PDAs and Forensic Science
CGS5132 – Computer Forensics II
04.16.02
Aaron Weiss
What will be covered?
• PDA Overview – What is a PDA? What operating systems are used? What are some popular brand names? Why should we learn about PDAs?
• Data Imaging – Memory and file system structure; imaging methods; is an exact image possible?
• Forensic Analysis – Recovery of deleted records; importance of timing; timestamps; password retrieval
• Relevant Software – pdd; CodeWarrior for Palm OS; PDA Defense
PDA Overview
• PDA is an acronym for “Personal Digital Assistant”; also commonly referred to as a “Palm device” or “handheld.”
• Common name brands: 3Com Palm (www.semi.org shows Palm leads the industry), Handspring Visor, Casio Cassiopeia, Compaq iPaq, HP Jornada.
• Operating systems – Palm OS (Palm, Sony, Handspring); Windows for Palm (HP); MS Pocket PC (Compaq); Embedix (Sharp). Palm OS is the most popular.
• Why are PDAs important to us as forensic scientists? Annual sales growth expectations for 2001–2005 are between 15% and 30% (www.informationweek.com).
Data Imaging
• File structure – (Palm OS) PDB, PRC, PQA. These databases are stored like files on a disk, using resource pointers. Their “records” can be recovered.
• Memory structure – Tied directly into the file system; user data, the program stack, pen strokes, key presses, and system events are stored in the dynamic portion of memory. This memory has a different starting point for each processor.
• Making an exact image – Specifically using pdd (the most popular method). MD5 hashes of successive acquisitions of the same device will not match, because the heaps are re-initialized between acquisitions.
Forensic Analysis
• Deleted records can be recovered. Palm OS does not completely erase records until a successful HotSync has been completed.
• Importance of timing – Deleted files; viewing an encrypted file leaves its cleartext component on the system for some time; imaging success on the first attempt is important because some data can be lost after a soft reset.
• Timestamps – Three 4-byte timestamp values: creation date, modification date, and last backup date (if the device was ever backed up). These dates can be easily modified.
• Password retrieval – Passwords are transmitted through imaging into “Unsaved Preferences.”
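As an added example (not from the slides and not the pdd tool's code) to make the Data Imaging and Forensic Analysis slides concrete: a minimal Python parser for the Palm OS PDB layout that decodes the three 4-byte timestamps and lists records that are merely flagged deleted rather than erased. The two-record fixture is constructed here; the 1904/1970 epoch heuristic and the 0x80 delete bit are the conventional PDB interpretation, not something the slides state.

```python
import struct
from datetime import datetime, timedelta, timezone

# Palm OS database (PDB) header: 78 bytes, big-endian, then one 8-byte entry per record.
HEADER = struct.Struct(">32sHH6I4s4sIIH")
ENTRY = struct.Struct(">IB3s")
PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
REC_DELETED, REC_DIRTY = 0x80, 0x40   # record attribute bits; low nibble is the category

def palm_time(value):
    """Decode one of the three 4-byte timestamps; 0 means 'never' (e.g. no backup yet).
    Palm tools count seconds from 1904, some desktop tools from 1970; the usual
    heuristic (an assumption, not from the slides) is that 1904-based values have bit 31 set."""
    if value == 0:
        return None
    epoch = PALM_EPOCH if value & 0x80000000 else UNIX_EPOCH
    return epoch + timedelta(seconds=value)

def parse_pdb(blob):
    """Return header fields and every record, including ones merely flagged deleted."""
    (name, _attrs, _ver, created, modified, backup, _modnum, _appinfo, _sortinfo,
     dbtype, creator, _seed, _nextlist, nrec) = HEADER.unpack_from(blob, 0)
    entries = [ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size) for i in range(nrec)]
    ends = [e[0] for e in entries[1:]] + [len(blob)]   # each record runs to the next offset
    records = [{"uid": int.from_bytes(uid, "big"), "category": attr & 0x0F,
                "deleted": bool(attr & REC_DELETED), "dirty": bool(attr & REC_DIRTY),
                "data": blob[off:end]} for (off, attr, uid), end in zip(entries, ends)]
    return {"name": name.split(b"\0", 1)[0].decode("ascii"), "type": dbtype.decode("ascii"),
            "creator": creator.decode("ascii"), "created": palm_time(created),
            "modified": palm_time(modified), "backup": palm_time(backup), "records": records}

def build_sample_pdb():
    """Constructed fixture: a two-record MemoDB-style file whose second record is
    flagged deleted but whose bytes are still present (the pre-HotSync state)."""
    payloads = [b"meeting notes\0", b"old password\0"]
    stamp = int((datetime(2002, 4, 16, tzinfo=timezone.utc) - PALM_EPOCH).total_seconds())
    header = HEADER.pack(b"MemoDB".ljust(32, b"\0"), 0, 1, stamp, stamp, 0, 0, 0, 0,
                         b"DATA", b"memo", 0, 0, len(payloads))
    entries, off = b"", HEADER.size + len(payloads) * ENTRY.size + 2  # 2-byte gap after list
    for i, p in enumerate(payloads):
        entries += ENTRY.pack(off, REC_DELETED if i == 1 else 0, (i + 1).to_bytes(3, "big"))
        off += len(p)
    return header + entries + b"\0\0" + b"".join(payloads)

if __name__ == "__main__":
    for r in parse_pdb(build_sample_pdb())["records"]:
        print(r["uid"], "DELETED" if r["deleted"] else "live   ", r["data"])
```

A backup timestamp of 0 decodes to None, which is the "never backed up" case the slide mentions; the deleted record's payload is still returned because only its attribute bit was set.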
Relevant Software
• pdd – Palm dd; based on the Unix dd. This is the most popular Palm forensics software. http://www.@stake.com/research/tools/pdd-1.10.zip
• CodeWarrior for Palm OS – Used to put Palm devices into “Debug Mode.” This allows communication via the serial port and imaging, and can be used to overcome lockout protection. http://www.codewarrior.com/products/palm
• PDA Defense – Third-party lockout software; difficult to bypass. http://www.pdadefense.com/palm.asp
References
• http://www.pdadefense.com/palm.asp
• TUCOFS – The Ultimate Collection of Forensic Software
• Psion Place: Message Boards: Developers: Forensic Analysis of Psion Devices
• @stake Research Labs – Research Reports
• http://www.informationweek.com
• http://www.semi.org