11 October 2019

Digital Forensics Tips&Tricks: «Your Phone» app Forensics

Information Security
Recently I've received the Announcing Windows 10 Insider Preview Build 18999 including an update for «Your Phone» app, and my first thing was — is there something useful for digital forensics?

So, I've immediately installed this app on my test workstation and connected it with my Android phone. On the same time I was checking for all system activities with Process Monitor to understand where all Your Phone app files are stored.

image

It seems that all files are located in:
%userprofile%\AppData\Local\Packages\Microsoft.YourPhone_???????\LocalCache\Indexed\????????????????\System\Database
Where "????" is randomized ID

Here is the content inside this folder:

image

And you can see a couple of .db files which are SQLite Databases
Well, I've downloaded a simple SQLite Browser and opened them one-by-one to check the internals. Some of DBs were empty, therefore I'll describe only ones with “Forensically sound” info.

1. Notifications.db

Notifications table:
image

When something happens on your Android smartphone, the notification about the event appears and Your Phone app puts this event here, into this table. I've sent a email from the desktop to my smartphone, a popup notification about new letter has appeared and here you can see a lot of properties which were extracted from the notification:

image

appname — my mobile email app
bigtext — subject and text
bigtitle — my name
posttime — timestamp when the message has been received by email server in Unix-time format
subtext — sender's email address
timestamp — timestamp when the message has been sent

Well, an investigator does not even need the message itself, he can get a lot of info, including the text, from the notification.

2. Phone.db

I found a lot of interesting tables inside!

image

Address table:

image

BOOM! All incoming numbers with timestamps! Cool!

Contact table:

image

BOOM again! The whole contact list even with photos :))

Message table:

image

Text messages (SMS) with senders' names (I've cut senders with numbers, but you can trust me — they are there) and timestamps, and text (yes, from banks and kind of)

Subscription table:

image

Here is the info about SIM cards

3. Photos.db

Photo table:

image

What a surprise! All pics stored on the mobile phone with timestamps :-)

4. Settings.db

Phone_apps table:

image

All installed apps list. Not so interesting, but who knows…

So, as a final — what do I think about it?
Of course it's really unsecured way to store so important info in unencrypted databases. As example, an intruder can get a remote access to your laptop or workstation (using Telegram RAT, haha :)) and download a lot of your important personal data.

On the other hand — this is a good place to get more digital evidences for a computer forensics investigator, for instance, in cases when inseder was involved in enterprise-targeted cyberattack. Getting a phone number of attack organizer is a good point for further investigation.

Be secured and thank you for attention!
Tags: microsoft android windows computer forensics digital forensics mobile
Hubs: Information Security
+1
728 1
Leave a comment
Ads