The Development Of A Forensics Tool For Windows Mobile Devices
Author(s) - Kyle Lutes, Richard Mislan
Publication year - 2020
Publication title - Papers on Engineering Education Repository (American Society for Engineering Education)
Language(s) - English
Resource type - Conference proceedings
DOI - 10.18260/1-2--4221
Subject(s) - computer science, computer forensics, digital forensics, computer security
The ubiquity of mobile computing devices (e.g. smartphones), our society's ever increasing use of these devices, and the continual appearance of these devices at crime scenes has created a need for tools to aid in the acquisition of critical, time-sensitive evidence. The term “mobile forensics” is used to describe the acquisition and analysis of data found on mobile computing devices, as well as the data on the SIM/USIM cards and other memory cards they contain. The retrieved data can then be used to aid an investigation or in a court of law. Multiple documented procedures are in place and must be adhered to in the forensic acquisition and analysis of mobile phone data. One of the largest issues surrounding mobile phone forensics is the proprietary methods of storage used by each phone manufacturer.

Many different mobile devices are based on the Windows Mobile operating system from Microsoft. In addition to basic voice capabilities, Windows Mobile devices can be used to store contacts, calendar appointments, emails, text messages, and call histories. Additionally, because these devices frequently include a digital camera, they can store digital photos and video files. Currently, there is just one software tool designed to help law enforcement officers with the acquisition of information contained on Windows Mobile devices. However, this tool is part of a larger forensic software package and its price puts it out of the reach of many potential users.

In this paper we first provide an overview of the trials and tribulations associated with mobile forensics. Secondly, we describe our reasoning for developing our proof of concept software tool, which can be used to acquire nearly all data from Windows Mobile devices. Data retrieved from the device can be displayed on a connected laptop computer, saved for later analysis, or printed. Third, we list the technologies used for its development.
Finally, we conclude with a demonstration of the software and our future plans for its continued development.

The Ubiquity of Mobile Computing Devices

Following in the steps of PDAs, smartphones are becoming personal oracles of information [1]. While early generation cellular telephones were used only for voice communications, modern digital mobile phones have quickly become societal necessities for daily existence. Not only do smartphones support voice communications; these devices also provide technologies for Short Message Service (SMS) messaging, Multi-Media Messaging Service (MMS) messaging, Instant Messaging (IM), electronic mail, Web browsing, multimedia capturing and playback, electronic document previewing, basic Personal Information Management (PIM) applications (e.g., contacts, calendar, etc.) and financial transactions.

The use of smartphones by consumers continues to grow. Consider these recent data points:

• For the July to September 2007 quarter, market research group NPD reported US sales of 4.2 million smartphones, a 180% increase over the same quarter last year.
• A recent Bloomberg report shows the sales of smartphones almost tripled last quarter and made up 11 percent of all phones sold in the U.S. Shoppers spent $3.2 billion on phones, or $83 each, up from $2.2 billion a year earlier.
• Apple claims to have sold four million iPhone smartphones during 2007, which is about half of their goal of selling 10 million iPhones by the end of 2008.

Entries into the smartphone space by Google, with their Android smartphone platform, and Yahoo!, with their Yahoo! Go 3.0 beta, are additional key indicators that the industry heavyweights are expecting huge increases in the number of smartphone users.

The Need for Forensic Tools

As society gravitates towards the adoption of such technologies, so does the criminal population.
Mobile computing devices have been found at numerous crime scenes around the world, usually as corroborative evidence or investigative leads. In the world of digital forensics, law enforcement investigators are just now realizing the potential of the evidence that can be gleaned from smartphones. Such evidence includes contacts, calendar appointments, emails, text messages, call histories, digital photos, and videos. Smartphones are used by drug dealers to manage contacts, child pornographers to store digital photos, and sexual predators as an instant messaging device. Furthermore, digital photos found on smartphones have helped convict suspected criminals. For example, murderers and rapists have used smartphones to take so-called “trophy shot” digital photos of their victims, and youths have recorded videos of themselves committing acts of sexual assault and vandalism.

Digital forensic examiners need a toolkit that specifically acquires and accurately presents digital evidence from mobile computing devices. Primarily there are two types of digital evidence collection that are instrumental in any investigation, “On Scene” and “In the Lab.” On scene, from any mobile phone, it is imperative to collect contacts, call history, and text messages. These sources of personal information give contextual clues to the next steps of any investigation; they identify who you know and to whom you talk. The other set of digital evidence comes from a more lengthy process conducted later in a forensic lab. This information comes from the images, videos, web browser cache, and other document files found on the device. Finally, the means to report and export the analyzed evidence collected is important for the investigation. Unfortunately, the currently available digital forensic examiners' toolkits are light on tools to aid in the acquisition of information from smartphones.
To advance the mobile device forensics field out of its current infant stage, numerous challenges must be addressed by the makers of forensics tools. These challenges can be classified into six general categories: 1) the many manufacturers of mobile phones, 2) preserving data on the device, 3) the nuisance created by the need to carry to every investigation the many varieties of power and data connectors, 4) the various operating systems and communication protocols used by the device vendors, 5) security mechanisms on the mobile device, and 6) the unique data formats used to store information on the device. Finally, to add to this frustration, some phones, notably pre-paid or “Pay As You Go” phones, do not provide the means for data connectivity.

Even though the number of smartphone device models and manufacturers is very large, they all are based on only a handful of operating system (OS) options. In the third quarter of 2007, more than 75% of all smartphones sold in North America were either RIM’s Blackberry, Apple’s iPhone, or smartphones based on Microsoft’s Windows Mobile OS. (Note, because the Windows Mobile OS is based on the Microsoft Windows CE general-purpose OS, some statistics group market share by Windows CE devices rather than Windows Mobile devices.) The Blackberry still leads the pack, but the iPhone has quickly gained 27% of the market in North America to claim the number two spot, while Windows Mobile devices remain a respectable third with approximately 24% of the market.

Given the sizable market held by Windows Mobile smartphones and the need for forensics tools by law enforcement agencies, one might imagine many such forensics tools would be available. However, only one tool is currently available that includes software specifically made to acquire information from Windows Mobile devices.
Paraben Corporation offers a commercial product named Device Seizure that can acquire and analyze information from many mobile phones and other handheld computing devices, including those running the Windows CE and Windows Mobile OSs. However, because the Paraben tool is made to work with many different types of mobile devices, including non-Windows devices, it suffers from not always forensically acquiring and analyzing any one device completely. Additionally, the Paraben tool’s high price of ~$900 puts it out of the reach of many potential users.

WinMoFo Conceptualization

We, the authors, both work in the Department of Computer and Information Technology at Purdue University. Kyle Lutes joined the faculty in 1998, teaches software development courses, has over 25 years of experience in the software development field, and has most recently been specializing in application software development for mobile computing devices. Rick Mislan joined the faculty in 2006 and is well known as a national expert in the emerging field of small-scale digital device forensics. Both authors share a common interest in mobile computing devices and have collaborated on several mobile computing related projects. During one of these projects, Professor Mislan discussed the dearth of tools available to help investigators acquire information from smartphone devices. After a few discussions of desired features, and a few “bar napkin design sessions”, Professor Lutes performed several short experiments to determine the feasibility of the authors developing such a tool themselves. When the experiments proved promising, we decided to proceed with developing a proof of concept forensics tool for Windows Mobile devices. Within four days of heavy coding and testing, Kyle had just over 2,000 lines of hand-typed source code and had created WinMoFo, the working proof of concept Windows Mobile forensics application.
The relatively short development time and small number of lines of source code can be attributed to the software development tools used.