PowerPoint Introduction to Windows Mobile...
![Page 1: PowerPoint Introduction to Windows Mobile Forensicsforensic.sc.su.ac.th/seminar/seminari53/ppt/52312338.pdf · 1 Introduction to Windows Mobile Forensics Eoghan Casey, Michael Bann,](https://reader033.fdocuments.net/reader033/viewer/2022041414/5e1a577152a3396b012ae38c/html5/thumbnails/1.jpg)
Introduction to Windows Mobile Forensics
Eoghan Casey, Michael Bann, John Doyle. Digital Investigation 6. 2010. 136-146
By
Mr. Samajan Kasana
Advisor
Pol.Col. Siripong Timula
Introduction
• The personal nature of the information on
these devices can provide digital
investigators with valuable insights into
the modus operandi of suspects and
activities of victims.
Introduction (to…)
| Manufacturer/model | OS version | OS build | Radio version |
|---|---|---|---|
| HTC S620 (Dash) | Windows Mobile 6 Standard, 5.2.1236 | 17741.0.2.1 | 4.1.13.61_03.21.90 |
| Motorola Q | Windows Mobile 5.0, 5.1.195 | 14960.2.4.0 | Q2-BP_C_06.OB.11P,Q2 Portable |
| Samsung i607 (Blackjack) | Windows Mobile 5.0 with Messaging and Security Feature Pack, 5.1.342 | 15100.3.0.2 | |

Table 1 - Summary of test device characteristics.
Introduction (to…)
• The remainder of this paper describes
where useful information is stored
and how to examine these important
data sources.
Windows Mobile overview
• Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown.
Windows Mobile overview (to…)
Locations of Usage Artifacts on Windows Mobile Devices
Forensic Processing of Windows Mobile Devices
Forensic Acquisition
• The forensic acquisition tools that are
available to most forensic analysts do not
have direct access to flash memory on
Windows Mobile devices and are limited
to acquiring data through a hardware
abstraction layer.
Forensic Acquisition (to…)
Deleted File Recovery
Examining Embedded Databases
• Windows Mobile devices store some
significant information in volume files
that encapsulate multiple embedded
databases that include details about
communications, contacts, and calls.
Examining Embedded Databases (to…)
Examining Embedded Databases (to…)
Examining Embedded Databases (to…)
Tools and Interpretation
Examining Registry Hives
Examining Registry Hives (to…)
| Registry key | Description |
|---|---|
| `HKCU\ControlPanel\Owner` | Contact details entered by user |
| `HKCU\System\State\Shell` | Most recently used (MRU) items |
| `HKCU\Software\Microsoft\pMSN\SavedUsers` | Windows Live ID |
| `HKCU\ControlPanel\Home\CurBgImageName` | Home screen background image |
| `HKCU\Comm\EAPOL\Config` | WiFi access point information |

Table 5 - Items in the user Registry hive on Windows Mobile devices of potential interest.
Examining E-mail and MMS Remnants
Examining E-mail and MMS Remnants
Malicious Eavesdropping Case Study
Malicious Eavesdropping Case Study
Conclusions
• As Windows Mobile devices become
more prevalent, there is a growing
need for forensic analysts who can
acquire evidence from these devices.
Introduction to Windows Mobile Forensics
Discussion
QUESTION ?