Windows Mobile advanced forensics

digital investigation 6 (2010) 147–167
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/diin

C. Klaver*
Netherlands Forensic Institute, Dept. Digital Technology and Biometrics, Digital Technology Group, Postbus 24044, 2490 AA Den Haag, The Netherlands

Article history: Received 31 December 2009; Received in revised form 9 February 2010; Accepted 10 February 2010

Keywords: Windows mobile; NAND flash; TFAT file system; Live forensics; Heap; CEDB/EDB database; Logical/physical acquisition

Abstract

Windows CE (at this moment sold as Windows Mobile) has been on the market for more than 10 years now. In the third quarter of 2009, Microsoft reached a market share of 8.8% of the more than 41 million mobile phones shipped worldwide in that quarter. This makes it a relevant subject for the forensic community. Most commercially available forensic tools supporting Windows CE deliver logical acquisition, yielding active data only. The possibilities for physical acquisition are increasing as some tool vendors are starting to implement forms of physical acquisition. This paper introduces the forensic application of freely available tools and describes how known methods of physical acquisition can be applied to Windows CE devices. Furthermore it introduces a method to investigate isolated Windows CE database volume files for both active and deleted data.

© 2010 Elsevier Ltd. All rights reserved.

1. Introduction

With Windows CE on the market for more than 10 years now, Microsoft has a market share that makes it a relevant subject for the forensic community. The first versions of Windows CE were not very successful on the hand-held electronics market. However, with the release of Windows Mobile 6, based on Windows CE 5.2 (Herrera, 2009), Microsoft gained a market share of 13.6% of the nearly 40 million mobile phones shipped worldwide in the third quarter of 2008, but appears to be falling in 2009 (Canalys, 2009).

Currently most commercial forensic tools that support Windows CE (WCE) acquire data from the device through the standard Remote Application Programmers Interface (RAPI). This results in the acquisition of only the active data. Capturing deleted data is not possible using just this method. In 2005, PDA Seizure was one of the first tools that supported logical acquisition of WCE devices. Nowadays, other tools like MSAB's .XRY and Cellebrite's UFED support logical acquisition of WCE devices. In Ayers et al. (2005), a comprehensive overview of forensic tools for mobile devices is given.

MSAB is implementing physical acquisition of WCE devices in its tool XACT (MSAB). Cellebrite supports physical acquisition for Windows CE devices in the Physical-Pro version of UFED (Cellebrite). Since 2003 Hengeveld (2009) has been publishing his open source XDA tools. With this toolset, among other things, an acquisition of RAM and flash memory inside WCE devices can be done. All these tools assume a WCE device that is not locked by a handset security code. Revealing or circumventing security codes is beyond the scope of this paper, but physical acquisition methods like chip extraction, or the use of JTAG or a boot loader, work around handset security codes. More advanced protection of a smart phone would encrypt user data, imposing a new challenge to forensic examination of such a mobile device. This is also beyond the scope of this paper.

This paper takes forensic examination of WCE devices beyond logical acquisition with commercial, off-the-shelf forensic tools. In section 2 relevant aspects of the typical hardware of a WCE device are described and physical locations that can contain user data are identified. Section 3 describes software components in a WCE device that are involved in storing user data or can be used in a forensic acquisition. Section 4 describes the process of acquiring a forensic duplicate of data on a WCE based device. Section 5 covers methods for performing a physical acquisition of a WCE device. Section 6 presents tools and techniques for analyzing results of a physical acquisition. Section 7 discusses results and future work is identified in section 8.

☆ The Netherlands government is authorized to reproduce and distribute reprints of this paper for governmental purposes notwithstanding any copyright notation thereon.
* Tel.: +31 (0)70 888 6423; fax: +31 (0)70 888 6559. E-mail address: c.klaver@nfi.minjus.nl
1742-2876/$ – see front matter © 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2010.02.001

2. Typical WCE hardware

This section describes hardware elements in a typical WCE device that can be relevant for a forensic examination of such a device. Only a general overview will be given of aspects of the processor, flash memory and RAM. Description of other, more specialized hardware components falls outside the scope of this paper.

2.1. Processor

With WCE Microsoft intends to deliver an Operating System (OS) that can run on a range of hardware platforms. Currently four families of processor cores are supported: ARM, MIPS, SH4 and x86 (Microsoft 1). Of these, ARM currently is most common in consumer electronics like smart phones, PDAs and navigation devices. This paper focuses on ARM based devices.

The ARM processors used in WCE devices come from various vendors. To name some that we have come across in the last years: the Intel PXA2x0/PXA30x XScale family of processors (Intel sold its activities in this field to Marvell (Intel, 2006)); Texas Instruments has its OMAP series (Texas Instruments); another player on this market is Samsung with its S3Cxxxx range (Samsung).

One of the interesting aspects of this range of processors is that nearly all peripheral devices needed to build a smart phone are integrated into one chip. These processors are also referred to as System on Chip (SoC). This means that a lot of the information that might be needed for physical data extraction on a device powered by such a SoC must come from the datasheets of this SoC. To be able to make a copy of the NOR flash memory in the device using the Boundary Scan technique it might be necessary to know the memory layout of a smart phone, i.e. which chip select lines are connected to which type of memory chip. Finding datasheets however is getting harder because many SoCs are designed specifically for the mobile handset builders and distribution of datasheets is strictly controlled. Where these datasheets do not become available, the necessary information can only be gained by reverse engineering an exemplar device of the same make and model as the evidence.

2.2. Flash memory

Flash memory is widely used for non-volatile storage of data. There are two main types of flash memory, NOR and NAND flash (Knijff). Flash has specific properties that have forensic relevance. For instance, as data cannot be updated in place in flash memory, the data first has to be copied from flash to RAM, changed and then copied back to a different, empty location in flash. The data from before the change might remain available through physical acquisition for quite a while after the change (Breeuwsma et al., 2007).

2.2.1. NOR flash

This type of flash memory has a RAM-like interface; it has a data bus, an address bus and control lines. NOR flash is mapped in the processor's memory map and processor code can be executed directly from it (this is called 'execute in place'; XIP). NOR flash can also be used as a storage location for user data. Many older WCE devices have a single folder in the root directory that is mapped to a section in NOR flash. With a special driver, like Intel's Persistent Storage Manager (Intel, 2005), the part of the NOR flash memory that is not used for code can be used for user data. In a forensic investigation, this folder should not be overlooked. This folder is for example very suitable for storing system backups and, because it resides in flash, deleted data can persist. When a device with a completely drained battery performs a full system reset, this folder might still contain a recent backup of all user data.

2.2.2. NAND flash

NAND flash can be regarded as the solid state equivalent of a hard disk. It has an interface with an I/O bus and control lines connecting the memory chip to the processor. Over this I/O bus, commands, addresses and data are sent. As NAND flash memory is not mapped in the memory space of the processor, code stored in a NAND flash chip cannot be executed directly, but has to be loaded into RAM first, again much like a hard disk.

After reset, boot loader code is loaded into RAM through some mechanism that depends on the type of flash memory used. Some flash memory types are capable of presenting a boot block of flash memory through a NOR flash interface, allowing the processor to boot from this block. The code in this block will contain instructions to access the rest of the blocks, in order to load the OS into RAM. Typical behavior of WCE smart phones is that after the OS is loaded, it will detect whether it is a cold reset. In that case, it will install customization .cab files from the customization flash partition, often TFAT. After these files are installed, the device is rebooted and it is ready for use.

Flash memory must be erased to all 1s before reuse and flash can only be erased in fairly large blocks, typically between 128 and 512 kB. An erase block that mainly contains expired pages can be made fully expired by copying away the
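The forensic consequence of out-of-place updates in section 2.2 and of block-wise erasure in section 2.2.2 can be made concrete with a small model of a NAND chip. The following Python program is an added example and is not part of Klaver's paper; the page and block sizes, the record contents, the class name NandFlash and its methods are all constructed for illustration. It contrasts what a logical acquisition returns (only the mapped, live page of a record) with what a physical dump yields (every page, including superseded versions), and shows that the old version only disappears once its erase block is reclaimed by copying the live pages away and erasing the block to all 1s.

```python
"""Toy NAND flash with out-of-place updates (constructed example).

Shows why a physical acquisition can still return data that a logical
acquisition no longer sees, and why an erase-block reclaim finally
removes it.  Sizes are deliberately tiny; real chips use 512 B to
several KiB pages and erase blocks of 128-512 kB."""
from typing import Dict, List, Optional

PAGE_SIZE = 64          # bytes per page (toy value)
PAGES_PER_BLOCK = 4     # pages per erase block (toy value)
BLOCKS = 4
ERASED = b"\xff" * PAGE_SIZE   # flash erases to all 1s


class NandFlash:
    """Pages can be programmed once after an erase; erasing is per block.
    A logical-to-physical map (what a flash translation layer or a
    TFAT-style file system keeps) records which page is the live copy."""

    def __init__(self) -> None:
        self.pages = [bytearray(ERASED) for _ in range(BLOCKS * PAGES_PER_BLOCK)]
        self.written = [False] * len(self.pages)   # page already programmed?
        self.live: Dict[int, int] = {}              # logical id -> physical page

    def _alloc(self, avoid_block: Optional[int] = None) -> int:
        """First never-programmed page, optionally skipping one block."""
        for phys, used in enumerate(self.written):
            if used or (avoid_block is not None and phys // PAGES_PER_BLOCK == avoid_block):
                continue
            return phys
        raise RuntimeError("flash full: erase a block first")

    def _program(self, data: bytes, avoid_block: Optional[int] = None) -> int:
        """Program one page; unused tail bytes stay 0xFF (records are ASCII,
        so stripping trailing 0xFF on read is lossless)."""
        if len(data) > PAGE_SIZE:
            raise ValueError("record larger than a page")
        phys = self._alloc(avoid_block)
        self.pages[phys][:len(data)] = data
        self.written[phys] = True
        return phys

    def write(self, logical_id: int, data: bytes) -> None:
        """Update a record: the new version goes to a fresh page, the page
        holding the previous version is merely unmapped, not overwritten."""
        self.live[logical_id] = self._program(data)

    def delete(self, logical_id: int) -> None:
        """Logical delete: drop the mapping, leave the page bytes untouched."""
        self.live.pop(logical_id, None)

    def logical_read(self, logical_id: int) -> Optional[bytes]:
        """What a RAPI-style logical acquisition sees: mapped pages only."""
        phys = self.live.get(logical_id)
        if phys is None:
            return None
        return bytes(self.pages[phys]).rstrip(b"\xff")

    def physical_scan(self, needle: bytes) -> List[int]:
        """What a chip, JTAG or boot-loader dump yields: every page."""
        return [i for i, p in enumerate(self.pages) if needle in bytes(p)]

    def erase_block(self, block: int) -> None:
        """Erase a whole block back to all 1s; refuses if it holds live data."""
        start = block * PAGES_PER_BLOCK
        for phys in range(start, start + PAGES_PER_BLOCK):
            if phys in self.live.values():
                raise RuntimeError("block %d still holds live pages" % block)
            self.pages[phys] = bytearray(ERASED)
            self.written[phys] = False

    def reclaim_block(self, block: int) -> None:
        """Make a mostly expired block fully expired: copy its live pages
        elsewhere, then erase it.  Only now do the stale versions vanish."""
        start = block * PAGES_PER_BLOCK
        for logical_id, phys in list(self.live.items()):
            if start <= phys < start + PAGES_PER_BLOCK:
                data = bytes(self.pages[phys]).rstrip(b"\xff")
                self.live[logical_id] = self._program(data, avoid_block=block)
        self.erase_block(block)


def demo() -> dict:
    """One edit cycle on a constructed contact record, as seen by both
    acquisition methods before and after the block is reclaimed."""
    flash = NandFlash()
    flash.write(1, b"contact: Alice 0612345678")   # constructed sample data
    flash.write(2, b"contact: Bob 0611111111")
    flash.write(1, b"contact: Alice 0698765432")   # user corrects the number
    before = {
        "logical": flash.logical_read(1),
        "old_number_pages": flash.physical_scan(b"0612345678"),
    }
    flash.reclaim_block(0)
    after = {
        "logical": flash.logical_read(1),
        "old_number_pages": flash.physical_scan(b"0612345678"),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the logical view returning only the corrected record both times, while the physical scan finds the superseded phone number on page 0 until `reclaim_block(0)` copies the two live pages into the next block and erases block 0 to 0xFF. On a real device the same window between an update and the eventual block erase is what a physical acquisition exploits, and its length depends on the chip's free space and the wear-levelling policy of the translation layer or file system.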
