Tuesday, December 1, 2015

WeChat: script to convert and play AUD files

Months ago I had to extract WeChat chats from an iPhone 5S. I extracted the data from the device using the UFED Physical Analyzer software.

Each parsed conversation contained hundreds of audio messages with AUD extension and so I ended up with thousands of AUD files.

I don't know if something has changed in the meantime, but these files are not directly playable with a media player as they lack the proper AMR header. I then came across a blog post in Chinese that explained how to make these files readable:
After adding the right header, the AUD files can be played for instance with VLC but not in Windows Media Player. WMP doesn't support this format. AUD files have to be converted to something else in order to be played in WMP. The author of the post uses SoX to convert to the WAV format. I found that SoX tends to crash a lot when dealing with corrupted AUD files.
I preferred to use libav instead.

I mentioned WMP because it's a preinstalled media player and sometimes I have to hand in the extracted data to somebody with no admin rights on his computer (that means no way to install new software - like VLC) and with aversion to learn something new (for instance how to use a portable program to open the selected file).

In this scenario, what I did was to export a report in HTML format for each WeChat conversation using the Physical Analyzer. I then wrote a python script to:
  • convert AUD files to WAV files
  • fix the links inside each HTML report by replacing the .aud string with .wav

[UPDATE 03/April/2016]

I updated the script in order to decode audio messages compressed with the SILK codec. I've found useful information here:
You can download the script from my Github repository.

Wednesday, October 28, 2015

Apple iOS: Recently Deleted images

Apple iOS 8 introduced a new feature called Recently Deleted album that temporarily displays images that have been removed by the user from the Photos app.

From a forensics perspective, once deleted these images still reside in their original path but they are marked as trashed within a SQLite database called Photos.sqlite.

ZGENERICASSET is the table containing this information.

Deleted images have the ZTRASHEDSTATE field set to "1". We can use the following query to extract and convert what we need:

SELECT ZHEIGHT,ZWIDTH,ZADDEDDATE,strftime('%Y-%m-%d %H:%M', datetime(ZADDEDDATE+978307200, 'unixepoch', 'localtime')) AS ZADDEDDATE_LT,ZDATECREATED,strftime('%Y-%m-%d %H:%M', datetime(ZDATECREATED+978307200, 'unixepoch', 'localtime')) AS ZDATECREATED_LT,ZTRASHEDDATE,strftime('%Y-%m-%d %H:%M', datetime(ZTRASHEDDATE+978307200, 'unixepoch', 'localtime')) AS ZTRASHEDDATE_LT,ZTRASHEDSTATE,ZDIRECTORY,ZFILENAME FROM ZGENERICASSET WHERE ZTRASHEDSTATE=1 ORDER BY ZTRASHEDDATE

Here's the result:

[UPDATE 02/10/2017]: This post has been cited as a source in the "Application data analysis" section of Learning iOS Forensics, 2nd ed. (p.286).

Saturday, September 5, 2015

Windows Phone 7.8 Forensics

Evidence examination

Mobile device analyzed: NOKIA Lumia 800

The forensic acquisition produced a 15 GB raw image. When I opened the file, all I got was just a list of partitions. None of my tools were able to recognize and parse the file system of each partition. What caught my attention was the size of the last partition (14.7 GB) and the exFAT signature.

Luckily for me, X-Ways Forensics (XWF) is a very flexible tool. My analysis wouldn't have been possible without XWF and the precious help provided by its creator Stefan Fleischmann who improved a lot the parsing of exFAT volumes.

To correctly parse the image with XWF:
  • open the image with X-Ways Forensics v18.5. From XWF v18.5 beta2, the partition containing Windows Phone data will be shown as WinPhone Container. In the figure below, it's partition 8.

  • Go to Tools | Disk Tools | Scan for Lost Partitions. In the window "Scan For Lost Partitions", tick the first checkbox only and click OK

  • the search will find two more partitions:
  • double click on each of them: one of them will be fully parsed. In my case it was partition 10. Then add the partition to your active case.

The file system is not encrypted. That allowed me to run data carving to recover deleted files, especially pictures and videos.

What follows is a gathering of the main artifacts that I managed to manually extract and parse. Bear in mind that my assumptions could be imprecise or incorrect.


Contacts and Call Log
Contacts are stored in: \Application Data\Microsoft\Outlook\Stores\DeviceStore\store.vol
Call log is stored in: \Application Data\Microsoft\pim.vol

I ran strings against both of the files. I haven't found any timestamp inside the pim.vol file.

