I've just taken a physical dump of a Nokia Lumia 920 with UFED and after loading it up in PA it only shows me recovered deleted SMS, none of the existing SMS have been recovered.
Seems odd to me, but I know Windows phones are problematic.
Anyone had any luck with this model of phone or have an explanation as to why only deleted messages are recovered?
Edit: I see from some other posts that the file I need is store.vol. I've found this file and am now searching for something that can make sense of it. There was mention of a database viewer from OSForensics in one thread but not the name of the software…
I was in a bit of a time crunch here so I just pointed IEF at the bin image and this decoded all the SMS from the store.vol file.
I could then export out an excel workbook to work with further.
Given that this file is a known file and it can obviously be decoded I'm assuming I could achieve this with UFED PA as well but perhaps I didn't tick the right box?
Any idea on that one?
Windows phones are not supported well at all in UFED/XRY.
IEF actually seems to provide the best results, especially if you can get a JTAG/ISP physical from the phone.
Oxygen does a slightly better job than UFED/XRY in Windows phones but nothing does particularly well.
However importing a physical image into X-Ways can provide excellent results, though more manual work.
@Adam10541, there is a feature called ESEDB Viewer in OSForensics. store.vol is just an ESEDB file and can be read with that. You can also use ESEDatabaseView from NirSoft to view and export data from this file. Just ignore the different file extension.
There's a "message" table inside with the stuff you're looking for, but it requires some manual handling to make something useful out of it.
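Added example, not from any poster in this thread: a small check that a file such as store.vol is an ESE database regardless of its extension, by reading the header signature and a few header fields. The field offsets follow the publicly documented ESE header layout (libesedb format notes); the function names and the sample header are constructed for illustration.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF  # 4 bytes at offset 4, little-endian on disk
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}


def parse_ese_header(data):
    """Return ESE header fields as a dict, or None if the signature is absent."""
    if len(data) < 240:
        return None
    _checksum, signature, version, file_type = struct.unpack_from("<4I", data, 0)
    if signature != ESE_SIGNATURE:
        return None
    (state,) = struct.unpack_from("<I", data, 52)
    revision, page_size = struct.unpack_from("<2I", data, 232)
    return {
        "format_version": hex(version),
        "format_revision": hex(revision),
        "file_type": "database" if file_type == 0 else "streaming",
        "state": DB_STATES.get(state, "unknown (%d)" % state),
        "page_size": page_size,
    }


def find_ese_headers(image, align=512):
    """Sector-aligned offsets in a raw image where an ESE header appears to start.
    Hits are candidates only and still need to be opened in an ESE viewer."""
    hits = []
    for off in range(0, len(image) - 240 + 1, align):
        if parse_ese_header(image[off:off + 240]) is not None:
            hits.append(off)
    return hits


def constructed_header(state=2, page_size=8192):
    """Constructed sample header for the demo; not taken from a real device."""
    hdr = bytearray(page_size)
    struct.pack_into("<4I", hdr, 0, 0, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", hdr, 52, state)
    struct.pack_into("<2I", hdr, 232, 0x11, page_size)
    return bytes(hdr)


if __name__ == "__main__":
    sample = constructed_header()
    print(parse_ese_header(sample))
    print(find_ese_headers(b"\x00" * 1024 + sample))
```

For a real file, pass the first 240 bytes of store.vol to `parse_ese_header`; the reported state shows whether the database was closed cleanly when the image was taken.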
I did have a look at it with both NirSoft and OSF and found the message table, but you are right, a bit of manual work is required to make it workable.
Under normal circumstances that might have been fun to figure out but I was on a very tight timeline for my client (couple of hours) so I needed an automated option and IEF came to the rescue.
Sorry, I am a bit late in replying.
I have a free ESE/EDB viewer available from my site
http//
The Forensic Browser for SQLite also has a (paid) extension that allows you to process an ESE database and then use the Browser to create custom reports on the ESE database.
http//
Cheers
Paul