A comparison of forensic evidence recovery techniques for a windows mobile smart phone

George Grispos, Tim Storer, William Bradley Glisson

Research output: Contribution to journal › Article › peer-review

44 Scopus citations


Acquisition, decoding and presentation of information from mobile devices is complex and challenging. Device memory is usually integrated into the device, making isolation prior to recovery difficult. In addition, manufacturers have adopted a variety of file systems and formats, complicating decoding and presentation. A variety of tools and methods have been developed (both commercially and in the open source community) to assist mobile forensics investigators. However, it is unclear to what extent these tools can present a complete view of the information held on a mobile device, or the extent to which the results produced by different tools are consistent. This paper investigates what information held on a Windows Mobile smart phone can be recovered using several different approaches to acquisition and decoding. The paper demonstrates that no one technique recovers all information of potential forensic interest from a Windows Mobile device, and that in some cases the information recovered is conflicting.

Original language: English (US)
Pages (from-to): 23-36
Number of pages: 14
Journal: Digital Investigation
Issue number: 1
State: Published - Jul 2011
Externally published: Yes


  • Digital forensics
  • File carver
  • Logical acquisition
  • Physical acquisition
  • Smart phone
  • Windows mobile

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law