SMS messages
Text messages are stored in: \Application Data\Microsoft\Outlook\Stores\DeviceStore\store.vol

In hex view the body of each text message is preceded by the string "IPM.SMS" or "IPM.SMStext". From what I've seen, the timestamp is not nearby the message and I don't know where it could be located. It's possible to distinguish sent messages from received messages by the fact that a sent message lacks the phone number of the recipient in its structure.

Received Message

Sent Message

According to what I read in the XDA-Developers forum and on Forensic Focus, Windows Phone periodically creates a XML backup of text messages and stores them in a file named CommsBackup.xml (\Application Data\Microsoft\Outlook\BackupVols). The xml file contains many tags, the most important are:

TAG NAME Description
<Property Name="0x37001f"> body
<Property Name="0x3003001f"> sender/receiver's phone number
<Property Name="0xe070003"> value 21 = sent
value 01 = received
<Property Name="0xe060040"> timestamp (received/sent)

I successfully retrieved thousands of old text messages from unallocated space. In order to carve out deleted SMS XML entries, add the following data to the file File Type Signatures Search.txt located in the XWF installation folder.

Description WP SMS backup
Extensions sms
Header <Property Name="0x1a001f">IPM.SMStext
Offset 0
Footer SMS:ReplaceOption">
Default Size 100/6000

You can manually edit that file with notepad. Just copy and paste at the end of the file:
WP SMS backup sms <Property Name="0x1a001f">IPM.SMStext 0 SMS:ReplaceOption"> 100/6000

Within XWF, press F10, tick the File header signature search checkbox and press OK. In the File header search window, tick the newly created signature and choose complete byte-level search  at the right bottom.

Once finished carving, export all these files to a folder. Use my script wp78_sms_xml.py to automate the parsing of all these carved messages.

Pictures are stored in: \My Documents\Zune\Content\0300\00
The file names are numeric (in hex format) and are in the order in which the pictures were saved on the phone. Even though the phone is running Window Phone 7.8, EXIF metadata shows Windows Phone 7.5. Data carving allowed me to fully recover many deleted pictures.

The list of received files via bluetooth is stored in:
I used the freeware utility CompactView to open this file and read the table ReceivedFiles.

Emails are stored in .dat files under:
\Application Data\Microsoft\Outlook\Stores\DeviceStore\data

Downloaded attachments are stored under:
\Application Data\Volatile\EmailAttachments\Attachments[e-mail ID]

The .dat files contain the message body of each e-mail. The header is stored in the store.vol file. A keyword search for the term SMTP in the store.vol file allows to find all the e-mail addresses related to received and sent emails.

In the following picture I show the content of an incoming email that I'd sent to myself from another device during the testing. The email is stored inside a dat file. Its partial header is located inside the store.vol file. I don't know yet how to automate the correlation of these two blocks of information.  

Internet Explorer
Browser artifacts are stored in:

Favorites: \Windows\Favorites <== URL files (both default and personal ones)
Cookies: \Windows\Profiles\guest\Cookies
History: \Windows\Profiles\guest\History\History.IE5\index.dat
Cache: \Windows\Profiles\guest\Temporary Internet Files\Content.IE5

I extracted the entire guest folder and parsed it with full success with Internet Evidence Finder v6.6.

The two paths \Applications\Data and \Applications\Install contain the same number of subfolders with the same ID names. The data folder contains app settings and user data while install is the installation folder.

In order to retrieve the name corresponding to each ID use the URL:
http://windowsphone.com/s?appid=ID (where ID is the ID you want to search)

Some apps are preinstalled and their IDs are listed here:

I wrote a small python script wp_appid.py that automatically retrieves AppNames from AppIDs.

The app version information is sometimes stored in files named __ApplicationSettings in  \Applications\Data\[App-ID]\Data\IsolatedStore. For instance this one is from the Twitter app:

Wireless Networks

Creation time will correspond to the first connection to that SSID.

Adobe PDF Reader
Last opened PDF files are listed in:

Each entry shows as well when the PDF file was opened.

Copies of opened PDF files are stored in:

WhatsApp (v2.12.72)
The app version information is stored in the file \Applications\Data\218A0EBB-1585-4C7E-A9EC-054CF4569A79\Data\IsolatedStore\version

The phone number in use is located in:

This file contains the filetime timestamp of when WhatsApp was activated. You can convert it from here: http://www.silisoftware.com/tools/date.php

Messages are stored in a SQLite database:

Pictures and video shared (received and sent) are stored in:

Received pictures when viewed get automatically saved in:
\My Documents\Zune\Content\0300\00

Deleted messages: I successfully carved out SQLite databases with XWF. That meant thousands of deleted messages recovered.

