PDA Forensics


PDA Forensics
Presented by: Yusra Shams
Agenda

- Purpose
- Challenges
- Generic structure of a PDA
- Common operating systems
- Where to look for data
- Tools available
Purpose

- PDAs are a relatively recent sensation.
- Widely used to cope with busy schedules.
- Contain personal and business information and happenings.
- Portable:
  - Individuals carry them all the time, record important things and stay connected.
  - Higher probability of finding some useful information.
- PDAs are therefore of high interest to investigators.
Challenges

- PDA technology and design is rapidly evolving.
- Forensic experts should be up to date with:
  - New software technologies
  - New hardware designs
  - Peripheral devices
PDA Structure/Hardware

- Microprocessor
- Read-only memory (ROM)
  - Holds the operating system for the device
  - Varieties include Flash ROM, which can be erased and reprogrammed with OS updates
- Random access memory (RAM)
  - Contains user data
  - Kept active by batteries
  - Data lost when powered off
- Interface: a variety of hardware keys
- Touch-sensitive liquid crystal display

Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm
PDA Structure/Hardware contd..

Additional features

- Wireless
  - IrDA, Bluetooth
- Card slots
  - SD/MMC slot, Compact Flash (CF) slot, etc.
- Expansions
  - Accessories
- Battery
  - Removable, rechargeable batteries
PDA - Software/OS

- Palm OS
- Pocket PC
- Linux
Palm OS

- Microprocessor
  - StrongARM or XScale
- Battery
  - Older models: alkaline battery
  - Recent models: lithium-ion battery
- ROM
  - Stores the OS and built-in applications
- RAM
  - Application and user data
  - Dynamic RAM
    - Working space for temporary allocations
    - Re-initializes on boot
  - Storage RAM
    - Analogous to disk storage in desktops
    - Retains data on boot
- Memory storage
  - In chunks called "records"
  - Records are grouped in DBs
  - DBs can be thought of as "files"
Palm OS contd..

PFF (Palm File Format)

- Palm Resources
  - Application code
  - UI objects
- Palm DB
  - Application data (contact lists etc.)
  - User-specific data
- Palm Query Application
  - WWW content

Palm Universal Connector system

- Allows GPS connectors, wireless modems, keyboards etc.
- Interact with the device via the USB port

Palm Expansion card slots

- Allows
  - Multi-media cards (MMC)
  - Secure Digital cards (SD)
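To make the "records grouped in DBs" model concrete, here is an added Python example (not part of the talk or of any tool it names) that parses the Palm DB container: a 78-byte header, a record table, and the record payloads; it also hashes the image so the examiner can record an integrity value as the tools slide suggests. The sample database is constructed in memory, and the treatment of timestamps without the high bit as Unix-epoch values is an assumption about desktop-written files.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Palm OS database (PDB) layout, big-endian: 78-byte header, then one 8-byte
# entry per record (offset, attribute bits, 3-byte unique ID), then record data.
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
RECORD_ENTRY = struct.Struct(">IB3s")
MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def palm_time(seconds):
    """Palm counts seconds from 1904 (high bit set); high bit clear is read as Unix epoch (assumption)."""
    if seconds == 0:
        return None
    return (MAC_EPOCH if seconds & 0x80000000 else UNIX_EPOCH) + timedelta(seconds=seconds)

def parse_pdb(data):
    """Return header metadata, every record's raw bytes, and the image hash."""
    f = HEADER.unpack_from(data, 0)
    entries = [RECORD_ENTRY.unpack_from(data, HEADER.size + i * RECORD_ENTRY.size)
               for i in range(f[13])]
    ends = [e[0] for e in entries[1:]] + [len(data)]
    records = []
    for (off, attrs, uid), end in zip(entries, ends):
        # A record's length is implied by the next offset; an offset pointing outside
        # the image means a corrupt or tampered table, so refuse rather than guess.
        if not HEADER.size <= off <= end <= len(data):
            raise ValueError(f"record offset {off} outside image")
        records.append({"attrs": attrs, "uid": int.from_bytes(uid, "big"), "data": data[off:end]})
    return {"name": f[0].split(b"\x00", 1)[0].decode("ascii"),
            "type": f[9].decode("ascii"), "creator": f[10].decode("ascii"),
            "created": palm_time(f[3]), "modified": palm_time(f[4]),
            "records": records, "sha256": hashlib.sha256(data).hexdigest()}

def build_pdb(name, dbtype, creator, payloads, stamp=0xC0000000):
    """Assemble a minimal PDB image from constructed payloads (test data only)."""
    pos = HEADER.size + len(payloads) * RECORD_ENTRY.size + 2  # 2-byte gap after the table
    table = b""
    for i, p in enumerate(payloads):
        table += RECORD_ENTRY.pack(pos, 0x40, (i + 1).to_bytes(3, "big"))  # 0x40 = dirty bit
        pos += len(p)
    hdr = HEADER.pack(name.encode().ljust(32, b"\x00"), 0, 1, stamp, stamp, 0, 0, 0, 0,
                      dbtype.encode(), creator.encode(), 0, 0, len(payloads))
    return hdr + table + b"\x00\x00" + b"".join(payloads)
```

Resource databases (PRC, the "Palm Resources" above) use a 10-byte entry of type, ID and offset instead of the 8-byte record entry, so the same header parser applies but the table loop does not.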
Pocket PC

Features

- More processing and networking capabilities
- Microsoft entered the market with the WinCE OS
- WinCE + added functionality = Pocket PC

Microprocessor

- XScale
- ARM
- SHx

WinCE Registry

- Stores data of applications, drivers, system configuration, user preferences etc.
Pocket PC contd..

4 types of memory

- RAM
- Expansion RAM
- ROM
- Persistent storage
Pocket PC contd..

Additional security features

- Power-on password
  - From a 4-digit numeric PIN up to a 29-character password
- Time-out
  - Locks the device after a period of inactivity
- Fingerprint biometric
PDA Generic States

- Nascent state
- Active state
- Quiescent state
- Semi-active state
Forensic Considerations

What to report

- Make, model, colour, condition, serial number
- IMEI number, SIM card number (if applicable)
- Hardware/software used
- Data recovered
Where to look for data

- Depends on the PDA model; identify its characteristics first
- Calendar
- Internet cache, settings
- Text, audio, video
- Messages sent/received
- Call logs, phone-book
- Hex dump, file system
Forensic Considerations contd..

Left ON or OFF??

- Depends on the case at hand and the device
- If left ON
  - Isolate the device from the network
  - The battery will drain more quickly if the device searches for a network
- If turned OFF
  - The PDA may be password protected
  - May lose some useful information in the dynamic RAM

Look around..

- Take the charger and data cable (if applicable)
- Look for manuals and PDA documentation
Forensic Tools for PDAs

Tool          Platform                Stage
PDA Seizure   Palm OS and Pocket PC   Acquisition, analysis, reporting
EnCase        Palm OS                 Analysis and reporting
pdd           Palm OS                 Acquisition
Pilot-Link    Palm OS                 Acquisition
POSE          Palm OS                 Examination and reporting
dd            Linux PDA               Acquisition
PDA Seizure

- Commercially available forensic software toolkit
- Used for:
  - Palm OS
  - Pocket PC (PPC)
- Features:
  - Acquire a forensic image
  - Perform examiner-defined searches
  - Generate hash values
  - Generate a report of findings
  - Bookmarking to organize information
  - Graphic library to assemble found images
- A 60-day free trial can be downloaded from
  http://www.softpedia.com/progDownload/PDA-SeizureDownload-19201.html
PDA Seizure – Demo version

Palm OS emulator

- New emulator session
- Previous session
- Download a ROM image from a Palm OS device
- Leave the Palm OS Emulator

PDA Seizure – Data snapshot
Where else to look..

Peripheral devices

- May contain more useful information than the actual device
- Attachments/accessories, hardware or software, and their manuals

Traps

- Removing the logo from the device
- Changing the logo
- Running another OS on top of the original

Questions??

Thank you for your interest and time!!
References

- http://csrc.nist.gov
- Nebraska CERT Conference 2007
- http://www.softpedia.com/progDownload/PDA-Seizure-Download19201.html