Despite the fact that Windows Phones are not so widely used nowadays, they may still be encountered during forensic investigations. These devices are the most affordable on the market, so understanding how to acquire, analyze, and decode data from Windows Phones is important. Locating and interpreting digital evidence present on these devices requires specialized knowledge of the Windows Phone operating system, and may not always be possible. Commercial forensic and open source tools provide limited support for acquiring user data from Windows devices. As Windows Phones do not occupy much of the mobile market space, most forensic practitioners are unfamiliar with the data formats, embedded databases that are used, and other artifacts that exist on the device. This chapter provides an overview of Windows Phone forensics, describing various methods of acquiring and examining data on Windows mobile devices.

In this chapter, we will cover the following topics:

• Windows Phone OS
• Windows 10 Mobile security model
• Windows Phone filesystem
• Data acquisition
• Commercial forensic tool acquisition methods
• Extracting data without the use of commercial tools
• Key artifacts for examination