CN106412200B - A method of extracting WP interconnection personal data - Google Patents
A method of extracting WP interconnection personal data Download PDFInfo
- Publication number
- CN106412200B CN106412200B CN201610874303.5A CN201610874303A CN106412200B CN 106412200 B CN106412200 B CN 106412200B CN 201610874303 A CN201610874303 A CN 201610874303A CN 106412200 B CN106412200 B CN 106412200B
- Authority
- CN
- China
- Prior art keywords
- data
- management block
- bytes
- management
- represent
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M1/00—Substation equipment, e.g. for use by subscribers
- H04M1/26—Devices for calling a subscriber
- H04M1/27—Devices whereby a plurality of signals may be stored simultaneously
- H04M1/274—Devices whereby a plurality of signals may be stored simultaneously with provision for storing more than one subscriber number at a time, e.g. using toothed disc
- H04M1/2745—Devices whereby a plurality of signals may be stored simultaneously with provision for storing more than one subscriber number at a time, e.g. using toothed disc using static electronic memories, e.g. chips
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1415—Saving, restoring, recovering or retrying at system level
- G06F11/1435—Saving, restoring, recovering or retrying at system level using file system or storage system metadata
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
Abstract
The invention discloses a kind of methods for extracting WP interconnection personal data, comprising the following steps: S1: orientation and communication records the path where file;S2: search address list feature " 2A002A1F009600 ";S3: first management block is searched for after address list feature;S4: all management blocks are traversed by format;S5: the corresponding contact content of the management block is judged according to the first character section of management block;S6: the corresponding Data Area data of management block is obtained;S7: by all Data Area datas of extraction by Unicode UTF-16Little Endian transcoding, restore All Contacts' data.Beneficial effects of the present invention are as follows: comprehensively can completely retrieve the contact information in WP mobile phone comprehensively and extract, can extract the contact information deleted.
Description
Technical field
The present invention relates to field of information security technology, in particular to a kind of method for extracting WP interconnection personal data.
Background technique
With the continuous improvement and expansion of mobile communication technology service provided level and type service, mobile phone increasingly at
For connection tool indispensable in people's Working Life, however at the same time, is swindled, calumniated and forged using mobile phone
Criminal activity is also commonplace.Mobile Phone Forensics are exactly an effective means for hitting this kind of crime.Mobile Phone Forensics in concept
It is exactly set in storage card and Mobile Network Operator database from SIM cards of mobile phones, mobile phone inside/outside and collects, saves from damage and analyze phase
The electronic evidence of pass, and it is final therefrom obtain there is legal effect, can be by the process for the evidence that court is received.It involves at present
There are three types of the criminal offences substantially of mobile phone: first is that serving as liaison work using mobile phone in the implementation process of criminal offence
Tool;Second is that mobile phone is used as a kind of storage media of evidence of crime;A kind of last mode is that mobile phone is taken as short message fraud, short message
The implementation tool of the novel mobile phones criminal activity such as harassing and wrecking and bogusware propagation.These, which are all fully showed that, carries out Mobile Phone Forensics skill
The correlative study of art is for maintaining social stability, guarantee people's equity and behavior of fighting crime with sufficient necessity and greatly
Urgency.
It is very mature for data recovery technique of the intelligence in Mobile Phone Forensics at present, but the WP system that Microsoft releases
Data have special data structure, and the domestic data reconstruction method for being directed to the structure not yet, encountering such mobile phone will
Case is set to have reached an impasse.
Summary of the invention
The present invention in view of the drawbacks of the prior art, provides a kind of method for extracting WP interconnection personal data, can be effective
Solution the above-mentioned problems of the prior art.
A method of extracting WP interconnection personal data, comprising the following steps:
S1: orientation and communication records the path where file;
S2: in the normal region of file and free area search address list feature " 2A002A1F009600 ";
S3: searching for " 40 " after address list feature, and taking and forming 4 bytes including " 40 " and " 40 " preceding 3 bytes is one group
Management block;
S4: it is one group with 4 bytes and traverses all management blocks backward, be not if meeting second byte in 4 bytes
" 01 ", first of the 4th byte do not indicate it is not management block then for " 4 ", terminate traversal;
S5: the corresponding contact content of the management block is judged according to the first character section of management block;
S6: by each management block, latter two byte is 12 low, obtains the corresponding Data Area data initial position of management block,
It jumps to data start to fetch backward evidence, until " 00 00 01 " terminate;
S7: by all Data Area datas of extraction by Unicode UTF-16Little Endian transcoding, WP is recovered
All Contacts' data in mobile phone.
