PDAs and Forensic Science - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: PDAs and Forensic Science


1
PDAs and Forensic Science
  • CGS5132 Computer Forensics II
  • 04.16.02
  • Aaron Weiss

2
What will be covered?
  • PDA Overview: What is a PDA? What operating
    systems are used? What are some popular brand
    names? Why should we learn about PDAs?
  • Data Imaging: Memory and file system structure.
    Imaging methods. Is an exact image possible?
  • Forensic Analysis: Recovery of deleted records.
    Importance of timing. Timestamps. Password
    retrieval.
  • Relevant Software: pdd, CodeWarrior for Palm OS,
    PDA Defense.

3
PDA Overview
  • PDA is an acronym for Personal Digital Assistant.
    Also commonly referred to as a Palm device or
    handheld.
  • Common Name Brands: 3Com Palm (www.semi.org
    shows Palm leads industry), Handspring Visor,
    Casio Cassiopeia, Compaq iPaq, HP Jornada.
  • Operating Systems: Palm OS (Palm, Sony,
    Handspring), Windows for Palm (HP), MS Pocket PC
    (Compaq), Embedix (Sharp). Palm OS is most
    popular.
  • Why are PDAs important to us as forensic
    scientists?
  • Annual sales growth expectations for 2001-2005
    are between 15% and 30% (www.informationweek.com).

4
Data Imaging
  • File Structure (Palm OS): PDB, PRC, PQA. These
    databases are stored like files on a disk, using
    resource pointers. These records can be
    recovered.
  • Memory structure: Tied directly into the file
    system. User data, program stack, pen strokes,
    key presses, and system events are stored in the
    dynamic portion of the memory. This memory has a
    different starting point for each processor.
  • Making an exact image: Specifically using pdd
    (most popular method). An MD5 hash applied to
    subsequent acquisitions of the same device will
    not match, due to the re-initialization of heaps.

5
Forensic Analysis
  • Deleted records can be recovered. The Palm OS
    does not completely erase records until a
    successful HotSync has been completed.
  • Importance of timing: Deleted files. Viewed
    encrypted files leave the cleartext component on
    the system for some time. Imaging success on the
    first attempt is important because after a soft
    reset, some data can be lost.
  • Timestamps: 3 timestamps, each a 4-byte value:
    creation date, modification date, and last backup
    date (if ever). These dates can be easily
    modified.
  • Password Retrieval: Passwords are transmitted
    through imaging into Unsaved Preferences.
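
Added example (not part of the original slides): a reader for the three 4-byte timestamps and the per-record deleted flag in a PDB file taken from an acquired image. It assumes the standard Palm database layout, which the slides do not spell out: a 78-byte big-endian header, 8-byte record entries, timestamps counted in seconds from 1 January 1904, and delete attribute bit 0x80. The MemoDB sample is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # assumed: Palm OS counts seconds from here
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")  # assumed 78-byte big-endian PDB header
ENTRY = struct.Struct(">IB3s")                 # per record: data offset, attributes, unique ID
ATTR_DELETE = 0x80                             # assumed: record flagged deleted, not yet purged

def palm_time(seconds):
    """Convert a 4-byte Palm timestamp; 0 means the event never happened."""
    return None if seconds == 0 else PALM_EPOCH + timedelta(seconds=seconds)

def parse_pdb(data):
    """Return the header timestamps and the indexes of records still flagged deleted."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PDB header")
    (name, _attr, _ver, created, modified, backup, _modnum, _appinfo, _sortinfo,
     dbtype, creator, _seed, _next, count) = HEADER.unpack_from(data)
    if len(data) < HEADER.size + count * ENTRY.size:
        raise ValueError("truncated record list")
    deleted = []
    for i in range(count):
        _offset, attrs, _uid = ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
        if attrs & ATTR_DELETE:
            deleted.append(i)
    return {
        "name": name.split(b"\0", 1)[0].decode("latin-1"),
        "type": dbtype.decode("latin-1"), "creator": creator.decode("latin-1"),
        "created": palm_time(created), "modified": palm_time(modified),
        "last_backup": palm_time(backup),  # None when the database was never backed up
        # The dates are easily modified, so flag an impossible ordering instead of trusting it.
        "suspicious": bool(created and modified and modified < created),
        "records": count, "deleted": deleted,
    }

def build_sample():
    """Constructed test image: MemoDB with three records, the second flagged deleted."""
    t = lambda *ymd: int((datetime(*ymd, tzinfo=timezone.utc) - PALM_EPOCH).total_seconds())
    header = HEADER.pack(b"MemoDB", 0, 0, t(2002, 4, 1), t(2002, 4, 16), 0, 0, 0, 0,
                         b"DATA", b"memo", 0, 0, 3)
    entries = b"".join(ENTRY.pack(102 + 4 * i, a, bytes([0, 0, i + 1]))
                       for i, a in enumerate((0x00, ATTR_DELETE, 0x00)))
    return header + entries + b"AAAABBBBCCCC"

if __name__ == "__main__":
    print(parse_pdb(build_sample()))
```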

6
Relevant Software
  • pdd: Palm dd, based on the Unix dd. This
    is the most popular Palm forensics software.
    http://www.@stake.com/research/tools/pdd-1.10.zip
  • CodeWarrior for Palm OS: Used to put Palm
    devices into Debug Mode. This allows
    communication via serial port and imaging, and can
    be used to overcome lockout protection.
    http://www.codewarrior.com/products/palm
  • PDA Defense: 3rd-party lockout software.
    Difficult to bypass.
    http://www.pdadefense.com/palm.asp

7
References
  • http://www.pdadefense.com/palm.asp
  • TUCOFS - The Ultimate Collection of Forensic
    Software
  • Psion Place Message Boards Developers Forensic
    Analysis of Psion Devices
  • @stake Research Labs - Research Reports
  • http://www.informationweek.com
  • http://www.semi.org