Hello,
I used the RIFF box to obtain a .bin file from a WP7 Nokia Lumia 610, and partition 11 (6944MB in size) has no file format, therefore OS Forensics, EnCase or FTK will not map this partition.
I welcome any suggestions if there is another way to obtain the text message (store.vol) and phone containers?
NSB
X-Ways and Cellebrite Analyzer both support the binary dump you have and will parse the file system.
I used Cellebrite but no chain was applied. I tried WP8 chains but nothing. As I was short on time, I gave up so I will have another look at it in the week.
I'm puzzled as to why the partition could not be identified as I believe that is what the problem is. I thought of using WIN HEX on a working copy of the .bin file and name partition 11 to FAT 16, FAT X etc.
I used X-Ways too, to find and parse the exFAT partition. I don't think PA decodes any of the files from Windows Phone 7; I haven't tried recently. The databases are not the same as WP8.
JFYI, there is a related thread about a "phantom" version of ExFat/TexFat, here
http://www.forensicfocus.com/Forums/viewtopic/t=11393
And it seems like X-Ways (WinHex) is the only tool around correctly interpreting it.
Check if in the meantime The Sleuthkit available build has included it
http://www.forensicfocus.com/Forums/viewtopic/p=6571446/#6571446
If - by any chance - you have the possibility to create (on that device or on another one) a "new" image with that filesystem (without of course customer/case data) and provide it to Cybergonzo, it would be appreciated
http://www.forensicfocus.com/Forums/viewtopic/p=6572995/#6572995
as well as exact information on the OS version running on that phone
http://www.forensicfocus.com/Forums/viewtopic/p=6571453/#6571453
jaclaz
We have done a few JTAG examinations with Nokia Lumia. We contacted Cellebrite and uploaded our bin file and they gave us a UFDR package to open in UFED. However, I think the next physical analyzer release is well supported.
By any chance did you have to solder a 16 pin molex to the board or were you lucky to have one already there for you?
None of the 610s we've seen have had a connector attached to the board.
Cellebrite have released UFED Physical Analyzer 4.0, which states …
'JTAG decoding enhancement
Windows Phone 8 – Decoding of contacts, call logs and SMS from physical extraction performed using JTAG'
I did a JTAG on a Nokia Lumia 610 yesterday so I will let you know the results as soon as I get the latest version of PA.
Hi
I JTAG'd a Nokia Lumia 520 (Win 8) and ran into similar problems. I fired the BIN file into Recover My Files and selected recover drive. Recover My Files mapped all partitions and I was able to get at the stor.vol etc. with relative ease.
I tried loading the bin file into the latest version of Cellebrite, but it did not parse the store.vol; it just parsed 4 partitions.
There is a useful article here about Win 8 forensics
http://cheeky4n6monkey.blogspot.co.uk/2014/06/monkeying-around-with-windows-phone-80.html
Jim
Yeah, I also tried opening a 'bin' file of a Nokia Lumia 610 with the latest Cellebrite PA and had no luck either; I'm struggling to get hold of this store.vol file.
I have also popped it into X-Ways Forensics but I'm about two versions behind (15.9); has anyone had any success with this version? If I do a search for 'IPM.SMStext' I can see the messages in hex view, so I'm wondering whether I need to upgrade X-Ways.
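Added example, not written by any poster in this thread and not taken from any of the tools named: a Python script for the manual route the thread describes, locating a candidate exFAT volume in a raw .bin dump and listing the offsets of the 'IPM.SMStext' marker. It assumes the volume carries the standard exFAT boot sector layout (the variant linked earlier in the thread may not) and that the marker is stored as ASCII or UTF-16LE; the function names and the sample image are constructed for illustration.

```python
import mmap
import struct

SECTOR = 512                # alignment step used when validating candidates
EXFAT_NAME = b"EXFAT   "    # FileSystemName field at bytes 3..10 of the boot sector
MARKER = "IPM.SMStext"      # string searched for in hex view in the post above

def find_exfat_boot_sectors(data, sector=SECTOR):
    """Return geometry of each sector-aligned exFAT boot sector candidate."""
    hits, pos = [], data.find(EXFAT_NAME)
    while pos != -1:
        off = pos - 3
        if off >= 0 and off % sector == 0 and off + 512 <= len(data):
            bs = data[off:off + 512]
            bps, spc = bs[108], bs[109]          # sector / cluster size shifts
            # Spec limits: 512..4096-byte sectors, clusters up to 32 MiB.
            if bs[510:512] == b"\x55\xaa" and 9 <= bps <= 12 and bps + spc <= 25:
                vol_sectors, = struct.unpack_from("<Q", bs, 72)
                hits.append({"offset": off, "bytes_per_sector": 1 << bps,
                             "cluster_size": 1 << (bps + spc),
                             "volume_bytes": vol_sectors << bps})
        pos = data.find(EXFAT_NAME, pos + 1)
    return hits   # a real volume also matches at its backup boot sector (+12 sectors)

def find_marker(data, text=MARKER):
    """Return sorted (offset, encoding) hits; both encodings are assumptions."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = text.encode(enc)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def scan_image(path):
    """Scan a working copy of a dump read-only, without loading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return find_exfat_boot_sectors(m), find_marker(m)

def sample_image():
    """Constructed 32 KiB image: boot sector at sector 8, one UTF-16LE marker."""
    bs = bytearray(512)
    bs[0:3], bs[3:11], bs[510:512] = b"\xeb\x76\x90", EXFAT_NAME, b"\x55\xaa"
    struct.pack_into("<Q", bs, 72, 48)           # VolumeLength: 48 sectors
    bs[108], bs[109] = 9, 3                      # 512-byte sectors, 4 KiB clusters
    img = bytearray(64 * 512)
    img[8 * 512:9 * 512] = bs
    img[20000:20022] = MARKER.encode("utf-16-le")
    return bytes(img)
```

Calling `scan_image()` on a working copy of the dump returns the boot sector candidates and the marker offsets; a marker offset that falls inside a candidate's `offset` to `offset + volume_bytes` range indicates which volume holds the message store.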