PDA Forensics
Presented by: Yusra Shams
Agenda
Purpose
Challenges
Generic structure of PDA
Common operating systems
Where to look for data
Tools available
Purpose
PDAs are a relatively recent sensation.
Widely used to cope with busy schedules.
Contain personal and business information and happenings.
Portable: individuals carry them all the time, record important stuff and stay connected.
Higher probability of finding some useful information, so PDAs are of high interest for investigators.
Challenges
PDA technology and design is rapidly evolving.
Forensic experts should be up to date with:
New software technologies
New hardware designs
Peripheral devices
PDA Structure/Hardware
Microprocessor
Read only memory (ROM)
Holds the operating system for the device
Varieties include Flash ROM, which can be erased and reprogrammed with OS updates
Random access memory (RAM)
Contains user data
Kept active by batteries
Data lost when powered off
Interface / variety of hardware keys
Touch sensitive liquid crystal display
Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm
PDA Structure/Hardware contd..
Additional features
Wireless: IrDA, Bluetooth
Card slots: SD/MMC slot, Compact Flash (CF) slot etc.
Expansions: accessories
Battery: removable, rechargeable batteries
PDA - Software/OS
Palm OS
Pocket PC
Linux
Palm OS
Microprocessor: StrongARM or XScale
Battery: older models – alkaline battery; recent models – lithium ion battery
ROM: stores OS and built-in applications
RAM: application & user data
Dynamic RAM: working space for temporary allocations; re-initializes on boot
Storage RAM: analogous to disk storage in desktops; retains data on boot
Memory storage: in chunks called “Records”; records are grouped in DBs; DBs can be thought of as “Files”
Palm OS contd..
PFF (Palm File Format)
Palm DB: application data (contact lists etc.), user-specific data
Palm Resources: application code, UI objects
Palm Query Application: WWW content
Palm Universal Connector system: allows GPS connectors, wireless modems, keyboards etc. to interact with the device via the USB port
Palm Expansion card slots: allow Multi-media cards (MMC) and Secure Digital cards (SD)
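The record-and-database layout described on these two slides is what an examiner sees when pulling a Palm DB (.pdb) out of an acquired image. As an added example (not part of the original presentation), the parser below reads the 78-byte PDB header and its record list, surfaces records whose attribute byte carries the deleted or secret flag (the record bytes typically remain in the database until a cleanup), and hashes the whole database for the report; the sample database it builds is constructed here, not a real acquisition.

```python
import hashlib
import struct
from datetime import datetime, timedelta

# PDB header (78 bytes, big-endian): name(32) attrs(2) version(2) created/modified/backup/
# modnum/appInfoID/sortInfoID (6 x 4) type(4) creator(4) uniqueIDseed(4) nextRecordList(4) numRecords(2)
HEADER = struct.Struct(">32sHH6I4s4sIIH")
ENTRY = struct.Struct(">IB3s")          # record list entry: offset(4) attributes(1) unique id(3)
PALM_EPOCH = datetime(1904, 1, 1)       # Palm timestamps are seconds since 1904-01-01
REC_DELETED, REC_SECRET = 0x80, 0x10    # record attribute bits


def parse_pdb(blob):
    """Return header fields and every record, including records flagged as deleted."""
    (name, attrs, version, created, modified, backup, modnum, app_info,
     sort_info, dbtype, creator, seed, nxt, count) = HEADER.unpack_from(blob, 0)
    entries = [ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size) for i in range(count)]
    records = []
    for i, (offset, rattr, uid) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < count else len(blob)   # next record offset or EOF
        records.append({
            "uid": int.from_bytes(uid, "big"),
            "category": rattr & 0x0F,
            "deleted": bool(rattr & REC_DELETED),  # flagged deleted; bytes usually still present
            "secret": bool(rattr & REC_SECRET),    # "private" record hidden by the Palm UI
            "data": blob[offset:end],
        })
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "type": dbtype.decode("ascii", "replace"),
        "creator": creator.decode("ascii", "replace"),
        "created": PALM_EPOCH + timedelta(seconds=created),
        "records": records,
        "sha256": hashlib.sha256(blob).hexdigest(),  # integrity hash of the acquired DB
    }


def build_sample_pdb():
    """Constructed sample (not a real acquisition): two contact records, the second flagged deleted."""
    recs = [(0x00, b"Alice Example\x00555-0100\x00"), (REC_DELETED, b"Bob Example\x00555-0199\x00")]
    created = int((datetime(2007, 8, 8) - PALM_EPOCH).total_seconds())
    header = HEADER.pack(b"AddressDB".ljust(32, b"\x00"), 0, 1, created, created, 0, 0, 0, 0,
                         b"DATA", b"addr", 0, 0, len(recs))
    entries, body, pos = b"", b"", HEADER.size + len(recs) * ENTRY.size
    for i, (rattr, payload) in enumerate(recs):
        entries += ENTRY.pack(pos, rattr, (i + 1).to_bytes(3, "big"))
        body += payload
        pos += len(payload)
    return header + entries + body
```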
Pocket PC
Features: more processing and networking capabilities
Microsoft entered the market with WinCE
OS: WinCE + added functionality = Pocket PC
Microprocessor: XScale, ARM, SHx
WinCE Registry: stores data of applications, drivers, system config, user preferences etc.
Pocket PC contd..
4 types of memory:
RAM
Expansion RAM
ROM
Persistent storage
Pocket PC contd..
Additional security features
Power-on password: 4-digit numeric to 29 characters long
Time-out: locks the device after a period of inactivity
Fingerprint biometric
PDA Generic States
Nascent state
Active state
Quiescent state
Semi-active state
Forensic Considerations
What to report:
Make, model, colour, condition, serial number
IMEI number, SIM card number (if applicable)
Hardware/software used
Data recovered
Where to look for data: depends on PDA model; identify characteristics first
Calendar
Internet cache, settings
Text, audio, video
Messages sent/received
Call logs, phone-book
Hex dump, file system
Forensic Considerations contd..
Left ON or OFF? Depends on the case at hand and the device.
If left ON: isolate the device from the network; the battery will drain more quickly if the device keeps searching for a network.
If turned OFF: the PDA may be password protected; some useful information in the Dynamic RAM may be lost.
Look around: take the charger and data cable (if applicable); look for manuals and PDA documentation.
Forensic Tools for PDAs
PDA Seizure: Palm OS and Pocket PC
Acquisition, analysis, reporting
EnCase: Palm OS
Acquisition, analysis, reporting
Linux PDA analysis and reporting:
pdd (acquisition)
pilot-link (acquisition)
POSE (examination and reporting)
dd (acquisition for Linux PDA)
PDA Seizure
PDA Seizure: commercially available forensic software toolkit
Used for: Palm OS, Pocket PC (PPC)
Features:
Acquire forensic image
Perform examiner-defined searches
Generate hash values
Generate a report of findings
Book-marking to organize information
Graphic library to assemble found images
60 day free trial can be downloaded from http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html
PDA Seizure – Demo version
Palm OS Emulator
New emulator session
Previous session
Download a ROM image from Palm OS device
Leave the Palm OS Emulator
PDA Seizure – Data snapshot
Where else to look..
Peripheral devices may contain more useful information than the actual device
Attachments/accessories, hardware or software, and their manuals
Traps
Removing the logo from the device
Changing the logo
Running another OS on top of the original
Questions??
Thank you for your interest and time!!
References
http://csrc.nist.gov
Nebraska CERT Conference 2007
http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html