SANS Digital Forensics and Incident Response Blog

MIAT for Symbian & Windows Mobile Forensics

I recently became interested in mobile device forensics. This area covers a lot of ground, but a particularly interesting subfield is the forensics of Windows Mobile. As far as I was able to discover, not much has been written about this, which makes it perfect for a blog posting.

After a significant amount of Google research, I found a paper presented at the 2008 DFRWS conference. In it, the authors discuss a Mobile Internal Acquisition Tool, MIAT. They created this tool for extracting files from Smartphones running Symbian or Windows Mobile, and saving them to removable media. Another reference to the same work is presented here.

I was unable to locate a download site for the tool, so I contacted one of the presenters, Alessandro Distefano, as invited in the paper. I found out that the tool is to be released in open source format later this month, and it will be downloadable from http://www.miatforensics.org; however, that site is currently under construction as of this writing.

I tried out the tool, and found it useful, though there are a couple of potentially significant issues, which I've reported back to the authors. My testing was done on a Motorola Q9c, running Windows Mobile 6.1, and provisioned by Sprint with complete 3G Internet service.

The biggest gotcha I discovered was that after imaging the phone with MIAT, my mobile email configuration crashed on startup until I did a Master Reset on my phone. I'm not sure, but I suspect that this was caused by the mail application itself mishandling the fact that one of its files was locked for reading when it attempted to update it. In any case, I was able to avoid this problem subsequently by temporarily changing my Activesync schedule to only run when manually triggered.

Other issues currently include an inability to copy locked files such as index.dat, and a minor encoding issue with the output of MIAT's XML logs (they refuse to open properly in some XML viewers). I'm told that you can copy out some locked files using the Remote File Viewer that comes with Microsoft Visual Studio, but be aware that you can also copy files onto the device using this method, so it is not a read-only channel (Thanks Eoghan!).

When run, the tool dumps out copies of all accessible files from the device's filesystem to the configured local storage path (expected to be a removable storage card). It also creates a top-level 'Statistics' folder for its log files and hashes.

In examining the MIAT dump of the phone's filesystem, I found the following interesting items of evidence (note that these are not intended to be comprehensive):

  • \Windows\Profiles\guest\ - Contained the Pocket IE cache, including Cookies, index.dat (which was not extracted because of the locked-file issue noted above), and Temporary Internet Files
  • \Windows\Messaging - Contained various .mbp files which proved to hold the text of downloaded email messages. There is also an Attachments folder under this path that may hold downloaded attachments.
  • \Windows\ActiveSync - Contained various configuration and log files from Activesync
  • \Windows\Favorites - Contained Favorite links used by Pocket IE
  • \Application Data\GoogleMaps - Contained configuration and cache files used by the installed Google Maps application. These files are all binary, but one of them, prefsext.dat, contains a variety of strings which match searches that have been performed and results (street addresses) which have been returned. Somebody could probably reverse engineer the format and write a parser for this that would be really useful.
  • \*.vol - These files contain embedded databases, which include all of the phone-related information such as call logs, phone book, appointment list, etc. I haven't yet found a free application to parse them, but there's got to be something out there.
  • I also found a number of other empty Attachments folders, as well as additional empty Profiles and Temporary Internet Files folders. This probably means that these various locations are implementation dependent.
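An examiner-side triage script for a MIAT dump, as an added example that is not part of the original post or of the MIAT tool: it walks the dump, picks out files under the evidence locations listed above (plus any .vol or .mbp file), records an independent SHA-256 for each (the layout of MIAT's own Statistics hashes is not covered here) and pulls printable strings out of them, which is how the search terms and addresses in prefsext.dat show up. The directory tree and file contents produced by build_sample_dump are constructed for the demo and are not real device data.

```python
import hashlib
import os
import re
import tempfile

# Evidence locations named in the post (Windows Mobile 6.1 layout). The dump is
# assumed to mirror the device filesystem under a local root; paths use "/".
ARTIFACT_DIRS = ("Windows/Profiles/guest", "Windows/Messaging", "Windows/ActiveSync",
                 "Windows/Favorites", "Application Data/GoogleMaps")
ARTIFACT_EXTS = (".vol", ".mbp")

def printable_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes (like `strings`); this is
    how the search terms and addresses inside prefsext.dat become visible."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage_dump(root):
    """Walk a MIAT-style dump; for each file under a known artifact directory or
    with an artifact extension return an examiner-side SHA-256 (independent of
    MIAT's own Statistics folder) plus the printable strings it contains."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            in_dir = any(rel.startswith(d + "/") for d in ARTIFACT_DIRS)
            if not (in_dir or rel.lower().endswith(ARTIFACT_EXTS)):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            hits[rel] = {"sha256": hashlib.sha256(data).hexdigest(),
                         "strings": printable_strings(data)}
    return hits

def build_sample_dump():
    """Constructed demo tree with made-up contents; not a real device dump."""
    root = tempfile.mkdtemp(prefix="miat_demo_")
    for sub in ("Application Data/GoogleMaps", "Windows/Messaging"):
        os.makedirs(os.path.join(root, *sub.split("/")))
    samples = {
        "Application Data/GoogleMaps/prefsext.dat":
            b"\x00\x01\x02pizza near me\x00\x7f\x03123 Main Street\x00\xff\x10ab\x00",
        "Windows/Messaging/msg1.mbp": b"Subject: test\r\n\r\nhello from the phone",
        "pim.vol": b"\x00" * 16,           # embedded database, opaque to this script
        "readme.txt": b"not an artifact",  # outside every artifact location: ignored
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root
```

Point triage_dump at the root of a real MIAT dump to get the same dictionary for the device; the string extraction is a first pass only, since the .vol databases and prefsext.dat still need a proper parser.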

As always, please feel free to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a Fortune 500 telecommunications equipment provider.

5 Comments

Posted July 17, 2009 at 4:21 PM

Phone Detective

It's pretty amazing what you can do online. It was not that long ago that you were wondering who just called you when you were not at home. Now you can not only see who the unknown caller is, but also spy on who's talking to your lover :))
It's crazy. You can even find the address by a simple phone number. Wonder what's gonna come next?

Posted July 20, 2009 at 4:04 PM

Evgueni Tchijevski

Hi, I'm testing an approach to recover data stored in the embedded DB (*.vol files).
I found a WM mobile emulator and the itsutilsbin tools from XDA useful.
You can copy this file onto your emulator and then use pdblist to retrieve data from cemail.vol (SMS/mail). It works well.
To retrieve data from pim.vol (last call/phone book/appointments), install dbExplorer on your emulator and then export the data in CSV format.

Posted July 27, 2009 at 7:17 PM

johnmccash

I just came back from vacation, and it seems that http://www.miatforensics.org has gone live while I was out.

Posted July 28, 2009 at 11:31 AM

Leonardo

Dear Rob Lee,
my name is Leonardo Musumeci, I am a native Italian translator, graduated in Foreign Languages and Literature.
My specializations are:
* Web programming, web design (1 year of professional experience as web programmer and web designer)
* Software localization (experience in software localization and in particular translating documentation and software GUI for Sun Microsystems OpenOffice.org.)
* Great familiarity with IT, Open Source software (in particular with OpenOffice.org, Linux operating system - Ubuntu distribution), Cisco systems (I have attended a Net Security Course - preparation course for Cisco CCNA Certification), IT concepts, programming languages, networking technologies, digital forensics (I have attended a course - computerforensics.unimi.it - in digital forensics and investigations, about the different informatics and legal techniques and the strategies of incident response management)
* Technical and Linguistic background, studies in Languages and Informatics (I have got a Master's Degree in E-Government)
A web profile is available here:
http://www.proz.com/pro/48102
Since your posts are highly technical and original, it would be nice to translate some of them into Italian and put them on my blog:
leonardomusumeci.net
Is it possible?
Thanks in advance
Best Regards
Leonardo

Posted April 2, 2012 at 2:41 PM

Ardham Lisa

Somehow you just made a really complicated topic simple and concise. Thank you so much for sharing! You are outstanding.