I am working with a Cellebrite Physical dump of a Nokia Lumia 521 windows phone - OS v8.0.10328.78. I am trying to determine (basically) how some suspect images were created on the device.
I have a path that contain a large majority of these images WPNETWORK/APPDATA/Local/Tap and Share **-
There is then "Tap and Share 1" thru "16". Each Tap and Share folder contains different image file names such as "received", "FB" "Snapchat"…
I haven't been able to locate much documentation on this location other than it is possibly Nokia's or Window's near field transfer option (much like Apple's AirDrop).
The interesting part is that 89 of 129 images from the tap and share directories have been deleted from the "Saved Pictures" directory on the device.
In conclusion, I am leaning towards the photo's being received via near field transfer from an old phone or computer OR sent to a phone or computer THEN deleted from the "saved pictures" directory.
Any input is GREATLY appreciated!
I recommend processing the folders and files in Encase/Forensic Explorer/X-Ways/OSForensics as Windows Phone files are absolutely "processable" by Windows forensic software.
Your Windows forensic software of choice will enable you to generate timelines and potentially see what activities were occurring concurrent with the pictures being interacted with on the phone.