (I didn't write it so can't take credit/don't know what it's looking at), though there is a difference that I can't remember off the top of my head between earlier series 40s and the later series 40 3rd editions.