Sigma Converter

WindowsYourPhone

Author: Andrew Rathbun

description

Windows Your Phone

paths

1 path

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: WindowsYourPhone
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. Windows Your Phone - All Databases
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Windows_Your_Phone___All_Databases"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

https://iconline.ipleiria.pt/bitstream/10400.8/4179/1/Digital_forensic_artifacts_YourPhone_W10.pdf

This has only been tested with Android at this time. I don't own an Apple device but if someone else does, feel free to edit this target file with iOS related information.

This target will recursively grab folders with a complete file path similar to this one: .\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\GUID\System\Database\.

Inside this directory on my system were the following files:

contacts.db-shm

contacts.db-wal

deviceData.db-shm

deviceData.db-wal

notifications.db

notifications.db-shm

notifications.db-wal

settings.db-shm

settings.db-wal

Throw any of these files into a SQLite viewer such as SQLite Expert Pro or DB Browser for SQLite to view the contents.

A quick rundown:

Photos.db will have filenames and blob files.

Phone.db will contain all text messages on the device, including RCS chats, conversations, and file transfers, MMS messages, etc.

Contacts.db will contain all contact names, numbers, addresses, email addresses, etc.

Settings.db will contain an enumerated list of installed apps on the device.

Calling.db will contain call history.

Notifications.db will show the active notifications from the device.

DeviceData.db will have the current wallpaper that's displayed on the device.

There are now SQLECmd maps for this databases:

https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_YourPhone_NotificationsDB.smap

https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_YourPhone_PhoneDB-SMSMessages.smap

https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_YourPhone_PhotosDB.smap

https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_YourPhone_SettingsDB.smap