Mobile forensics tips: WeChat migration forensics
Microsoft announced Windows 10 Insider Preview Build 18999, including an update for the «Your Phone» app, and my first thought was: is there anything useful here for digital forensics? So I immediately installed the app on my test workstation and connected it to my Android phone. At the same time I watched all system activity with Process Monitor to find out where the Your Phone app stores its files.
All of the app's files appear to be located in:

%userprofile%\AppData\Local\Packages\Microsoft.YourPhone_???????\LocalCache\Indexed\????????????????\System\Database

where each run of question marks is a randomized ID, so the folder has to be located by wildcard rather than by a fixed path.
Here is the content inside this folder:
You can see a couple of .db files, which are SQLite databases.
I downloaded a simple SQLite browser and opened them one by one to check the internals. Some of the databases were empty, so I will describe only the ones that hold forensically useful information.
1. Notifications.db
Notifications table: when something happens on your Android smartphone, a notification about the event appears and the Your Phone app stores that event in this table. I sent an email from the desktop to my smartphone, a popup notification about the new message appeared, and here you can see the many properties that were extracted from the notification:
An investigator does not even need the message itself: a lot of information, including the text, can be recovered from the notification record alone.
2. Phone.db
I found a lot of interesting tables inside!
BOOM! All incoming numbers with timestamps! Cool!
Contact table: BOOM again! The whole contact list, even with photos :))
Message table: text messages (SMS) with the senders' names (I have cropped the senders' numbers out of the screenshot, but trust me, they are there), timestamps, and the message text (yes, including messages from banks and the like).
Subscription table: information about the SIM cards.
3. Photos.db
Photo table: what a surprise! All pictures stored on the mobile phone, with timestamps :-)
4. Settings.db
Phone_apps table: the list of all installed apps. Not so interesting, but who knows…
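The workflow described above (find the Database folder behind the randomized IDs, open each .db with an SQLite tool, skip the empty ones) as an added Python example; this is not code from the original post. The directory layout and the database and table names follow the post, while the column names and rows in SAMPLE_SCHEMA are constructed sample data, an assumption standing in for the real Your Phone schema so that the script runs offline. It also copies the -wal/-shm sidecar files with each database and hashes the copies before opening them read-only, a collection step the post does not mention but a practitioner would want.

```python
"""Added example: locate, collect and inventory Your Phone SQLite databases."""
import glob
import hashlib
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List

# Database and table names as reported in the post. Column layouts and rows are
# CONSTRUCTED sample data (an assumption), not the real Your Phone schema.
SAMPLE_SCHEMA = {
    "Notifications.db": {
        "notifications": ("app_name TEXT, title TEXT, body TEXT, post_time INTEGER",
                          [("com.example.mail", "New message", "Meeting moved to 14:00", 1572000000)]),
    },
    "Phone.db": {
        "contact": ("display_name TEXT, phone_number TEXT",
                    [("Alice Example", "+15550100"), ("Bob Example", "+15550101")]),
        "message": ("from_address TEXT, body TEXT, timestamp INTEGER",
                    [("+15550100", "Your one-time code is 123456", 1572000100)]),
        "subscription": ("iccid TEXT, carrier TEXT", []),  # left empty on purpose
    },
    "Photos.db": {"photo": ("name TEXT, taken_time INTEGER", [("IMG_0001.jpg", 1571990000)])},
    "Settings.db": {"phone_apps": ("package_name TEXT, app_name TEXT", [("com.example.mail", "Mail")])},
    "Empty.db": {"placeholder": ("value TEXT", [])},  # stands in for the databases that held nothing
}

# Relative path from the post, with the randomized IDs replaced by wildcards.
DB_GLOB = os.path.join("AppData", "Local", "Packages", "Microsoft.YourPhone_*",
                       "LocalCache", "Indexed", "*", "System", "Database")


def build_sample_profile() -> str:
    """Create a fake user profile with the Your Phone folder layout and sample databases."""
    profile = tempfile.mkdtemp(prefix="yourphone_profile_")
    db_dir = os.path.join(profile, "AppData", "Local", "Packages", "Microsoft.YourPhone_abc123",
                          "LocalCache", "Indexed", "0123456789abcdef", "System", "Database")
    os.makedirs(db_dir)
    for db_name, tables in SAMPLE_SCHEMA.items():
        con = sqlite3.connect(os.path.join(db_dir, db_name))
        try:
            for table, (columns, rows) in tables.items():
                con.execute(f'CREATE TABLE "{table}" ({columns})')
                if rows:
                    marks = ", ".join("?" for _ in rows[0])
                    con.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
            con.commit()
        finally:
            con.close()
    return profile


def find_database_dirs(profile_root: str) -> List[str]:
    """Expand the randomized package and device IDs with wildcards instead of guessing them."""
    return sorted(glob.glob(os.path.join(profile_root, DB_GLOB)))


def collect_databases(db_dir: str, evidence_dir: str) -> Dict[str, str]:
    """Copy every .db file plus its -wal/-shm sidecars and return {filename: sha256}.
    Rows committed but not yet checkpointed exist only in the -wal file, so it must travel
    with the main database or the copy will be missing recent activity."""
    os.makedirs(evidence_dir, exist_ok=True)
    hashes: Dict[str, str] = {}
    for pattern in ("*.db", "*.db-wal", "*.db-shm"):
        for src in glob.glob(os.path.join(db_dir, pattern)):
            dst = os.path.join(evidence_dir, os.path.basename(src))
            shutil.copy2(src, dst)
            hashes[os.path.basename(src)] = hashlib.sha256(Path(dst).read_bytes()).hexdigest()
    return hashes


def inventory_databases(db_dir: str) -> Dict[str, Dict[str, int]]:
    """Open each copied database read-only and report the non-empty tables with row counts."""
    inventory: Dict[str, Dict[str, int]] = {}
    for db_path in sorted(glob.glob(os.path.join(db_dir, "*.db"))):
        uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # never write to the evidence copy
        con = sqlite3.connect(uri, uri=True)
        try:
            names = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
            counts = {}
            for name in names:
                quoted = name.replace('"', '""')  # table names come from the file, so quote them
                counts[name] = con.execute(f'SELECT COUNT(*) FROM "{quoted}"').fetchone()[0]
        finally:
            con.close()
        nonempty = {table: n for table, n in counts.items() if n}
        if nonempty:  # skip databases that hold nothing, as the post does
            inventory[os.path.basename(db_path)] = nonempty
    return inventory


def run_demo() -> Dict[str, Dict[str, int]]:
    """End to end on the constructed profile: locate, collect, then inventory the copies."""
    profile = build_sample_profile()
    evidence = tempfile.mkdtemp(prefix="yourphone_evidence_")
    for db_dir in find_database_dirs(profile):
        collect_databases(db_dir, evidence)
    return inventory_databases(evidence)


if __name__ == "__main__":
    for db, tables in run_demo().items():
        print(db)
        for table, rows in tables.items():
            print(f"  {table}: {rows} rows")
```

Run it as a script to see the inventory of the constructed profile; on a live system or a mounted image, point find_database_dirs at the real %userprofile% instead of build_sample_profile(). The copies are opened with mode=ro so the evidence is never modified, and the inventory works on the copies rather than the originals.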
So, finally, what do I think about it?
Of course, storing such sensitive information in unencrypted databases is an insecure design. The files live under the user's own profile, so any code running as that user can read them without elevation. For example, an intruder who gains remote access to your laptop or workstation (using a Telegram RAT, haha :)) can download a large amount of your personal data.
On the other hand, this is a good place for a computer forensics investigator to gather additional digital evidence, for instance in cases where an insider was involved in an enterprise-targeted cyberattack. Recovering the phone number of the attack's organizer is a good starting point for further investigation.
Stay secure, and thank you for your attention!