I am new to mobile forensics and was wondering if BitPim, or any commercial product, can undelete pictures or text messages from a Windows Mobile image file? Any help would be great, thanks.
Cadogan27,
I think you may want to consider ways to recover the data from this image file you have but I put it to you that 'un-deleting' is not necessarily going to be the correct avenue to take if you are performing a forensic examination and I am sure that most users on this forum would agree.
There are various ways to recover deleted data from image files. For the purposes of recovering pictures from the image you could use a very simple command line tool called Scalpel to name but one. I have never had to recover deleted SMS from a Windows Mobile device and so have no first-hand knowledge of a particular tool. Do you know how the messages are stored in the image? Knowing this may allow myself or others to better advise you.
Regards,
Colin
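Header/footer carving of the kind Scalpel performs on a raw image, as an added example that is not part of the original thread or of Scalpel's own code. The function names, the size limit and the sample bytes are assumptions made for illustration.

```python
import os

JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker plus the first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker
MAX_SIZE = 10 * 1024 * 1024     # assumed upper bound for one carved file

def carve_jpegs(data, max_size=MAX_SIZE):
    """Return (offset, bytes) for every header..footer span found in data."""
    hits = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        # Only accept a footer that falls within max_size of the header.
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1          # header with no usable footer: skip it
            continue
        end += len(JPEG_FOOTER)
        # Note: the first EOI wins, so a JPEG with an embedded thumbnail
        # may be cut short at the thumbnail's own end marker.
        hits.append((start, data[start:end]))
        pos = end
    return hits

def carve_image_file(image_path, out_dir):
    """Read a dd image read-only and write each hit, named by its byte offset."""
    with open(image_path, "rb") as fh:
        data = fh.read()             # fine for small dumps; use mmap for large ones
    os.makedirs(out_dir, exist_ok=True)
    names = []
    for offset, blob in carve_jpegs(data):
        name = "carved_%010d.jpg" % offset
        with open(os.path.join(out_dir, name), "wb") as out:
            out.write(blob)
        names.append(name)
    return names

def build_sample_image():
    """Constructed test data: filler, two fake JPEG bodies, one truncated header."""
    pic1 = JPEG_HEADER + b"\xe0" + b"A" * 20 + JPEG_FOOTER
    pic2 = JPEG_HEADER + b"\xe1" + b"B" * 30 + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"C" * 8      # no footer follows
    return b"\x00" * 512 + pic1 + b"\x11" * 100 + pic2 + b"\x00" * 64 + truncated
```

Naming each output by its offset keeps every carved file traceable to its position in the original image, which matters when the result has to be explained later.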
Cadogan27
Have you looked at what XACT can do? I can not access their summary sheet but believe they at least support some deleted information extraction for Windows mobiles.
If you have a raw PM file and wish to investigate this ensuring you extract 'all' of the information available and clearly determine where the SMS messages originally resided (e.g. are they draft or sent?) then my thoughts are you need to experiment with a test handset to determine how the telephone stores its messages. You can then use this to interpret your dump data.
It's quite a time consuming process but my experience is that mobile software may not interpret things correctly (particularly the type of message) or extract all of the information available. Hence, if it is an important factor in a legal case then my view is that it may need bespoke research and investigation. If it is just to find out if the matter may be worth pursuing then using a tool may be the best way for you to proceed.
Kind regards
I was reading that the SMS texts aren't actually stored on the phone when deleted so there is no chance of recovery. That's fine, just something curious on seeing if it would. I'll check out those other tools. Thanks.
Yes there is support for physical dumping and decoding of Windows Mobile Devices in XACT (now called XRY Physical) but it is limited so it may not be the magic bullet you seek.
Dumping is done via the FAL (Flash Abstraction Layer) of Windows Mobile. This means that the flash memory is not accessed directly but via the hardware abstraction layer of Windows Mobile. This means that the data retrieved from the memory chip is run via the filtering layer of FAL resulting in unallocated sectors and spare area being inaccessible.
However certain deleted data may be available in the dump within database files as well as certain files which are normally inaccessible. There is partial support for SMS, MMS and Email but the notes in our help files state that
SMS/MMS status can not be trusted.
MMS & Email only subject of the MMS is displayed.
Hope that helps…
I found a program that gives me access to the phone's internal memory (wm5torage). I hooked up my phone to my Ubuntu machine and made a couple of dd images from it. So I should look into getting XRY Physical? I am guessing SMS/MMS is kind of a lost cause. Is there a trial version of XRY available? Thanks.
Cellebrite UFED Physical supports more than 600 different models with Physical dump including Windows Mobile devices.
It can decode deleted SMS and deleted emails from Windows Mobile dumps.
I was reading a little bit more about it and found out that "cemail.vol" is where the SMS messages are stored. That Cellebrite is nice, but out of my price range. I have been trying to find a way to extract and view that .vol file. Thanks.
UFED and UFED Physical are not more expensive than other solutions; check this and you will find that it is even less and does more.
I mean compared to any free Windows/Linux software out now that is capable of doing that.