PDA Forensics Presented by: Yusra Shams
Agenda
- Purpose
- Challenges
- Generic structure of a PDA
- Common operating systems
- Where to look for data
- Tools available
Purpose
- PDAs are a relatively recent sensation, widely used to keep up with busy schedules
- They contain personal and business information and a record of the owner's activities
- Portable: individuals carry them all the time, record important items on them and use them to stay connected
- Hence a higher probability of finding useful information, which makes PDAs of high interest to investigators
Challenges
- PDA technology and design are evolving rapidly
- Forensic examiners must stay up to date with:
  - new software technologies
  - new hardware designs
  - peripheral devices
PDA Structure/Hardware
- Microprocessor
- Read-only memory (ROM): holds the operating system for the device; varieties include Flash ROM, which can be erased and reprogrammed with OS updates
- Random access memory (RAM): contains the user data; it is kept alive by the battery, so its contents are lost once the battery is drained or removed (the device's "off" state is a low-power sleep that still refreshes RAM)
- Interface: a variety of hardware keys; touch-sensitive liquid crystal display
Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm

PDA Structure/Hardware contd.
- Additional features: wireless
- Card slots: SD/MMC slot, CompactFlash (CF) slot, etc.
- Expansions: IrDA, Bluetooth accessories
- Battery: removable, rechargeable batteries
PDA Software/OS
- Palm OS
- Pocket PC
- Linux
Palm OS
- Microprocessor: StrongARM or XScale
- Battery: older models use alkaline batteries; recent models use a lithium-ion battery
- ROM: stores the OS and the built-in applications
- RAM: application and user data, divided into
  - Dynamic RAM: working space for temporary allocations; re-initialised on every boot/reset
  - Storage RAM: analogous to disk storage on a desktop; retains its data across a boot/reset
- Memory storage: data is held in chunks called "records"; records are grouped into databases, which can be thought of as files

Palm OS contd.
PFF (Palm File Format) defines three file types:
- Palm Resource (.prc): application code and UI objects
- Palm Query Application (.pqa): web content
- Palm Database (.pdb): application data (contact lists etc.) and other user-specific data
Palm Universal Connector system: allows GPS connectors, wireless modems, keyboards etc. to interact with the device via the USB port
Palm expansion card slots: accept MultiMedia Cards (MMC) and Secure Digital (SD) cards
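The record/database layout described above is concrete enough to parse directly. The following is an added example, not code from the slides or from any tool they name: it reads a Palm .pdb file (the on-disk form of a Palm database as written by a HotSync backup or a pilot-link/pdd acquisition), unpacks the 78-byte header, walks the 8-byte record list, slices out each record's data, and reports the record attribute bits an examiner cares about: the "secret" (private) flag, which only hides a record from the built-in applications and does not encrypt it, and the "deleted" flag, which leaves the list entry in place so whatever bytes its offset still covers are worth looking at. It also hashes the whole file and every record, the integrity step any acquisition tool performs. The field layout and attribute constants follow Palm's DataMgr.h; the sample database is constructed inside the block, and the epoch heuristic in `palm_time` is an assumption about how the file was written.

```python
"""Parse a Palm OS database (.pdb): header, record list, per-record flags and hashes.
Added example for this page, not from any tool the slides mention; the field layout
and dmHdrAttr*/dmRecAttr* constants follow Palm's DataMgr.h / file format spec."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")   # 78-byte database header
RECORD_ENTRY = struct.Struct(">IB3s")           # offset, attributes, 24-bit unique ID

# dmHdrAttr* database attribute bits
DB_RESOURCE, DB_READONLY, DB_BACKUP, DB_COPY_PREVENTION = 0x0001, 0x0002, 0x0008, 0x0040
# dmRecAttr* record attribute bits
REC_SECRET, REC_BUSY, REC_DIRTY, REC_DELETED = 0x10, 0x20, 0x40, 0x80
REC_CATEGORY_MASK = 0x0F

PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)


def palm_time(value):
    """Palm timestamps count seconds since 1904-01-01, but some desktop tools write
    Unix-epoch values; assumed heuristic: a set top bit means the 1904 epoch."""
    if value == 0:
        return None
    if value & 0x80000000:
        return PALM_EPOCH + timedelta(seconds=value)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def parse_pdb(blob):
    """Return the header fields plus one dict per record, data and SHA-1 included."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for a Palm DB header")
    (name, attrs, _version, ctime, mtime, _btime, _modnum, appinfo, _sortinfo,
     dbtype, creator, _uidseed, _nextlist, nrec) = HEADER.unpack_from(blob, 0)
    if attrs & DB_RESOURCE:
        raise ValueError("resource database (.prc): its entry list has a different layout")
    list_end = HEADER.size + nrec * RECORD_ENTRY.size
    if list_end > len(blob):
        raise ValueError("record list runs past end of file")
    entries = [RECORD_ENTRY.unpack_from(blob, HEADER.size + i * RECORD_ENTRY.size)
               for i in range(nrec)]
    # A record's data runs from its offset up to the next higher offset, or to EOF.
    offsets = sorted(off for off, _, _ in entries)
    records = []
    for off, rattr, uid in entries:
        if off > len(blob):
            raise ValueError(f"record offset {off} lies beyond end of file")
        end = next((o for o in offsets if o > off), len(blob))
        data = blob[off:end] if off >= list_end else b""  # offset inside header/list: no data
        records.append({
            "uid": int.from_bytes(uid, "big"),
            "category": rattr & REC_CATEGORY_MASK,
            "secret": bool(rattr & REC_SECRET),    # "private": hidden by the UI, stored in clear
            "deleted": bool(rattr & REC_DELETED),  # flagged deleted; entry (and maybe bytes) remain
            "dirty": bool(rattr & REC_DIRTY),
            "offset": off, "length": len(data),
            "sha1": hashlib.sha1(data).hexdigest(),
            "data": data,
        })
    return {
        "name": name.split(b"\x00", 1)[0].decode("latin-1"),
        "type": dbtype.decode("latin-1"), "creator": creator.decode("latin-1"),
        "read_only": bool(attrs & DB_READONLY), "backup": bool(attrs & DB_BACKUP),
        "copy_prevention": bool(attrs & DB_COPY_PREVENTION),
        "created": palm_time(ctime), "modified": palm_time(mtime),
        "has_appinfo": appinfo != 0,
        "num_records": nrec, "records": records,
        "sha1": hashlib.sha1(blob).hexdigest(),   # hash of the whole acquired file
    }


def report(db):
    """Examiner-style listing: one line for the database, one per record."""
    lines = [f"{db['name']} type={db['type']} creator={db['creator']} "
             f"records={db['num_records']} sha1={db['sha1']}"]
    for r in db["records"]:
        flags = "".join(c for c, on in (("S", r["secret"]), ("D", r["deleted"]),
                                        ("d", r["dirty"])) if on) or "-"
        lines.append(f"  uid=0x{r['uid']:06x} cat={r['category']} flags={flags} "
                     f"off={r['offset']} len={r['length']} sha1={r['sha1'][:12]}")
    return lines


def build_sample_pdb():
    """Constructed fixture, not a real device dump: an address-book style DB with
    one ordinary record, one private record and one deleted-but-not-purged record."""
    payloads = [b"Alice Smith\x00555-0100\x00", b"Bob Jones\x00555-0199\x00", b"Carol\x00"]
    flags = [0x00, REC_SECRET, REC_DELETED | REC_DIRTY]
    data_start = HEADER.size + len(payloads) * RECORD_ENTRY.size + 2  # 2-byte gap after list
    entries, body, off = b"", b"", data_start
    for i, (payload, f) in enumerate(zip(payloads, flags)):
        entries += RECORD_ENTRY.pack(off, f | 1, (0x100 + i).to_bytes(3, "big"))  # category 1
        body += payload
        off += len(payload)
    header = HEADER.pack(b"AddressDB".ljust(32, b"\x00"), DB_BACKUP, 1,
                         0xBD45F600, 0xBD45F600, 0, 7, 0, 0, b"DATA", b"addr", 0, 0, len(payloads))
    return header + entries + b"\x00\x00" + body


if __name__ == "__main__":
    db = parse_pdb(build_sample_pdb())
    print("\n".join(report(db)))
    for r in db["records"]:
        print(hex(r["uid"]), r["data"])
```

Run it against a .pdb pulled from a backup directory or a pilot-link dump and compare the whole-file SHA-1 with the one recorded at acquisition before trusting any record it lists; records marked `S` are the ones the device's owner thought were hidden, and records marked `D` are the first candidates for carving.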
Pocket PC
- More processing and networking capabilities
- Microsoft entered the market with the Windows CE OS; WinCE + added functionality = Pocket PC
- Microprocessor: XScale, ARM, SHx
- WinCE registry: stores data for applications, drivers, system configuration, user preferences, etc.

Pocket PC contd.
Four types of memory:
- RAM
- Expansion RAM
- ROM
- Persistent storage

Pocket PC contd.
Additional security features:
- Power-on password: from a 4-digit numeric PIN up to a 29-character passphrase
- Time-out: locks the device after a period of inactivity
- Fingerprint biometric
PDA Generic States (as defined in NIST's PDA forensics guidance at csrc.nist.gov, see references)
- Nascent state: factory-default condition, no user data present yet
- Active state: powered on and performing tasks, user data present
- Quiescent state: dormant low-power state that conserves the battery while retaining user data and context in memory
- Semi-active state: between active and quiescent; entered by an inactivity timer (e.g. screen dimming) and returned to active by an event such as a key press
Forensic Considerations
What to report:
- Make, model, colour, condition, serial number
- IMEI number and SIM card number (if applicable)
- Hardware/software used
- Data recovered
Where to look for data (depends on the PDA model; identify its characteristics first):
- Calendar
- Internet cache and settings
- Text, audio and video
- Messages sent/received
- Call logs, phone book
- Hex dump, file system

Forensic Considerations contd.
Leave it ON or turn it OFF? Depends on the case at hand and on the device.
- If left ON: isolate the device from the network; the battery drains more quickly while the device keeps searching for a network
- If turned OFF: the PDA may be password protected when it is powered back up, and useful information held in the dynamic RAM may be lost
Look around:
- Take the charger and data cable (if applicable)
- Look for manuals and other PDA documentation
Forensic Tools for PDAs
Commercial:
- PDA Seizure (Palm OS and Pocket PC): acquisition, analysis, reporting
- EnCase (Palm OS): acquisition, analysis, reporting
Free tools:
- pdd (Palm OS): acquisition
- pilot-link (Palm OS): acquisition
- POSE, the Palm OS Emulator: examination and reporting
- dd: acquisition for Linux PDAs

PDA Seizure
- Commercially available forensic software toolkit
- Used for: Palm OS, Pocket PC (PPC)
- Features:
  - acquire a forensic image
  - perform examiner-defined searches
  - generate hash values
  - generate a report of findings
  - bookmarking to organise information
  - graphic library to assemble found images
- A 60-day free trial can be downloaded from http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html
PDA Seizure – Demo version
PDA Seizure – Demo version: Palm OS Emulator start-up dialog
- New emulator session
- Previous session
- Download a ROM image from a Palm OS device
- Leave the Palm OS Emulator
PDA Seizure – Data snapshot
Where else to look
- Peripheral devices: may contain more useful information than the device itself
- Attachments/accessories, hardware or software, and their manuals

Traps (things that can mislead an examiner)
- Removing the logo from the device
- Changing the logo, so that the apparent make/model is wrong
- Running another OS on top of the original one
Questions? Thank you for your interest and time!
References
- NIST Computer Security Resource Center, http://csrc.nist.gov
- Nebraska CERT Conference 2007
- PDA Seizure download, http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html