Nokia Lumia 800 [WP7]

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Just for the record (and FYI) ALL Windows Phone OS seemingly uses TexFAT (and NOT exFAT), the point is WHEN (IF) there was a switch from TexFAT 1.x to 2.x, see
http://www.forensicfocus.com/Forums/viewtopic/p=6574964/#6574964
http://www.forensicfocus.com/Forums/viewtopic/t=11393/

jaclaz


(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

FYI, I managed to do some other tests, and apparently Autopsy v3 is ingesting the image and reading the files without any issue, while the Sleuth Kit command line tools aren't working properly on my Linux machine.


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Rampage,

I have a case for my Pro Bono practice for the Domestic Violence court that involves a Nokia Windows phone. My client suspects the Respondent of "knowing things they could not know / should not know". I have had six such cases to date and each time my client was NOT paranoid, but in fact was being spied upon (examples include the Respondent using trackmyiphone, using autoforward of all sent and received emails in Gmail unbeknownst to my client, installing Telenav on my client's phone).

The goal of my client, if I can find evidence of malfeasance on the part of the Respondent, would be a plenary order of protection and also to definitively "clean" her devices of any "infection" so that she can achieve peace of mind that she is no longer being spied upon.

Obviously I would like to collect as much evidence in a forensically sound manner as possible before performing a factory reset on my client's phone (to cleanse it).

I am waiting to hear which specific Nokia model number and Windows version but do not currently know it.

You mentioned that "I managed to extract the partitions from the internal flash of the device.. one is approximately 15GB, which I think is the OS partitions, others are boot and stuff.."

Would you be willing to share what steps and tools you used to "extract the partitions"?

I have Katana Forensic's Lantern, Compelson's Mobiledit Forensic, DEFT, CAINE, and Paladin in my tool chest.

Thank you in advance for any advice.


(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Hi,
depending on the device itself, techniques are different, and in some cases, acquiring a physical dump of the internal flash cannot be done with traditional methods.

In my specific case I was dealing with a Windows Phone 7 device, a Lumia 800, which was broken (wouldn't turn on).

For this specific model there are two ways of extracting the partitions:

1) via JTAG, by directly accessing the eMMC from the test points (you can do it using an ATF Box, for instance)
2) via the Qualcomm bootloader (which allows direct access to the eMMC chip as if it were a storage device).

For the second method you don't need to disassemble the phone, but you need the phone to have the unlocked Qualcomm bootloader installed, which is not the case 90% of the time, as Nokia shipped only a few early releases with that bootloader, quickly replacing it with the proprietary locked DLOAD bootloader.
But there is a workaround: via USB, and with the proper tools (Chimera Tool or ATF Box), you can flash the bootloader on the device and therefore unlock it.

This is obviously an invasive technique, BUT it's known to NOT alter the operating system and most importantly the user data partition. It's similar to a jailbreak, but even less invasive as only the bootloader is replaced and nothing is touched on the system.

In my case I was authorized to use the second method and it worked like a charm. Also consider that the process is reversible, so you can restore it back as it was previously and jailbreak it only for the period needed to acquire the dump.

The dump can be done with anything like dd in Linux or FTK Imager.

Once you have the dump, use TestDisk to find the offset of the exFAT partition, dump it and open it in Autopsy 3, and you are done.

Oh, I almost forgot to mention: my first attempt was to disassemble the phone and use JTAG, but this device is a pain to tear down to the bones, because the NAND chip is shielded with a metal plate which you need to remove to access the soldering test points, and, afaik, the only way to remove it is by cutting it, which obviously results in a phone that is physically tampered.


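Rampage's recipe above is to find the exFAT partition offset in the raw dump with TestDisk and then carve that partition out. As an added example (not from the post or from any of the tools named in it), the Python script below does that scan itself over a dd image: it checks every sector boundary for an exFAT main boot sector, reads the volume length from it, and slices the volume out. It assumes the Windows Phone TexFAT volume keeps the standard exFAT boot sector (OEM name "EXFAT   ", JumpBoot EB 76 90, 55AA trailer); the image it runs on is constructed inline.

```python
import struct

SECTOR = 512  # scan granularity; exFAT boot sectors sit on a sector boundary

def parse_exfat_boot_sector(sector: bytes):
    """(volume_length_in_sectors, bytes_per_sector), or None if not an exFAT main boot sector."""
    if len(sector) < 512 or sector[0:3] != b"\xeb\x76\x90":
        return None  # JumpBoot must be EB 76 90
    if sector[3:11] != b"EXFAT   " or sector[510:512] != b"\x55\xaa":
        return None  # FileSystemName and the 55AA boot signature
    volume_length = struct.unpack_from("<Q", sector, 0x48)[0]  # VolumeLength, in sectors
    bytes_per_sector = 1 << sector[0x6C]  # BytesPerSectorShift is log2 of the sector size
    return volume_length, bytes_per_sector

def find_exfat_volumes(image: bytes):
    """Scan every sector boundary; return [(byte_offset, byte_size), ...].
    After a hit the scan jumps past the whole volume, so the backup boot
    sector (sector 12 of the volume) is not reported as a second volume."""
    hits, off = [], 0
    while off + SECTOR <= len(image):
        parsed = parse_exfat_boot_sector(image[off:off + SECTOR])
        if parsed is None:
            off += SECTOR
            continue
        size = parsed[0] * parsed[1]
        hits.append((off, size))
        off += max(size, SECTOR)
    return hits

def carve(image: bytes, offset: int, size: int) -> bytes:
    """Same as: dd if=dump.dd of=vol.bin bs=512 skip=offset//512 count=size//512"""
    return image[offset:offset + size]

def make_boot_sector(volume_sectors: int) -> bytes:
    """Constructed exFAT boot sector for the demo image (not from a real phone)."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x76\x90"
    bs[3:11] = b"EXFAT   "
    struct.pack_into("<Q", bs, 0x48, volume_sectors)
    bs[0x6C] = 9  # 2**9 = 512 bytes per sector
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

# Constructed dump: 4 sectors of non-exFAT data, a 16-sector exFAT volume, 8 sectors of slack.
DEMO_IMAGE = b"\x00" * (4 * SECTOR) + make_boot_sector(16) + b"\xaa" * (15 * SECTOR) + b"\x00" * (8 * SECTOR)

if __name__ == "__main__":
    for offset, size in find_exfat_volumes(DEMO_IMAGE):
        print(f"exFAT volume at byte {offset} (sector {offset // SECTOR}), {size} bytes")
```

On a real dump, read the file in sector-sized chunks rather than loading it whole, and compare the reported offset with what TestDisk finds before carving.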
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Rampage,

Many thanks for your advice and guidance - success!

I was able to use the ChimeraTool (https://chimeratool.com/) software to flash the Qualcomm bootloader to my client's Nokia Lumia 710.

<EDIT> The next step involved connecting the 710 to my forensic PC in USB external storage mode by holding the up volume key and power key at the same time, connecting the USB cable, and then releasing the power button after the phone vibrated once. The phone comes up as a "Qualcomm CDMA Technologies MSM" drive. <EDIT>

Then, using FTK Imager, I was able to create a DD image of the "Qualcomm CDMA Technologies MSM" physical drive / Lumia 710.

After the DD image verified in FTK, I added the image (using green plus button) and FTK was able to see multiple partitions within the DD image.

I did not need to use TestDisk (http://www.cgsecurity.org/wiki/TestDisk) in order for FTK Imager to be able to see the multiple partitions (9 partitions in total).

I am now running Internet Evidence Finder (IEF) on the DD image and sure enough IEF recognized the DD image as a Windows phone image file and is now extracting a ton of evidence (Internet Browsing history, Windows Phone SMS messages, Outlook Webmail, Facebook Pages).

Interestingly, all of the Windows Phone SMS messages are coming up as Chinese language, which means IEF appears to be misinterpreting the message content (my client does NOT speak Chinese). So, I will attempt to find/carve the SMS files another way. My initial research shows I need to get at a file called "store.vol", an ESE database file located at "\Application Data\Microsoft\Outlook\Stores\DeviceStore\store.vol", as a possible candidate file to hold the SMS messages.

I am going to run Forensic Explorer (www.getdata.com) on the DD image to see what FEX will carve next.

Regards,

Larry


(@dandaman_24)
Estimable Member
Joined: 11 years ago
Posts: 172
 

Larry any update on your findings with decoding ?

I currently have a Microsoft 535 handset to examine, I can do a manual examination, but want to dig a bit deeper into the handset.


(@agolding)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Larry any update on your findings with decoding ?

I currently have a Microsoft 535 handset to examine, I can do a manual examination, but want to dig a bit deeper into the handset.

You'll need to look into reading the eMMC in order to get the data.


(@dandaman_24)
Estimable Member
Joined: 11 years ago
Posts: 172
 

Thanks for your advice Alex.

I was enquiring if Larry was able to parse the data correctly in the end, instead of the Chinese returned values.


UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Apologies for the late response.

The file of interest that I found is called CommsBackup.xml.

CommsBackup.xml appears to be a type of "Volume Shadow Copy" / archive file that Microsoft Windows phones use.

I found two CommsBackup.xml files, with two different creation dates.

The XML file printed out to 32,000 pages, which I ultimately converted to PDF format to use as an exhibit.

The first section of CommsBackup.xml lists account names and email addresses from the phone.

Further down in the file, I began to see text communications, all bracketed by

<Property Name ="0x37001f">Hello this is the text I wrote to you</Property>

<Property Name ="0xc1f001f">+8883331234</Property>

So, I ended up creating a separate numbered Word table exhibit with text message content I cut and pasted from the CommsBackup.xml file, to hit the easy button somewhat on reviewing conversations.

** I did NOT figure out which bracketed data equated to sent/received dates and times for the text messages. There is other repeating bracketed data prior to and following the above text message / phone number content, but I do not know which values are dates and times or how to convert the hexadecimal text to normal dates.

PM me please if you would like some more help. Also if you are LE, please do hesitate to call me and I will provide a webmeeting so I can walk you through rooting, imaging, identification and extracting of the CommsBackup.xml file.

All of my research pointed to content in Store.vol file, but I found nothing of interest in that particular file.

CommsBackup.xml was exactly what I was hoping to find.


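Larry's post identifies two Property names in CommsBackup.xml (0x37001f for the message text, 0xc1f001f for the phone number) and notes he cut and pasted them into a Word table by hand. As an added example (not the poster's code, and not a Microsoft format description), the Python script below walks the Property elements in document order, groups them into one record per message, and writes a numbered CSV exhibit; it keeps the properties it does not recognise beside each message so the undecoded timestamp fields can be worked out later. The sample XML is constructed: the wrapper element and the "0xfeedface" property name are placeholders, since the file's real layout around each message is not given in the thread.

```python
import csv
import io
import xml.etree.ElementTree as ET

BODY_TAG = "0x37001f"      # property the post identifies as the message text
ADDRESS_TAG = "0xc1f001f"  # property the post identifies as the phone number

# Constructed sample: the real file's structure around each message is not known
# to us, so <Message> is a made-up wrapper and "0xfeedface" a placeholder name.
SAMPLE_XML = """<CommsBackup>
  <Message>
    <Property Name ="0x37001f">Hello this is the text I wrote to you</Property>
    <Property Name ="0xc1f001f">+8883331234</Property>
    <Property Name ="0xfeedface">01C0FFEE</Property>
  </Message>
  <Message>
    <Property Name ="0xc1f001f">+8883335678</Property>
    <Property Name ="0x37001f">Running late, see you at 7</Property>
    <Property Name ="0xfeedface">01C0FFEF</Property>
  </Message>
</CommsBackup>
"""

def extract_messages(xml_text: str):
    """Group <Property> elements into records in document order; a record ends
    when a property name repeats, so no wrapper element is assumed. Unknown
    properties stay with the message so the timestamp fields can be identified."""
    records, current = [], {}
    for prop in ET.fromstring(xml_text).iter("Property"):
        name = (prop.get("Name") or "").strip().lower()
        if name in current:  # same name again: the next message starts here
            records.append(current)
            current = {}
        current[name] = (prop.text or "").strip()
    if current:
        records.append(current)
    return [{"number": r.get(ADDRESS_TAG), "text": r.get(BODY_TAG),
             "undecoded": {k: v for k, v in r.items() if k not in (BODY_TAG, ADDRESS_TAG)}}
            for r in records if BODY_TAG in r or ADDRESS_TAG in r]

def to_csv(messages) -> str:
    """One numbered row per message, a substitute for the cut-and-paste Word table."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["no", "number", "text", "undecoded_properties"])
    for i, m in enumerate(messages, 1):
        extra = "; ".join(f"{k}={v}" for k, v in sorted(m["undecoded"].items()))
        writer.writerow([i, m["number"], m["text"], extra])
    return buf.getvalue()
```

Run it as `to_csv(extract_messages(open("CommsBackup.xml").read()))` against a working copy of the file; hash the copy first so the exhibit can be tied back to the image.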
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Hi UA

What did you use to look through the ESE file store.vol?

Paul

