Good Morning Forensicators
I have some evidential data within Zune's ArtCache Folder. I have conducted some limited testing (I do not currently have access to a Windows Mobile) but I am struggling to tie down which user was logged in and how to tie the images back to the originating source.
I have VM'd the evidential image and I can see Zune is installed and I can navigate to the ArtCache folder and the images are there as live files, but I cannot see Windows Live user that is associated with the SW. I have identified through my testing that my Live ID appears in the ZuneStore.sdf, as does the original file path of the images I populated Zune with from my computer, but they don't appear beside each other. Whereas my evidential ZuneStore.sdf has a mobile 'Name', brand, model, file path and live ID all in quite close succession, which is slightly different behaviour.
I'm viewing the ZuneStore.sdf in EnCase 6 (and EnCase 7 just to be sure) just as raw data. I have tried 'Compact View' and 'SDF Viewer' but these report errors when trying to parse both my file and the evidential file.
Does anyone know anything about Zune forensics, specifically in relation to parsing out the ZuneStore.sdf file?
My next port of call is to source a Windows Mobile and do some more in depth testing but all the data is held within the ZuneStore.sdf by the looks of it but I just can't view it in a meaningful way at the moment!
Thanks in advance!
There's a discussion over on msdn (
Thanks, I'll give that a try!