PDA%20Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

PDA%20Forensics

Description:

PDA Forensics Presented by: Yusra Shams – PowerPoint PPT presentation

Number of Views:179
Avg rating:3.0/5.0
Slides: 26
Provided by: yus88
Category:

less

Transcript and Presenter's Notes

Title: PDA%20Forensics


1
PDA Forensics
  • Presented by
  • Yusra Shams

2
Agenda
  • Purpose
  • Challenges
  • Generic structure of PDA
  • Common Operating Systems
  • Where to look for data
  • Tools available

3
Purpose
  • PDAs are a relatively recent sensation
  • Widely used to cope up with busy schedules
  • Contains personal and business information and
    happenings
  • Portable
  • Individuals carry it all the time and record
    important stuff and stay connected.
  • Higher probability of finding some useful
    information
  • PDAs are of high interest for investigators

4
Challenges
  • PDA technology and design is rapidly evolving.
  • Forensic experts should be up to date with
  • New software technologies
  • New Hardware designs
  • Peripheral devices

5
PDA Structure/Hardware
  • Microprocessor
  • Read only memory (ROM)?
  • Holds Operating System for the device
  • Varieties include Flash ROM, which can be erased
    and reprogrammed with OS updates
  • Random access memory (RAM)?
  • Contains user data
  • Kept active by batteries
  • Data lost when powered off
  • Interface/ variety of hardware keys
  • Touch sensitive, liquid crystal display
  • Image source http//electronics.howstuffworks.com
    /gadgets/travel/pda4.htm

6
PDA Structure/Hardware contd..
  • Additional Features
  • Wireless
  • IrDA, Bluetooth
  • Card Slots
  • SD/ MMD slot, Compact Flash(CF) slot etc
  • Expansions
  • accessories
  • Battery
  • Removable, rechargeable batteries


7
PDA - Softwares/OS
  • Palm OS
  • Pocket PC
  • Linux


8
Palm OS
  • Microprocessor
  • StrongArm or XScale
  • Battery
  • Older models Alkaline battery
  • Recent models - Lithium ion battery
  • ROM
  • Stores OS and built in applications
  • RAM
  • Application user data
  • Dynamic RAM
  • Working space for temp. allocations
  • Re-initializes on boot
  • Storage RAM
  • Analogous to disk storage in desktops
  • Retains data on boot
  • Memory Storage
  • In chunks called Records
  • Records are grouped in DBs

9
Palm OS contd..
  • PFF (Palm File Format)
  • Palm DB
  • Application data (contact lists etc)
  • User specific data
  • Palm Resources
  • Application code
  • UI objects
  • Palm Query Application
  • www content
  • Palm Universal Connector system
  • Allows GPS connectors, wireless modems, keyboards
    etc.
  • Interact with the device via USB port
  • Palm Expansion card slots
  • Allows
  • Multi-media cards (MMC)

10
Pocket PC
  • Features
  • More processing and networking capabilities
  • Microsoft entered the market with WinCE OS
  • WinCE added functionality Pocket PC
  • Microprocessor
  • XScale
  • ARM
  • SHx
  • WinCE Registry
  • Stores data of Applications, Drivers, Sys Config,
    User Preferences etc.

11
Pocket PC contd..
  • 4 types of Memory
  • RAM
  • Expansion RAM
  • ROM
  • Persistent Storage

12
Pocket PC contd..
  • Additional Security Features
  • Power-ON Password
  • 4 digit numeric to 29 char long
  • Time-out
  • To lock the device after a period of inactivity
  • Finger Print Biometric

13
PDA Generic States
  • Nascent State
  • Active State
  • Quiescent State
  • Semi-Active State

14
Forensic Considerations
  • What to Report
  • Make, Model, Colour, Condition, Serial Number
  • IMEI number, SIM card number (if applicable)?
  • Hardware/software used
  • Data recovered
  • Where to look for data
  • Depends on PDA model, Identify characteristics
    first
  • Calendar
  • Internet cache, settings
  • Text, Audio, Video
  • Messages sent/received
  • Call logs, Phone-book
  • Hex dump, file system

15
Forensic Considerations contd..
  • Left ON or OFF??
  • Depends on the case at hand and the device
  • If left ON
  • Isolate the device from network
  • Battery will drain more quickly if the device
    searches for network.
  • If turned OFF
  • PDA may be password protected
  • May lose some useful information in the Dynamic
    RAM
  • Look around..
  • Take charger and data cable (if applicable)?
  • Look for manuals, PDA documentations

16
Forensic Tools for PDAs
  • PDA Seizure
  • Palm OS and Pocket PC
  • Acquisition
  • Analysis
  • Reporting
  • EnCase
  • Palm OS
  • Acquisition
  • Analysis
  • Reporting
  • Linux PDA
  • Analysis and reporting
  • Pdd (acquisition)?
  • Pilot-Link (acquisition)?
  • POSE (Examination and reporting)?
  • Dd (Acquisition for Linux PDA)?

17
PDA Seizure
  • PDA Seizure
  • Commercially available forensic software toolkit
  • Used for
  • Palm OS
  • Pocket PC (PPC)?
  • Features
  • Acquire Forensic Image
  • Perform examiner-defined searches
  • Generate hash values
  • Generate a report of findings
  • Book-marking to organize information
  • Graphic library to assemble found images
  • 60 day free trial can be downloaded from
  • http//www.softpedia.com/progDownload/PDA-Seizure-
    Download-19201.html

18
PDA Seizure Demo version
19
PDA Seizure Demo version
20
PDA Seizure Demo version
  • Palm OS emulator
  • New emulator session
  • Previous session
  • Download a ROM image from Palm OS device
  • Leave the Palm OS Emulator

21
PDA Seizure Data snapshot
22
Where else to look..
  • Peripheral devices
  • May contain more useful information than the
    actual device
  • Attachments/ Accessories, hardware or software
    and their manuals

23
Traps
  • Removing the logo from the device
  • Changing the logo
  • Running another OS on top of the original

24
Questions??
  • Thank you
  • for your interest and time!!

25
References
  • http//csrc.nist.gov
  • Nebraska CERT Conference 2007
  • http//www.softpedia.com/progDownload/PDA-Seizure-
    Download-19201.html
Write a Comment
User Comments (0)
About PowerShow.com