
Windows Media Player Database (CurrentDatabase_360.wmdb files)

08/09/2009

This article covers Windows Media Player, analysis of its library data file (typically titled CurrentDatabase_360.wmdb), and how to extract that file's content for review. It may serve as an aid to forensic examiners or data recovery technicians.

Windows Media Player is a multimedia, video and music player program developed by Microsoft that comes installed as part of the Microsoft Windows operating system.

Windows Media Player will search a computer for compatible multimedia file types and automatically add them to the library. A user can also add additional folders or storage devices containing supported file types. The library can be accessed via Media Player, where its contents can be sorted and arranged and playlists can be created.

The library is saved to a file with the file extension wmdb. On Windows Media Player 11 this file is called CurrentDatabase_360.wmdb. Depending on the version of the player installed, the file may be called CurrentDatabase_219.wmdb or CurrentDatabase_59R. There may also be a file titled ‘CorruptDatabase_XXX.wmdb’ where X denotes a number.

The library file is stored at the following path within each user profile:

VOLUME\Users\PROFILE\AppData\Local\Microsoft\Media Player

Note: the location may vary depending on Windows Operating System version.
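
The following Python script is an added example, not part of the original article or of WMDB Extractor. It lists every library file found under a mounted volume together with its profile, size, modification time and SHA-256, so the files can be documented before extraction. It goes beyond the path above by also checking the Windows XP profile layout, which is an assumption not stated in the article; the names find_wmdb and sha256_file are chosen for this example.

```python
import hashlib
import re
from datetime import datetime, timezone
from pathlib import Path

# Profile-relative library folders. The first is the path given in the article;
# the second is the Windows XP layout, added here as an assumption.
LIBRARY_DIRS = (
    "Users/*/AppData/Local/Microsoft/Media Player",
    "Documents and Settings/*/Local Settings/Application Data/Microsoft/Media Player",
)
# Matches the names in the article: CurrentDatabase_360.wmdb, CurrentDatabase_59R,
# CorruptDatabase_XXX.wmdb (extension optional, case-insensitive).
NAME_RE = re.compile(r"^(Current|Corrupt)Database_\w+(\.wmdb)?$", re.IGNORECASE)


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large library is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_wmdb(volume_root):
    """Return one record per library file under a (read-only) mounted volume."""
    root, records = Path(volume_root), []
    for pattern in LIBRARY_DIRS:
        for folder in sorted(p for p in root.glob(pattern) if p.is_dir()):
            profile = folder.relative_to(root).parts[1]  # the PROFILE component
            for entry in sorted(folder.iterdir()):
                if not (entry.is_file() and NAME_RE.match(entry.name)):
                    continue
                stat = entry.stat()
                records.append({
                    "profile": profile,
                    "file": entry.name,
                    "status": "corrupt" if entry.name.lower().startswith("corrupt") else "current",
                    "size": stat.st_size,
                    "modified_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_file(entry),
                    "path": str(entry),
                })
    return records


if __name__ == "__main__":
    import sys
    print(*find_wmdb(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Run it with the mount point of the image as the only argument; glob matching is case-sensitive on Linux, so the folder names must match the case shown.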

The Windows Media Player library file (for example, CurrentDatabase_360.wmdb) can be readily examined using WMDB Extractor, a forensic software tool that is part of the Simple Carver Suite. WMDB Extractor is capable of reading the wmdb file and saving its contents to CSV, TXT and HTML file formats.

WMDB Extractor:

http://www.simplecarver.com/tool.php?toolname=WMDB%20Extractor

The Media Player library file (example: CurrentDatabase_360.wmdb) contains a wealth of information, including but not limited to file path information, file properties, play counts, playlist information, and video, music and photo file listings.
