I recently became interested in mobile device forensics. This area covers a lot of ground, but a particularly interesting subfield is the forensics of Windows Mobile. As far as I was able to discover, not much has been written about this, which makes it perfect for a blog posting.
After a significant amount of Google research, I found a paper presented at the 2008 DFRWS conference. In it, the authors discuss a Mobile Internal Acquisition Tool, MIAT. They created this tool for extracting files from Smartphones running Symbian or Windows Mobile, and saving them to removable media. Another reference to the same work is presented here.
I was unable to locate a download site for the tool, so I contacted one of the presenters, Alessandro Distefano, as invited in the paper. I found out that the tool is to be released in open source format later this month, and that it will be downloadable from http://www.miatforensics.org; however, that site is still under construction as of this writing.
I tried out the tool, and found it useful, though there are a couple of potentially significant issues, which I've reported back to the authors. My testing was done on a Motorola Q9c, running Windows Mobile 6.1, and provisioned by Sprint with complete 3G Internet service.
The biggest gotcha I discovered was that after imaging the phone with MIAT, my mobile email configuration crashed on startup until I did a Master Reset on my phone. I'm not sure, but I suspect that this was caused by the mail application itself mishandling the fact that one of its files was locked for reading when it attempted to update it. In any case, I was able to avoid this problem subsequently by temporarily changing my Activesync schedule to only run when manually triggered.
Other issues currently include an inability to copy locked files such as index.dat, and a minor encoding issue with the output of MIAT's XML logs (they refuse to open properly in some XML viewers). I'm told that you can copy out some locked files using the Remote File Viewer that comes with Microsoft Visual Studio, but be aware that the same tool can also copy files onto the device, so it can alter the evidence you are trying to preserve (thanks Eoghan!).
When run, the tool dumps out copies of all accessible files from the device's filesystem to the configured local storage path (expected to be a removable storage card). It also creates a top level 'Statistics' folder for its log files and hashes.
In examining the MIAT dump of the phone's filesystem, I found the following interesting items of evidence (note that these are not intended to be comprehensive):
- \Windows\Profiles\guest\ - Contained the Pocket IE cache, including Cookies, index.dat (which was not extracted because of the locked-file issue noted above), and Temporary Internet Files
- \Windows\Messaging - Contained various .mbp files which proved to hold the text of downloaded email messages. There is also an Attachments folder under this path that may hold downloaded attachments.
- \Windows\ActiveSync - Contained various configuration and log files from Activesync
- \Windows\Favorites - Contained Favorite links used by Pocket IE
- \Application Data\GoogleMaps - Contained configuration and cache files used by the installed Google Maps application. These files are all binary, but one of them, prefsext.dat, contains a variety of strings which match searches that have been performed and results (street addresses) which have been returned. Somebody could probably reverse engineer the format and write a parser for this that would be really useful.
- \*.vol - These files contain embedded databases, which hold all of the phone-related information such as call logs, phone book, appointment list, etc. I haven't yet found a free application to parse them, but there's got to be something out there.
- I also found a number of other empty Attachments folders, as well as additional empty Profiles and Temporary Internet Files folders. This probably means that the locations actually used are implementation dependent.
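Since every item above comes down to "walk the dump and look inside a handful of paths", here is a small triage script that does exactly that. It is an added example written for this post; it is not MIAT's code and nothing from the DFRWS paper. It walks a MIAT-style dump directory, picks out the artifact paths listed above, records a SHA-256 for each file so you can later show nothing changed, and pulls printable strings out of the binary ones in both ASCII and UTF-16LE (Windows CE stores most of its text as UTF-16LE, which is why a plain ASCII strings run misses half of what is in files like prefsext.dat). The sample dump it builds is entirely constructed, the path patterns are my own reading of the list above, and MIAT's own Statistics folder is skipped because its log and hash format is not documented here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Artifact locations from the post, as patterns over the dump-relative path.
# These are assumptions about layout, not a MIAT manifest.
ARTIFACT_PATTERNS = (
    ("pocket_ie_profile", re.compile(r"^Windows/Profiles/", re.I)),
    ("messaging", re.compile(r"^Windows/Messaging/", re.I)),
    ("activesync", re.compile(r"^Windows/ActiveSync/", re.I)),
    ("favorites", re.compile(r"^Windows/Favorites/", re.I)),
    ("googlemaps", re.compile(r"^Application Data/GoogleMaps/", re.I)),
    ("embedded_db", re.compile(r"\.vol$", re.I)),
)


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for printable ASCII and
    UTF-16LE runs of at least min_len characters."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable ASCII code unit is followed by a NUL byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def classify(rel_path):
    """Map a dump-relative path to an artifact category, or None."""
    rel = rel_path.replace("\\", "/")
    for name, pattern in ARTIFACT_PATTERNS:
        if pattern.search(rel):
            return name
    return None


def triage_dump(root, min_len=4):
    """Hash and string-scan every file in the dump that matches an
    artifact pattern. MIAT's Statistics folder is its own output, not
    device content, so it is left out."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.startswith("Statistics/"):
            continue
        category = classify(rel)
        if category is None:
            continue
        data = path.read_bytes()
        results[rel] = {
            "category": category,
            "sha256": hashlib.sha256(data).hexdigest(),
            "strings": [text for _, _, text in extract_strings(data, min_len)],
        }
    return results


def build_sample_dump(root):
    """Write a constructed, MIAT-shaped dump. Contents are invented stand-ins
    for the real formats (the .vol and prefsext.dat bytes are not genuine)."""
    files = {
        "Statistics/hashes.txt": b"constructed MIAT log, skipped by triage\n",
        "Windows/Profiles/guest/Cookies/user@example.txt":
            b"sessionid\r\nabc123\r\nexample.com/\r\n",
        "Windows/Messaging/0001.mbp":
            b"\x01\x02Subject: lunch tomorrow?\r\n\r\nSee you at noon.\x00",
        "Windows/Favorites/Home.url":
            b"[InternetShortcut]\r\nURL=http://example.com/\r\n",
        "Application Data/GoogleMaps/prefsext.dat": (
            b"\x00\x00\x00\x10"
            + "123 Main St, Springfield".encode("utf-16-le")
            + b"\x00\x00\xff\xfe"
            + "coffee".encode("utf-16-le")
            + b"\x00\x00"
        ),
        "pim.vol": b"\x00" * 8 + b"Call History" + b"\x00" * 4,
        "Windows/Notes/todo.txt": b"not in the artifact list\n",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_sample():
    """Build the constructed dump in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dump(tmp)
        return triage_dump(tmp)


if __name__ == "__main__":
    for rel, info in run_sample().items():
        print(f"{info['category']:18} {info['sha256'][:12]}  {rel}")
        for text in info["strings"]:
            print(f"    {text!r}")
```

Point it at a real card by replacing `run_sample()` with `triage_dump("/path/to/card")`. The strings pass is deliberately dumb; it is the starting point for the prefsext.dat parser mentioned above, not a substitute for one, and it will not help with the .vol databases beyond showing you which one holds the call history.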
As always, please feel free to leave commentary if you liked this article or want to call me on the carpet for some inaccuracy.
John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.