It compared with prior art the present invention has the advantages that can be comprehensively comprehensively complete by the contact information in WP mobile phone
Whole retrieval extracts, and can extract the contact information deleted.
Specific embodiment
To make the objectives, technical solutions, and advantages of the present invention more comprehensible, by the following examples, to the present invention do into
One step is described in detail.
A method of extracting WP interconnection personal data, comprising the following steps:
S1: orientation and communication records the path where file;The file system of WP mobile phone is NTFS, then file system does not need to solve
Analysis;Address list storage path data field " User WPCOMMSSERVICES APPDATA Local Unistore
store.vol";
S2: address list feature " 2A002A1F009600 " is searched in binary file;Each mark represents one and leads to
News record;
S3: searching for " 40 " after address list feature, and taking and forming 4 bytes including " 40 " and " 40 " preceding 3 bytes is one group
Be before management block, such as " 40 " " 00 01 CC " then " 00 01 CC40 " be one group of management block;
S4: it is one group with 4 bytes and traverses all management blocks backward, be not if meeting second byte in 4 bytes
" 01 ", first of the 4th byte do not indicate it is not management block then for " 4 ", terminate traversal;
S5: the corresponding content of the management block is judged according to the first character section of management block;" 03 " represents name of contact person
Mark;" 06 " represents the city of work address;" 07 " represents the state of work address;" 08 " represents the postcode of work address;"09"
Represent the province of work address;" 0A " represents the street of work address;" 0B " represents work fax;" 0C " represents Work Telephone 1;
" 0D " represents Work Telephone 2;" 0E " represents children;" 0F " represents CompanyName;" 10 " represent firm telephone;" 15 " represent connection
People's name;" 16 " represent name of contact person;" 17 " represent personal email;" 18 " represent work email;" 19 " represent
Other Emails;" 1A " represents name of contact person;" 1B " represents name of contact person;" 20 " represent the city of home address;
" 21 " represent the country of home address;" 22 " represent the postcode of home address;" 23 " represent the postcode of home address;" 24 " represent
The street of home address;" 25 " represent house fax;" 26 " represent Home Telephone 1;" 27 " represent Home Telephone 2;" 28 " represent
Post;2A " represents surname;" 2C " represents middle name;" 30 " represent phone number 1;" 31 " represent phone number 2;" 32 " represent
ABCH (does not know concrete meaning);" 34 " representative office position;" 37 " represent the city of other addresses;" 38 " represent other ground
The country of location;" 39 " represent the postcode of other addresses;" 3A " represents the province of other addresses;" 3B " represents the street of other addresses
Road;" 3C " represents pager phone;It is unknown that " 3F " represents meaning;" 40 " represent the store path of the tinkle of bells;" 41 " represent cell-phone number
Code;" 42 " represent name (having space);" 43 " represent name (having space);" 44 " represent spouse/partner;" 49 " represent network address;
" 50 " represent ringing sound of text message store path.
S6: by each management block, latter two byte is 12 low, obtains the corresponding Data Area data initial position of management block,
It jumps to data start to fetch backward evidence, until " 00 00 01 " terminate;
S7: by all Data Area datas of extraction by Unicode UTF-16Little Endian transcoding, WP is recovered
All Contacts' data in mobile phone.
Those of ordinary skill in the art will understand that the embodiments described herein, which is to help reader, understands this hair
Bright implementation method, it should be understood that protection scope of the present invention is not limited to such specific embodiments and embodiments.Ability
The those of ordinary skill in domain disclosed the technical disclosures can make its various for not departing from essence of the invention according to the present invention
Its various specific variations and combinations, these variations and combinations are still within the scope of the present invention.
