Analyzing Windows Phone 8.1 JTAG and UFED Dumps

© Belkasoft Research

In recent months, we’ve started receiving calls from customers asking about extracting files and looking for evidence in binary dumps extracted from Windows Phone 8 devices. We’ve received dozens of requests from European police departments, especially those in Germany, Italy, and the UK, about extracting and analyzing JTAG and UFED-produced dumps of Windows phones. While in the past we were reluctant to work in this direction considering how small a market share these devices had, recently published figures showing that every 10th device sold in Europe is a Windows Phone made us change our mind.

Meet the newest release of Belkasoft Evidence Center! In this release, we’ve added the ability to process, parse, and extract information stored in binary dumps of Windows Phone devices captured with JTAG or Cellebrite UFED hardware. We can fully reconstruct the original file system of the device, allowing experts to browse through the file system and view and extract individual files and folders.

Our signature discovery and analytics are also there for Windows Phone data. The updated Belkasoft Evidence Center will automatically search for, extract and analyze the many types of evidence essential for your investigation. Contacts and address books, call logs, Skype chats and communication histories in third-party messengers, browsing history and cached social network conversations are carefully extracted and added to the list of available evidence.

SQLite database, carved from JTAG dump, is shown in the built-in SQLite Viewer

Windows Phone Uses Page Files

Just like the bigger OS, Windows Phone uses a page file to swap memory pages to persistent storage. With many Windows Phone devices featuring only 512 MB of onboard RAM, paging becomes an essential part of how the OS works.