Twitter (v3.0.1.25063)
The most interesting files are stored in:

You can run strings against these files:
{Twitter UserID}.Timeline.dat <== contains tweets that appeared on the user's timeline
{Twitter UserID}.Connect.dat <== notifications for the tweets that got favorited or retweeted
{Twitter UserID}.Friends.dat
{Twitter UserID}.DirectMessages.dat  <== contains direct messages
{Twitter UserID}.SavedSearches.dat <== saved searches on Twitter


Under this folder there are files in JSON format with a prefix name ItemViewModel containing metadata of files stored on the user's OneDrive account. These files contain useful pieces of information that inform us if a OneDrive account is in use: DiskQuotaUsage, DisplayQuotaRemaining and DateModifiedOnClient.

In case SyncUpload is active on the phone, we'll also see additional details for uploaded files such as: filename, extension, displaysize, lastaccess, modifieddate, ownername and sharinglevel.

Timestamps are in DateTime format. In the following article, Microsoft explains how DateTime works:
Time values are measured in 100-nanosecond units called ticks, and a particular date is the number of ticks since 12:00 midnight, January 1, 0001 A.D. (C.E.) in the GregorianCalendar calendar.
For instance, 635503790921870000 decodes to 2014-10-31 19:04:52.187000. Here's a post on how to convert from ticks to human readable date.

Registry artifacts

The path \Windows\Registry\ contains two registry hive files: system.hv and user.hv.
Timestamps are encoded in Win64Bit Little Endian.

An old post in the xda-developers forum explains how to convert hv files into text files by using a command line tool named rgucomp. The result is not that good, but it's better than nothing. From the command prompt type:
  • rgucomp -nologo -o system.hv > system.txt
I'll list below some artifacts that can be extracted from the two hives. We can use them as keywords to perform searches in the unallocated space.

Account (user.hv)
The current Microsoft account configured on the phone is located in:


AccountCreateTime = time when the account was first configured on the phone
LastSyncSuccess = time of last successful sync

Internet Explorer - Typed URLs (user.hv)
URLs typed by the user are located in:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PreviouslyTyped\[URL]

For example:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PreviouslyTyped\http://www.ansa.it/]
  "LastVisited"=hex:10,2F,A0,FF,FD,D7,D0,01 <== (decodes to August 16, 2015 08:31:50)

IMSI (system.hv)
FriendlyName (device name set by the owner of the phone)
SimImsi (current IMSI)
LastSimImsi (previous IMSI - useful in case we need to know if another SIM card was used)

Bluetooth (system.hv)
name (paired device name - the field "name" is preceded by the keyword "keytype")
LastConnectTime (last connection time to the paired mobile device)

Network address (system.hv)
LeaseObtainedHigh (date and time of when the IP was obtained)

LastShutDownDateTime (system.hv)
LastShutDownDateTime keeps track of the last shutdown time of the device.

GPS coordinates  (system.hv)
  • LastPosInjected (last GPS coordinates injected by an application - e.g. Maps)
  • LastKnownLocation (provides date/time and GPS coordinates - I noticed it got updated when I took geotagged pictures and when I chose Find my phone).
  • LocationSyncStart (time of last location sync)


I wrote three Python scripts to automate the parsing of all the above artifacts. Some pieces of code are taken from the script wp8-callhistory.py written by cheeky4n6monkey.

My following scripts need Python 2.7 and have been tested on Microsoft Windows only:
  • wp78_parser.py: you can run it against specific files or the entire image. Call log and contacts are extracted from store.vol and pim.vol only.
         [UPDATE 03/27/2016]: text message timestamp has been found and decoded
  • wp_appid.py: finds AppNames from AppIDs. If you need to query multiple AppIDs at once, write them in a text file and use the file as input data. When reading from a text file, the script will automatically skip invalid lines and wrong characters. So you don't have to worry about normalizing input data.
  • wp78_sms_xml.py: after carving out SMS xml entries from the forensic image, use this script to do the parsing

You can download the scripts from my Github repository.

Final notes

The following articles have been very helpful to me to understand the structure and location of the data stored on Windows Phone devices:

Monday, August 17, 2015

How to get a physical image of a Lumia 800 (Windows Phone v7.8)

I recently had to analyze a Nokia Lumia 800 (RM-801) which is a smartphone running Windows Phone v7.8.

Unfortunately for me, at the time of this writing Cellebrite UFED 4PC is unable to extract a physical image from this phone model.

