PDA Forensics

Presented by:Yusra Shams

Agenda

Purpose Challenges Generic structure of PDA Common Operating Systems Where to look for data Tools available

Purpose

PDAs are a relatively recent sensation

Widely used to cope up with busy schedules

Contains personal and business information and happenings

Portable Individuals carry it all the time and record

important stuff and stay connected. Higher probability of finding some useful

information PDAs are of high interest for

investigators

Challenges

PDA technology and design is rapidly evolving.

Forensic experts should be up to date with New software technologies New Hardware designs Peripheral devices

PDA Structure/Hardware

Microprocessor Read only memory (ROM)

Holds Operating System for the device

Varieties include Flash ROM, which can be erased and reprogrammed with OS updates

Random access memory (RAM) Contains user data Kept active by batteries Data lost when powered off

Interface/ variety of hardware keys

Touch sensitive, liquid crystal display

Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm

PDA Structure/Hardware contd..

Additional Features Wireless

IrDA, Bluetooth Card Slots

SD/ MMD slot, Compact Flash(CF) slot etc Expansions

accessories Battery

Removable, rechargeable batteries

PDA - Softwares/OS

Palm OS Pocket PC Linux

Palm OS

Microprocessor StrongArm or XScale

Battery Older models – Alkaline battery Recent models - Lithium ion battery

ROM Stores OS and built in applications

RAM Application & user data Dynamic RAM

Working space for temp. allocations Re-initializes on boot

Storage RAM Analogous to disk storage in desktops Retains data on boot

Memory Storage In chunks called “Records” Records are grouped in DBs DBs can be thought of as “Files”

Palm OS contd..

PFF (Palm File Format) Palm DB

Application data (contact lists etc) User specific data

Palm Resources Application code UI objects

Palm Query Application www content

Palm Universal Connector system Allows GPS connectors, wireless modems, keyboards

etc. Interact with the device via USB port

Palm Expansion card slots Allows

Multi-media cards (MMC) Secure Digital cards (SD)

Pocket PC

Features More processing and networking

capabilities Microsoft entered the market with WinCE

OS WinCE + added functionality = Pocket PC Microprocessor

XScale ARM SHx

WinCE Registry Stores data of Applications, Drivers, Sys

Config, User Preferences etc.

Pocket PC contd..

4 types of Memory RAM Expansion RAM ROM Persistent Storage

Pocket PC contd..

Additional Security Features Power-ON Password

4 digit numeric to 29 char long Time-out

To lock the device after a period of inactivity Finger Print Biometric

PDA Generic States

Nascent State Active State Quiescent State Semi-Active State

Forensic Considerations

What to Report Make, Model, Colour, Condition, Serial

Number IMEI number, SIM card number (if applicable) Hardware/software used Data recovered

Where to look for data Depends on PDA model, Identify

characteristics first Calendar Internet cache, settings Text, Audio, Video Messages sent/received Call logs, Phone-book Hex dump, file system

Forensic Considerations contd..

Left ON or OFF?? Depends on the case at hand and the device If left ON

Isolate the device from network Battery will drain more quickly if the device searches for

network. If turned OFF

PDA may be password protected May lose some useful information in the Dynamic RAM

Look around.. Take charger and data cable (if applicable) Look for manuals, PDA documentations

Forensic Tools for PDAs

PDA Seizure Palm OS and Pocket PC

Acquisition Analysis Reporting

EnCase Palm OS

Acquisition Analysis Reporting

Linux PDA Analysis and reporting

Pdd (acquisition) Pilot-Link (acquisition) POSE (Examination and reporting) Dd (Acquisition for Linux PDA)

PDA Seizure

PDA Seizure Commercially available forensic software toolkit Used for:

Palm OS Pocket PC (PPC)

Features: Acquire Forensic Image Perform examiner-defined searches Generate hash values Generate a report of findings Book-marking to organize information Graphic library to assemble found images

60 day free trial can be downloaded from http://www.softpedia.com/progDownload/PDA-Seizure-

Download-19201.html

PDA Seizure – Demo version

PDA Seizure – Demo version

PDA Seizure – Demo version

Palm OS emulator New emulator session Previous session Download a ROM image

from Palm OS device Leave the Palm OS

Emulator

PDA Seizure – Data snapshot

Where else to look..

Peripheral devices May contain more useful

information than the actual device

Attachments/ Accessories, hardware or software and their manuals

Traps

Removing the logo from the device Changing the logo Running another OS on top of the

original

Questions??

Thank you for your interest and time!!

References

http://csrc.nist.gov Nebraska CERT Conference 2007 http://www.softpedia.com/progDownload/PDA-Seizure-Download-

19201.html