Windows Mobile software

minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Does anyone have any experience with software that decodes artefacts from Windows Phones? Currently looking at a Lumia 520 and UFED/XRY have got basically nothing back. IEF got a couple of items but missed all the 3rd party app stuff, are there any other? Does Oxygen deal with it any better?

 
Posted : 25/11/2015 2:50 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Hi minime

If you can get access to the file system the apps tend to be either ESE databases or SQLite. Obviously my Forensic Toolkit for SQLite can deal with the SQLite side.

But you may not be aware that there is an optional Browser extension for the toolkit that allows you to use the full power of the Browser to investigate the ESE databases.

There is more information on the ESE extension here

http://sandersonforensics.com/forum/content.php?242-ESE-EDB-JetBlue-Database-extension-for-the-Forensic-Browser

I am just about to make an update to the ESE extension (and the standalone EseViewer - more at the above link) that recovers deleted records from the ESE database.

There is more information about the Browser and a link to request a demo (of the Toolkit and ESE extension) at this link.

http://sandersonforensics.com/forum/content.php?198-Forensic-Browser-for-SQLite

Hope this helps

Cheers
Paul

 
Posted : 25/11/2015 4:40 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

RegRipper works just fine with the Registry hive files from Windows phones. Unfortunately, no one who has access to these files has written any plugins for RR, and only one person (a cop) provided me with hive files from such a device.

I wish there was more, but without support from the community… ;-(

 
Posted : 25/11/2015 5:01 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Minime2k9, live data acquisition will give you only very basic data. To access applications, deleted records and SQLite databases you can create a JTAG image from Windows Phone and then import it to Oxygen Forensic products.

 
Posted : 25/11/2015 5:03 pm
(@trewmte)
Posts: 1877
Noble Member
 

In addition to Paul's *comments, have you had a look here, as these scripts relate to Windows Mobile 8.x on the Lumia 520: https://github.com/cheeky4n6monkey/4n6-scripts

* and Oxygen (I hadn't seen that post by the time I posted.)

 
Posted : 25/11/2015 5:05 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Thanks for the replies so far, I think I should have probably posed my question slightly better though.

As Paul mentioned, some of the artefacts are stored in SQLite or ESE database files, but they also use SDF (Microsoft SQL Server Compact) and flat data files for data (KIK messenger is a good example).
Much as I can manually decode these, I was hoping there might be some support for at least a few of the standard artefacts.

We have a JTAG image of the phone already, so this isn't an issue - does Oxygen support decoding of any application data?

It does seem that a lot of the apps store data in a completely different format from the norm - WhatsApp seems to use unencrypted SQLite, KIK uses flat files for each conversation that I'm still working out the format for, and some use this SDF file.

What I'm basically getting is that Windows phones are basically unsupported (in terms of app data decoding) by all the major tools, and that each one will require manual extraction (and possibly decoding) with a few Python scripts for some areas.

 
Posted : 25/11/2015 7:55 pm
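One way to get a first handle on the mix of SQLite, ESE, SDF and flat files described in the post above is to triage the extracted file system by header signature before doing any manual decoding. The script below is an added example for this thread, not code from Oxygen, Sanderson Forensics or any other tool; the SQLite and ESE signatures are the documented on-disk magics, while SDF is matched by file extension only (an assumption, no header check is done), and the sample extraction it builds is constructed stand-in data.

```python
# Signature-based triage of app data files from a Windows Phone extraction
# (added example for this thread, not any forensic tool's own code).
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"                          # offset 0
SQLITE_WAL_MAGIC = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")  # offset 0
ESE_SIGNATURE = b"\xef\xcd\xab\x89"              # 0x89ABCDEF LE at offset 4

def classify_header(header: bytes, name: str = "") -> str:
    """Label a file from its first 16 bytes (name is used only for .sdf)."""
    if header.startswith(SQLITE_MAGIC):
        return "sqlite"
    if header[:4] in SQLITE_WAL_MAGIC:
        return "sqlite-wal"       # WAL may hold records not yet in the .db
    if len(header) >= 8 and header[4:8] == ESE_SIGNATURE:
        return "ese"
    if name.lower().endswith(".sdf"):
        return "sdf"              # assumption: SDF matched by extension only
    return "flat/unknown"         # candidates for manual decoding (e.g. KIK)

def triage_directory(root: str) -> dict:
    """Map each file under root (relative, '/'-separated) to its label."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue          # unreadable entry: skip, do not abort
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = classify_header(header, name)
    return results

def make_sample_extraction() -> str:
    """Write constructed stand-in files (headers only) into a temp dir."""
    root = tempfile.mkdtemp(prefix="wp_triage_")
    os.makedirs(os.path.join(root, "apps"))
    samples = {"apps/msgstore.db": SQLITE_MAGIC + b"\x00" * 84,
               "apps/msgstore.db-wal": b"\x37\x7f\x06\x82" + b"\x00" * 28,
               "apps/mail.edb": b"\x00" * 4 + ESE_SIGNATURE + b"\x00" * 8,
               "apps/contacts.sdf": b"\x00" * 16,
               "apps/chat_0001.dat": b"\x01\x02\x03"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Point `triage_directory` at the root of the mounted or carved JTAG file system; `make_sample_extraction` only exists so the script can be exercised without an image.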
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Minime2k9, Oxygen supports data decoding from most popular apps, like WhatsApp, Viber, Skype, Facebook Messenger, Here Maps, etc., if you import a Windows Phone JTAG image. If an app is not supported, you will be able to open all app files on the Application files tab in the Applications section and examine them in the HEX or SQLite Viewer.

 
Posted : 25/11/2015 8:19 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

That sounds great, I've emailed you for a trial version that you've mentioned was available in another post.

 
Posted : 25/11/2015 9:15 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Hi minime - sent you a PM a couple of hours ago. Outbox says you have seen it, so as you have been online since then I thought I would let you know.

 
Posted : 25/11/2015 9:48 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Sorry Paul, I always seem to miss PMs!
As far as viewers for the SDF databases go, I managed to locate one here:
http://sourceforge.net/projects/compactview/
You will need to install some things from Microsoft to make it work (basically an SDF SDK).

 
Posted : 25/11/2015 9:51 pm