Data, PDA and Cell Phone Forensics

2

Introduction

It is important to understand how the technology works in order to properly gather evidence from the different media devices.

This chapter gives you • the requisite understanding and • the tools to help in gathering the evidence from those devices.

CMOS Jumpers

3

4

Basic Hard Drive Technology

Composition of hard drives Platters (made of aluminum, ceramic or even glass. Heads (read/write heads- Every platter has two

heads to read/write both the top and bottom of platter)

Cylinders (Vertical grouping of tracks) Sectors

Locating hard drive geometry information Information on label on hard drive

contains drive geometry

Hard Drives

© Pearson Education Computer Forensics: Principles and Practices 5

Cylinders

© Pearson Education Computer Forensics: Principles and Practices 6

7

Basic Hard Drive Technology (Cont.) Hard drive standards

ATA (advanced technology attachment) (Standardizes everything from connections to hard drive speeds) (ATA 1-7)

ATAPI (advanced technology attachment programmable interface) (Allows devices other than hard drives such as compact disk or tape drives to use ATA connections).

E IDE (Allows up to four ATA devices) IDE (integrated drive electronics) (Supported only two drives) PIO (programmable input/output) (Used for transferring data

between hard drive and RAM ATA 1) UDMA (ultra direct memory access) (Transfer data between

hard drive and RAM for ATA2 to 5) ATA speed rating SATA (serial advanced technology attachment) (achieves

speeds up to 150MBps)

8

Other Storage Technologies

Floppy disks Tape drive technologies

QIC, DAT, DLT ZIP and other high-capacity drives

Optical media structures Single session vs. multisession CDs DVDs

USB Flash drives

9

Personal Digital Assistant Devices (PDAs) Seven major PDA operating systems:

BlackBerry Open Embedded (Linux) PalmSource (Palm OS) Symbian (Psion) Windows Mobile (Pocket PC) Apple iOS Android

10

Cellular Phones

PDA functionality Text messaging

SMS, EMS, MMS, IM Single photo and/or

movie video capable Phonebook Call logs

Subscriber identity module

Global positioning systems

Video streaming Audio players

New phones are low-end computers with the following capabilities:

11

Drive and Media Analysis

Acquiring data from hard drives Bit-stream transfer Disk-to-disk imaging

12

Drive and Media Analysis (Cont.)

Acquiring data from removable media Document the scene Use static-proof container and label container with

Type of media Where media was found Type of reader required for the media

Transport directly to lab Do not leave any media in a hot vehicle or

environment Store media in a secure and organized area

13

Drive and Media Analysis (Cont.)

Acquiring data from removable media (cont.) Once at the lab, make a working copy of the drive

Make sure the media is write-protected Make a hash to document of the original drive and the

duplicate Make a copy of the duplicate to work from Store the original media in a secure location

14

Drive and Media Analysis (Cont.)

Acquiring data from USB flash drives Write protect the drive Software may be needed to write protect Essentially recognized much like a regular hard

drive by the operating system

15

In Practice: PDA-Configured iPod Reveals Employee Theft Review of bank fees revealed that Joe had

been skimming money Suspicion fell on iPod that Joe had on his

desk every day iPod had been partitioned to hold both data

and music

16

PDA Analysis

Guidelines for seizing PDAs: If already off, do not turn it on Seal in an envelope before putting it in an

evidence bag to restrict access Attach the power adapter through the evidence

bag to maintain the charge Keep active state if PDA is on when found

17

PDA Analysis (Cont.)

Guidelines for seizing PDAs (cont.): Search should be conducted for associated

memory devices Any power leads, cables, or cradles relating to the

PDA should also be seized, as well as manuals Anyone handling PDAs before their examination

should treat them in such a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings

18

PDA Chain of Custody

Documentation of the chain of custody should answer the following: Who collected the device, media, and associated

peripherals? How was the e-evidence collected and where was

it located? Who took possession of it? How was it stored and protected while in storage? Who took it out of storage and why?

19

Secured PDA Device

Ask the suspect what the password is Contact the manufacturer for backdoors or

other useful information Search the Internet for known exploits for

either a password crack or an exploit that goes around the password

Call in PDA professional who specializes in data recovery

20

Cellular Phone Analysis

Determine which forensic software package will work with the suspect cellular phone

Ascertain the connection method Some devices need to have certain protocols

in place before acquisition begins Physically connect the cellular phone and the

forensic workstation using the appropriate interface

21

Cellular Phone Analysis (Cont.)

Before proceeding, make sure all equipment and basic data are in place

Most software packages are GUI based and provide a wizard

Once connected, follow the procedures to obtain a bit-stream copy

Search for evidence and generate reports detailing findings

22

Disk Image Forensic Tools

Guidance software Paraben® software FTK™ Logicube

23

PDA/Cellular Phone Forensic Software Tools for examining PDAs

EnCase and Palm OS software PDA Seizure Palm dd (pdd) POSE (Palm OS Emulator) PDA memory cards (sd-cf-ms)

24

PDA/Cellular Phone Forensic Software (Cont.)

Tools for examining cellular phones Bit PM CDMA Cable Cell Seizure GSM-TDMA-CDMA Cable Oxygen PM GSM Cable Pilot-link PALM OS Cable Forensic SIM External SIM acq. Cable SIMCon Ext. SIM acq. Ext. card reader SIMIS Ext. SIM acq. Ext. card reader

OxyGen PM Supports more than 2000 mobile device Extract

SIM card data, contacts list, caller groups, call logs, calendar events, etc.

Keyword and filter Devices used:

iPhone 4 (ver.4.2.1; jailbroken), iPhone 3G (ver.2.7; jailbroken), and HTC Evo

25

OxyGen PM Iphone

Provide easy and manageable way to view the entire file structure

View device information, images, attachments and previously deleted messages

HTC Not Recognized.

26

Others BitPIM (LG Env3)

Likewise OxyGen except for the SMS text messages

Cell Seizure (LG Env3, HTC DROID, RIM BlackBerry Bold 9700) Is able to extract all information from all the

phones, but costs more than 2K

27

28

PDA/Cellular Phone Forensic Software (Cont.) Tools for examining both PDAs and cellular

phones Paraben software Logicube

29

Summary

You are most likely to encounter media devices such as: Hard drives Optical media (CDs) USB drives PDAs Cellular phones

30

Summary (Cont.)

You learned how data is stored on these devices and methods for acquiring the data

General guidelines for data acquisition are the same for most devices

There are also specific guidelines depending on the type of device

31

Summary (Cont.)

Guidance, Paraben, AccessData, and Logicube are suppliers of forensic software Some software is specific to PDAs Some can be used for several different types of

data