After some research on the internet, I found out that there's a flasher box which is able to root specifically two Lumia phones: Lumia 800 and Lumia 800C. After rooting, according to some posts I read in the forum GSM-Forum, the phone should be recognized as a mass storage device (or something like that).

If you're not familiar with flasher boxes, I recommend you to read the article Flasher Boxes: Back to Basics in Mobile Phone Forensics. A few years ago I attended these two excellent courses in order to learn how to use these tools:

After the research phase, I needed to do some lab testing. So I bought:
Cyclone Key Reloaded

I arranged a physical machine with Microsoft Windows XP SP3. In my experience, some flasher boxes are not that stable on newer operating systems. Cyclone Key Reloaded is one of them.

Rooting the device

After installing its drivers and software, plug in the flasher box to your computer.
From the main interface of the program Cyclone Box Module Loader: click on the Nokia Tool button | go to the Connection tab | set the connection to USB.

Connect the phone to your computer (not to your flasher box) by using a standard micro USB 2.0 cable. Wait for Windows to recognize the phone.

After that:

  • go to the tabs: WP7,WP8 (Qualcomm) | Simlocks
  • choose RM-801 Lumia 800
  • click on the ROOT ! button

This is an example log that will appear during the rooting on the right side of the program window.

[Nokia USB Connectivity]: WinUSB Port opened OK!
Product code read OK
Lumia No TP Root Procedure Started...

If phone is alive, It will be automatically swithced to OSBL mode.
If software can't switch to OSBL mode, or phone is generally DEAD do folllowing:

1. Turn OFF device, wait 15 seconds afterwards
2. Eject USB cable, wait 10 seconds
3. Press and hold Volume-UP button
4. Insert USB Cable. OSBL should be booted.

Booting CMT...
[Nokia USB Connectivity]: WinUSB Port opened OK!
Switching to RAW Mode...
[Nokia USB Connectivity]: WinUSB Port opened OK!
[Nokia USB Connectivity]: WinUSB Port opened OK!
OSBL Details
Protocol: v1.1
Version: v257.6
Build: 12
OSBL Bootloader Ready
USB&UART Tracing set
RSA Signature Calculated for QCB Boot, Writing...
OSBL Certificate Details
Magic:      WP70
Version:        0
Auth Level: Care
Data Encryption:    0
Image Index:    0
Asic Index: 0
Type:       Image Write
Hashtable Parsed OK
Certificate Accepted
[ASIC 0, Storage 4,1] Writing 850.552kB @ 0x000000000007D200
Write taken 0.400s (Average speed: 17419,04kBits/s)
Restoring Modem from BACKUP_RAMFS_IMAGE...
Restore OK
Restarting MCU...
Rooting Finished!

I unplugged the phone and turned it back on. I didn't notice any data loss. All my data was still there.

Imaging the device

Go to your forensic acquisition computer.
  • turn off the phone
  • connect the USB cable to the computer, but not yet to the phone
  • while holding the Volume Up button, connect the USB cable to the phone 
  • release the Volume Up button as soon as you see Windows asking you to format the phone
  • Please, don't format the device!

Now, you're ready to physically image your Nokia Lumia 800 phone.

I'll write about parsing in the next blog post.

Saturday, August 15, 2015

Geotag2kml: python script to create a KML file from geotagged pictures

Sometimes it's not the photo itself that matters, but where the photo was taken.

I needed a tool to parse thousands of geotagged pictures and show them on Google Earth. I wrote a Python script based in part on what was posted years ago in the ExifTool Forum.

My script was written to:
  • parse recursively geotagged pictures
  • create a KML file to show geotagged pictures on Google Earth
  • group and sort GPS data by date
  • show visually for each date where the first geotagged picture was taken. Each first GPS point is indicated by the icon of a small man
  • connect the GPS points of each date with a colored line
  • get the preview of a picture when clicking on a placemark
  • list make and model information of each digital camera used to take and geotag the analyzed photos
  • speed up my analysis ;)

  • Python v2.7
  • Exiftool (rename the executable to "exiftool.exe" and put it in the same folder of the script)
  • Google Earth


Run the script and type the absolute path of the directory containing your pictures. The script will create and save in this path a file named "GoogleEarth.kml".


geotag2kml v0.1

Here are a couple of screenshots.

Thursday, August 13, 2015

USB Write-Blocking with the registry: Beware of UASP on Windows 8/8.1 - Workaround

I read once more the description of USB Attached SCSI on Wikipedia and I noticed these two lines:

Microsoft added native support for UAS to Windows 8. Drives supporting UAS load Uaspstor.sys instead of the older Usbstor.sys. Windows 8 supports UAS by default over USB 2.0 as well.

