Data acquisition
Acquiring data from a Windows Phone is challenging for forensic examiners, as the physical
and logical methods defined in previous chapters are not commonly supported. One of the
most common data acquisition techniques is to install an application or agent on the
device that extracts as much data as possible from it. This could result in certain
changes on the device; nevertheless, it is still forensically sound if the examiner
follows standard protocols. These protocols include proper testing to ensure no user data is
changed, validation of the method on a test device, and documenting all steps taken during
the acquisition process. For this acquisition method to work, the app needs to be installed
with the privileges of the Standard Rights Chamber. This may require the examiner to copy the
manufacturer's DLLs, which have higher privileges, into the user app. This allows the app
to access methods and resources that are usually limited to native apps.
Most examiners rely on forensic tools and methods to acquire mobile devices. Again, these
practices are not readily available for Windows Mobile devices. Keep in mind that to
deploy and run an app on Windows Phone, both the phone and the developer must be
registered and unlocked by Microsoft. This restriction can be bypassed by unlocking the
device using tools such as ChevronWP7. This tool bypasses the Marketplace procedure and
allows you to sideload an unpublished application (that is, run unsigned applications
without the restrictions listed).