PDA Forensics
Presented by: Yusra Shams
Agenda
• Purpose
• Challenges
• Generic structure of PDA
• Common Operating Systems
• Where to look for data
• Tools available
Purpose
• PDAs are a relatively recent sensation
• Widely used to cope with busy schedules
• Contain personal and business information and events
• Portable
• Individuals carry them all the time, record important information and stay connected
• Higher probability of finding some useful information
• PDAs are of high interest for investigators
Challenges
• PDA technology and design is rapidly evolving
• Forensic experts should be up to date with
  • New software technologies
  • New hardware designs
  • Peripheral devices
PDA Structure/Hardware
• Microprocessor
• Read only memory (ROM)
  • Holds the operating system for the device
  • Varieties include Flash ROM, which can be erased and reprogrammed with OS updates
• Random access memory (RAM)
  • Contains user data
  • Kept active by batteries
  • Data lost when powered off
• Interface / variety of hardware keys
• Touch-sensitive liquid crystal display
• Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm
PDA Structure/Hardware contd.
• Additional features
  • Wireless
    • IrDA, Bluetooth
  • Card slots
    • SD/MMC slot, Compact Flash (CF) slot etc.
  • Expansions
    • Accessories
• Battery
  • Removable, rechargeable batteries
PDA Software/OS
• Palm OS
• Pocket PC
• Linux
Palm OS
• Microprocessor
  • StrongARM or XScale
• Battery
  • Older models: alkaline battery
  • Recent models: lithium-ion battery
• ROM
  • Stores OS and built-in applications
• RAM
  • Application and user data
  • Dynamic RAM
    • Working space for temporary allocations
    • Re-initialized on boot
  • Storage RAM
    • Analogous to disk storage in desktops
    • Retains data across reboots
• Memory storage
  • In chunks called "Records"
  • Records are grouped in DBs
  • DBs can be thought of as "Files"
Palm OS contd.
• PFF (Palm File Format)
  • Palm DB
    • Application data (contact lists etc.)
    • User-specific data
  • Palm Resources
    • Application code
    • UI objects
  • Palm Query Application
    • Web content
• Palm Universal Connector system
  • Allows GPS connectors, wireless modems, keyboards etc.
  • Interact with the device via USB port
• Palm expansion card slots
  • Allow
    • Multi-media cards (MMC)
    • Secure Digital cards (SD)
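The two slides above describe Palm storage as records grouped into databases (DBs) that are backed up and exchanged in the Palm file format. The following parser is an added example and not part of the original slides or of any named tool: it reads the 78-byte big-endian PDB header and the record list, and surfaces the per-record attribute bits that matter to an examiner (the "deleted" bit, which leaves the record bytes in place until the database is purged, and the "secret" bit, which only hides a record from the device UI). The sample database is constructed inline; the timestamp epoch rule (seconds since 1904 when the high bit is set, otherwise since 1970) is the commonly documented Palm convention and is an assumption about the files you will meet.

```python
import struct
from datetime import datetime, timedelta, timezone

PDB_HEADER = ">32sHHIIIIII4s4sIIH"   # 78-byte big-endian Palm database header
PDB_HEADER_SIZE = struct.calcsize(PDB_HEADER)
RECORD_ENTRY = ">IB3s"               # record offset, attribute byte, 3-byte unique ID
RECORD_ENTRY_SIZE = struct.calcsize(RECORD_ENTRY)

# Record attribute bits of the Palm OS Data Manager (dmRecAttr*)
ATTR_DELETED = 0x80   # record logically deleted, bytes usually still present
ATTR_DIRTY = 0x40
ATTR_BUSY = 0x20
ATTR_SECRET = 0x10    # "private" record, hidden by the UI unless unlocked
ATTR_CATEGORY_MASK = 0x0F

MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def palm_time(value):
    """Assumed convention: high bit set -> seconds since 1904 (Mac epoch),
    otherwise seconds since 1970; a zero field means "not set"."""
    if value == 0:
        return None
    base = MAC_EPOCH if value & 0x80000000 else UNIX_EPOCH
    return base + timedelta(seconds=value)


def parse_pdb(blob):
    """Return (header dict, list of record dicts) for a PDB byte string."""
    if len(blob) < PDB_HEADER_SIZE:
        raise ValueError("too short to be a Palm database")
    (name, attributes, version, created, modified, backed_up, _mod_number,
     _app_info, _sort_info, dbtype, creator, _uid_seed, _next_list,
     num_records) = struct.unpack_from(PDB_HEADER, blob, 0)
    header = {
        "name": name.split(b"\x00", 1)[0].decode("latin-1"),
        "attributes": attributes,
        "version": version,
        "created": palm_time(created),
        "modified": palm_time(modified),
        "backed_up": palm_time(backed_up),
        "type": dbtype.decode("latin-1"),
        "creator": creator.decode("latin-1"),
        "num_records": num_records,
    }
    entries = []
    pos = PDB_HEADER_SIZE
    for _ in range(num_records):
        if pos + RECORD_ENTRY_SIZE > len(blob):
            raise ValueError("record list runs past the end of the file")
        offset, attr, uid = struct.unpack_from(RECORD_ENTRY, blob, pos)
        entries.append((offset, attr, int.from_bytes(uid, "big")))
        pos += RECORD_ENTRY_SIZE
    # Record data is contiguous: each record ends where the next one starts.
    records = []
    for i, (offset, attr, uid) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < len(entries) else len(blob)
        if not (PDB_HEADER_SIZE <= offset <= end <= len(blob)):
            raise ValueError(f"record {i} has an invalid offset")
        records.append({
            "index": i,
            "unique_id": uid,
            "category": attr & ATTR_CATEGORY_MASK,
            "deleted": bool(attr & ATTR_DELETED),
            "secret": bool(attr & ATTR_SECRET),
            "dirty": bool(attr & ATTR_DIRTY),
            "data": blob[offset:end],
        })
    return header, records


def hidden_records(records):
    """Records an examiner should not miss: deleted-but-present or private."""
    return [r for r in records if r["deleted"] or r["secret"]]


def build_sample_pdb():
    """Constructed sample (not a real device image): three address records,
    the second flagged deleted and the third flagged secret."""
    payloads = [b"Alice\x00", b"Bob\x00", b"Carol\x00"]
    attrs = [0x01, ATTR_DELETED | 0x01, ATTR_SECRET | 0x02]
    data_start = PDB_HEADER_SIZE + len(payloads) * RECORD_ENTRY_SIZE + 2  # 2 pad bytes
    header = struct.pack(PDB_HEADER, b"AddressDB", 0, 1,
                         0xBE000000, 0xBE000010, 0, 3, 0, 0,
                         b"DATA", b"addr", 0, 0, len(payloads))
    entries, offset = b"", data_start
    for i, (payload, attr) in enumerate(zip(payloads, attrs)):
        entries += struct.pack(RECORD_ENTRY, offset, attr, (i + 1).to_bytes(3, "big"))
        offset += len(payload)
    return header + entries + b"\x00\x00" + b"".join(payloads)


if __name__ == "__main__":
    hdr, recs = parse_pdb(build_sample_pdb())
    print(hdr["name"], hdr["creator"], hdr["created"])
    for r in hidden_records(recs):
        print(r["index"], "deleted" if r["deleted"] else "secret", r["data"])
```

Walking records by offset rather than trusting a viewer application is the point: the device UI skips deleted and private records, while the bytes stay in storage RAM (and in any backup file) until a purge or a new HotSync.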
Pocket PC
• Features
  • More processing and networking capabilities
  • Microsoft entered the market with the WinCE OS
  • WinCE + added functionality = Pocket PC
• Microprocessor
  • XScale
  • ARM
  • SHx
• WinCE Registry
  • Stores data of applications, drivers, system configuration, user preferences etc.
Pocket PC contd.
• 4 types of memory
  • RAM
  • Expansion RAM
  • ROM
  • Persistent storage
Pocket PC contd.
• Additional security features
  • Power-on password
    • 4-digit numeric to 29 characters long
  • Time-out
    • Locks the device after a period of inactivity
  • Fingerprint biometric
PDA Generic States
• Nascent state
• Active state
• Quiescent state
• Semi-active state
Forensic Considerations
• What to report
  • Make, model, colour, condition, serial number
  • IMEI number, SIM card number (if applicable)
  • Hardware/software used
  • Data recovered
• Where to look for data
  • Depends on the PDA model; identify its characteristics first
  • Calendar
  • Internet cache, settings
  • Text, audio, video
  • Messages sent/received
  • Call logs, phone book
  • Hex dump, file system
Forensic Considerations contd.
• Left ON or OFF??
  • Depends on the case at hand and the device
  • If left ON
    • Isolate the device from the network
    • Battery will drain more quickly if the device searches for a network
  • If turned OFF
    • PDA may be password protected
    • May lose some useful information in the dynamic RAM
• Look around
  • Take the charger and data cable (if applicable)
  • Look for manuals and PDA documentation
Forensic Tools for PDAs
• PDA Seizure
  • Palm OS and Pocket PC
  • Acquisition
  • Analysis
  • Reporting
• EnCase
  • Palm OS
  • Acquisition
  • Analysis
  • Reporting
• Linux PDA
  • Analysis and reporting
• pdd (acquisition)
• pilot-link (acquisition)
• POSE (examination and reporting)
• dd (acquisition for Linux PDA)
PDA Seizure
• PDA Seizure
  • Commercially available forensic software toolkit
  • Used for:
    • Palm OS
    • Pocket PC (PPC)
  • Features:
    • Acquire a forensic image
    • Perform examiner-defined searches
    • Generate hash values
    • Generate a report of findings
    • Bookmarking to organize information
    • Graphic library to assemble found images
  • 60-day free trial can be downloaded from
    • http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html
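The "What to report" slide and the PDA Seizure feature list describe the same workflow: image the device, hash the image, run examiner-defined searches over the raw dump, and write up the findings. The script below is an added example and not code from PDA Seizure or from the original slides; it implements that workflow over a constructed in-memory dump. Device details are placeholders, the keyword list is an assumption, and the search covers both plain ASCII and UTF-16LE because Pocket PC/WinCE stores most strings as UTF-16, so an ASCII-only search would miss them.

```python
import hashlib
import json
import re

# Placeholder device record; an examiner fills these from the device label.
DEVICE_INFO = {
    "make": "<make>",
    "model": "<model>",
    "colour": "<colour>",
    "condition": "<condition as found>",
    "serial_number": "<serial number from label>",
    "imei": "<IMEI, if applicable>",
    "sim": "<SIM card number, if applicable>",
}


def hash_image(image):
    """Hash the acquired image; MD5 is kept because older tools report it."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_image(image, expected_sha256):
    """Re-hash a working copy and compare to the value recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


def keyword_search(image, keywords, context=8):
    """Examiner-defined search over raw bytes in ASCII and UTF-16LE encodings.
    Returns one hit per match with its byte offset and a hex snippet."""
    hits = []
    for keyword in keywords:
        for encoding in ("ascii", "utf-16-le"):
            needle = keyword.encode(encoding)
            for match in re.finditer(re.escape(needle), image):
                start, end = match.start(), match.end()
                hits.append({
                    "keyword": keyword,
                    "encoding": encoding,
                    "offset": start,
                    "context_hex": image[max(0, start - context):end + context].hex(),
                })
    return hits


def build_report(device, image, keywords):
    """Assemble the report fields listed on the 'What to report' slide."""
    return {
        "device": device,
        "image": {"size_bytes": len(image), **hash_image(image)},
        "keywords": list(keywords),
        "hits": keyword_search(image, keywords),
    }


def build_sample_image():
    """Constructed dump (not from a real PDA): an ASCII note, then a
    UTF-16LE contact name, surrounded by filler bytes."""
    return (b"\x00" * 16
            + b"meeting at 5pm"
            + b"\x00" * 8
            + "Alice".encode("utf-16-le")
            + b"\xff" * 8)


if __name__ == "__main__":
    dump = build_sample_image()
    report = build_report(DEVICE_INFO, dump, ["meeting", "Alice"])
    print(json.dumps(report, indent=2))
```

Hashing before any analysis, and again on every working copy, is what lets the report's "data recovered" section be tied back to the exact bytes acquired; the offsets in the hits are what an examiner bookmarks when going back to the hex dump.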
PDA Seizure – Demo version
• Palm OS emulator
  • New emulator session
  • Previous session
  • Download a ROM image from Palm OS device
  • Leave the Palm OS Emulator
Where else to look
• Peripheral devices
  • May contain more useful information than the actual device
• Attachments/accessories, hardware or software, and their manuals
Traps
• Removing the logo from the device
• Changing the logo
• Running another OS on top of the original
Thank you for your interest and time!! Questions??
References
• http://csrc.nist.gov
• Nebraska CERT Conference 2007
• http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html