Embedded Databases

Posts Tagged ‘Embedded Databases’

Winner of the DFRWS2011 Forensics Challenge Announced

Monday, Sep 26th, 2011
Posted By Eoghan Casey

This year Eoghan Casey worked with Tim Vidas at Carnegie Mellon University and Matthew Geiger at CERT to create the DFRWS Forensics Challenge in an effort to advance forensic analysis of Android mobile devices. The winners of the challenge were Ivo Pooters, Steffen Moorrees and Pascal Arends from Fox-IT. Their submission provides a suite of utilities written in Python for extracting information from data acquired from Flash memory on Android devices. Complete results are posted on the DFRWS Web site.

The scenarios for the DFRWS 2011 Forensics Challenge were two seemingly unrelated crimes that turned out to be tightly linked with each other. The first scenario was a suspicious death and the goal of the investigation was to determine whether the victim killed himself or was murdered. The second scenario was an intellectual property theft case and the goal of the investigation was to document any evidence that intellectual property was stolen and to support termination of the suspected insider.

An interesting outcome of the challenge was that using dd to acquire data from the Android device in Scenario 1 did not copy the important information in out-of-band (OOB) areas of the YAFFS2 file system. As a result, it was not possible to reconstruct the file system. However, contestants were still able to carve out usable content from this data.

The winning submission provides a technical analysis of data structures found in memory dump from Android mobile devices and provides an Android analysis toolkit that extracts specific items and formats them in a report. Using this toolkit to perform a forensic examination of a full NAND dump of a YAFFS2 file system (such as in Scenario 2 of the DFRWS 2011 Forensics Challenge) first requires the file system to be mounted under Linux as an emulated Flash device (using nandsim).

A sample of the information extracted by the winners from the SQLite database located on the Android device in Scenario 2 (mtd8\data\com.android.providers.telephony\databases\mmssms.db) is provided here:

Address	date/time (UTC)	read	type	body
shandra@cheerful.com	05/06/2011 01:34:55 AM	True	in	(Nearby! Coming for my beer) Hey Yob, I am closing in on Fat Heads. See ya soon.
sms.dynadel@gmail.com	05/06/2011 05:53:30 PM	True	in	Reminder, planned IT outage this weekend. This maintenance window will start at 3 PM today and continue for approx 48 hours.
sms.dynadel@gmail.com	05/06/2011 05:55:16 PM	True	in	This effects external services such as website, email, webmail, and the ftp server. Use the secondary email access and helpdesk # for emergencies
shandra@cheerful.com	05/07/2011 11:39:16 PM	True	in	(Save me!) If Luke asks, I’m going out with you to dinner, OK? I just can’t face Mr. Smooth tonight. Shandra
6245	05/07/2011 11:44:27 PM	True	out	Sure thing. Do you know where the wine loft is?
6245	05/07/2011 11:54:37 PM	True	out	I ran into some friends at the double wide, meetup at 8:30 or so?
6245	05/07/2011 11:56:53 PM	True	out	Or you can walk down Carson and join us

Much more information was extracted from both Android devices as detailed in the reports, which include an impressive graphical reconstruction of events.

(No Comments)

Advances in Windows Mobile Forensics

Sunday, Aug 29th, 2010
Posted By Eoghan Casey

Recent research into important file formats on Windows Mobile devices has led to a breakthrough in mobile device forensics. Our improved understanding of the proprietary Microsoft embedded database format enables us to recover all available data from files such as cemail.vol, including deleted items.

The papers and associated tools detailing these advances in Windows Mobile forensic analysis are published in the Journal of Digital Investigation. The most recent special issue on forensic analysis of embedded systems contains two papers: Introduction to Windows Mobile Forensics and Windows Mobile Advanced Forensics.

Introduction to Windows Mobile Forensics by Eoghan Casey, Michael Bann and John Doyle covers the fundamentals of Windows Mobile systems, embedded database formats and tools for acquiring and examining these systems in a forensic context. A table from this paper is provided here, listing potentially useful sources of evidence on Windows Mobile devices.

Windows Mobile Advanced Forensics by Coert Klaver from the Netherlands Forensic Institute provides in-depth technical details about embedded database formats and tools for acquiring and examining this information. The author developed tools for interpreting data in embedded databases acquired from Windows Mobile devices, including deleted items.

