Article code | Journal code | Publication year | English article | Full-text version |
---|---|---|---|---|
456403 | 695712 | 2013 | 23-page PDF | Free download |
![Image of the first page of the article: Forensic access to Windows Mobile pim.vol and other Embedded Database (EDB) volumes](/preview/png/456403.png)
Forensic examination of Windows Mobile devices and devices running its successor Windows Phone 7 remains relevant for the digital forensic community. In these devices, the file pim.vol is a Microsoft Embedded Database (EDB) volume that contains information related to contacts, appointments, call history, speed-dial settings and tasks. Current literature shows that analysis of the pim.vol file is less than optimal. We succeeded in reverse-engineering significant parts of the EDB volume format and this article presents our current understanding of the format. In addition we provide a mapping from internal column identifiers to human readable application-level property names for the pim.vol database. We implemented a parser and compared our results to the traditional approach using an emulator and the API provided by the Windows CE operating system. We were able to recover additional databases, additional properties per record and unallocated records.
Journal: Digital Investigation - Volume 9, Issues 3–4, February 2013, Pages 170–192