Article info
Article history:
Received 31 December 2009
Received in revised form 9 February 2010
Accepted 10 February 2010
Keywords:
Windows mobile
NAND flash
TFAT file system
Live forensics
Heap
CEDB/EDB database
Logical/physical acquisition
Abstract
Windows CE (currently sold as Windows Mobile) has been on the market for more than 10
years. In the third quarter of 2009, Microsoft reached a market share of 8.8% of the
more than 41 million mobile phones shipped worldwide in that quarter. This makes it
a relevant subject for the forensic community. Most commercially available forensic tools
supporting Windows CE deliver logical acquisition, yielding active data only. The possibilities
for physical acquisition are increasing as some tool vendors are starting to implement
forms of physical acquisition. This paper introduces the forensic application of freely
available tools and describes how known methods of physical acquisition can be applied to
Windows CE devices. Furthermore, it introduces a method to investigate isolated Windows
CE database volume files for both active and deleted data.
© 2010 Elsevier Ltd. All rights reserved.