Microsoft's Your Phone environment from a digital forensic perspective

Abstract: Your Phone is a Microsoft dual mobile/desktop application that links a Windows 10 environment to a smartphone. The Android version lets the smartphone's user control the mobile device from Windows 10: placing and receiving calls, sending and receiving text messages (SMS, MMS and RCS), accessing up to the last 2000 photos/screenshots of the device, and receiving notifications from applications, all through the Windows 10 Your Phone application and, if configured to do so, within the Windows 10 notification center. This work analyzes the Your Phone environment, that is, Your Phone Companion for Android and Your Phone for Windows 10. The paper studies the digital forensic artifacts that can be found in a post-mortem analysis, focusing on the SQLite3 databases used by both the Android and Windows 10 applications. We also compare the examined version with a previous version of Your Phone, showing that Your Phone's newest functionalities bring new valuable artifacts for forensic examiners. The study shows that Your Phone data left on a Windows 10 device can be useful to access a copy of messages, photos, and document interactions, especially when the Android device is inaccessible or even physically unavailable. To ease the task for digital forensic examiners, we have updated our open-source YPA software, which collects and analyzes Your Phone data from a Windows 10 system. YPA runs as a module within the Autopsy digital forensic software.
