WindowsYourPhone

Author: Andrew Rathbun

description

Windows Your Phone

paths

1 path
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: WindowsYourPhone
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*');
    # robocopy itself does not glob the source path.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Windows Your Phone - All Databases
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed"
        Collect-Artifact -SourceDir $UserPath -FolderName "Windows_Your_Phone_All_Databases_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

This has only been tested with Android at this time. I don't own an Apple device, but if someone else does, feel free to edit this target file with iOS-related information.

This target will recursively grab folders with a complete file path similar to this one: .\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\GUID\System\Database\.

Inside this directory on my system were the following files:

calling.db
calling.db-shm
calling.db-wal
contacts.db
contacts.db-shm
contacts.db-wal
deviceData.db-shm
deviceData.db-wal
notifications.db
notifications.db-shm
notifications.db-wal
phone.db
phone.db-shm
phone.db-wal
photos.db
photos.db-shm
photos.db-wal
settings.db
settings.db-shm
settings.db-wal

Throw any of these files into a SQLite viewer such as SQLite Expert Pro or DB Browser for SQLite to view the contents.

A quick rundown:

Photos.db will have filenames and blob files.

Phone.db will contain all text messages on the device, including MMS messages, RCS chats and conversations, file transfers, etc.

Contacts.db will contain all contact names, numbers, addresses, email addresses, etc.

Settings.db will contain an enumerated list of installed apps on the device.

Calling.db will contain call history.

Notifications.db will show the active notifications from the device.

DeviceData.db will have the current wallpaper that's displayed on the device.
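Because each database is collected together with its -wal and -shm side files, a first triage pass can walk the collected Indexed tree, confirm each .db really is SQLite, note whether its WAL companion came along (un-checkpointed rows live there), and list tables with row counts through a read-only connection. The script below is an added example and is not part of the KAPE target or SQLECmd; the GUID, table names and rows in build_sample() are constructed for the demo and do not reflect the real Your Phone schema, and the role descriptions are taken from the rundown above.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

# Database roles as described in the target's notes above
KNOWN_DBS = {
    "calling.db": "call history",
    "contacts.db": "contact names, numbers, addresses, email addresses",
    "deviceData.db": "current device wallpaper",
    "notifications.db": "active notifications",
    "phone.db": "text messages incl. MMS, RCS chats, file transfers",
    "photos.db": "photo filenames and blobs",
    "settings.db": "enumerated list of installed apps",
}


def is_sqlite(path: Path) -> bool:
    """True if the file carries the 16-byte SQLite 3 header."""
    with path.open("rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def inventory(root: Path) -> list:
    """Walk a collected Indexed tree and describe every *.db file found:
    known role, header check, presence of -wal/-shm side files, and
    per-table row counts read through a read-only connection."""
    results = []
    for db in sorted(root.rglob("*.db")):
        entry = {
            "name": db.name,
            "role": KNOWN_DBS.get(db.name, "unknown"),
            "is_sqlite": is_sqlite(db),
            # Un-checkpointed writes live in the -wal file; if it was not
            # collected alongside the .db, recent rows are silently missing.
            "has_wal": db.with_name(db.name + "-wal").exists(),
            "has_shm": db.with_name(db.name + "-shm").exists(),
            "tables": {},
        }
        if entry["is_sqlite"]:
            # mode=ro opens the evidence copy without writing to it
            con = sqlite3.connect(f"file:{db.as_posix()}?mode=ro", uri=True)
            try:
                names = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
                for t in names:
                    quoted = '"' + t.replace('"', '""') + '"'
                    entry["tables"][t] = con.execute(
                        f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            finally:
                con.close()
        results.append(entry)
    return results


def build_sample(root: Path) -> Path:
    """Constructed fixture: a toy Indexed\\<GUID>\\System\\Database tree.
    The GUID, table names and rows are made up for the demo (hypothetical),
    not the real Your Phone schema."""
    db_dir = root / "Indexed" / "00000000-0000-0000-0000-000000000000" / "System" / "Database"
    db_dir.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(db_dir / "phone.db")
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO message (body) VALUES (?)", [("hello",), ("running late",)])
    con.commit()
    con.close()
    con = sqlite3.connect(db_dir / "contacts.db")
    con.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO contact (name) VALUES ('A. Example')")
    con.commit()
    con.close()
    # A decoy that is not SQLite at all, to exercise the header check
    (db_dir / "stale.db").write_bytes(b"not a database\n")
    return db_dir


def demo() -> list:
    """Build the fixture in a temp dir and return its inventory."""
    root = Path(tempfile.mkdtemp(prefix="yourphone_"))
    build_sample(root)
    return inventory(root)


if __name__ == "__main__":
    for e in demo():
        side = ("wal" if e["has_wal"] else "-") + "/" + ("shm" if e["has_shm"] else "-")
        print(f"{e['name']:<16} {e['role']:<45} sqlite={e['is_sqlite']} side={side} tables={e['tables']}")
```

Point inventory() at the Windows_Your_Phone_All_Databases_<user> folder the collection script writes under D:\Evidence. The read-only URI keeps the evidence copy unmodified, but SQLite still reads the -wal file when it is present next to the .db, which is why the target grabs the whole directory rather than only the *.db files.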

There are now SQLECmd maps for these databases: