Remote Forensics Of Windows 10 Mobile Devices

by Oleg Afonin, Elcomsoft

Microsoft has developed Windows 10 as the one OS for all types of devices from servers to wearables. Desktops, laptops, two-in-ones, tablets and smartphones can (and do) run a version of Windows 10. There are countless forensic tools for acquiring evidence from the desktop version of Windows 10, but far fewer for Windows-powered smartphones.

Forensic analysis of Windows 10 Mobile devices can be complicated due to the exotic status of such devices. Due to full-disk encryption, on-device access may not be an option. However, Microsoft collects enormous amounts of information from its users. This information is then stored in the user’s Microsoft Account. Some bits of data are fully accessible to the user, while access to some other bits (such as mobile backups) is restricted.

In this article we’ll have a look at what exactly is available in the Microsoft cloud, what can be extracted and where this information is stored. We will also list the steps required to extract and view the data.


Microsoft Collects Information

Microsoft is notorious for collecting information from Windows 10 users. The amount of data collected by Windows 10 devices increased dramatically compared to the days of Windows 7. This “usage and diagnostics” data, which may include text snippets, app usage data, detailed or approximated location information etc., is automatically collected and transmitted to Microsoft servers unless one explicitly opts out.



Users of Windows-powered handsets (Windows Phone 8.x and Windows 10 Mobile) have access to iOS-style cloud backups created in their Windows Account. Once cloud backups are enabled, things such as application data, call logs, text messages and so on will also be stored in the cloud.

Finally, some information is synchronized by Windows-powered desktop and mobile devices in real-time or close to real-time speed. This includes Web browser history, Bing search history, location data, as well as other things such as notes, calendars, contacts etc.

Microsoft offers ways to access, restrict or delete this information via the Privacy portal.

However, we found that this portal returns a very limited amount of data compared to what is actually being collected. For this reason we expanded Microsoft Account support in this latest EPB build.


Windows 10 Mobile: What’s In The Cloud?

Browsing and Search History

Browsing history can be extracted from the cloud for Windows 10 Mobile devices (phones) and regular Windows 10 devices only if Microsoft Edge was used as the Web browser. Edge browsing history is automatically synced across desktop and mobile Windows 10 devices logged in to the same Microsoft Account. Windows 10 Mobile devices (phones) have Microsoft Edge as their default (and most commonly adopted) Web browser. Edge adoption is growing slowly but steadily on desktops. Note that we also have tools to extract browsing history from other popular Web browsers such as Chrome and Safari using their respective cloud services.

Search history can be extracted from all types of devices regardless of the Web browser used, provided that the searches occurred on Microsoft-owned Bing. Microsoft collects Bing search requests if the user was logged in to their Microsoft Account in the Web browser while running the search.

Call Logs

The call logs can be important evidence. Since cloud backups are enabled by default for all Windows Phone 8, 8.1 and Windows 10 Mobile smartphones, call logs are one essential bit to extract.

Location History

Microsoft collects location history from all stationary and mobile Windows devices starting with Windows 8.1. While users can review their location history by visiting https://account.microsoft.com/privacy/location and signing in to their Microsoft Account, the number of data points returned on that Web page is low. Only the last detected location is displayed. However, forensic tools are available that can extract the complete location history from the cloud.

Microsoft does not specify the origins of location data it collects on desktop and laptop computers, tablets and 2-in-1 devices. At the very least, location is reported by Cortana and via the Edge browser.

Text Messages (SMS) and Other Previously Extractable Data

Users of Windows 10 Mobile handsets enjoy the ability to synchronize text messages (SMS), notes, calendar events, contacts and some other information with the cloud. This data can be extracted.

Accessing the Data

Since Windows 10 (Mobile) data is stored in the cloud, the user’s Microsoft Account authentication credentials are required to sign in and extract the data. Note that once you try to access mobile backups, the user will be alerted by email while you will see a request for the secondary authentication factor – even if two-factor authentication is not enabled on the user’s account. This means you will need access to the secondary authentication factor such as the user’s SIM card with trusted phone number, a trusted email address or similar.

Conclusion

Cloud forensics allows extracting information from the user’s Microsoft Account without having physical access to the actual mobile device. Considering the amount of data collected, synchronized and stored by Microsoft in the cloud, cloud forensics is the way to go when analysing Windows 10 Mobile devices, and can return additional evidence when analysing Windows 10 PCs.

This article was submitted by ElcomSoft, a digital forensics solutions provider specialising in password recovery, mobile and cloud forensics.

1 thought on “Remote Forensics Of Windows 10 Mobile Devices”

  1. Very well described. I was unaware of the fact that there are so many things that are included in Windows 10 and they are used in several jobs over the system. Like this, remote forensics is also one of the features of Windows 10 that are of a great function.
