C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130417091016
The pattern of the backup directory is very easy to identify.
The backup history is stored under C:\Users\<UID>\AppData\Roaming\Samsung\Kies\BatchImportExport in file BackupHistory.xml
Many basic configuration settings can be located in the registry under
HKEY_CURRENT_USER\Software\Samsung\Kies
If you find out that our evidence contains backup of devices, even if the images were not backed up, we can look at other locations for cached items. Some of the items will be located in SQLite database, but some of them in individual files; these files are stored under a BR folder and have a file extension of BK. The BK files can be renamed to ZIP files and extract the database from each. The location below will have the image thumbnails of pictures and videos.
C:\Users\<UID>\Documents\samsung\Kies\Backup\SPH-D710\SPH-D710_20130417091016\Others\DCIM\Camera\cache
I have mentioned in the previous post that TEC files are just modified JPEG files with 6 Bytes extra at the beginning of each file and one additional Byte at its end.
In this post, I wanted to explore a simple way to extract the images so Windows Explorer's thumbnail view could be used to quickly browse through the images for relevancy. Dcfldd was an easy and obvious tool to use for this purpose. The TEC files were copied into input folder under the dcfldd folder and an output folder was created to store the extracted files.
C:\dcfldd>for /f %i in ( 'dir /b .\input' ) do dcfldd if=input\%i of=output\%i.jpg bs=1 skip=6
Where
'dir /b .\input' means to display the basic output of file listings in the input directory
output\%i.jpg means to save the modified files in the output directory with appended JPG file extensions
bs=1 block size of one Byte
skip=6 skip 6 block or 6x1Bytes at the beginning of the file
