Windows Mobile advanced forensics

Windows CE (at this moment sold as Windows Mobile) is on the market for more than 10 years now. In the third quarter of 2009, Microsoft reached a market share of 8.8% of the more than 41 million mobile phones shipped worldwide in that quarter. This makes it a relevant subject for the forensic community. Most commercially available forensic tools supporting Windows CE deliver logical acquisition, yielding active data only. The possibilities for physical acquisition are increasing as some tool vendors are starting to implement forms of physical acquisition. This paper introduces the forensic application of freely available tools and describes how known methods of Physical Acquisition can be applied to Windows CE devices. Furthermore it introduces a method to investigate isolated Windows CE database volume files for both active and deleted data.