Forensic access to Windows Mobile pim.vol and other Embedded Database (EDB) volumes |
| |
Authors: | M. Kaart C. Klaver R.B. van Baar |
| |
Affiliation: | Netherlands Forensic Institute, Dept. Digital Technology and Biometrics, Digital Technology Group, Postbus 24044, 2490 AA The Hague, The Netherlands |
| |
Abstract: | Forensic examination of Windows Mobile devices and devices running its successor Windows Phone 7 remains relevant for the digital forensic community. In these devices, the file pim.vol is a Microsoft Embedded Database (EDB) volume that contains information related to contacts, appointments, call history, speed-dial settings and tasks. Current literature shows that analysis of the pim.vol file is less than optimal. We succeeded in reverse-engineering significant parts of the EDB volume format and this article presents our current understanding of the format. In addition we provide a mapping from internal column identifiers to human readable application-level property names for the pim.vol database. We implemented a parser and compared our results to the traditional approach using an emulator and the API provided by the Windows CE operating system. We were able to recover additional databases, additional properties per record and unallocated records. |
| |
Keywords: | |
本文献已被 ScienceDirect 等数据库收录! |
|