Windows Forensics

Remote Forensics Of Windows 10 Mobile Devices

by Oleg Afonin, Elcomsoft

Microsoft has developed Windows 10 as the one OS for all types of devices from servers to wearables. Desktops, laptops, two-in-ones, tablets and smartphones can (and do) run a version of Windows 10. There are countless forensic tools for acquiring evidence from the desktop version of Windows 10, but far fewer for Windows-powered smartphones.

Forensic analysis of Windows 10 Mobile devices can be complicated due to the exotic status of such devices. Due to full-disk encryption, on-device access may not be an option. However, Microsoft collects enormous amounts of information from its users. This information is then stored in the user’s Microsoft Account. Some bits of data are fully accessible to the user, while access to some other bits (such as mobile backups) is restricted.

In this article we’ll have a look at what exactly is available in Microsoft cloud, what can be extracted and where this information is stored. We will also list the steps required to extract and view the data.


Microsoft Collects Information

Microsoft is notorious for collecting information from Windows 10 users. The amount of data collected by Windows 10 devices increased dramatically compared to the days of Windows 7. This “usage and diagnostics” data, which may include text snippets, app usage data, detailed or approximated location information etc., is automatically collected and transmitted to Microsoft servers unless one explicitly opts out.

Users of Windows-powered handsets (Windows Phone 8.x and Windows 10 Mobile) have access to iOS-style cloud backups created in their Windows Account. Once cloud backups are enabled, things such as application data, call logs, text messages and so on will also be stored in the cloud.

Finally, some information is synchronized by Windows-powered desktop and mobile devices in real-time or close to real-time speed. This includes Web browser history, Bing search history, location data, as well as other things such as notes, calendars, contacts etc.

Microsoft offers ways to access, restrict or delete this information via the Privacy portal.

However, we found that this portal returns a very limited amount of data compared to what is actually being collected. For this reason we expanded Microsoft Account support in this latest EPB build.


Windows 10 Mobile: What’s In The Cloud?

Browsing and Search History

Windows browsing history can only be extracted from the cloud from Windows 10 Mobile (phones) and regular Windows 10 devices if Microsoft Edge was used as a Web browser. Edge browsing history is automatically synced across desktop and mobile Windows 10 devices logged in to the same Microsoft Account. Windows 10 Mobile devices (phones) have Microsoft Edge as their default (and most commonly adopted) Web browser. Edge adoption is growing slowly but steadily on desktops. Note that we also have tools to extract browsing history from other popular Web browsers such as Chrome and Safari using their respective cloud services.

Search history can be extracted from all types of devices regardless of the Web browser used, provided that the searches occurred on Microsoft-owned Bing. Microsoft collects Bing search requests if the user was logged in to their Microsoft Account in the Web browser while running the search.

Call Logs

The call logs can be important evidence. Since cloud backups are enabled by default for all Windows Phone 8, 8.1 and Windows 10 Mobile smartphones, call logs are an essential item to extract.

Location History

Microsoft collects location history from all stationary and mobile Windows devices starting with Windows 8.1. Microsoft does not specify the origins of the location data it collects on desktop and laptop computers, tablets and 2-in-1 devices; at the very least, location is reported by Cortana and via the Edge browser. While users can review their location history by visiting https://account.microsoft.com/privacy/location and signing in to their Microsoft Account, the number of data points returned on that Web page is low: only the last detected location is displayed. However, forensic tools are available that can extract the complete location history from the cloud.

Text Messages (SMS) and Other Previously Extractable Data

Users of Windows 10 Mobile handsets enjoy the ability to synchronize text messages (SMS), notes, calendar events, contacts and some other information with the cloud. This data can be extracted.

Accessing the Data

Since Windows 10 (Mobile) data is stored in the cloud, the user’s Microsoft Account authentication credentials are required to sign in and extract the data. Note that once you try to access mobile backups, the user will be alerted by email, while you will see a request for the secondary authentication factor – even if two-factor authentication is not enabled on the user’s account. This means you will need access to the secondary authentication factor, such as the user’s SIM card with the trusted phone number, a trusted email address or similar.

Conclusion

Cloud forensics allows extracting information from the user’s Microsoft Account without having physical access to the actual mobile device. Considering the amount of data collected, synchronized and stored by Microsoft in the cloud, cloud forensics is the way to go when analysing Windows 10 Mobile devices, and can return additional evidence when analysing Windows 10 PCs.

This article was submitted by ElcomSoft, a digital forensics solutions provider specialising in password recovery, mobile and cloud forensics.

About scar

Scar de Courcier is an assistant editor at Forensic Focus.
