PDA Forensics - PowerPoint PPT Presentation

PDA Forensics Presented by: Yusra Shams – PowerPoint PPT presentation

Slides: 26
Provided by: yus88
1
PDA Forensics
  • Presented by
  • Yusra Shams

2
Agenda
  • Purpose
  • Challenges
  • Generic structure of PDA
  • Common Operating Systems
  • Where to look for data
  • Tools available

3
Purpose
  • PDAs are a relatively recent sensation
  • Widely used to cope with busy schedules
  • Contains personal and business information and
    happenings
  • Portable
  • Individuals carry it all the time and record
    important stuff and stay connected.
  • Higher probability of finding some useful
    information
  • PDAs are of high interest for investigators

4
Challenges
  • PDA technology and design are rapidly evolving.
  • Forensic experts should be up to date with
      • New software technologies
      • New hardware designs
      • Peripheral devices

5
PDA Structure/Hardware
  • Microprocessor
  • Read only memory (ROM)
      • Holds Operating System for the device
      • Varieties include Flash ROM, which can be erased
        and reprogrammed with OS updates
  • Random access memory (RAM)
      • Contains user data
      • Kept active by batteries
      • Data lost when powered off
  • Interface/ variety of hardware keys
  • Touch sensitive, liquid crystal display
  • Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm

6
PDA Structure/Hardware contd..
  • Additional Features
  • Wireless
      • IrDA, Bluetooth
  • Card Slots
      • SD/MMC slot, Compact Flash (CF) slot etc.
  • Expansions
      • Accessories
  • Battery
      • Removable, rechargeable batteries


7
PDA - Software/OS
  • Palm OS
  • Pocket PC
  • Linux


8
Palm OS
  • Microprocessor
      • StrongArm or XScale
  • Battery
      • Older models - Alkaline battery
      • Recent models - Lithium ion battery
  • ROM
      • Stores OS and built in applications
  • RAM
      • Application user data
      • Dynamic RAM
          • Working space for temp. allocations
          • Re-initializes on boot
      • Storage RAM
          • Analogous to disk storage in desktops
          • Retains data on boot
  • Memory Storage
      • In chunks called Records
      • Records are grouped in DBs

9
Palm OS contd..
  • PFF (Palm File Format)
      • Palm DB
          • Application data (contact lists etc)
          • User specific data
      • Palm Resources
          • Application code
          • UI objects
      • Palm Query Application
          • www content
  • Palm Universal Connector system
      • Allows GPS connectors, wireless modems, keyboards
        etc.
      • Interact with the device via USB port
  • Palm Expansion card slots
      • Allows
          • Multi-media cards (MMC)
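
Slides 8 and 9 describe Palm storage as records grouped into databases (Palm DB). The sketch below is an added example, not part of the original presentation or of any tool it names: it parses an acquired Palm database image read-only, lists its records and hashes each one. It assumes the publicly documented .pdb header and record-list layout; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct
from datetime import datetime, timedelta

HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")  # 78-byte header, public .pdb layout (assumed)
ENTRY = struct.Struct(">IB3s")                 # data offset, attributes, unique ID
PALM_EPOCH = datetime(1904, 1, 1)              # Palm timestamps count seconds from here


def parse_pdb(image: bytes) -> dict:
    """Read-only parse of an acquired Palm DB: header fields plus a hash per record."""
    if len(image) < HEADER.size:
        raise ValueError("shorter than the 78-byte header")
    *f, count = HEADER.unpack_from(image)
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(image):
        raise ValueError("record list runs past end of image (truncated acquisition?)")
    entries = [ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size) for i in range(count)]
    bounds = [e[0] for e in entries] + [len(image)]  # a record ends where the next begins
    records = []
    for i, (start, attrs, uid) in enumerate(entries):
        end = bounds[i + 1]
        if not table_end <= start <= end <= len(image):
            raise ValueError(f"record {i}: offset outside image")
        records.append({"uid": int.from_bytes(uid, "big"),
                        "deleted": bool(attrs & 0x80),  # delete flag set on the record
                        "secret": bool(attrs & 0x10),   # marked private by the user
                        "size": end - start,
                        "sha256": hashlib.sha256(image[start:end]).hexdigest()})
    return {"name": f[0].split(b"\0")[0].decode("latin-1"),
            "type": f[9].decode("latin-1"), "creator": f[10].decode("latin-1"),
            "created": PALM_EPOCH + timedelta(seconds=f[3]),
            "image_sha256": hashlib.sha256(image).hexdigest(),
            "records": records}


def build_sample() -> bytes:
    """Constructed two-record database, not data from any real device."""
    payloads = [b"Alice\x00555-0100\x00", b"Bob\x00555-0101\x00"]
    start = HEADER.size + len(payloads) * ENTRY.size + 2  # 2 pad bytes after the list
    header = HEADER.pack(b"AddressDB", 0x0008, 1, 3_000_000_000, 3_000_000_000,
                         0, 0, 0, 0, b"DATA", b"addr", 0, 0, len(payloads))
    table = ENTRY.pack(start, 0x10, b"\x00\x00\x01")
    table += ENTRY.pack(start + len(payloads[0]), 0x80, b"\x00\x00\x02")
    return header + table + b"\0\0" + b"".join(payloads)


if __name__ == "__main__":
    print(parse_pdb(build_sample()))
```

The per-record hashes let an examiner show that a cited record is unchanged between acquisition and report, and the bounds checks flag a truncated or malformed image instead of silently reading past it.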

10
Pocket PC
  • Features
      • More processing and networking capabilities
      • Microsoft entered the market with WinCE OS
      • WinCE added functionality Pocket PC
  • Microprocessor
      • XScale
      • ARM
      • SHx
  • WinCE Registry
      • Stores data of Applications, Drivers, Sys Config,
        User Preferences etc.

11
Pocket PC contd..
  • 4 types of Memory
  • RAM
  • Expansion RAM
  • ROM
  • Persistent Storage

12
Pocket PC contd..
  • Additional Security Features
  • Power-ON Password
      • 4 digit numeric to 29 char long
  • Time-out
      • To lock the device after a period of inactivity
  • Finger Print Biometric

13
PDA Generic States
  • Nascent State
  • Active State
  • Quiescent State
  • Semi-Active State

14
Forensic Considerations
  • What to Report
      • Make, Model, Colour, Condition, Serial Number
      • IMEI number, SIM card number (if applicable)
      • Hardware/software used
      • Data recovered
  • Where to look for data
      • Depends on PDA model; identify characteristics
        first
      • Calendar
      • Internet cache, settings
      • Text, Audio, Video
      • Messages sent/received
      • Call logs, Phone-book
      • Hex dump, file system

15
Forensic Considerations contd..
  • Left ON or OFF??
      • Depends on the case at hand and the device
      • If left ON
          • Isolate the device from network
          • Battery will drain more quickly if the device
            searches for network.
      • If turned OFF
          • PDA may be password protected
          • May lose some useful information in the Dynamic
            RAM
  • Look around..
      • Take charger and data cable (if applicable)
      • Look for manuals, PDA documentation

16
Forensic Tools for PDAs
  • PDA Seizure
      • Palm OS and Pocket PC
          • Acquisition
          • Analysis
          • Reporting
  • EnCase
      • Palm OS
          • Acquisition
          • Analysis
          • Reporting
      • Linux PDA
          • Analysis and reporting
  • Pdd (acquisition)
  • Pilot-Link (acquisition)
  • POSE (Examination and reporting)
  • Dd (Acquisition for Linux PDA)

17
PDA Seizure
  • PDA Seizure
      • Commercially available forensic software toolkit
  • Used for
      • Palm OS
      • Pocket PC (PPC)
  • Features
      • Acquire Forensic Image
      • Perform examiner-defined searches
      • Generate hash values
      • Generate a report of findings
      • Book-marking to organize information
      • Graphic library to assemble found images
  • 60 day free trial can be downloaded from
      • http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html

18
PDA Seizure Demo version
19
PDA Seizure Demo version
20
PDA Seizure Demo version
  • Palm OS emulator
  • New emulator session
  • Previous session
  • Download a ROM image from Palm OS device
  • Leave the Palm OS Emulator

21
PDA Seizure Data snapshot
22
Where else to look..
  • Peripheral devices
      • May contain more useful information than the
        actual device
      • Attachments/ Accessories, hardware or software
        and their manuals

23
Traps
  • Removing the logo from the device
  • Changing the logo
  • Running another OS on top of the original

24
Questions??
  • Thank you
  • for your interest and time!!

25
References
  • http://csrc.nist.gov
  • Nebraska CERT Conference 2007
  • http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html