Windows Mobile LiveSD Forensics

More and more often, smartphones are relevant targets of civil and criminal investigations. Currently, there are several tools available to acquire forensic evidence from smartphones. Unfortunately, most of these tools require to connect the smartphone under investigation through a cable to an external device, like a computer or a multimeter. Some tools even require to disassemble the chips from the smartphone board.In this paper, we propose LiveSD Forensics, an on-device live data acquisition solution, to acquire evidence from both the Random-Access Memory (RAM) and the Electronically Erasable Programmable Read Only Memory (EEPROM) of Windows Mobile Devices.To the best of our knowledge, LiveSD Forensics is the only tool that performs on-device live data acquisition of the RAM and the EEPROM of Windows Mobile Devices. LiveSD Forensics uses a standard SD-Card equipped with tailored code to perform the data acquisition. Compared to other existing tools, LiveSD also generates the smallest memory alteration. Finally, to assess the effectiveness of the proposed methodology, we test LiveSD in a practical scenario, that is retrieving from the RAM the cryptographic key used by a known on-the-fly encryption tool. Results support the quality and effectiveness of our proposal.