Windows phone 8.1 forensic artifacts

8 Posts
6 Users
0 Reactions
1,994 Views
(@ddave93)
New Member
Joined: 10 years ago
Posts: 2
Topic starter  

I cannot find any potential tool or technique to do windows phone 8.1 forensics.

I tried to make an image (.dd) of the Windows Phone 8.1 with Linux commands but it fails, because the Windows Phone 8.1 is attached as a media drive, not as storage or a simple drive like a hard disk or thumb drive.

And it is the rule of digital forensics that if you want to do forensics of digital evidence then first of all you have to make an image of the digital device(s) and then start working on it.

And I also gathered some information about Windows Phone 8.1, as follows:

1) Windows Phone 8 uses BitLocker technology to support the encryption of all internal data storage on the phone with AES 128. Encryption is enabled by either Exchange ActiveSync policy Require Device Encryption or device management policy.

2) It uses FAT file system.

3) Cannot root.

So please help me to solve this problem.
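
The three points above (BitLocker with AES-128, FAT file system, a physical image being the starting point) lead to a practical question once an examiner does obtain a RAW dump by a hardware method: which regions of the dump are readable FAT volumes and which are still BitLocker-encrypted? The following script is an added example, not code from any post in this thread or from any of the vendors named in it. It walks a raw image on 512-byte sector boundaries, classifies each sector that carries a boot-sector signature as FAT12/16/32 or as a BitLocker volume header (OEM ID `-FVE-FS-`), and hashes the image for the chain of custody. The sample image is constructed in memory; the sector layout, offsets of the sample volumes and the function names are the example's own assumptions.

```python
"""Triage a raw physical image (for example a JTAG or chip-off dump) for
FAT boot sectors and BitLocker volume headers.

Added example, not from any post in this thread. A sector that starts a
BitLocker volume carries the OEM ID "-FVE-FS-" at offset 3 instead of a
FAT BIOS Parameter Block, so a decoder expecting FAT will find nothing
there until the volume is unlocked. The sample image below is constructed;
no real device data is used.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

SECTOR = 512


def classify_sector(sec: bytes) -> Optional[str]:
    """Return 'FAT12', 'FAT16', 'FAT32', 'BITLOCKER' or None for one sector."""
    if len(sec) < SECTOR:
        return None
    if sec[0x1FE:0x200] != b"\x55\xAA":
        return None                      # no boot-sector signature at all
    if sec[3:11] == b"-FVE-FS-":
        return "BITLOCKER"               # BitLocker header: volume still encrypted
    # FAT boot sectors keep the file-system type string in the extended BPB:
    # offset 0x36 for FAT12/16, offset 0x52 for FAT32. Check the BPB basics
    # too, so random data with a 55AA trailer is not reported as a volume.
    bytes_per_sector = struct.unpack_from("<H", sec, 0x0B)[0]
    sectors_per_cluster = sec[0x0D]
    if bytes_per_sector not in (512, 1024, 2048, 4096) or sectors_per_cluster == 0:
        return None
    if sec[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if sec[0x36:0x3E] == b"FAT16   ":
        return "FAT16"
    if sec[0x36:0x3E] == b"FAT12   ":
        return "FAT12"
    return None


def scan_image(data: bytes) -> List[Tuple[int, str]]:
    """List (byte offset, kind) for every sector that looks like a volume start."""
    hits = []
    for off in range(0, len(data) - SECTOR + 1, SECTOR):
        kind = classify_sector(data[off:off + SECTOR])
        if kind:
            hits.append((off, kind))
    return hits


def sha256_of(data: bytes) -> str:
    """Hash the whole image so the copy being analysed can be verified later."""
    return hashlib.sha256(data).hexdigest()


def _boot_sector(oem: bytes, fstype_off: int, fstype: bytes) -> bytes:
    """Build a minimal constructed boot sector for the sample image."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x58\x90"               # jump instruction
    sec[3:11] = oem                           # OEM ID
    struct.pack_into("<H", sec, 0x0B, 512)    # bytes per sector
    sec[0x0D] = 8                             # sectors per cluster
    if fstype:
        sec[fstype_off:fstype_off + 8] = fstype
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


def build_sample_image() -> bytes:
    """Constructed 8-sector image: sector 2 starts a FAT32 volume,
    sector 5 starts a BitLocker-encrypted volume, everything else is zero."""
    img = bytearray(SECTOR * 8)
    img[2 * SECTOR:3 * SECTOR] = _boot_sector(b"MSWIN4.1", 0x52, b"FAT32   ")
    img[5 * SECTOR:6 * SECTOR] = _boot_sector(b"-FVE-FS-", 0, b"")
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("sha256:", sha256_of(image))
    for offset, kind in scan_image(image):
        print(f"offset {offset:#010x} sector {offset // SECTOR}: {kind}")
```

On a real dump, replace `build_sample_image()` with the bytes of the image file (memory-map it rather than reading it whole). A `BITLOCKER` hit tells the examiner up front that FAT-level decoding of that region is pointless until the volume is unlocked, which is the practical consequence of point 1 above.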

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

http://www.magnetforensics.com/mobile-forensics/analyzing-windows-phone-artifacts-with-ief

Acquisition

One of the major challenges for Windows Phone analysis is the acquisition phase. Unlike other devices, such as iOS and Android, JTAG and Chip-off acquisitions are the only methods to acquire most Windows Phones. This means that your traditional forensic acquisition tools such as Cellebrite, XRY, MPE+, etc., cannot acquire the data from a Windows Phone.

Examiners must manually connect to the Standard Test Access Ports (TAP) and transfer the raw physical data from memory, or manually de-solder the physical chip from the phone and read the data directly to acquire any evidence from the phone.

jaclaz

(@jjh2320)
Eminent Member
Joined: 11 years ago
Posts: 21
 

ddave93,

Windows Phone 8.1 is pretty much supported by Cellebrite.

They hold profiles and the ability to extract Windows Phone 8, which in my experience is able to support the same devices updated to Windows 8.1. For example, Nokia Lumia 520 and Nokia Lumia 920 running Windows Phone 8.1 were successful on physical extractions using Cellebrite UFED Touch Ultimate.

The decode support is somewhat limited, but does do a reconstruction of the filesystem and decodes standard applications such as call logs and SMS and MMS messages.

JTAG is also a viable option, as I'm sure chip off would be providing the same results.

Hope this helps in some way!

J

(@mcman)
Estimable Member
Joined: 15 years ago
Posts: 189
 

http://www.magnetforensics.com/mobile-forensics/analyzing-windows-phone-artifacts-with-ief

Acquisition

One of the major challenges for Windows Phone analysis is the acquisition phase. Unlike other devices, such as iOS and Android, JTAG and Chip-off acquisitions are the only methods to acquire most Windows Phones. This means that your traditional forensic acquisition tools such as Cellebrite, XRY, MPE+, etc., cannot acquire the data from a Windows Phone.

Examiners must manually connect to the Standard Test Access Ports (TAP) and transfer the raw physical data from memory, or manually de-solder the physical chip from the phone and read the data directly to acquire any evidence from the phone.

jaclaz

Just an update to the quote above. I know Cellebrite and a few others now support Windows Phone, as well as IEF. When I wrote that post/video, they didn't have the support out yet. So depending on what evidence or artifacts you're looking for, each tool will pull different things.

Jamie

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Just an update to the quote above. I know Cellebrite and a few others now support Windows Phone now …

Yep ), which is of course good, but what I wanted to highlight in reply to the OP was that there is no "pure software", "linux" or "dd-like" tool or technique capable of creating a RAW image; there is a need for a hardware method, JTAG being the "base approach".
The UFED (or similar devices) are anyway other pieces of "special" hardware needed in the process just to create the RAW image (or physical extraction), and they also comprise some imaging software.

If the JTAG data is available (or a hardware tool like the mentioned UFED) it is IMHO much easier/faster than chip-off, which should be seen as a "last chance" on non-supported phone models only.

jaclaz

(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

I cannot find any potential tool or technique to do windows phone 8.1 forensics.

You can read our article at http://belkasoft.com/en/jtag-analysis. You can also try our Belkasoft Evidence Center (http://belkasoft.com/trial) in order to see what it can extract from a JTAG dump of Windows 8.1.

(@ddave93)
New Member
Joined: 10 years ago
Posts: 2
Topic starter  

Thanks for the replies and I will try all of that as per time concerns.

OxygenForensics
(@oxygenforensics)
Estimable Member
Joined: 14 years ago
Posts: 143
 

If you have a JTAG image of Windows Phone 8 you can import it in Oxygen Forensic Suite. All the user data will be decoded: contacts, messages, calls, calendar, tasks, popular apps (WhatsApp, Skype, Here Maps, etc.) as well as deleted images, videos, documents, conversations.