Claims (1)
1. a kind of method for extracting WP interconnection personal data, it is characterised in that the following steps are included:
S1: orientation and communication records the path where file;
S2: in the normal region of file and free area search address list feature " 2A002A1F009600 ";
S3: searching for " 40 " after address list feature, takes and forms the management that 4 bytes are one group including " 40 " and " 40 " preceding 3 bytes
Block;
S4: being one group with 4 bytes and traverse all management blocks backward, if meeting second byte in 4 bytes is not " 01 ", the
First of four bytes does not indicate it is not management block then for " 4 ", terminates traversal;
S5: the corresponding contact content of the management block is judged according to the first character section of management block;
S6: by each management block, latter two byte is 12 low, obtains the corresponding Data Area data initial position of management block, jumps
It fetches backward evidence to data start, until " 00 00 01 " terminate;
S7: by all Data Area datas of extraction by Unicode UTF-16Little Endian transcoding, WP mobile phone is recovered
Interior All Contacts' data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610874303.5A CN106412200B (en) | 2016-10-08 | 2016-10-08 | A method of extracting WP interconnection personal data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610874303.5A CN106412200B (en) | 2016-10-08 | 2016-10-08 | A method of extracting WP interconnection personal data |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106412200A CN106412200A (en) | 2017-02-15 |
| CN106412200B true CN106412200B (en) | 2019-12-03 |
Family
ID=59228698
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610874303.5A Active CN106412200B (en) | 2016-10-08 | 2016-10-08 | A method of extracting WP interconnection personal data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106412200B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1752939A (en) * | 2004-09-22 | 2006-03-29 | 微软公司 | Method and system for synthetic backup and restore |
| CN102298546A (en) * | 2011-09-07 | 2011-12-28 | 深圳市万兴软件有限公司 | Method and computer for restoring deleted joint picture group (JPG) file from disk |
| CN102750204A (en) * | 2012-06-07 | 2012-10-24 | 深圳市万兴软件有限公司 | Data recovery method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7089449B1 (en) * | 2000-11-06 | 2006-08-08 | Micron Technology, Inc. | Recovering a system that has experienced a fault |
-
2016
- 2016-10-08 CN CN201610874303.5A patent/CN106412200B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1752939A (en) * | 2004-09-22 | 2006-03-29 | 微软公司 | Method and system for synthetic backup and restore |
| CN102298546A (en) * | 2011-09-07 | 2011-12-28 | 深圳市万兴软件有限公司 | Method and computer for restoring deleted joint picture group (JPG) file from disk |
| CN102750204A (en) * | 2012-06-07 | 2012-10-24 | 深圳市万兴软件有限公司 | Data recovery method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106412200A (en) | 2017-02-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108092963B (en) | Webpage identification method and device, computer equipment and storage medium | |
| CN103731832A (en) | System and method for preventing phone and short message frauds | |
| CN105354196A (en) | Information pushing method and information pushing apparatus | |
| CN104580650A (en) | Method for pointing out defrauding call and communication terminal | |
| CN101287214A (en) | Method and system for acquiring information by mobile terminal and applying the same | |
| CN102937926A (en) | Method and device for recovering deleted sqlite files on mobile terminal | |
| CN103167086A (en) | System and method for cleaning invalid contact persons of mobile phone | |
| CN103973550A (en) | Method, system and device for rapidly and intelligently identifying instant messaging application ID (identity) number and carrying out instant messaging | |
| CN103425668A (en) | Information search method and electronic equipment | |
| CN104244206A (en) | Method, device and terminal device for processing short message | |
| CN111625863B (en) | Privacy protection method, device, electronic equipment and storage medium | |
| CN104021217A (en) | System and method for extracting fragment file and deleted file of mobile phone | |
| CN104580725A (en) | Method for hinting fraud calls and communication terminal | |
| CN106412200B (en) | A method of extracting WP interconnection personal data | |
| CN110532805B (en) | Data desensitization method and device | |
| CN109359481B (en) | Anti-collision search reduction method based on BK tree | |
| CN106484691B (en) | data storage method and device of mobile terminal | |
| CN109255214B (en) | Authority configuration method and device | |
| CN103093213A (en) | Video file classification method and terminal | |
| CN107729457B (en) | Method, device and storage medium for intelligent information retrieval | |
| CN109308229B (en) | Method for recovering WeChat chat records | |
| CN108540471B (en) | Mobile application network traffic clustering method, computer readable storage medium and terminal | |
| CN106503197B (en) | A method of extracting android system Baidu map base station data | |
| CN114168860A (en) | Dark website point user association method and device based on network characteristics | |
| CN102768632B (en) | Method and device for recovering data of mobile terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 641000 Sichuan province Neijiang City Songshan Road No. 253 Applicant after: Sichuan Miwu Traceless Science and Technology Co., Ltd. Address before: 641000 Sichuan province Neijiang City Songshan Road No. 253 Applicant before: SICHUAN MWH INFORMATION SAFETY TECHNOLOGY CO., LTD. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |