The Senator Patrick Leahy Center for Digital Investigation
Deleted SMS Text Messages
For the last part of this blog, I will be focusing on a very important aspect of Mobile Device Forensics: recovering deleted SMS Text Messages.
Retrieving SMS Text Messages (Deleted)
During the examination of this phone, I specifically wanted to recover deleted SMS text messages. Most people today use text messaging more than they use anything else on their phones, and text messages can hold some of the most important data on a suspect’s phone. Researching how to recover messages, and the process of actually retrieving the deleted SMS text messages, was very time consuming. After some time, I was able to figure out that text messages are stored in cemail.vol, which is an embedded database.
During my research, I was also able to find a blog on the SANS Computer Forensics website called “Recovering Deleted Text Messages from Windows Mobile Devices”. The blog talks about recovering deleted text messages from the cemail.vol file using several tools: ActiveSync, Microsoft Device Emulator, Microsoft Visual Studio 2008, the pdblist utility from the itsutils suite, and a copy of the acquired cemail.vol file, which I retrieved from the MIAT seizure (see part two of the “HTC Fuze Forensics” blog post). Once you download and install all of these tools, follow the steps below to attempt to mount the cemail.vol as a virtual storage card and recover the deleted data.
Recovering Deleted Text Message Instructions:
Adding cemail.vol to Emulator:
- Open Emulator.
- Click file.
- Click configure.
- Next to the shared folder, click the button with three dots (…).
- Point the shared folder to the folder containing the cemail.vol file.
- Click ok.
Accessing cemail.vol in Emulator:
- Click start.
- Click programs.
- Click File explorer.
- Click the drop-down button that says “My Documents” and change it to Storage Card.
- You should see the cemail.vol file.
Microsoft Visual Studio 2008 Cradling Emulator:
- After launching and configuring the desired Windows Mobile Emulator, create a conduit that itsutils can use to send commands to the Emulator by establishing an ActiveSync connection. Open Microsoft Visual Studio 2008.
- Click the tools menu.
- Click on Device Emulator Manager in Visual Studio.
- Find the Emulator that you are currently using in the list.
- Right-click the selected Emulator and select Cradle.
- In addition, within ActiveSync connection settings it is necessary to allow DMA connections.
Allow DMA connections in ActiveSync:
- Open ActiveSync.
- Click File, then “Connection Settings”.
- Click the check box next to “Allow connections to one of the following”.
- Click the drop-down button and change it to “DMA”.
- Hit OK.
Once you have completed all of these steps, you can use the pdblist tool to find the deleted SMS Text Message data by using the following three commands:
- pdblist -v: lists accessible volumes, including the virtual storage card of the Windows Mobile Emulator.
- pdblist -D: lists the components of the databases that are accessible via the emulator.
- pdblist -d: dumps a particular object/file by name.
Unfortunately, during my attempt to follow all of these steps to recover the deleted SMS Text Messages, I was unable to view any text messages because I was unable to see the Virtual SD Card with the pdblist tool for an unknown reason.
Following this, I researched viewing contents of the cemail.vol in other software, and I discovered that I could view some of the data in a hex editor. I remembered that the Physical Analyzer (the Cellebrite software) had a hex editor built in. I took the .UFD file from the “Physical Extraction” that I took with the Cellebrite UFED Physical Pro and opened it in the Physical Analyzer. I then found the cemail.vol file and viewed it in the Physical Analyzer Hex Editor. I searched for the text that I had sent and instantly found it, as you can see in the image below.
When viewing the cemail.vol file in the Hex Editor, you can view what type of message was sent (SMS), the name and number of the contacts (Michael Jackson), what folder the message was saved in (Drafts), and the actual body of text (“Meet me at the…..”).
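The hex-editor search described above amounts to carving printable strings out of the raw volume and then reading the fields that sit next to the hit. The following Python script, added here as an example and not code from the original post, from Cellebrite or from the itsutils project, does the same thing programmatically. It runs over a constructed byte string that imitates how Windows CE stores text (ASCII and UTF-16LE); the bytes are not a real cemail.vol, and the script does not parse the embedded database's record structure, it only carves strings the way a hex-editor search does. The function names, the sample bytes and the 64-byte neighbor window are assumptions of the example.

```python
"""String carving over a raw database image, in the spirit of the hex-editor
search described above.

Added example; this is not code from the original post, from Cellebrite or
from the itsutils project. The byte string below is CONSTRUCTED to mimic how
Windows CE stores text (ASCII and UTF-16LE) and is not a real cemail.vol;
the script does not parse the volume's record structure, it only carves
printable strings the way a hex-editor search does."""
import re
from typing import Dict, List

# Constructed sample image: a message-type tag, a contact name, a folder name
# and a body in UTF-16LE, followed by a stale ASCII copy of a similar body
# (the kind of leftover that survives a "delete" until the space is reused).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"SMS" + b"\x00" * 5
    + "Michael Jackson".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"Drafts" + b"\x00\x00"
    + "Meet me at the park at noon".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
    + b"Meet me at the old location" + b"\x00"
    + b"\x00" * 4
)


def carve_strings(image: bytes, min_len: int = 3) -> List[Dict]:
    """Return every run of at least min_len printable characters, in ASCII
    and in UTF-16LE, tagged with its byte offset and sorted by offset."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    hits = []
    for m in re.finditer(ascii_run, image):
        hits.append({"offset": m.start(), "encoding": "ascii",
                     "text": m.group().decode("ascii")})
    for m in re.finditer(utf16_run, image):
        hits.append({"offset": m.start(), "encoding": "utf-16-le",
                     "text": m.group().decode("utf-16-le")})
    hits.sort(key=lambda h: h["offset"])
    return hits


def find_message(image: bytes, needle: str) -> List[Dict]:
    """Locate a phrase the examiner already knows (e.g. the text sent to the
    phone during the test) in either encoding. Every hit is a place to
    inspect in the hex editor; a second hit at another offset is typically a
    deleted or draft copy of the record."""
    return [h for h in carve_strings(image)
            if needle.lower() in h["text"].lower()]


def neighbors(hits: List[Dict], offset: int, window: int = 64) -> List[str]:
    """Strings carved within `window` bytes of a hit. In the hex view the
    message type, contact and folder fields sit next to the body, so the
    neighbors of a body hit recover those fields; a stale copy that has lost
    its surrounding record has no neighbors."""
    return [h["text"] for h in hits
            if h["offset"] != offset and abs(h["offset"] - offset) <= window]


if __name__ == "__main__":
    all_hits = carve_strings(SAMPLE_IMAGE)
    for hit in find_message(SAMPLE_IMAGE, "Meet me at the"):
        print(f"0x{hit['offset']:04x} {hit['encoding']:<9} {hit['text']!r}")
        print("   nearby:", neighbors(all_hits, hit["offset"]))
```

On a real acquisition you would replace SAMPLE_IMAGE with the bytes of the exported cemail.vol (open(path, "rb").read()) and search for the text you planted on the phone. Because slack space can hold fragments of unrelated records, a carved hit is a lead to confirm in context, not a parsed message: the type, contact and folder fields recovered from the neighboring strings should be checked against the hex view before they are reported.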
I wanted to determine why I could view the actual contents of the cemail.vol from the .UFD file and not the cemail.vol from the MIAT seizure, so I opened both files in a hex editor and found that only the one from the .UFD file worked properly. So, although MIAT seizes all of the information off the phone, it apparently does not fully seize every file, such as system-protected files or files in use by the system.
All of the findings from this research were very time consuming to obtain and have helped us find some of the most important data that investigators need during a real forensic investigation. This project and this blog are concluded.
For the full report on HTC Fuze Forensics visit http://bit.ly/UTUq0a