SMS from Nokia Lumia 920

6 Posts
4 Users
0 Likes
385 Views
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I've just taken a physical dump of a Nokia Lumia 920 with UFED and after loading it up in PA it only shows me recovered deleted SMS, none of the existing SMS have been recovered.

Seems odd to me, but I know Windows phones are problematic.

Anyone had any luck with this model of phone or have an explanation as to why only deleted messages are recovered?

Edit: I see from some other posts that the file I need is store.vol. I've found this file and now am searching for something that can make sense of it. There was mention of a database viewer from OS forensics in one thread but not the name of the software…

 
Posted : 18/10/2016 6:30 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I was in a bit of a time crunch here so I just pointed IEF at the bin image and this decoded all the SMS from the store.vol file.

I could then export out an excel workbook to work with further.

Given that this file is a known file and it can obviously be decoded I'm assuming I could achieve this with UFED PA as well but perhaps I didn't tick the right box?

Any idea on that one?

 
Posted : 18/10/2016 9:13 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Windows phones are not supported well at all in UFED/XRY.
IEF actually seems to provide the best results, especially if you can get a JTAG/ISP physical from the phone.
Oxygen does a slightly better job than UFED/XRY in Windows phones but nothing does particularly well.
However importing a physical image into X-Ways can provide excellent results, though more manual work.

 
Posted : 18/10/2016 11:44 am
(@arcaine2)
Posts: 235
Estimable Member
 

@Adam10541, there is a feature called ESEDB Viewer in OSForensics. store.vol is just an ESEDB file and can be read with that. You can also use esedatabaseview from nirsoft to view and export data from this file. Just ignore the different file extension.
There's a "message" table inside with the stuff you're looking for but it requires some manual handling to make something useful out of it.

 
Posted : 19/10/2016 12:13 am
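
Added example (not part of the original posts): a header check that confirms a file such as store.vol is an ESE database regardless of its extension, and reports its page size and shutdown state before it is opened in a viewer. Field offsets follow the publicly documented ESE header layout; the helper names and the sample header bytes are constructed for illustration.

```python
import struct
import sys

ESE_SIGNATURE = 0x89ABCDEF          # stored little-endian: EF CD AB 89 at offset 4
FILE_TYPES = {0: "database", 1: "streaming file"}
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}
HEADER_MIN = 240                    # bytes needed to reach the page-size field


def parse_ese_header(data):
    """Return key header fields, or None if the bytes are not an ESE header."""
    if len(data) < HEADER_MIN:
        return None
    signature, version, file_type = struct.unpack_from("<III", data, 4)
    if signature != ESE_SIGNATURE:
        return None
    (state,) = struct.unpack_from("<I", data, 52)
    revision, page_size = struct.unpack_from("<II", data, 232)
    return {
        "format": f"0x{version:x}.{revision:x}",
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "state": DB_STATES.get(state, f"unknown ({state})"),
        "page_size": page_size,
    }


def triage(path):
    """Read only the header of a file on disk (work on a copy of the evidence)."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_MIN))


def constructed_header(state=2, page_size=8192):
    """Build a sample header for testing; values are constructed, not from a phone."""
    buf = bytearray(HEADER_MIN)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<II", buf, 232, 0x11, page_size)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage(sys.argv[1]))          # path to an exported copy of store.vol
    else:
        print(parse_ese_header(constructed_header()))
```

A "dirty shutdown" state means the database was not cleanly closed at the time the image was taken.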
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I did have a look at it with both nirsoft and OSF and found the message table, but you are right a bit of manual work required to make it workable.

Under normal circumstances that might have been fun to figure out but I was on a very tight timeline for my client (couple of hours) so I needed an automated option and IEF came to the rescue.

 
Posted : 20/10/2016 6:54 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Sorry I am a bit late in replying

I have a free ese/edb viewer available from my site

http://sandersonforensics.com/forum/content.php?263-EseViewer

The Forensic Browser for SQLite also has a (paid) extension that allows you to process an ESE database and then use the Browser to create custom reports on the ESE database.

http://sandersonforensics.com/forum/content.php?242-ESE-EDB-JetBlue-Database-extension-for-the-Forensic-Browser

Cheers
Paul

 
Posted : 22/10/2016 1:56 am