neddy and Andy,
I'm trying to get some information for you, on either file, and right now I'm up against "why do you want to know?"
So, what is the forensic significance of these files?
Harlan
Thx Harlan, the main reason for examining the Windows media player database file would be to establish if the software has indeed been used to view video files that are of an illegal nature. The database wmdb may contain evidence of this activity (i.e. previously played video/movie files)?
Andy
> The database wmdb may contain evidence of this activity
Okay, I'll have to say that I'm not familiar with this, and so far, neither are the folks at MS I'm talking to…
When looking at the file in a hex editor, I see strings in the file that look like headers or table names or something. So my question to you is, how do items get added to this file?
Also, what leads you to believe that this file contains the evidence you're looking for?
I know that when I add files to a data CD (or even a music CD), for example, I have to create a list of files. After I've created the CD, the software asks me if I want to save this list of files for later use, and I usually say no. When I'm done, there's no "play list" left behind.
Have you tried looking at the MRULists associated with this application, in the Registry?
Harlan
It’s been a while since we first made these postings. The wmdb file relates to the media ‘library’ in Windows Media Player.
File extension search describes this file as “the media catalog the Windows Media Player creates when you ask it to search your disk for media”.
The last written attribute updates whenever a new file is played. On my machine I found entries in the wmdb file relating to files recently played and updated in my library. For example “C:\Documents and Settings\Andy\My Documents\My Music\Green Day\01-American Idiot.mp3”.
You have been lucky getting any help/info from MS, well done. It would be really good if you could write a script to parse any relevant data.
I actually found more compelling evidence in the registry key-
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentFileList
You can find these displayed in the WMP software if you click ‘file’ and you will see a list of some of the previous files played (first in the list = last file played). WMP keeps a list of the last several (9 actually) files played.
Andy
> I actually found more compelling evidence in the registry key-
Yes, that's what I was talking about when I mentioned MRULists for this app.
Still no luck with the file format…I guess that just hasn't been asked all that often or much.
Harlan
Hi there. I'm new here and fairly new to the forensics field (computer forensics), just thought I'd throw in 2 cents or so on this.
0_12.db is for windows media player 7 and 8
59r.wmdb is for windows media player 9
219.wmdb is for windows media player 10
346.wmdb is for windows media player 11
wmdb files appear to act more than a library, but also as a history file, recording everything media player has played since it was last created. I was playing around with it a little bit to see how it worked, and it looks like it updates as you actively fastforward/rewind/switch tracks, or as it automatically changes to the next song/video/whatever.
I would definitely like to see a way to access the data in there, as the file is fairly well hidden in the background for your typical user. I was however able to completely block the "recently played" list, so my recentfilelist registry key is empty and stays empty.
some interesting info straight from Microsoft's KB articles
http//
specific interest would be their "cause" section
CAUSE
This behavior occurs because the Windows Media Player library is not dynamic and does not refresh the links that are added to its database.
Since it is not dynamic I can assume that records are unchanged, unless the user re-created the file. This is good from an investigator's point of view, so long as the user does not know of the file's existence and it is intact.
I made a copy of my wmdb and changed the extension to .txt which allowed me to view the data. It looks a lot like a table. There are sections like <trackname> <trackrequestid> <explicitlyrics> etc. I don't have any video files handy to see if it tacks any other fields on there.
some other interesting info buried in there is file paths.. so you could search for evidence of a thumb drive or external hard drive like Z:\*.*
web addresses, not sure where these come from, but there are tons of them embedded in mine, and i don't stream audio.
an "other.acquisitiontime" field
I'm sure there's more, I'll keep looking through it and see what I can find
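An added example, not part of any post above and not a parser for the wmdb format, which the thread leaves undetermined: a string carver that pulls drive-letter paths out of a binary file and groups them by drive, the kind of search for external-drive paths described in the last post. It assumes the paths are stored as plain ASCII or UTF-16LE strings; the function names are hypothetical and the sample bytes are constructed, reusing the one path quoted in the thread.

```python
import re

# Characters that cannot appear in a Windows path, plus control and high bytes.
_BAD = rb'\x00-\x1f\x7f-\xff"<>|?*:'
# Drive letter, colon, backslash, then 3..259 path characters.
ASCII_PATH = re.compile(rb'[A-Za-z]:\\[^' + _BAD + rb']{3,259}')
# Same shape with each character followed by a NUL byte (UTF-16LE, ASCII range
# only, so a path is cut at the first non-ASCII character).
UTF16_PATH = re.compile(
    rb'[A-Za-z]\x00:\x00\\\x00(?:[^' + _BAD + rb']\x00){3,259}')


def carve_paths(blob):
    """Return the sorted, de-duplicated paths found in a bytes object."""
    found = set()
    for m in UTF16_PATH.finditer(blob):
        found.add(m.group().decode("utf-16-le"))
    for m in ASCII_PATH.finditer(blob):
        found.add(m.group().decode("ascii"))
    return sorted(found)


def by_drive(paths):
    """Group paths by upper-cased drive letter, e.g. {'C': [...], 'Z': [...]}."""
    drives = {}
    for p in paths:
        drives.setdefault(p[0].upper(), []).append(p)
    return drives


# Constructed sample: not taken from a real wmdb file.
PAGE_PATH = ("C:\\Documents and Settings\\Andy\\My Documents\\My Music"
             "\\Green Day\\01-American Idiot.mp3")
SAMPLE = (
    b"\x00\x01<trackname>\x00"
    + PAGE_PATH.encode("utf-16-le") + b"\x00\x00"   # UTF-16LE record
    + b"\xff\xfeZ:\\clips\\holiday.avi\x00"           # ASCII record, other drive
    + PAGE_PATH.encode("utf-16-le") + b"\x00\x00"   # repeated entry
)

if __name__ == "__main__":
    # To run against a working copy of evidence, read it with
    # open(path, "rb").read() and pass the bytes to carve_paths().
    for drive, items in sorted(by_drive(carve_paths(SAMPLE)).items()):
        print(drive, len(items), items)
```

Run it against a working copy of the file, never the original evidence, and treat hits as leads to corroborate with the RecentFileList key and file system timestamps.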