SANS Digital Forensics and Incident Response Blog

Examining Windows Mobile Devices Using File System Forensic Tools

Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation, including Web browsing history, user-created files, and Windows registry entries.

Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

$ fsstat SamsungBlackjack.bin

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16
OEM Name: MSWIN4.1
Volume ID: 0x8250047
Volume Label (Boot Sector):
Volume Label (Root Directory):
File System Type Label: TFAT16
Sectors before file system: 0
File System Layout (in sectors)
Total Range: 0 - 112389
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 110
* FAT 1: 111 - 220
* Data Area: 221 - 112389
** Root Directory: 221 - 252
** Cluster Area: 253 - 112388
** Non-clustered: 112389 - 112389
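The layout fsstat prints above is derived arithmetically from a handful of BIOS Parameter Block fields in the boot sector. The following Python is an added example, not code from the post or from The Sleuth Kit: it builds a constructed FAT16 boot sector whose BPB values (512 bytes per sector, 4 sectors per cluster, 1 reserved sector, 2 FATs of 110 sectors, 512 root entries, 112,390 total sectors) were chosen to reproduce the ranges shown, then decodes it the way a file system tool does. Note that "File System Type" comes from the cluster count, while "File System Type Label" (here TFAT16) is only an eight-byte string stored in the boot sector; the two are independent pieces of evidence.

```python
import struct

BPB_FMT = "<HBHBHHBHHHII"  # BPB fields from offset 11 through 35 (FAT12/16 form)


def build_sample_boot_sector() -> bytes:
    """Constructed FAT16 boot sector matching the fsstat output in the post (not a real dump)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"            # jump instruction
    bs[3:11] = b"MSWIN4.1"               # OEM name
    # bytes/sector, sectors/cluster, reserved sectors, number of FATs, root entries,
    # total sectors (16-bit, 0 => use 32-bit field), media byte, sectors per FAT,
    # sectors/track, heads, hidden sectors, total sectors (32-bit)
    struct.pack_into(BPB_FMT, bs, 11,
                     512, 4, 1, 2, 512, 0, 0xF8, 110, 63, 255, 0, 112390)
    bs[36] = 0x80                        # drive number
    bs[38] = 0x29                        # extended boot signature: volume ID/label/type follow
    struct.pack_into("<I", bs, 39, 0x08250047)   # volume ID
    bs[43:54] = b" " * 11                # volume label (blank, as in the output above)
    bs[54:62] = b"TFAT16  "              # file system type label
    bs[510:512] = b"\x55\xAA"            # boot sector signature
    return bytes(bs)


def parse_fat_layout(bs: bytes) -> dict:
    """Decode a FAT12/FAT16 boot sector and compute the sector ranges fsstat reports."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, reserved, nfats, root_entries, tot16,
     _media, fatsz, _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB_FMT, bs, 11)
    # FAT32 puts sectors-per-FAT in a different field and has no fixed root directory;
    # this decoder only handles the FAT12/16 form used by Windows Mobile volumes.
    if bps == 0 or spc == 0 or nfats == 0 or fatsz == 0 or root_entries == 0:
        raise ValueError("BPB is not a FAT12/16 layout (zero geometry field)")
    total = tot16 or tot32

    fats = []
    start = reserved                      # FAT 0 begins right after the reserved area
    for _ in range(nfats):
        fats.append((start, start + fatsz - 1))
        start += fatsz
    root_start = start                    # root directory follows the last FAT
    root_sectors = (root_entries * 32 + bps - 1) // bps   # 32 bytes per entry, rounded up
    cluster_start = root_start + root_sectors
    cluster_count = (total - cluster_start) // spc
    cluster_end = cluster_start + cluster_count * spc - 1
    # Sectors left over after the last whole cluster: fsstat's "Non-clustered" range
    non_clustered = (cluster_end + 1, total - 1) if cluster_end + 1 <= total - 1 else None

    # Type is decided by cluster count (Microsoft's thresholds), not by the label string
    if cluster_count < 4085:
        fs_type = "FAT12"
    elif cluster_count < 65525:
        fs_type = "FAT16"
    else:
        fs_type = "FAT32"

    return {
        "oem": bs[3:11].decode("ascii", "replace").rstrip(),
        "volume_id": struct.unpack_from("<I", bs, 39)[0] if bs[38] == 0x29 else None,
        "label": bs[43:54].decode("ascii", "replace").strip(),
        "type_label": bs[54:62].decode("ascii", "replace").strip(),
        "fs_type": fs_type,
        "total_sectors": total,
        "reserved": (0, reserved - 1),
        "fats": fats,
        "root_dir": (root_start, root_start + root_sectors - 1),
        "cluster_area": (cluster_start, cluster_end),
        "cluster_count": cluster_count,
        "non_clustered": non_clustered,
    }


if __name__ == "__main__":
    layout = parse_fat_layout(build_sample_boot_sector())
    print(f"File System Type: {layout['fs_type']}  (label: {layout['type_label']})")
    print(f"Volume ID: 0x{layout['volume_id']:x}")
    for i, (a, b) in enumerate(layout["fats"]):
        print(f"* FAT {i}: {a} - {b}")
    print(f"** Root Directory: {layout['root_dir'][0]} - {layout['root_dir'][1]}")
    print(f"** Cluster Area: {layout['cluster_area'][0]} - {layout['cluster_area'][1]}")
    print(f"** Non-clustered: {layout['non_clustered']}")
```

Running this prints the same FAT, root directory, cluster area and non-clustered ranges as the fsstat output above, which is a useful cross-check when a tool's summary of an unfamiliar mobile image looks suspicious.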

As with any FAT file system, forensic analysts can recover deleted files from Windows Mobile devices and view date-time stamps as shown below in Autopsy.
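What Autopsy shows for a deleted file comes from the 32-byte FAT directory entry: the first byte of the name is overwritten with 0xE5 when the file is deleted, while the DOS-packed timestamps, starting cluster and size survive. The Python below is an added example, not code from the post or from Autopsy; it decodes a constructed short-name entry for a photo in "My Documents", both live and after deletion, and unpacks the creation, access and modification fields into datetimes. The file name, cluster number, size and timestamps are invented sample values.

```python
import struct
from datetime import datetime
from typing import Optional

DIRENT_FMT = "<BHHHHHHHI"  # create tenths, ctime, cdate, adate, cluster hi, wtime, wdate, cluster lo, size


def dos_datetime(date_field: int, time_field: int, tenths: int = 0) -> Optional[datetime]:
    """Unpack a FAT date/time pair. Returns None for an unset (zero) or corrupt date."""
    if date_field == 0:
        return None                                   # FAT leaves unused stamps as zero
    year = 1980 + (date_field >> 9)                   # bits 15-9: years since 1980
    month = (date_field >> 5) & 0x0F                  # bits 8-5
    day = date_field & 0x1F                           # bits 4-0
    hour = time_field >> 11                           # bits 15-11
    minute = (time_field >> 5) & 0x3F                 # bits 10-5
    second = (time_field & 0x1F) * 2 + tenths // 100  # bits 4-0 hold 2-second units
    try:
        return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)
    except ValueError:
        return None                                   # e.g. month 0 or day 32 in a damaged entry


def parse_dir_entry(raw: bytes) -> Optional[dict]:
    """Decode one 32-byte short-name directory entry; None marks end of directory."""
    if len(raw) != 32:
        raise ValueError("directory entry must be 32 bytes")
    first = raw[0]
    if first == 0x00:
        return None
    if raw[11] == 0x0F:
        return {"lfn": True}                          # long-file-name piece; not decoded here
    deleted = first == 0xE5
    base = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    if deleted:
        base = "_" + base[1:]                         # first character is lost; show a placeholder
    name = base + ("." + ext if ext else "")
    (tenths, ctime, cdate, adate, hi, wtime, wdate, lo, size) = struct.unpack_from(DIRENT_FMT, raw, 13)
    return {
        "name": name,
        "deleted": deleted,
        "attributes": raw[11],
        "created": dos_datetime(cdate, ctime, tenths),
        "accessed": dos_datetime(adate, 0),           # access stamp is date-only on FAT
        "modified": dos_datetime(wdate, wtime),
        "first_cluster": (hi << 16) | lo,             # high half is zero on FAT12/16
        "size": size,
    }


def build_sample_entry(deleted: bool) -> bytes:
    """Constructed entry for IMG_0042.JPG, stamped 2011-03-15 14:32:10 (sample values)."""
    e = bytearray(32)
    e[0:11] = b"IMG_0042JPG"                           # 8.3 name without the dot
    e[11] = 0x20                                      # archive attribute
    date = (31 << 9) | (3 << 5) | 15                  # 2011-03-15 -> 0x3E6F
    time = (14 << 11) | (32 << 5) | 5                 # 14:32:10 -> 0x7405
    struct.pack_into(DIRENT_FMT, e, 13, 0, time, date, date, 0, time, date, 0x0123, 48123)
    if deleted:
        e[0] = 0xE5                                   # what deletion leaves behind
    return bytes(e)


if __name__ == "__main__":
    for flag in (False, True):
        entry = parse_dir_entry(build_sample_entry(flag))
        print(entry["name"], "deleted" if entry["deleted"] else "live",
              entry["modified"], entry["first_cluster"], entry["size"])
```

Because only the first name byte changes, a tool can still list the entry with its dates and size; whether the content is recoverable depends on whether the clusters starting at first_cluster have been reused, which is why timestamps and the recovered data should be reported separately.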

Samsung Blackjack Autopsy

The folder hierarchy on Windows Mobile devices has some similarities with other Windows systems. For instance, the majority of user-created files, including digital photographs and videos taken with the device camera, are stored in the "My Documents" folder.

Many of the lessons learned from forensic processing of other Microsoft Windows operating systems can be applied to Windows Mobile, including understanding of FAT file systems and index.dat files. Entries extracted from index.dat files on a Windows Mobile device using EnCase are shown below.

Blackjack EnCase

However, there are sufficient differences between Windows Mobile systems and other Windows operating systems to require specialized knowledge and tools to locate and interpret digital evidence. There are data structures on Windows Mobile devices like volume files that contain communications, contacts, and other useful information. In addition, forensic analysts must be alert to interpretation errors introduced by forensic tools that result in important information not being displayed. Furthermore, the use of Flash memory in mobile devices has a number of implications from a forensic viewpoint, potentially retaining copies of deleted data that may not be accessible using commonly available methods and tools.

These and many other topics are covered in SANS FOR563 Mobile Device Forensics. I am teaching this course in San Diego on May 8-12 (register here).