Windows Phone Digital Forensics II
Abbreviated as WP, Windows Phone is a smartphone operating system developed by Microsoft to succeed the old Windows Mobile. This "new" operating system may become a major mobile platform in the next few years. Windows Phone is still a young proprietary mobile operating system, which means the digital forensics tooling for it is still not very advanced.
This article will take a look at Windows Phone 7 from a forensics perspective; we'll see how to explore SMS, Facebook and Whatsapp messages, how to extract emails, contacts and pictures. I'll show you the basics and extract as much information as I can from a Windows Phone.
All tests will be done on an unlocked Nokia Lumia 710 running Windows Phone 7.5, but theoretically this should work with any Windows Phone device.
Windows Phone 7 has a security model based on the least privilege principle: each process is granted a fixed set of privileges, starting from the lowest access rights, which are those given to a Windows Phone developer's application; standard rights are given to native applications. In addition, every user application runs in a kind of sandbox, meaning it runs in a restricted environment and is not allowed to directly access the operating system internals.
Data acquisition approaches depend on the kind of smartphone we want to investigate (unlocked or not); in general we need to install an application that will gain "root" privilege, grab the data, then send it back to a connected computer. Technically this may change the "original state" of the smartphone, which may result in a small alteration of the evidence. And even if we accept that, a fully unlocked phone is needed to deploy an application on Windows Phone 7.
Personally, I always opt for the "dirty" old school way. Always do it by hand! I'll suppose that your Windows Phone is fully unlocked, which would be necessary for any investigation (as the method of bypassing the marketplace procedure for installing an application, such as the use of ChevronWP7, doesn't work anymore).
I assume that you're targeting a fully unlocked phone; if so, we can proceed by installing either "Windows Mobile Device Center," which is still compatible with Windows Phone, or "Windows Phone Device Manager." Technically those tools are aimed at implementing an efficient business-data synchronization platform, and can be used to transfer all kinds of data between the connected device and your computer.
Both Windows Mobile Device Center and Windows Phone Device Manager need Zune software 4.8 or later to be installed on the computer.
In this article I'll use both of those tools.
Windows Phone Device Manager Installation
- Download Windows Phone Device Manager and launch WPDeviceManager.exe
- Plug in your phone; it should be detected automatically. If not, click Connect in the menu
- The first time you connect your phone, Windows Phone Device Manager will automatically install TouchXperience
All links for downloading the necessary files are in the reference section.
After connecting the phone to your computer and launching Zune, you can run Windows Phone Device Manager, which will automatically install TouchXperience on your Windows Phone. The interfaces of both applications are quite user friendly and need no introduction.
Use "Explore File and Folders" to navigate your Windows Phone files. The data acquisition methodology may differ depending on how we conceive it: you can make a full copy of the connected mobile device and work on that, or investigate files directly on the phone.
As you can probably guess, the Windows Phone file system is arranged the way a normal desktop Windows-based file system is, just like Windows XP or Windows 7. It's structured with the usual directories reachable from the root.
The most important directories to investigate are:
- Application data, contains Internet Explorer, Outlook, Maps and all data related to installed applications on the phone
- Applications, contains the isolated storage for every application in addition to all applications installed by the user
- My Documents, contains some configuration files, Microsoft Office files, music and videos
- Windows, contains the core files of the operating system.
In this article I'll discuss neither the registry nor active tasks.
All SMSs are stored in one single file located in the directory "root\Application Data\Microsoft\Outlook\Stores\DeviceStore." The file is "store.vol" and cannot be directly handled (you cannot copy or edit it) since it's always in use by the operating system. The tip is to rename the file, in which case a copy of the original is instantly made by the operating system:
Let's see the content of this file using any text or hexadecimal editor. I always use a hexadecimal editor because it may make you aware of details that you won't see with a normal text editor. The .vol file seems to be a Windows CE database and I didn't have enough time to look for a desktop tool to explore it. We'll do it manually:
You can see "Your Viber code is: 6895…" sent from "+44773602030." All SMSs, either sent or received, start with "IPM.SMStext", which makes them easy to find and may allow the extraction process to be automated.
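As an added example (not part of the original article), the following script automates the manual search described above: it scans a copied store.vol for every "IPM.SMStext" marker and collects the UTF-16LE strings that follow each one. The record layout of the Windows CE database is not known here, so the script only carves strings near the marker; the sample blob is constructed for the demonstration.

```python
import re
import sys

MARKER = b"IPM.SMStext"
# A run of at least four printable ASCII characters encoded as UTF-16LE
# (each character followed by a 0x00 byte), which is how Windows CE stores text.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed sample of a store.vol-like blob (not real phone data): two
# records, each starting with the IPM.SMStext message class and followed by
# NUL-terminated UTF-16LE strings for the sender and the body.
SAMPLE = (
    b"\x00" * 8
    + MARKER + b"\x00"
    + "+15550001111".encode("utf-16-le") + b"\x00\x00"
    + "Your code is 1234 (constructed)".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 16
    + MARKER + b"\x00"
    + "Alice".encode("utf-16-le") + b"\x00\x00"
    + "see you at 9".encode("utf-16-le") + b"\x00\x00"
)


def find_sms_records(data: bytes, window: int = 512) -> list:
    """Return one dict per IPM.SMStext marker: its byte offset and the
    UTF-16LE strings found in the bytes that follow it (bounded by the next
    marker or by `window`)."""
    offsets = [m.start() for m in re.finditer(re.escape(MARKER), data)]
    records = []
    for i, off in enumerate(offsets):
        start = off + len(MARKER)
        stop = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        chunk = data[start:min(stop, start + window)]
        strings = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(chunk)]
        records.append({"offset": off, "strings": strings})
    return records


if __name__ == "__main__":
    # Pass the path of a copied store.vol to scan it; otherwise scan the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for rec in find_sms_records(blob):
        print(f"0x{rec['offset']:08x}: {rec['strings']}")
```

Run it against the renamed copy of store.vol, never the live file; strings that are not UTF-16LE (timestamps, flags) are left for manual inspection in the hex editor.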
Since we're talking about a Windows based operating system, it seems logical that a Windows Phone uses Outlook as its standard email client. That means that the user can synchronize it with the service they want, such as Yahoo Mail or Gmail.
Outlook data is stored in Application Data\Microsoft\Outlook\Stores\DeviceStore\data and its subdirectories. All these subdirectories are numbered, and each of them contains different data:
We'll focus on folders 3, 4, and 19; as for the other folders, I don't know why they're empty!
All files contained in these subfolders are ".dat" files, but if you can deal with basic file carving, you can easily find that folders 3 and 19 contain JPEG files, and folder "14" contains HTML files.
Let's see how it works:
I'll open the first file with a hexadecimal editor and see how it looks:
This file contains a valid JPEG file header, so let's just rename the file to something.jpeg and see:
This is one of my contacts' photos, and in addition I now know that the phone I'm investigating is "in principle" synchronized with LinkedIn too. So I can go that way as well and push my investigation deeper.
Let's now see what folder "4" has to tell us:
This file contains HTML tags; renaming it to something.html will give us a working web page that you can easily open:
Extracting Facebook data
Every application on a Windows Phone has its own ID, which identifies it on the marketplace, and as said earlier in this article, the folder "Applications" contains (among other things) all the applications installed on the phone. Each one is installed in a separate directory named with the unique application ID, under the "Application/Data" directory:
The unique Facebook Application ID is "82A23635-5BD9-DF11-A844-00237DE2DB9E" and after installation, the application creates many folders such as "Cookies", "History" and "IsolatedStore."
These folders can contain a lot of useful information, especially "IsolatedStore":
DataCache.userID contains almost everything you need to know about the Facebook user with that ID. (In this case 14913XXXX is mine, and the one starting with 5472 is probably a friend who connected to Facebook using my phone.) This folder may contain the user's friends with some details about them, such as birthdays, links to their profile pictures, friend requests, incoming and outgoing messages, recent Facebook feeds and the user's notes, and may even contain the user's last location if the option was enabled… and ALL the data is unencrypted and can be easily parsed!
An example of some of the latest user's feeds:
The user (me, Soufiane Tahiri) added a new photo that was shared with all friends except restricted ones, with a direct link to the image.
All the user's friends are listed with their FULL names, birthdays and direct links to their respective Facebook profile pictures:
Full Name: Abdelouahed XXXXX, birthday March 28, 1987 and the link to his profile picture.
All messages sent or received, even spam, are listed (as seen below):
The Images folder contains all the images viewed by the user on Facebook using this application. All you need to do is add ".jpeg" as an extension to the file name:
The file userID.setting contains the user's Facebook profile name, a link to that profile and a direct link to the user's profile picture:
I think I'm done with Facebook; just explore every single file and be sure that you'll get more information than you ask for.
Extracting Whatsapp data
Just like for any other application, all you need to know is the application ID to find where Whatsapp is installed; the Whatsapp application ID is 218A0EBB-1585-4C7E-A9EC-054CF4569A79.
By navigating to Applications\Data\218A0EBB-1585-4C7E-A9EC-054CF4569A79\Data, you can find two folders: PlatformData contains all the pictures captured and sent by the user, and IsolatedStore contains almost everything you want to extract.
The IsolatedStore of Whatsapp is arranged like this:
The Cphotos folder contains all current contact photos; all you have to do is add ".jpeg" to their respective names.
The profilePictures folder contains all previous photos used by all your contacts, a kind of profile picture history; again, all you have to do is add ".jpeg."
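The renaming-by-hand steps for the Outlook ".dat" folders (3, 4 and 19) and for the Facebook "Images" and Whatsapp "Cphotos" and "profilePictures" folders are the same task: identify a file by its content, not its name. This added script (not from the original article) does that from the magic bytes and copies each recognised file out with the right extension, so the extracted originals are never modified; the signature table is my own and the HTML check is a heuristic, since HTML has no fixed header.

```python
import shutil
from pathlib import Path
from typing import Optional

# Leading bytes (magic numbers) of the file types met while carving: JPEG and
# HTML from the Outlook data folders, JPEG from the Facebook "Images" and the
# Whatsapp "Cphotos"/"profilePictures" folders, plus a few common companions.
SIGNATURES = [
    (b"\xff\xd8\xff", ".jpeg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"SQLite format 3\x00", ".db"),
]


def sniff_extension(data: bytes) -> Optional[str]:
    """Guess a file's type from its content, not its name, and return the
    matching extension, or None when nothing is recognised."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    head = data[:1024].lstrip().lower()
    # HTML has no fixed magic; accept a doctype or an <html> tag near the top.
    if head.startswith(b"<!doctype html") or b"<html" in head:
        return ".html"
    return None


def carve_directory(src: Path, dst: Path) -> dict:
    """Copy every recognised file from `src` into `dst` with a type-derived
    extension appended, leaving the originals untouched. Returns
    {original name: new extension or None}."""
    dst.mkdir(parents=True, exist_ok=True)
    result = {}
    for path in sorted(p for p in src.iterdir() if p.is_file()):
        with path.open("rb") as fh:
            ext = sniff_extension(fh.read(1024))
        result[path.name] = ext
        if ext:
            shutil.copy2(path, dst / (path.name + ext))
    return result


if __name__ == "__main__":
    import sys
    mapping = carve_directory(Path(sys.argv[1]), Path(sys.argv[2]))
    for name, ext in mapping.items():
        print(f"{name}: {ext or 'unknown'}")
```

Usage: `python carve.py <extracted folder> <output folder>`; files reported as "unknown" still deserve a look in the hex editor, as the article does for store.vol.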
The Shared folder contains three subdirectories, but the most interesting one is "Transfers." You can find every single file sent or received via Whatsapp. Even files you've deleted are still there. (I was quite surprised when I discovered that.)
Then there are two interesting files, "contacts.db" and "messages.db." Obviously these are SQLite databases:
They can easily be explored using any SQLite browser. What's interesting about these files is that you can see every contact's phone number, name and every other detail.
Here's the schema of the contacts.db file and some of its content:
All Whatsapp conversations are stored in the clear in the "messages.db" file.
Actually this folder can be really interesting for an investigation. Maybe I'll write an article only about Whatsapp on Windows Phone, but to limit the size of this article I won't go further.
In fact, by continuing to analyze how things are done on a Windows Phone, I found that every installed application can be easily investigated, such as Tango, Viber or LinkedIn. Every single message, email or file sent or received is simply stored in the clear; you just have to read it. This was so intriguing to me that I decided to install the PayPal application and give it a try!
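Instead of a GUI SQLite browser, an examiner can dump contacts.db and messages.db from a script. This added example (not from the original article) opens the copied database read-only so the evidence cannot be altered, and discovers the tables from sqlite_master rather than assuming a schema; the sample database it builds uses a hypothetical schema, since the real Whatsapp one is not reproduced here.

```python
import sqlite3


def open_readonly(path: str) -> sqlite3.Connection:
    """Open a copied evidence database without the risk of writing to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def dump_tables(con: sqlite3.Connection) -> dict:
    """Return {table: {"sql": CREATE statement, "columns": [...], "rows": [...]}}
    for every user table, discovering names from sqlite_master instead of
    assuming a schema."""
    tables = con.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    out = {}
    for name, sql in tables:
        # Quote the identifier: table names come from the file, not from us.
        quoted = '"' + name.replace('"', '""') + '"'
        cur = con.execute(f"SELECT * FROM {quoted}")
        columns = [d[0] for d in cur.description]
        out[name] = {"sql": sql, "columns": columns, "rows": cur.fetchall()}
    return out


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for contacts.db/messages.db with a hypothetical
    schema, so the dumper can be exercised without real phone data."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, jid TEXT, name TEXT);"
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, jid TEXT, body TEXT);"
        "INSERT INTO contacts VALUES (1, '15550001111@example', 'Alice');"
        "INSERT INTO messages VALUES (1, '15550001111@example', 'hello');"
        "INSERT INTO messages VALUES (2, '15550001111@example', 'see you at 9');"
    )
    return con


if __name__ == "__main__":
    import sys
    con = open_readonly(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for table, info in dump_tables(con).items():
        print(f"== {table} ({len(info['rows'])} rows) ==")
        print(info["sql"])
        for row in info["rows"]:
            print(dict(zip(info["columns"], row)))
```

SELECT only returns live rows; records deleted in the application may survive in the file's free pages and need a dedicated SQLite carving tool, much like the deleted transfers the article notes in the Shared folder.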
Extracting PayPal data
Once connected, the PayPal application stores everything you need to know about the PayPal account owner in one single file called "__ApplicationSettings." It can be found under "Applications\Data\75738196-1DB2-49D9-AFB1-D66A34D19FB6\Data\IsolatedStore." It's an XML file.
The file contains the user's full address, email address, phone number, recent transactions, currency used, payments received and transaction history. It's really everything you need to know, all stored in the clear:
Extracting Maps data
Maps data and user location data are generally stored in the "Application Data\Maps" folder. "MapsDataSet.dat" contains the last known locations of the phone. (In my case I found the last two addresses.) They were very accurate and given as street addresses, not GPS coordinates:
Analyzing a Windows Phone was very interesting since almost every single piece of data is cached or stored in the clear: you can easily investigate Internet Explorer history, recently opened tabs, every file exchange, every email attachment… Actually the only challenge was obtaining the rights to access the data, since Windows Phone devices give the user limited access rights. This limitation can be bypassed by many methods that are already available, tested and fully working. This article was just an initial test on my own phone, and this process can be automated to get an even more in-depth analysis of any extracted file.
References
- Windows Phone Device Manager: http://www.touchxperience.com/windows-phone-device-manager/
- Windows Mobile Device Center: http://www.microsoft.com/en-us/download/details.aspx?id=14