Digital Forensics for a Windows Phone
Windows Phone Forensics
Although Android and iOS remain the two most dominant mobile platforms for smartphones and tablets (holding 52.2 and 41.3 percent of market share respectively), additional operating systems exist and should not be overlooked when it comes to mobile device forensics. One such platform, Windows Mobile, accounted for 3.6 percent of US smartphone subscribers as of January 2015. Despite the prevalence of Windows operating systems on desktop and laptop computers (52.02 percent of users across all versions of Windows), Windows Mobile has not reached the same level of popularity. This can pose a challenge for forensic examiners to perform Windows phone forensics, as tools normally used for forensic analysis have not kept pace with changing Windows Mobile technology, likely due to its smaller market share.
Microsoft licenses the Windows Mobile platform to various device manufacturers, including HTC, Huawei and others. In 2014, Microsoft acquired the phone making business of Nokia, the manufacturer of the popular Lumia line of Windows Phones. However in July 2015, the company began a large series of layoffs that continued into May of 2016, signaling the potential end of Microsoft’s experiment with mobile phone manufacturing.
Windows Mobile offers two platforms, Windows Mobile Standard edition and Windows Mobile Professional edition. Since its creation, Windows Mobile has released five different operating systems including Windows CE, Windows Mobile, Windows Phone 7, Windows Phone 8.0/8.1 and the newly released Windows 10 Mobile. While Windows Phone 8.0 and before are no longer supported by Microsoft, Windows Phone 8.1 will be supported through June 2017. Windows 10 Mobile was released to manufacturing of new devices in November 2015, and available for user upgrade in March 2016. At that time, 81.1 percent of Windows Mobile devices were running Windows 8.1, followed by 7.7 percent using Windows 10 Mobile, 7.4 percent using Windows Phone 8.0 and 3.9 percent using some version of Windows Phone 7.
Have a Windows Phone that could answer some important questions?
Why Windows Phone Forensics?
One of the key concepts of digital forensics is that “Every action leaves a trace”. As smartphones become more and more common, users are doing more things and storing more data than ever before on their devices. Traces of these activities can be uncovered through forensic analysis and give examiners a better idea of what the user was doing on the device.
Smartphones have become central to people’s daily lives, eliminating the need for other devices and consolidating them all into one place. From camera to calculator, address book to web browser, payment system to messaging tool, and even making phone calls from time to time, smartphones are more functional than ever.
All these activities lead to a surprising amount of data being stored, both intentionally and unintentionally. When you think of the data being stored on your phone, the first things that come to mind may be photos and videos, call history, text messages, contacts or apps. But the amount of data being collected and stored beneath the surface can often provide as much if not more information. From GPS location data to app usage data, the artifacts that are less visible to the average user can be extremely valuable to a forensic analyst.
There are a variety of reasons why a device may undergo a mobile forensic analysis. The smartphones of both victims and suspects in criminal investigations can hold valuable information, including location data, text message history, photos and more. Other legal investigations including divorce cases or traffic incidents can use data from phones to provide evidence in a court case. Corporations can also use smartphone data in cases of employee data theft or misconduct, if an employee had been issued a company owned device. In any of these cases, data from a mobile device can refute or corroborate someone’s statements based on the information stored on the device.
Gillware can provide Windows Phone forensics services in all of these situations and more. Our trained and experienced forensic analysts are experts at all types of mobile device forensics.
How Windows Phones Store Data
Windows phones have three primary points of data storage, and often use a combination of any of the three. Like most modern smartphones, Windows Phones use their internal NAND flash memory chips to store data. Most Windows Phones also have a removable Secure Digital (SD) card slot for expanded memory capabilities.
Additionally, Windows Mobile devices are designed to sync data to the cloud for backup purposes using Microsoft SkyDrive or Sharepoint accounts. This data often needs to be obtained via search warrant or other legal authority, as it is linked to an individual user’s private cloud account, and the data it holds is not stored on the phone itself. Microsoft provides users with a certain amount of free storage space to allow users to sync their data with the cloud using SkyDrive or Sharepoint accounts. Similar to Apple’s iCloud, Windows Mobile devices can store data such as photos, contacts and other data in the cloud.
Windows Mobile devices also make it easy to sync data to a computer using Microsoft Mobile Phone app or other tools such as the Sync Wizard, Zune, iTunes and Windows File Explorer. Legacy data from Windows Mobile devices can potentially be accessed through a computer the device may have synced with as well.
Types of Data Stored: Similarities to Windows PC OS
Although examiners may face challenges with Windows Phone forensics due to limited capabilities of forensic toolkits, the similarities between Microsoft Windows desktop and laptop operating systems and Windows Mobile platforms allow analysts to use many of the same techniques for forensic examination. Both Windows for PC and Windows Mobile use a similar file system structure, store user preferences and settings in a registry and use Temporary files that often hold high value in terms of forensic evidence.
Windows Mobile usage artifacts are different pieces of data left behind when a mobile phone is used. These artifacts exist in a number of different locations on a Windows Phone. They vary from photos, text messages, call logs and emails to more obscure data such as custom dictionary entries, speed dial data, Internet Explorer bookmarks and cookies, downloads, and file attachments. All of these different artifacts could be valuable to a Windows Phone forensics examination.
Windows Phone Forensics Services from Gillware
Are you in need of mobile device forensics from a Windows Mobile device? Gillware can provide full service forensic analysis from initial assessment to full data acquisition, including JTAG or Chip-Off services if necessary, and expert witness and testimony services. Our team of forensic experts, led by renowned forensic investigator and Gillware President Cindy A. Murphy, M.Sc. are ready and able to help you with all of your Windows Phone forensics needs. To get started, follow the link below to request an initial consultation with Gillware.