Remote Forensics Of Windows 10 Mobile Devices

by Oleg Afonin, Elcomsoft

Microsoft has developed Windows 10 as the one OS for all types of devices from servers to wearables. Desktops, laptops, two-in-ones, tablets and smartphones can (and do) run a version of Windows 10. There are countless forensic tools for acquiring evidence from the desktop version of Windows 10, but far fewer for Windows-powered smartphones.

Forensic analysis of Windows 10 Mobile devices can be complicated due to the exotic status of such devices. Due to full-disk encryption, on-device access may not be an option. However, Microsoft collects enormous amounts of information from its users. This information is then stored in the user’s Microsoft Account. Some bits of data are fully accessible to the user, while access to some other bits (such as mobile backups) is restricted.

In this article we’ll have a look at what exactly is available in Microsoft cloud, what can be extracted and where this information is stored. We will also list the steps required to extract and view the data.


Microsoft Collects Information

Microsoft is notorious for collecting information from Windows 10 users. The amount of data collected by Windows 10 devices increased dramatically compared to the days of Windows 7. This “usage and diagnostics” data, which may include text snippets, app usage data, detailed or approximated location information etc., is automatically collected and transmitted to Microsoft servers unless one explicitly opts out.


Users of Windows-powered handsets (Windows Phone 8.x and Windows 10 Mobile) have access to iOS-style cloud backups created in their Windows Account. Once cloud backups are enabled, things such as application data, call logs, text messages and so on will also be stored in the cloud.

Finally, some information is synchronized by Windows-powered desktop and mobile devices in real-time or close to real-time speed. This includes Web browser history, Bing search history, location data, as well as other things such as notes, calendars, contacts etc.

Microsoft offers ways to access, restrict or delete this information via the Privacy portal.

However, we found that this portal returns very limited amounts of data compared to what is actually being collected. For this reason we expanded Microsoft Account support in this latest EPB build.


Windows 10 Mobile: What’s In The Cloud?

Browsing and Search History

Browsing history can be extracted from the cloud for Windows 10 Mobile phones and regular Windows 10 devices only if Microsoft Edge was used as the Web browser. Edge browsing history is automatically synced across desktop and mobile Windows 10 devices logged in to the same Microsoft Account. Windows 10 Mobile devices (phones) have Microsoft Edge as their default (and most commonly adopted) Web browser. Edge adoption is growing slowly but steadily on desktops. Note that we also have tools to extract browsing history from other popular Web browsers such as Chrome and Safari using their respective cloud services.

Search history can be extracted from all types of devices regardless of the Web browser used, provided that the searches occurred on Microsoft-owned Bing. Microsoft collects Bing search requests if the user was logged in to their Microsoft Account in the Web browser while running the search.

Call Logs

The call logs can be important evidence. Since cloud backups are enabled by default for all Windows Phone 8, 8.1 and Windows 10 Mobile smartphones, call logs are one essential bit to extract.

Location History

Microsoft collects location history from all stationary and mobile Windows devices starting with Windows 8.1. While users can review their location history by visiting and signing in to their Microsoft Account, the number of data points returned on that Web page is low. Only the last detected location is displayed. However, forensic tools are available that can extract the complete location history from the cloud.

Microsoft does not specify the origins of the location data it collects on desktop and laptop computers, tablets and 2-in-1 devices. At the very least, location is reported by Cortana and via the Edge browser.

Text Messages (SMS) and Other Previously Extractable Data

Users of Windows 10 Mobile handsets enjoy the ability to synchronize text messages (SMS), notes, calendar events, contacts and some other information with the cloud. This data can be extracted.

Accessing the Data

Since Windows 10 (Mobile) data is stored in the cloud, the user’s Microsoft Account authentication credentials are required to sign in and extract the data. Note that once you try to access mobile backups, the user will be alerted by email and you will see a request for the secondary authentication factor, even if two-factor authentication is not enabled on the user’s account. This means you will need access to the secondary authentication factor such as the user’s SIM card with a trusted phone number, a trusted email address or similar.


Cloud forensics allows extracting information from the user’s Microsoft Account without having physical access to the actual mobile device. Considering the amounts of data collected, synchronized and stored by Microsoft in the cloud, cloud forensics is the way to go when analysing Windows 10 Mobile devices, and can return additional evidence when analysing Windows 10 PCs.

This article was submitted by ElcomSoft, a digital forensics solutions provider specialising in password recovery, mobile and cloud forensics.

1 thought on “Remote Forensics Of Windows 10 Mobile Devices”

  1. Very well described. I was unaware of the fact that there are so many things that are included in Windows 10 and they are used in several jobs over the system. Like this remote forensics is also one of the features of Windows 10 that are of a great function.
