Who is this document for?

This document is a data specification for 3rd party developers

This document is an introduction to a specification of MOBILedit Forensic Express export XML. It describes the format and structure of the export XML, as well as additional rules that affect its appearance. It is primarily intended for third-party developers who will further process the export XML and import its data to their solutions such as databases or viewers of digital evidence.

Basic concepts

Data obtained from the device (e.g. contacts, messages, call logs) are referred to as items, and a set of such items as a container. The two usually share a tag name that differs only in number, such as CONTACT and CONTACTS, MESSAGE and MESSAGES, CALL and CALLS. Items are themselves containers, only smaller ones, holding information of various kinds: texts, numbers, logical values, dates, addresses, etc. Over time, the designations CONTAINER, ITEM and PART have become established for these three levels of data. The first two are represented in the XSD file by the abstract types CONTAINERTYPE and ITEMTYPE. A PART (a leaf in the XML tree) is expressed by its string value supplemented by various attributes. In the past this simple data structure sufficed, but modern devices with a large number of applications created the need to group data into even higher units (the SOURCE and SOURCES tags). The various file systems are also an essential part of the data (FILESYSTEM, FOLDER, FILE and other tags). So that the data are not completely passive, tags such as IDENTIFIERPART and DATASOURCEPART take care of their activation (interconnection). Finally, the addition of the MEFEXPORT root tag and other auxiliary tags (e.g. PROPERTIES, PHONEPHOTO) created a comprehensive set used to describe all the information extracted from a physical device or other sources. It remains to add that the relationship between CONTAINER, ITEM and PART is not always strictly one-way; there is a set of exceptions in how they are interconnected.

Brief description of XML

Although XSD allows great variability in the data structure, the generated XML files share features that can be described relatively easily. The root tag MEFEXPORT contains a set of PROPERTIES with information about the case, the examiner, the device and the application itself. Most important, however, is the SOURCE tag (currently just one), which holds the description of all device data (or of an alternative data source). SOURCE first contains information about the device, including its image. This is followed by a description of all the files that are part of the export. These are divided, according to physical or logical storage, into one or more FILESYSTEM tags (a FILESYSTEM corresponds to classic storage composed of FOLDER and FILE tags). Other tags represent the various containers with global data (contacts, SMS, MMS, etc.), followed by data obtained by application analysis. Each application has its own SOURCE, which encapsulates its data and records them with the same sub-tags as the SOURCE on the global level. All applications are grouped in one SOURCES container.

More about files

All files and directories in the export are included under one or more FILESYSTEM tags. A FILESYSTEM must contain exactly one FOLDER, which in turn can contain any number of other FOLDER and FILE tags. It is worth noting that although FOLDER is of type ITEMTYPE, it contains other ITEMTYPE tags (FOLDER and FILE). The FILEPART tag is used wherever a specific file needs to be linked; linking is done via the path attribute. Important ITEMTYPE tags that also link to a file through FILEPART are the so-called media files AUDIO, IMAGE, VIDEO and, surprisingly, DOCUMENT (the parent tag is always MEDIA). Each of these must contain exactly one FILEPART tag. The IMAGEPART tag has more options: via the path attribute it can be linked to either a file (FILE) or an image (IMAGE). It is the IMAGE tag that can contain other interesting data (e.g. width and height). The last of the important tags that contain FILEPART is MESSAGEFILE, which is an attachment (there can be several) inserted into a message. Where files are physically present, they are located on a path relative to the export XML; this path is specified in the ‘files’ attribute of the MEFEXPORT tag.

Containers, items, parts and others

Genuine containers derived from CONTAINERTYPE are: SOURCES, SOURCE, ACCOUNTS, ALARMS, AUTOFILLS, BOOKMARKS, BTPAIRINGS, CALLS, CELLTOWERS, CONTACTS, CONTAINER, CONVERSATIONS, COOKIES, CREDITCARDS, DOWNLOADS, EVENTS, FILESYSTEM, GROUPS, LOGITEMS, MEDIA, MEDIAFOLDER, MESSAGES, NETWORKS, NEWS, NOTES, NOTIFICATIONS, PAGES, PASSWORDS, PLACES, ROUTES, SEARCHES, TASKS, TRANSACTIONS, TYPEDTEXT

Genuine items derived from ITEMTYPE are: ACCOUNT, ALARM, AUTOFILL, BOOKMARK, BTPAIRING, CALL, CELLTOWER, CONTACT, ITEM, CONVERSATION, COOKIE, CREDITCARD, DOCUMENT, DOWNLOAD, EVENT, FOLDER, FILE, GROUP, LOGITEM, AUDIO, IMAGE, VIDEO, MESSAGE, MESSAGEFILE, NETWORK, NEWSITEM, NOTE, NOTIFICATION, PAGE, PASSWORD, PLACE, ROUTE, SEARCH, TASK, TRANSACTION, WORD

Genuine parts derived from character string are: ADDRESSPART, BOOLPART, CAMERABALLISTICSPART, DATASOURCEPART, DATEPART, DATETIMEPART, DURATIONPART, ENUMPART, FILEPART, GENDERPART, GEOPART, IDENTIFIERPART, IDREFERENCEPART, IMAGEPART, NUMBERPART, RECURRENCEPART, TEXTPART, TIMEPART, THUMBNAILPART, URLPART

Individual containers are specialized for certain items, as their names already indicate (e.g. TASKS for TASK). However, there is also various other data that does not correspond to any specific container. In this case the general CONTAINER is used, and the data in it are marked as ITEM. Unfortunately, there is currently no easy way to programmatically recognize what type of data it is.

So that the data are not isolated in their containers, they are linked together by references. There are two tags for this: IDENTIFIERPART and IDREFERENCEPART. The kind of binding can be determined from the "type" attribute, e.g. if type is "account", the linked tag is ACCOUNT. However, not all values of the type attribute may be clear, so it is important to verify the target item (or items). In addition, the link may not always be valid.

Data sources

Each ITEMTYPE obtained by analyzing a particular file should list that file using the DATASOURCEPART. Pairing with a physical file works the same way as other links to the file system, i.e. via the path attribute. There can be several such links, and they can also be arranged in a simple hierarchy.

A few notes on use

Over the years of use, additional rules have crystallized that are not, and cannot be, recorded in the XSD file. They are:

  • The application SOURCE tag no longer contains any other SOURCE.

  • The binding of a data item (ITEMTYPE) to the corresponding ACCOUNT tag is done via IDREFERENCEPART (type = "account"); any other variant, even if valid according to the XSD, is inadmissible.

  • The GROUP tag contains references (IDENTIFIERPART, type = "participant") to its members (CONTACT and GROUP), not the other way around.

  • The CONVERSATION tag contains references (IDENTIFIERPART, type = "participant") to its members (CONTACT, GROUP, and ACCOUNT).

  • The MESSAGE tag contains (if known) a reference (IDREFERENCEPART, type = "conversation") to its conversation (CONVERSATION), the opposite approach is no longer used.

  • The MESSAGE tag contains (if known) references (IDENTIFIERPART) to the items involved. The type is "from", "to" or a general "participant". Other types of messages may use other variants, e.g. "cc", "bcc", etc.

  • The CALL tag follows rules similar to those for MESSAGE.

  • Do not mix different reference parts (IDENTIFIERPART vs. IDREFERENCEPART) for the same situations e.g. MESSAGE to its CONVERSATION.
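
One way an importer can enforce the rules above while resolving references (an added example, not MOBILedit code). The sample XML is a constructed, reduced fragment, and check_references, RULES and the finding labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
REF_PARTS = ("IDENTIFIERPART", "IDREFERENCEPART")
# (part tag, type, owner tag; None = any owner) -> target tags the rules above allow
RULES = {
    ("IDREFERENCEPART", "account", None): {"ACCOUNT"},
    ("IDREFERENCEPART", "conversation", "MESSAGE"): {"CONVERSATION"},
    ("IDENTIFIERPART", "participant", "GROUP"): {"CONTACT", "GROUP"},
    ("IDENTIFIERPART", "participant", "CONVERSATION"): {"CONTACT", "GROUP", "ACCOUNT"},
}
IDREF_ONLY = {"account", "conversation"}  # bindings that must not use IDENTIFIERPART

# Constructed, heavily reduced fragment (not XSD-complete, not real tool output).
SAMPLE = """<MEFEXPORT files="mobiledit_export_files"><SOURCE xml:id="s1">
 <ACCOUNTS xml:id="k1"><ACCOUNT xml:id="acc1"/></ACCOUNTS>
 <CONTACTS xml:id="k2"><CONTACT xml:id="con1"/></CONTACTS>
 <GROUPS xml:id="k3"><GROUP xml:id="g1">
   <IDENTIFIERPART type="participant" idrefs="con1 acc1">friends</IDENTIFIERPART>
 </GROUP></GROUPS>
 <CONVERSATIONS xml:id="k4"><CONVERSATION xml:id="cv1"/></CONVERSATIONS>
 <MESSAGES xml:id="k5"><MESSAGE xml:id="m1">
   <IDREFERENCEPART type="conversation" idrefs="cv1">cv1</IDREFERENCEPART>
   <IDENTIFIERPART type="to" idrefs="con9">Bob</IDENTIFIERPART>
  </MESSAGE><MESSAGE xml:id="m2">
   <IDENTIFIERPART type="conversation" idrefs="cv1">chat</IDENTIFIERPART>
 </MESSAGE></MESSAGES>
 <CALLS xml:id="k6"><CALL xml:id="c1">
   <IDREFERENCEPART type="account" idrefs="con1">con1</IDREFERENCEPART>
 </CALL></CALLS>
</SOURCE></MEFEXPORT>"""

def check_references(xml_text):
    """Return (owner, problem, detail) for every reference that breaks a rule."""
    root = ET.fromstring(xml_text)  # untrusted exports: use a hardened XML parser
    index = {el.get(XML_ID): el for el in root.iter() if el.get(XML_ID)}
    findings = []
    for owner in root.iter():
        for part in owner:  # reference parts are direct children of their item
            if part.tag not in REF_PARTS:
                continue
            ptype, where = part.get("type"), f"{owner.tag}[{owner.get(XML_ID)}]"
            if part.tag == "IDENTIFIERPART" and ptype in IDREF_ONLY:
                findings.append((where, "wrong-part", ptype))
            allowed = RULES.get((part.tag, ptype, owner.tag)) or RULES.get((part.tag, ptype, None))
            for ref in part.get("idrefs", "").split():  # idrefs are space-separated
                target = index.get(ref)
                if target is None:
                    findings.append((where, "dangling", ref))
                elif allowed and target.tag not in allowed:
                    findings.append((where, "unexpected-target", f"{ref}->{target.tag}"))
    return findings

if __name__ == "__main__":
    print(*check_references(SAMPLE), sep="\n")
```

Reference types with no rule on this page (such as "from", "to", "cc") are only checked for dangling targets.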

Explanation of table items

Occurrence indicators

| cnt | meaning | description |
| --- | --- | --- |
| ! | just one | |
| ? | 0 or 1 | |
| + | 1 or more | |
| * | 0 or more | |

Data types

| dtp | meaning | description |
| --- | --- | --- |
| S | string | |
| N | number | integer or 64-bit integer |
| R | real | double |
| E | enumeration | defined in the XSD file |
| B | boolean/logical | “true” or “false” |
| D | date | date corresponding to ISO 8601, i.e. in the format yyyy-MM-dd, optionally with time zone (Z for UTC or [+/-]HH:mm) |
| T | time | time corresponding to ISO 8601, i.e. in the format HH:mm:ss, optionally with time zone (Z for UTC or [+/-]HH:mm) and decimal part of seconds |
| DT | datetime | date and time corresponding to ISO 8601, i.e. in the format yyyy-MM-ddTHH:mm:ss, optionally with time zone (Z for UTC or [+/-]HH:mm) and decimal part of seconds |

Containers in detail - attributes and nested tags

All red values in the table are inherited from CONTAINERTYPE.

For dtp and cnt, see the table of data types and the table of occurrence indicators in the legend section.

container\attribute

xml:id

label

type

analysis1)

class

structure2)

description3)

dtp

S

S

E

E

E

E

S

MEFEXPORT2)

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| dtdtversion | R | ! | fixed value “2.0” |
| appversion | | ! | |
| created | | ! | |
| application | | ! | |
| files | S | ! | typically “mobiledit_export_files” |

PROPERTIES4)

!

?

?

?

SOURCES

!

!

?

?

?

SOURCE5)

!

!

?

?

?

ACCOUNTS

!

!

?

?

?

?

ALARMS

!

!

?

?

AUTOFILLS

!

!

?

?

BOOKMARKS

!

!

?

?

BTPAIRINGS

!

!

?

?

CALLS

!

!

?

?

?

CELLTOWERS

!

!

?

?

CONTACTS

!

!

?

?

?

?

CONTAINER

!

!

?

?

?

CONVERSATIONS

!

!

?

?

?

COOKIES

!

!

?

?

CREDITCARDS

!

!

?

?

DOWNLOADS

!

!

?

?

EVENTS

!

!

?

?

?

?

FILESYSTEM

!

!

?

?

?

?

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| path | S | ? | |
| priority | | ? | |
| index | | ? | |

GROUPS

!

!

?

?

LOGITEMS

!

!

?

?

MEDIA

!

!

?

?

?

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| priority | | ? | |

MEDIAFOLDER

!

!

?

?

MESSAGES

!

!

?

?

?

?

NETWORKS

!

!

?

?

?

?

NEWS

!

!

?

?

NOTES

!

!

?

?

?

?

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| deleted | | ? | |

NOTIFICATIONS

!

!

?

?

PAGES

!

!

?

?

PASSWORDS

!

!

?

?

?

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| significance | | ? | |

PLACES

!

!

?

?

ROUTES

!

!

?

?

SEARCHES

!

!

?

?

?

TASKS

!

!

?

?

?

?

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| deleted | | ? | |

TRANSACTIONS

!

!

?

?

TYPEDTEXT

!

!

?

?

?

PHONEPHOTOS

!

?

?

THUMBNAILS

1) “forensic” if data were obtained by file analysis

2) sorting flag

3) this is the real name of the attribute

4) MEFEXPORT and PROPERTIES are not genuine ITEMTYPE tags, but they have a very important function in our XML tree

5) the "reference" attribute is no longer used

container\child

cnt

PROPERTIES

SOURCE

not ITEMTYPE

* by default

ITEMTYPE

* by default

MEFEXPORT1)

*

?

PROPERTIES1)

see tables below

SOURCES

+

SOURCE

*

*3)

SOURCES

ITEMTYPE2)

IMAGEPART

PHONEPHOTOS

METANOTE

ACCOUNTS

*

ACCOUNT

ALARMS

ALARM

AUTOFILLS

AUTOFILL

BOOKMARKS

*

BOOKMARK

BTPAIRINGS

BTPAIRING

CALLS

*

CALL

CELLTOWERS

CELLTOWER

CONTACTS

*

CONTACT

CONTAINER

*

ITEM

CONVERSATIONS

*

CONVERSATION

COOKIES

COOKIES

CREDITCARDS

CREDITCARD

DOWNLOADS

DOWNLOAD

EVENTS

*

EVENT

FILESYSTEM

*

FOLDER

!

GROUPS

*

GROUP

LOGITEMS

LOGITEM

MEDIA

AUDIO

IMAGE

VIDEO

DOCUMENT

MEDIAFOLDER

MEDIA

MESSAGES

*

MESSAGE

NETWORKS

*

NETWORK

NEWS

NEWSITEM

NOTES

*

NOTE

NOTIFICATIONS

NOTIFICATION

PAGES

*

PAGE

PASSWORDS

PASSWORD

PLACES

*

PLACE

ROUTES

*

ROUTE

SEARCHES

*

SEARCH

TASKS

*

TASK

TRANSACTIONS

TRANSACTION

TYPEDTEXT

*

WORD

other non-CONTAINERTYPE tags

PHONEPHOTOS

PHONEPHOTO

FOLDER

FOLDER

FILE

VIDEO

THUMBNAILS

?

THUMBNAILS

THUMBNAIL

DOCUMENT

DOCUMENTCONTENT

?

DOCUMENTCONTENT

TEXTPART

CONVERSATION

MESSAGE3)

MESSAGE

MESSAGEFILE

1) MEFEXPORT and PROPERTIES are not genuine ITEMTYPE tags, but they have a very important function in our XML tree

2) ACCOUNT, ALARM, AUTOFILL, BOOKMARK, BTPAIRING, CALL, CELLTOWER, CONTACT, ITEM, CONVERSATION, COOKIE, CREDITCARD, DOCUMENT, DOWNLOAD, EVENT, FOLDER, FILE, GROUP, LOGITEM, AUDIO, IMAGE, VIDEO, MESSAGE, MESSAGEFILE, NETWORK, NEWSITEM, NOTE, NOTIFICATION, PAGE, PASSWORD, PLACE, ROUTE, SEARCH, TASK, TRANSACTION, WORD

3) unused combination

Items in detail - attributes and nested tags

All red values in the table are inherited from ITEMTYPE.

item\attribute

xml:id

label

type

time

deleted

dtp

S

S

E

DT

B

ACCOUNT

!

?

?

?

ALARM

!

?

?

?

AUTOFILL

!

?

?

?

BOOKMARK

!

?

?

?

BTPAIRING

!

?

?

?

CALL

!

?

!

?

?

CELLTOWER

!

?

?

?

CONTACT

!

?

?

?

ITEM

!

?

?

?

CONVERSATION

!

?

?

?

COOKIE

!

?

?

?

CREDITCARD

!

?

?

?

DOCUMENT

!

?

?

?

DOWNLOAD

!

?

?

?

EVENT

!

?

?

?

?

FOLDER

!

?

?

?

FILE

!

?

!

?

?

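| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| filename | S | ? | |
| path | S | ? | |
| size | N | ? | |
| created | DT | ? | |
| modified | DT | ? | |
| accessed | DT | ? | |
| mimetype | S | ? | |
| hash | S? | ? | |
| md5hash | S? | ? | |
| sha1hash | S? | ? | |
| sha256hash | S? | ? | |
| sha512hash | S? | ? | |
| name | S? | ? | |
| iscommon | B? | ? | |
| hashCategories | S | ? | |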

GROUP

!

?

?

?

LOGITEM

!

?

!

?

?

AUDIO

!

?

?

?

IMAGE

!

?

?

?

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| width | N | ? | |
| height | N | ? | |

VIDEO

!

?

?

?

MESSAGE

!

?

!

?

?

MESSAGEFILE

!

?

?

?

?

NETWORK

!

?

?

?

NEWSITEM

!

?

?

?

NOTE

!

?

?

?

?

NOTIFICATION

!

?

?

?

PAGE

!

?

?

?

PASSWORD

!

?

?

?

PLACE

!

?

?

?

?

ROUTE

!

?

?

?

SEARCH

!

?

?

?

TASK

!

?

?

?

TRANSACTION

!

?

?

?

?

WORD

!

?

?

?

?

other non-ITEMTYPE tags

PHONEPHOTO

!

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| path | S | ? | |
| note | S | ? | |

THUMBNAIL

| attribute | dtp | cnt | description |
| --- | --- | --- | --- |
| name | S | ! | |
| position | | ! | |
| timestamp | | ! | |
| path | S | ! | |

METANOTE

!

!

!

item\part1)

ADDR

GEO

BOOL

IDEN

CMBL

IDRF

DTSR

IMG

DATE

NUM

DTIM

RECR

DUR

TEXT

ENUM

TIME

FILE

THMB

GEN

URL

ACCOUNT

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

ALARM

*

*

*

*

*

*

*

*

AUTOFILL

*

*

*

*

*

BOOKMARK

*

*

*

*

*

*

*

*

*

*

BTPAIRING

*

*

*

CALL

*

*

*

*

*

*

*

*

*

CELLTOWER

*

*

*

*

*

CONTACT

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

ITEM

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

CONVERSATION

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

COOKIE

*

*

*

CREDITCARD

*

*

*

*

*

*

*

DOWNLOAD

*

*

*

*

*

*

*

*

*

EVENT

*

*

*

*

*

*

*

*

*

*

*

*

*

*

FOLDER

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

FILE

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

GROUP

*

*

*

*

*

*

*

*

*

LOGITEM

*

*

*

*

*

AUDIO

*

*

!

*

*

IMAGE

*

*

*

!

*

*

*

*

*

VIDEO

*

*

*

!

*

*

*

*

?

*

DOCUMENT

*

!

MESSAGE

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

MESSAGEFILE

*

*

*

*

*

*

*1)

*

*

*

*

*

*

*

*

*

*1)

NETWORK

*

*

*

*

*

*

*

NEWSITEM

*

*

*

*

*

*

*

NOTE

*

*

*

*

*

*

*

*

*

*

*

NOTIFICATION

*

*

*

*

*

*

*

*

*

*

PAGE

*

*

*

*

*

*

*

*

*

*

PASSWORD

*

*

*

*

*

*

PLACE

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

ROUTE

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

SEARCH

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

TASK

*

*

*

*

*

*

*

*

*

*

*

*

*

*

TRANSACTION

*

*

*

*

*

*

*

WORD

*

*

PROPERTIES2)

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

*

1) ADDR, BOOL etc. are abbreviations for the individual parts described above

2) MESSAGEFILE must contain at least one FILEPART or one URLPART

3) PROPERTIES is not genuine ITEMTYPE, but includes most of the PART tags

Parts in detail - attributes

| part | attribute | cnt | dtp | description |
| --- | --- | --- | --- | --- |
| ADDRESSPART | text value | | N/A | |
| | type | ! | E | used by drvman CONTACT only |
| | class | ? | E | for “raw”, full address in the street |
| | street | ? | S | |
| | addressextension | ? | S | |
| | pobox | ? | S | |
| | locality | ? | S | |
| | region | ? | S | |
| | country | ? | S | |
| | postalcode | ? | S | |
| BOOLPART | text value | | B | |
| | type | ! | E | |
| CAMERABALLISTICSPART | text value | | N/A | |
| | probability | ! | R | |
| | correlation | ! | R | |
| | status | ! | S | error text if fingerprint not found |
| | match | ! | S | boolean value written as “0” or “1” |
| | fingerprint | ! | S | path to fingerprint |
| DATASOURCEPART | text value | | N/A | |
| | type | ? | E | “main” or “other” |
| | priority | ! | N | “0” for “main” otherwise “1”; “0” is the highest priority |
| | path | ! | S | path to the file from which ITEM was obtained |
| | table | ? | S | database table name |
| | offset | ? | N | 64-bit integer |
| DATEPART | text value | | D | |
| | type | ! | E | |
| DATETIMEPART | text value | | DT | |
| | type | ! | E | |
| | flag | ? | | for “incomplete”, the text value does not include year (and/or other parts?) |
| DURATIONPART | text value | | N | 64-bit integer, number of seconds |
| | type | ! | E | |
| ENUMPART | text value | | S | value part of [type, value] pair |
| | type | ! | E, S | type part of [type, value] pair |
| FILEPART | text value | | N/A | |
| | type | ! | E | |
| | filename | ? | S | |
| | path | ? | S | path to the file |
| | size | ? | N | in bytes |
| | created | ? | DT | |
| | modified | ? | DT | |
| | accessed | ? | DT | |
| | mimetype | ? | S | |
| | hash | ? | S | hexadecimal |
| | md5hash | ? | S | hexadecimal |
| | sha256hash | ? | S | hexadecimal |
| | name | ? | S | |
| GENDERPART | text value | | N/A | |
| | gender | ? | E | “male”, “female” or “unknown” |
| GEOPART | text value | | N/A | |
| | type | ! | E | |
| | time | ? | DT | |
| | latitude | ! | R | in degrees |
| | longitude | ! | R | in degrees |
| | accuracy | ? | N | in meters |
| | altitude | ? | N | in meters |
| | speed | ? | N | in meters per second |
| | heading | ? | R | direction in degrees |
| IDENTIFIERPART | text value | | S | displayed value |
| | type | ! | E | |
| | linking | ? | E | for “cross-referenced”, source and target can be from different SOURCE |
| | idrefs | ! | S | references somewhere, separated by space |
| IDREFERENCEPART | text value | | S | same as the idrefs |
| | type | ? | E | |
| | idrefs | ! | S | reference somewhere |
| IMAGEPART | text value | | N/A | |
| | type | ? | E | |
| | path | ! | S | path to the file |
| | height | ? | N | |
| | width | ? | N | |
| | mimetype | ? | S | |
| NUMBERPART | text value | | N, R | |
| | type | ! | E | |
| | notation | ? | E | “real” or “int”; “real” if empty |
| | unit | ? | E | |
| RECURRENCEPART | text value | | N/A | |
| | type | ! | E | |
| | frequency | ? | E | “once”, “daily”, “weekly”, “fortnightly”, “monthly”, “yearly”, “weeklyex”, “daysinweek”, “daysinmonth” |
| | interval | ? | N | e.g. once in 3 years, the interval is 3 |
| | until | ? | DT | |
| | dayflags | ? | S | “SU”, “MO”, “TU”, “WE”, “TH”, “FR”, “SA” |
| | occurence | ? | N | e.g. every 2nd Sunday, the occurence is 2 |
| | numofrepeating | ? | N | |
| TEXTPART | text value | | S | |
| | type | ! | E | |
| TIMEPART | text value | | T | time |
| | type | ! | E | |
| THUMBNAILPART | text value | | N/A | |
| | name | ! | S | file name |
| | path | ! | S | path to the file |
| URLPART | text value | | S | URL itself |
| | type | ! | E | |
| | path | ? | S | path to the file |
| | timestamp | ? | DT | download time |

XSD file structure specification

The following XSD file describes the structure of the MOBILedit export XML format. Feel free to download it here.