An upcoming issues of the Journal of Digital Investigation contains the paper Windows Mobile Advanced Forensics: An Alternative to Existing Tools by Cpt. Frédérick Rehault from the French National Gendarmerie. The author developed custom boot loaders and file parsing tools to extract the maximum amount of information available from Windows Mobile devices. A small sample of the very detailed output from one customized tool is provided below, showing interpreted fields extracted from a text message in cemail.vol along with the location of associated content in the file system.

[ MESSAGE ] <<<< VISIBLE >>>>

Message Class : :  IPM.SMStext

Message Flag (1:Read; 0:Unread) : 0x00000028

Subject :  Love you too. Cant wait to see you tomorrow!

Msg Status : 0x00040000 : SMS

Delivery Time 2009-05-15 04:53:54

Sender Email Address :  14435551212

Sender Name :  14435551212

Last Modification Date 2009-05-15 04:53:55

Recipient Info: address & name :   t£ lT SMS14105551212Steven…

-- Message Content Location -- NORMALLY Stored in "\Windows\Messaging\ 453a000a xxxxxxxx.mpb "

The tool also extracts the raw database record as shown here with all of the internal database fields:

*************************************************************

[ DEBUG ]: Found RECORD HEADER at Offset 0x000b7e9c

[ DEBUG ]: hRecord = 0x00000a47 [ DEBUG ]: hDBHandle = 0x00000060 [ DEBUG ]: DataRecordSize = 0x00b8 [ DEBUG ]: CompDataRecordSize = 0x009e [ DEBUG ]: Nb Props found = 12 [ DEBUG ]: Flag = 0x4000 : Data might be compressed


00000000 45 0a 00 3a a0 00 00 00   0f 00 00 31 28 00 00 00   |E..:.......1(...|

00000010 00 00 b0 25 58 00 4c 00   6f 00 76 00 65 00 20 00   |...%X.L.o.v.e. .|

00000020 79 00 6f 00 75 00 20 00   74 00 6f 00 6f 00 2e 00   |y.o.u. .t.o.o...|

00000030 20 00 43 00 61 00 6e 00   74 00 20 00 77 00 61 00   | .C.a.n.t. .w.a.|

00000040 69 00 74 00 20 00 74 00   6f 00 20 00 73 00 65 00   |i.t. .t.o. .s.e.|

00000050 65 00 20 00 79 00 6f 00   75 00 20 00 74 00 6f 00   |e. .y.o.u. .t.o.|

00000060 6d 00 6f 00 72 00 72 00   6f 00 77 00 21 00 34 00   |m.o.r.r.o.w.!.4.|

00000070 00 00 04 00 00 9d b0 25   19 d5 c9 01 16 00 31 00   |.......%......1.|

00000080 34 00 34 00 33 00 35 00   35 00 35 00 31 00 32 00   |4.4.3.5.5.5.1.2.|

00000090 31 00 32 00 16 00 31 00   34 00 34 00 33 00 35 00   |1.2…1.4.4.3.5.|

000000a0 35 00 35 00 31 00 32 00   31 00 32 00 80 33 49 26   |5.5.1.2.1.2..3I&|

000000b0 19 d5 c9 01 47 0a 00 3b                             |....G..;|
+ List of properties in record:

-- PropID[ 0 ] = 0x80050013 UI4 : 0x3a000a45

-- PropID[ 1 ] = 0x80110013 UI4 : 0x000000a0

-- PropID[ 2 ] = 0x001a0013 UI4 : 0x3100000f

-- PropID[ 3 ] = 0x0e070013 UI4 : 0x00000028

-- PropID[ 4 ] = 0x003d001f LPWSTR :

-- PropID[ 5 ] = 0x0037001f LPWSTR : Love you too. Cant wait to see you tomorrow!

-- PropID[ 6 ] = 0x0e170013 UI4 : 0x00040000

-- PropID[ 7 ] = 0x0e060040 FILETIME 0x1c9d51925b09d00

-- PropID[ 8 ] = 0x0c1f001f LPWSTR : 14435551212

-- PropID[ 9 ] = 0x0c1a001f LPWSTR : 14435551212

-- PropID[ 10 ] = 0x30080040 FILETIME 0x1c9d51926493380

-- PropID[ 11 ] = 0x80010013 UI4 : 0x3b000a47

cmdLabs covers forensic analysis of Windows Mobile and other mobile devices in the course we develop and teach for SANS (FOR563 – Mobile Device Forensics).

(No Comments)