Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted from Windows Phone 8 devices. We’ve had dozens of requests from European police departments, especially those in Germany, Italy, and the UK, about extracting and analyzing JTAG and UFED-produced dumps of Windows phones. While in the past we were reluctant to work in this direction considering how small a market share these devices had, the recently published numbers showing that every 10th device sold in Europe is a Windows Phone made us change our mind.

Meet the newest release of Belkasoft Evidence Center! In this release, we’ve added the ability to process, parse, and extract information stored in binary dumps of Windows Phone devices captured with JTAG or Cellebrite UFED hardware. We can fully reconstruct the original file system of the device, allowing experts to browse through the file system and view and extract individual files and folders.

Our signature discovery and analytics are also there for Windows Phone data. The updated Belkasoft Evidence Center will automatically search for, extract and analyze the many types of evidence essential for your investigation. Contacts and address books, call logs, Skype chats and communication histories in third-party messengers, browsing history and cached social network conversations are carefully extracted and added to the list of available evidence.


An SQLite database carved from a JTAG dump, shown in the built-in SQLite Viewer

Windows Phone Uses Page Files

Just like the desktop OS, Windows Phone uses a page file to swap memory pages out to persistent storage. With many Windows Phone devices featuring only 512 MB of onboard RAM, paging becomes an essential part of how the OS works.

Page files store information used by running and background apps, including open Internet Explorer tabs, social network timelines and chat sessions. However, because Windows Phone devices use the ARM architecture (unlike the Intel x86 used by devices running the desktop versions of Windows), the format and content of the page file differ significantly between platforms. As a result, using standard Windows tools to analyze Windows Phone page files is a no-go.

Belkasoft Evidence Center becomes the first digital forensic tool on the market to properly parse Pagefile.sys files produced by Windows Phone 8.1. The tool will automatically parse the page file, carving all known types of artifacts such as cached Web pages and pictures, chat messages and posts in social networks.


Internet Explorer history found inside a page file, itself found in a JTAG dump

Windows Phone Takes Screen Shots of Minimized Apps

What happens to an app when the user switches tasks? Like most smartphones, Windows Phone devices can only have one foreground app. Minimized tasks are often pushed out of volatile memory due to the limited amount available. A minimized task is represented as a static picture in the task manager: when Windows Phone minimizes an app, the system captures its screen and stores the screen shot in JPEG format. These screen shots are truly invaluable for digital investigations. Often displaying data not available from any other source, application screen shots may show the Web pages being visited or open social network profiles, current chat sessions, and pictures or videos being viewed.

Belkasoft recognizes the importance of application screen shots and takes every step to carve them out of a device dump. Application screen shots are then displayed in a dedicated section for your investigation.
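To make the carving idea concrete, here is a small added example (not Belkasoft's code) that scans a raw dump for the two artifact types named in this post: JPEG screen shots, located by their SOI/EOI markers, and SQLite databases, whose length is taken from the page size and page count in the SQLite header. The dump it runs on is constructed inline for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"          # Start Of Image followed by a marker byte
JPEG_EOI = b"\xff\xd9"              # End Of Image
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def carve_jpegs(dump: bytes, max_size: int = 8 * 1024 * 1024):
    """Return (offset, data) for each JPEG delimited by SOI ... EOI in the dump."""
    found, pos = [], 0
    while (start := dump.find(JPEG_SOI, pos)) >= 0:
        # First EOI after the header; an embedded EXIF thumbnail carries its own
        # EOI and can cut a file short, so carved images should still be validated.
        end = dump.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1
            continue
        found.append((start, dump[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def carve_sqlite(dump: bytes):
    """Return (offset, data) for each SQLite file; size = page_size * page_count."""
    found, pos = [], 0
    while (start := dump.find(SQLITE_MAGIC, pos)) >= 0:
        hdr = dump[start:start + 100]               # the 100-byte database header
        page_size = struct.unpack(">H", hdr[16:18])[0]
        if page_size == 1:                          # value 1 encodes 65536
            page_size = 65536
        page_count = struct.unpack(">I", hdr[28:32])[0]  # "database size in pages"
        length = page_size * page_count
        # page_count is 0 in files written by old SQLite versions; skip those here.
        if page_size >= 512 and page_count and start + length <= len(dump):
            found.append((start, dump[start:start + length]))
            pos = start + length
        else:
            pos = start + 1
    return found

def build_sample_dump() -> bytes:
    """Constructed dump: filler, a tiny JPEG, filler, a 2-page SQLite file, filler."""
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + JPEG_EOI   # 33 bytes
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    hdr[16:18] = struct.pack(">H", 1024)    # page size 1024
    hdr[28:32] = struct.pack(">I", 2)       # two pages -> 2048 bytes
    sqlite = bytes(hdr) + b"\x00" * (2048 - 100)
    return b"\x11" * 300 + jpeg + b"\x22" * 500 + sqlite + b"\x33" * 100

if __name__ == "__main__":
    dump = build_sample_dump()
    print("JPEGs:", [(o, len(d)) for o, d in carve_jpegs(dump)])
    print("SQLite:", [(o, len(d)) for o, d in carve_sqlite(dump)])
```

On a real JTAG image the same scan runs over the whole dump, including unallocated space and the page file, which is how artifacts the file system no longer references are recovered.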


A set of application screen shots found inside a particular JTAG dump

About Belkasoft Evidence Center 2015

Belkasoft Evidence Center is a digital forensic solution enabling security experts and forensic specialists to collect and analyze digital evidence from computers and mobile devices. Belkasoft Evidence Center can automatically locate, process and analyze evidence stored inside hard drives, forensic images and dumps. Hundreds of evidence types are supported out of the box, such as documents, emails, pictures and videos, chats and browser histories, encrypted and system files.

Low-level access to hard disk and system structures means that even data deleted by a suspect cannot escape investigators. Supporting Windows, Unix/Linux, Android and Mac OS X file systems, natively mounting images created in EnCase and FTK, DD and SMART formats, UFED, chip-off and JTAG binary dumps, X-Ways containers and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.

Information on Belkasoft Evidence Center as well as the free demo download are available at https://belkasoft.com/trial.


See also:

Forensic analysis of SQLite databases