Windows Mobile software
Does anyone have any experience with software that decodes artefacts from Windows Phones? Currently looking at a Lumia 520 and UFED/XRY have got basically nothing back. IEF got a couple of items but missed all the 3rd party app stuff, are there any other? Does Oxygen deal with it any better?
If you can get access to the file system the apps tend to be either ESE databases or SQLite. Obviously my Forensic Toolkit for SQLite can deal with the SQLite side.
But you may not be aware that there is an optional Browser extension for the toolkit that allows you to use the full power of the Browser to investigate the ESE databases.
There is more information on the ESE extension here
I am just about to make an update to the ESE extension (and the standalone EseViewer - more at the above link) that recovers deleted records from the ESE database.
There is more information about the Browser and a link to request a demo (of the Toolkit and ESE extension) at this link.
Hope this helps
RegRipper works just fine with the Registry hive files from Windows phones. Unfortunately, no one who has access to these files has written any plugins for RR, and only one person (a cop) provided me with hive files from such a device.
I wish there was more, but without support from the community… ;-(
Minime2k9, live data acquisition will give you only very basic data. To access applications, deleted records and SQLite databases you can create a JTAG image from Windows Phone and then import it to Oxygen Forensic products.
In addition to Paul's *comments, have you had a look here, as these scripts relate to Windows Mobile 8.x on the Lumia 520: https://github.com/cheeky4n6monkey/4n6-scripts
* and Oxygen (I hadn't seen that post by the time I posted.)
Thanks for the replies so far, I think I should have probably posed my question slightly better though.
As Paul mentioned, some of the artefacts are stored in SQLite or ESE database files, but they also use SDF (Compact SQL - Microsoft) and flat data files for data (KIK messenger is a good example).
Much as I can manually decode these, I was hoping there might be some support for at least a few of the standard artefacts.
We have a JTAG image of the phone already, so this isn't an issue - does Oxygen support decoding of any application data?
It does seem that a lot of the apps store data in a completely different format from the norm - WhatsApp seems to use unencrypted SQLite, KIK uses flat files for each conversation that I'm still working out the format for, and some use this SDF file.
What I'm basically getting is that Windows phones are basically unsupported (in terms of APP data decoding) by all the major tools and that each one will require manual extraction (and possibly decoding) with a few Python scripts for some areas.
Minime2k9, Oxygen supports data decoding from most popular apps, like WhatsApp, Viber, Skype, Facebook Messenger, Here Maps, etc. if you import a Windows Phone JTAG image. If an app is not supported you will be able to open all app files on the Applications files tab in the Applications section and examine them in the HEX or SQLite Viewer.
That sounds great, I've emailed you for a trial version that you've mentioned was available in another post.
Hi minime - sent you a pm a couple of hours ago. Outbox says you have seen it so as you have been on-line since then I thought I would let you know.
Sorry Paul, I always seem to miss PM's!
As far as viewers for the SDF database's go, I managed to locate one here
You will need to install some things from Microsoft to make it work (basically an SDF SDK).
So as an update
Got my trial of Oxygen and ran it against JTAG Image.
Decoded contacts, SMS messages, Internet Explorer history and emails. So managed to do more than UFED/XRY had.
On the flip side of that, it didn't decode the chat messages from the KIK or NIMBUZZ app (no surprise on the last one, first I've heard of it!), but it did do WhatsApp (again the only one to decode it).
That said it did a much better job of identifying installed applications and showing me all files relating to that app.
Either way, looks like a lot of manual decoding for me!
Nimbuzz on Windows is an SQLite DB so you may find it is the same on Windows Phone. It has a number of tables with some good info and you would probably be better off looking at it outside of a generic app that just summarises what it thinks is important.
Kik is also SQLite on Windows and again has lots of useful info that most tools just summarise for you. But I have heard somewhere that Kik on Windows uses SDF.
A fully functional trial is available for my Forensic Toolkit for SQLite if it helps.
Yeah, I've got the Nimbuzz app as an SDF database; the KIK app on Windows Phones stores the files as a flat .bf2 file. As far as I can tell it's a simple binary file and there is one for each conversation.
Some apps which were SQLite on other platforms aren't on Windows and vice versa!
We have also run into the '.bf2' files for Kik. I can confirm one for each chat, one for contacts and one for the conversations list overview. We resorted to carving the strings of relevant chats for this one and locating the chat attachments via ID references. I'd be interested in seeing what method(s) you use to decode the chats as Kik seems to be the app of choice on WP for southerners! P.S. Cheers for the feedback on Oxygen's ability when it comes to WP.
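The string-carving approach described in the post above, written out as an added example (this is not code from the thread or from any of the tools mentioned). The .bf2 layout is undocumented here, so the script makes no assumptions about it beyond what the thread says (a flat binary file per conversation): it scans any byte blob for runs of printable ASCII and of UTF-16LE text (the encoding Windows apps commonly use for strings), records the file offset of each hit, and then picks out anything that looks like an attachment filename so it can be matched against media found elsewhere in the image. The sample blob, the "img_12345.jpg" reference and the filename pattern are all constructed for the demonstration.

```python
import re
import sys
from typing import List, Tuple

Hit = Tuple[int, str, str]  # (offset in file, encoding, decoded text)

# Constructed sample standing in for one conversation's .bf2 file:
# a few header bytes, a UTF-16LE chat message, padding, and an ASCII
# attachment reference. The real format is unknown; this is only test data.
SAMPLE_BF2 = (
    b"\x02\x00\x00\x00"                       # constructed header
    + "Hello from Kik".encode("utf-16le")    # UTF-16LE message text
    + b"\x00\x00"                             # terminator / padding
    + b"\x10\x00"                             # constructed length field
    + b"img_12345.jpg"                        # ASCII attachment reference
    + b"\x00\x00\x00\xff\xfe\x01"             # trailing bytes
)

# Assumed pattern for attachment references; adjust for the real app.
ATTACHMENT_RE = re.compile(r"^[\w-]+\.(?:jpg|jpeg|png|gif|mp4)$", re.IGNORECASE)


def carve_strings(data: bytes, min_len: int = 4) -> List[Hit]:
    """Return every printable ASCII or UTF-16LE run of at least min_len
    characters, with the byte offset it was found at, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text from the Latin range looks like printable byte, NUL, ...
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    hits: List[Hit] = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    hits.sort(key=lambda h: h[0])
    return hits


def attachment_refs(hits: List[Hit]) -> List[Hit]:
    """Filter carved strings down to those that look like attachment names,
    so they can be cross-referenced with media files recovered from the image."""
    return [h for h in hits if ATTACHMENT_RE.match(h[2].strip())]


def carve_file(path: str, min_len: int = 4) -> List[Hit]:
    """Carve strings from a .bf2 (or any flat binary) file on disk."""
    with open(path, "rb") as fh:
        return carve_strings(fh.read(), min_len)


if __name__ == "__main__":
    # With a path argument, carve that file; otherwise run on the sample blob.
    results = carve_file(sys.argv[1]) if len(sys.argv) > 1 else carve_strings(SAMPLE_BF2)
    for offset, enc, text in results:
        print(f"0x{offset:08x}  {enc:<8}  {text!r}")
    for offset, _, name in attachment_refs(results):
        print(f"attachment reference at 0x{offset:08x}: {name}")
```

Carving this way recovers message text and attachment names but not their ordering, timestamps or sender, which live in the undecoded binary structure around each string; the offsets the script records are the starting point for working that structure out in a hex viewer.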
Flash the Phone with the ATF and you have the full dump. With this you can work in your favourite tool.