Windows mobile advanced forensics: An alternative to existing tools

In the field of forensic analysis, Windows mobile smartphones are a real issue for an IT security expert. When retrieving information from such devices, commercial products or free tools available on the Internet do not prevent alterations from being made to smartphones flash memory. Indeed, all of those tools use ActiveSync to acquire data from the smartphone to the computer. Moreover, in order to implement this acquistion, a DLL agent has to be placed into the memory to enable remote control from the computer. This study is meant to propose an alternative to these methods. This overall purpose is twofold. It tends to prove that some smartphones bootloaders can be used to acquire data to preserve the digital evidence integrity. In addition, it proposes methods to process specific files with specific formats such as registry hives and the cemail.vol file, including the retrieval of deleted data still embedded in this file.