Windows Phones are not frequent guests in our digital forensic lab, especially now that Microsoft has stopped developing the platform. Nevertheless, we sometimes have to forensicate such devices, so it's very important to have methods of fast and simple data extraction. For quite a long time the only options for physical extraction were JTAG or chip-off techniques, but thanks to security researchers, in this case Heathcliff, we now have a tool that can help digital forensics professionals create physical dumps of a number of WP models. That tool is WPinternals.
The tool allows you to unlock the bootloader and gain root access to the phone. It's important to note that this technique works even with locked phones. For example, we had a locked phone with more than 1 000 000 seconds until the next unlock attempt, but we successfully created a physical image with WPinternals and decoded it with Oxygen Forensic Detective.
Once you connect the phone to your workstation, the tool will automatically detect its model. First of all, you should download the two or more files the tool needs to unlock the phone. The first one is the FFU (Windows Full Flash Update) file, the second is the set of emergency files for the model you are working with. By the way, WPinternals supports the following models: Lumia 520, 521, 525, 620, 625, 720, 820, 920, 925, 928, 1020 and 1320; and the following operating systems: 8.10.12393.890, 8.10.12397.895, 8.10.14219.341, 8.10.14226.359, 8.10.14234.375, 8.10.15116.125, 8.10.15148.160, 10.0.10512.1000, 10.0.10536.1004, 10.0.10549.4, 10.0.10581.0, 10.0.10586.11, 10.0.10586.36.
Figure 1. Downloading FFU and emergency files
If the downloaded FFU contains an unsupported OS version, the tool will download another FFU and extract the files it needs from it.
Figure 2. Using another FFU because of unsupported OS version
During the unlocking process Windows Phone Internals will scan for a flashing profile; the phone may appear to be in a reboot loop, but this is expected behavior:
Figure 3. Scanning for flashing profile
Once the profile is found, WPinternals will flash the unlocked bootloader:
Figure 4. Flashing unlocked bootloader
Now the phone should be in Mass Storage Mode:
Figure 5. Mass Storage Mode
That's what we need! It's time to image it. You can use any of the tools you normally use for HDD imaging, for example FTK Imager:
Figure 6. Imaging a Windows Phone with FTK Imager
It is that easy; now we have a full physical image of the phone's internal memory:
Figure 7. Windows Phone image partition structure
Now it's ready to be processed with a mobile forensic tool of your choice, or it can be examined manually. There are a lot of partitions, but the most interesting ones from a forensic perspective are MainOS and Data.
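The raw image produced above starts with a GPT, so the MainOS and Data partitions can be located without a commercial tool. The following Python script is an added example, not code from the post or from WPinternals: it parses the primary GPT of a raw dump, verifies both CRC32 fields so a truncated or corrupted image is caught before any carving, and returns the byte offsets of the partitions of interest. The sample image it builds is constructed for the demonstration (only GPT metadata, placeholder GUIDs, made-up LBA ranges) and is not a real Lumia layout.

```python
import struct
import zlib

SECTOR = 512                 # raw eMMC dumps of the phone use 512-byte sectors
GPT_SIG = b"EFI PART"

def parse_gpt(image: bytes, sector: int = SECTOR) -> list:
    """Read the primary GPT at LBA 1 and return the named partitions it describes."""
    hdr = image[sector:sector + 92]
    if hdr[:8] != GPT_SIG:
        raise ValueError("no GPT header at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # the header CRC is computed with its own CRC field zeroed
    if zlib.crc32(hdr[:16] + b"\0" * 4 + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    table = image[entries_lba * sector:][:n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        if e[:16] == bytes(16): continue          # all-zero type GUID = unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append({"name": name, "first_lba": first, "last_lba": last,
                      "size": (last - first + 1) * sector})
    return parts

def partition_offsets(image: bytes, wanted=("MainOS", "Data")) -> dict:
    """Byte offset of each wanted partition inside the dump, for carving it out."""
    return {p["name"]: p["first_lba"] * SECTOR for p in parse_gpt(image) if p["name"] in wanted}

def build_sample_image() -> bytes:
    """Constructed sample (not a real dump): GPT metadata only, naming a few Lumia-style partitions."""
    layout = [("SBL1", 34, 65), ("MainOS", 66, 129), ("Data", 130, 255)]
    n_entries, entry_size = 128, 128
    table = bytearray(n_entries * entry_size)
    for i, (name, first, last) in enumerate(layout):
        off = i * entry_size
        table[off:off + 32] = b"\x11" * 16 + bytes([i + 1]) * 16     # placeholder type/unique GUIDs
        struct.pack_into("<QQ", table, off + 32, first, last)
        table[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\0")
    hdr = bytearray(92)
    hdr[:8] = GPT_SIG
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)                   # revision 1.0, header size
    struct.pack_into("<QQQQ", hdr, 24, 1, 255, 34, 222)               # my LBA, backup LBA, first/last usable
    struct.pack_into("<QIII", hdr, 72, 2, n_entries, entry_size, zlib.crc32(table))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))                  # CRC field is still zero here
    return bytes(SECTOR) + bytes(hdr).ljust(SECTOR, b"\0") + bytes(table)
```

On a real dump, pass the contents of the FTK Imager raw file to `partition_offsets` and carve each partition with its `first_lba` and `size`; hash the dump before and after to show nothing was altered.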
Happy forensicating!
About the authors
Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.