Windows Phone 7: implications for digital forensic investigators
Windows Phone 7 (WP7) is the latest smartphone Operating System (OS) from Microsoft (MS), replacing the previous MS smartphone OS, Windows Mobile (WM) 6.5. WP7 was redesigned completely and was not based on a previous version, unlike WM6, which was based on WM5, and so on. Because WP7 was redesigned and not based on WM, it differs from WM in many ways: in the underlying hardware and software, in the user interface, and in how the phone communicates with a PC. Much research has been done on WM forensics, and as a result forensic tools and techniques for WM have been established. Due to the changes implemented in WP7, the established WM forensic tools and techniques may be unable to work with WP7.
A review of the literature on WM forensics and WP7 identified that the compatibility of the WM forensic tools and techniques with WP7 was not known, leaving a gap between the WM forensics literature and WP7. The research question, "What forensic data can be extracted from a WP7 phone using current tools and techniques used to extract forensic data from WM phones?", and a hypothesis were defined. A methodology was defined in order to conduct the research, answer the research question and test the hypothesis. The research was conducted in five phases. Phase one used the literature review and reviews of similar published studies to establish the current WM forensic tools and techniques, and what data can be extracted from a WM phone using them. Phase two used the data extracted from the WM phone as a template to generate test data, which was loaded onto a WP7 phone. Phase three applied the established WM forensic tools and techniques to the WP7 phone in order to extract the test data from the phone. Phase four compared the data extracted from the WP7 phone with the data extracted from the WM phone. Phase five evaluated the compatibility of the WM forensic tools and techniques based on the results from Phase four. The research findings showed that, of the WM forensic tools and techniques tested, only one tool was able to successfully acquire any data from the WP7 phone. However, the data acquired from the WP7 phone was much less than what could be acquired from a WM phone using the same tool. The remaining WM forensic tools and techniques tested were either unable to acquire data from the WP7 phone or yielded inconclusive results. Based on the research findings, the majority of the WM forensic tools and techniques are not able to extract any data from WP7, and the WM forensic tool which can extract data from WP7 is able to extract much less data than from WM.