Monday, 7 April 2014

Windows Phone 8 - Nokia Lumia 920 Forensics

Having heard that Windows Phone 8 was a bit of a pain to analyse forensically, I took it upon myself to get hold of a trial version of Oxygen Forensics Suite 2014 and make an image of the Lumia 920.

Figure 1

I have to say that the suite looks (and is) brilliant. Figure 1 shows the Sherlock Holmes type figure with his magnifying glass, which really sums up what we're trying to do here. The logo makes it look as if Oxygen only works with Apple, Android and BlackBerry; however, it does work with Windows Phone.

For some reason unbeknownst to me, Oxygen Forensics Suite 2014 would crash whenever I tried to make it detect the phone, which was attached by USB. I had to manually select the phone from the list which Oxygen provides. Once the phone is imaged, Oxygen creates a file with an OFB extension (which I believe stands for Oxygen Forensic Backup).

Figure 2

Naming format of the root of the evidence tree: N-A (serial-number-of-phone) date-image-was-taken.ofb

As you can see in Figure 2, I had opened the OFB file in FTK. The long string in brackets is the serial number of the phone, followed by the date and time that the imaging process took place (18:30 GMT). The subdirectories we're most interested in are called 'Files' and '_glrThumbs'.

Important Note: When a user is on the home screen of a Lumia 920, the 'Photos' live tile shows photographs that are sitting in 'Photo Albums'. The Nokia Lumia 920 creates a thumbnail of each of these photographs and puts it into the _glrThumbs folder.

Figure 3


The thumbnail quality varies, as the pictures often lose quality when they are scaled up; however, they do provide extremely good evidential value, and in some cases the quality is excellent (see Figure 3). Each thumbnail has a filename of the form tmb_xxxxxxxx.jpg (where each x is either a digit or a letter), although the naming scheme behind it is unknown to me at this moment in time.

Sitting in the directory immediately under [ZIP], seen in Figure 3, there is a database file with the extension FDB. The FDB file may be something to do with Oxygen Forensics Suite, or the only other option is that it's a Firebird database. Whatever it is, mine is 5280 bytes and may contain something of interest. I may look at this another time.

Finally, we come to Figure 4. Figure 4 shows the 'Files' folder, which contains photographs from 'Photo Albums', Word documents, Excel documents, etc. This is a very useful folder for examination.

Figure 4

The photographs appear here at the same resolution they were taken at, or, if they were cropped, at the post-crop size.
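To make the two folders above easier to work through, here is an added triage script (my own example, not code from the original post or from Oxygen's tooling). It assumes the OFB contents have already been exported from FTK to a directory containing the 'Files' and '_glrThumbs' subfolders; it hashes every file, flags thumbnails by the tmb_xxxxxxxx.jpg pattern (an assumption based on the names observed above, treating each x as one of eight letters or digits), and reads each JPEG's width and height straight from its SOF marker so that an original in 'Files' can be matched against its scaled-down copy in '_glrThumbs'. The sample tree it builds is constructed for the demonstration; the file names and sizes in it are invented.

```python
"""Triage an exported Oxygen OFB evidence tree from a Lumia 920.

Added example, not part of the original post or of Oxygen's tooling.
Assumes the .ofb contents have already been exported to a directory
that contains the 'Files' and '_glrThumbs' subfolders described above.
"""
import hashlib
import re
import struct
import tempfile
from pathlib import Path

# Assumption: thumbnails are named tmb_ plus eight letters/digits, as
# observed on the phone in the post; the scheme behind them is unknown.
THUMB_RE = re.compile(r"^tmb_[0-9a-z]{8}\.jpg$", re.IGNORECASE)

# JPEG "start of frame" markers (SOF0..SOF15 minus DHT/JPG/DAC), the
# segments that carry the image height and width.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data):
    """Return (width, height) from the first SOF segment, or None if the
    bytes are not a JPEG we can walk. No image library needed."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone marker, no length
            continue
        if marker in (0xD9, 0xDA):           # EOI / SOS before any SOF
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            if pos + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return (width, height)
        pos += 2 + seg_len                   # skip this segment's payload
    return None


def inventory(root):
    """Hash every file under Files/ and _glrThumbs/, flag thumbnails by
    name pattern and record JPEG dimensions so originals can be compared
    with their thumbnails."""
    root = Path(root)
    records = []
    for sub in ("Files", "_glrThumbs"):
        base = root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if not path.is_file():
                continue
            data = path.read_bytes()
            records.append({
                "folder": sub,
                "name": path.name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_thumb": bool(THUMB_RE.match(path.name)),
                "dimensions": jpeg_dimensions(data),
                "magic": data[:4].hex(),     # first bytes, for eyeballing unknown formats
            })
    return records


def make_jpeg(width, height):
    """Constructed test data: a minimal JPEG skeleton (SOI, SOF0, EOI) with
    the given dimensions. Not a real photo and not decodable as one."""
    sof0 = struct.pack(">BBHBHHB", 0xFF, 0xC0, 17, 8, height, width, 3)
    sof0 += bytes([1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1])  # three component specs
    return b"\xff\xd8" + sof0 + b"\xff\xd9"


def build_sample_tree(root):
    """Constructed sample tree mirroring the layout in Figures 2-4; the
    file names and sizes are invented for the example."""
    root = Path(root)
    (root / "Files").mkdir(parents=True, exist_ok=True)
    (root / "_glrThumbs").mkdir(parents=True, exist_ok=True)
    (root / "Files" / "WP_000123.jpg").write_bytes(make_jpeg(3264, 2448))
    (root / "Files" / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 28)
    (root / "_glrThumbs" / "tmb_0a1b2c3d.jpg").write_bytes(make_jpeg(200, 150))
    (root / "_glrThumbs" / "notathumb.jpg").write_bytes(make_jpeg(64, 48))
    return root


def triage_sample():
    """Build the constructed tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_tree(tmp))


if __name__ == "__main__":
    for rec in triage_sample():
        print(f"{rec['folder']:<11} {rec['name']:<18} {rec['size']:>6} "
              f"{str(rec['dimensions']):<13} thumb={rec['is_thumb']} "
              f"{rec['sha256'][:16]} magic={rec['magic']}")
```

Point `inventory()` at the exported tree instead of the constructed one to use it on a real image. Reading the dimensions from the SOF marker rather than from EXIF means a cropped original reports its post-crop size, which is exactly what you want when matching it against the thumbnail; the `magic` column is there so an unfamiliar file such as the FDB database can be identified from its first bytes without guessing at its format.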

It seems that there is a lot of evidence to be found on a Windows Phone 8, but unfortunately not nearly as much as on Android phones or iPhones. The Windows OS is locked down, and you're not likely to see much apart from MP3s, documents and photographs. On my initial look at the image, I couldn't see (or find) the likes of the IMEI just by looking at the files sitting on the phone. A physical investigation of the phone would probably be required to get that sort of information.

In part 2, we will look at what more evidential value we can get from docx files.

Thank you for reading.

