So, as an update:
Got my trial of Oxygen and ran it against the JTAG image.
Decoded contacts, SMS messages, Internet Explorer history and emails. So managed to do more than UFED/XRY had.
On the flip side of that, it didn't decode the chat messages from the KIK or NIMBUZZ apps (no surprise on the last one, first I've heard of it!), but it did do WhatsApp (again the only one to decode it).
That said it did a much better job of identifying installed applications and showing me all files relating to that app.
Either way, looks like a lot of manual decoding for me!
Hi Minime
Nimbuzz on Windows is an SQLite DB, so you may find it is the same on Windows Phone. It has a number of tables with some good info and you would probably be better off looking at it outside of a generic app that just summarises what it thinks is important.
Kik is also SQLite on Windows and again has lots of useful info that most tools just summarise for you. But I have heard somewhere that Kik on Windows uses sdf.
A fully functional trial is available for my Forensic Toolkit for SQLite if it helps.
Paul
Paul,
Yeah, I've got the Nimbuzz app as an SDF database; the KIK app on Windows Phones stores the files as a flat .bf2 file. As far as I can tell it's a simple binary file and there is one for each conversation.
Some apps which were SQLite on other platforms aren't on Windows, and vice versa!
KIK app on Windows Phones stores the files as a flat .bf2 file. As far as I can tell it's a simple binary file and there is one for each conversation.
We have also run into the '.bf2' files for Kik. I can confirm one for each chat, one for contacts and one for the conversations list overview. We resorted to carving the strings of relevant chats for this one and locating the chat attachments via ID references. I'd be interested in seeing what method(s) you use to decode the chats, as Kik seems to be the app of choice on WP for southerners! P.S. Cheers for the feedback on Oxygen's ability when it comes to WP.
Flash the Phone with the ATF and you have the full dump. With this you can work in your favourite tool.
Good Morning All,
I also have some bf2 files from an eMMC download of a Nokia Lumia.
I would be grateful for any guidance with regard to decoding these as none of the tools we have in our arsenal actually do anything with them.
So you have a physical dump (ISP?) instead of a logical read? What is the size of the files?
Have you looked at Oxygen Forensic Analyst?
Hello,
UFED PA and AXIOM can extract data from the Lumia 520 dump.
Best regards,
Thanks - neither Axiom nor UFED dealt with the .bf2 files.
Oxygen made the best effort but still only found the text components with no time/date stamp or sent/received context.
I've sent some sample conversation files to Cellebrite and will be sending the same to Oxygen.
I've obfuscated the email addresses but not sent those with image transfers, as the files contain base64 thumbnail images (illegal files in my case).