That explains why my UASP device works in "UASP" mode even if I plug it in on a USB 2.0 port.

I then thought: what if I replace uaspstor.sys with usbstor.sys?

And you know what? It worked!

These are the steps for the workaround:

  • boot into safe mode: within Windows, hold the SHIFT key and click Restart
  • click on the Troubleshoot button
  • select  Advanced Options
  • choose Command Prompt
  • login into your admin account
  • from command prompt, type C: and press Enter
  • type cd windows\system32\drivers and press Enter
  • type ren uaspstor.sys uaspstor.sys.old and press Enter to rename the file uaspstor.sys into uaspstor.sys.old (or whatever you like)
  • type copy usbstor.sys uaspstor.sys and press Enter to have an additional copy of usbstor.sys renamed into uaspstor.sys
  • close your command prompt by clicking on the "X" in the upper right corner
  • click on the Continue button to exit and reboot into Windows 8/8.1

Set "WriteProtect" to "1" in the registry, plug in your UASP device and finally enjoy it in read-only mode!

Since I applied the workaround, I haven't had any BSOD or software issue. So far it appears to be a stable workaround.

Your feedback is appreciated, thanks.

Sunday, August 9, 2015

USB Write-Blocking with the registry: Beware of UASP on Windows 8/8.1


On Microsoft Windows operating systems it's possible to use the Windows registry to disable write access on USB ports.

Figure 1: HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

That has been for a long time a convenient and safe way to make USB ports read only. Until UASP came out.

"USB Attached SCSI Protocol" (UASP) is designed to improve USB 3.0 transfer speeds. Microsoft Windows 8 has native support for UASP as written on the page "Windows 8: What's new for USB":
Windows 8 includes a new USB storage driver that implements the USB Attached SCSI Protocol (UASP). The new driver uses static streams for bulk endpoints, as per the official USB 3.0 specification.

For this test I decided to use:
  • HP EliteBook 8470w Mobile Workstation
  • OS Windows 8.1 Pro x64
  • Transcend JetFlash USB 3.0 64GB Flash Drive (not UASP)
  • StarTech adapter cable USB 3.0 to 2.5" SATA  w/UASP  (mod. USB3S2SAT3CB) with HGST 1 TB internal 2,5" SATA drive
After turning ON the USB write protection with the Windows registry, I plugged in the two USB 3.0 devices directly into my laptop.

The tool USB Device Viewer shows that the flash drive has been recognized as a "USB Mass Storage device", while the other one as a "USB Attached SCSI mass storage device".

Figure 2: output of USB Device Viewer

In Windows PowerShell, I used the cmdlet GET-WMIOBJECT to list my drives:

PS > GET-WMIOBJECT win32_diskdrive

The thumb drive is shown as a "USB device", on the other hand the SATA drive (externally connected via USB) is shown as a "SCSI disk device". My notebook has USB 3.0 and USB 2.0 ports, but it doesn't make a difference where I plug in the drive. The adapter makes the SATA drive appear as a SCSI device.
Figure 3: Powershell "GET-WMIOBJECT win32_diskdrive" on Win 8.1 Pro

I then checked the read-only state of the two devices by using Diskpart.

The thumb drive (Disk 3 - \\.\PhysicalDrive3) is in read-only mode as expected.

Figure 4: the thumb drive is in read-only mode

The external SATA drive (Disk 2 - \\.\.PhysicalDrive2) is NOT in read only mode.

Figure 5: the external SATA drive is still in WRITE mode
I successfully created a new folder named "BrandNewFolder".

Figure 6: folder creation

 And I created a new txt file named "BrandNewFile.txt" inside this folder.

Figure 7: file creation

I then unplugged the drive and I plugged it in on a second computer (Intel NUC DN2820FYKH with Windows 8.1). The newly created folder was still there. Unfortunately that means I modified my "evidence" drive.

Figure 8: the folder was really written to the drive

I repeated the same test on the second computer and I had the same results.

I made a last test: I went back to my laptop and installed Windows 7 Pro (on a different internal drive). Windows 7 has no native support for UASP. I repeated all the steps written above and this time the 1 TB drive with the mentioned adapter was recognized as a simple USB device in read only mode.

Figure 9: external drive in read-only mode on Windows 7 Pro


The registry key doesn't work on Win8/8.1 with UASP devices. At the moment I haven't found a way to disable UASP. I googled a bit and have found out there are already around some thumb drives which use UASP.

For the time being, stay safe on Windows 7 or choose a hardware write-blocker.