
Windows Phone Physical Imaging Without JTAG and Chip-off


Windows Phones are not frequent guests in our digital forensic lab, especially now that Microsoft has stopped developing the platform. Nevertheless, sometimes we have to forensicate such devices, so it’s very important to have fast and simple methods of data extraction. For quite a long time the only physical extraction options have been JTAG and chip-off techniques, but thanks to security researchers, in this case Heathcliff, we now have a tool that can help digital forensics professionals create physical dumps of a number of WP models. That tool is WPinternals.

The tool allows you to unlock the bootloader and gain root access to the phone. It’s important to note that this technique works even with locked phones. For example, we had a locked phone with more than 1 000 000 seconds until the next unlock attempt, but we successfully created a physical image with WPinternals and decoded it with Oxygen Forensic Detective.

Once you connect the phone to your workstation, the tool will automatically detect its model. First of all, you should download two or more files the tool will need to unlock the phone. The first one is an FFU (Windows Full Flash Update) file; the second is the set of emergency files for the model you are working with. By the way, WPinternals supports the following models: Lumia 520, 521, 525, 620, 625, 720, 820, 920, 925, 928, 1020 and 1320; and the following operating system versions: 8.10.12393.890, 8.10.12397.895, 8.10.14219.341, 8.10.14226.359, 8.10.14234.375, 8.10.15116.125, 8.10.15148.160, 10.0.10512.1000, 10.0.10536.1004, 10.0.10549.4, 10.0.10581.0, 10.0.10586.11, 10.0.10586.36.

Figure 1. Downloading FFU and emergency files

If the downloaded FFU contains an unsupported OS version, the tool will download another FFU and extract the files it needs from it.

Figure 2. Using another FFU because of unsupported OS version

During the unlocking process Windows Phone Internals will scan for a flashing profile. The phone may appear to be in a reboot loop, but this is expected behavior:

Figure 3. Scanning for flashing profile

Once it’s found, WPinternals will flash the unlocked bootloader:

Figure 4. Flashing unlocked bootloader

Now the phone should be in Mass Storage Mode:

Figure 5. Mass Storage Mode

That’s what we need! It’s time to image it. You can use any of the tools you already use for HDD imaging, for example FTK Imager:

Figure 6. Imaging a Windows Phone with FTK Imager

It’s that easy: now we have a full physical image of our phone’s internal memory:

Figure 7. Windows Phone image partition structure

Now it’s ready to be processed with the mobile forensic tool of your choice, or it can be examined manually. There are a lot of partitions, but the most interesting ones from a forensic perspective are MainOS and Data.
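Once the raw image is on disk, the partition layout from Figure 7 can be walked programmatically to locate and carve out MainOS and Data for manual examination. The following is an added Python example, not code from the article or from WPinternals; it assumes a GPT-partitioned dump with 512-byte sectors, skips the GPT CRC32 checks, and builds a constructed miniature image in place of a real phone dump.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors in the dump
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data partition type

def parse_gpt(img: bytes, sector: int = SECTOR) -> list:
    """Walk the GPT header at LBA 1 and return one dict per used partition entry.
    Header and entry-array CRC32 values are deliberately not verified here."""
    hdr = img[sector:sector + 92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1: not a GPT image or wrong sector size")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * sector + i * entry_size
        entry = img[off:off + entry_size]
        type_guid = entry[:16]
        if type_guid == b"\x00" * 16:        # unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")  # GPT names are UTF-16LE
        parts.append({"name": name, "first_lba": first, "last_lba": last,
                      "type": str(uuid.UUID(bytes_le=type_guid))})
    return parts

def extract_partition(img: bytes, part: dict, sector: int = SECTOR) -> bytes:
    """Carve one partition out of the raw image (last_lba is inclusive)."""
    return img[part["first_lba"] * sector:(part["last_lba"] + 1) * sector]

def build_sample_image() -> bytes:
    """Constructed 80-sector GPT image standing in for a phone dump (not real data)."""
    entry_size, n_entries = 128, 4
    layout = [("EFIESP", 34, 41), ("MainOS", 42, 57), ("Data", 58, 73)]
    entries = bytearray(n_entries * entry_size)
    for i, (name, first, last) in enumerate(layout):
        entries[i * entry_size:(i + 1) * entry_size] = (
            BASIC_DATA.bytes_le + uuid.UUID(int=i + 1).bytes_le
            + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\x00"))
    header = (b"EFI PART" + struct.pack("<IIII", 0x00010000, 92, 0, 0)
              + struct.pack("<QQQQ", 1, 79, 34, 73) + uuid.UUID(int=99).bytes_le
              + struct.pack("<QII", 2, n_entries, entry_size) + struct.pack("<I", 0))
    img = bytearray(80 * SECTOR)
    img[SECTOR:SECTOR + len(header)] = header
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    img[42 * SECTOR:42 * SECTOR + 4] = b"MAIN"  # marker so carving MainOS can be checked
    return bytes(img)

if __name__ == "__main__":
    for p in parse_gpt(build_sample_image()):
        print(f"{p['name']:<8} LBA {p['first_lba']}-{p['last_lba']}  type {p['type']}")
```

On a real dump, read the image file into `img` (or memory-map it) and feed the carved MainOS and Data blobs to a filesystem parser of your choice.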

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional) and co-author of Windows Forensics Cookbook and Practical Mobile Forensics.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and the author of Mobile Forensics Cookbook.
