pda forensics

PDA FORENSICS. Presented by: MEGHANA J (01FM15ECS020), M.Tech 3rd Sem. Under guidance of: Dr. SANCHIKA GUPTA

Upload: pes-university-bangalore

Post on 20-Feb-2017


TRANSCRIPT

Page 1: pda forensics

PDA FORENSICS

PRESENTED BY: MEGHANA J, 01FM15ECS020, M.TECH 3RD SEM

UNDER GUIDANCE OF: Dr. SANCHIKA GUPTA

Page 2: pda forensics

Agenda

1) Introduction

2) Components of PDA

3) Operating Systems

4) PDAs Generic States

5) Steps in forensic investigation of PDA

6) Forensic Considerations

7) Security Issues

8) PDA Forensic Tools

9) Tool- Device Seizure

10) References

Page 3: pda forensics

INTRODUCTION

PDA: Short for personal digital assistant, this is the name given to small handheld devices that combine computing, telephone/fax, Internet and networking features.

A typical PDA can function as a cellular phone, fax sender, Web browser and personal organizer.

Used for communication, computation, and information storage and retrieval for both personal and business applications.

Contains personal and business information and happenings. Most PDAs include a small keyboard, although many newer devices instead have an electronic touch-sensitive liquid crystal pad that can receive handwriting as input.

Page 4: pda forensics

PDA devices are available in many configurations, with various features.

The list of available devices and models changes frequently as the technology improves:

• Psion
• Apple Newton
• Blackberry
• Hp iPAQ Pocket PC
• Hp Jornada Pocket PC
• Palm Pilot
• Tungsten
• LifeDrive
• Treo
• Zire
• Sharp Wizard
• Zaurus
• Sony CLIE
• Tapwave Zodiac
• AlphaSmart Dana
• Dell Axim
• GMate Yopy
• Fujitsu Siemens Loox
• PocketMail


Page 5: pda forensics

Common PDA features include:

• Note taking
• Calculator
• Clock
• Calendar
• Address book
• Spreadsheets
• E-mail and Internet access
• Video and audio recording
• Bluetooth and WiFi
• Radio and music players
• Games
• GPS (Global Positioning System)

Information Stored in PDAs: PDA devices store the following types of information:

• Business and personal notes
• Business and personal contacts
• Documents
• Passwords
• E-mails
• Bank records
• Company information
• Images and videos

Because PDAs are used to store sensitive and confidential information, care should be taken to protect them.

Page 6: pda forensics

PDAs can be synchronized with desktop and notebook computers for data exchange. Synchronization updates data on both systems to reflect the most recent additions and changes to their shared databases. This prevents data loss if the device is lost, stolen, or destroyed.

PDAs are usually synchronized with the PC by using synchronization software bundled with the handheld, such as HotSync Manager with Palm OS handhelds and Microsoft ActiveSync with Windows Mobile handhelds.

Portable: individuals carry it all the time, record important information on it and stay connected, so there is a higher probability of finding some useful information on it.

PDAs are therefore of high interest to investigators.

Page 7: pda forensics

COMPONENTS OF PDA:

• Microprocessor
• Read only memory (ROM): holds the operating system for the device. Varieties include Flash ROM, which can be erased and reprogrammed with OS updates.
• Random access memory (RAM): contains user data; kept active by batteries; data is lost when powered off.
• Hardware keys and other user interfaces
• Liquid crystal display, sometimes touch sensitive

Page 8: pda forensics

Additionally:

• WiFi, Bluetooth
• Card slots: SD/MMC slot, Compact Flash (CF) slot, etc.
• Expansion slots
• Battery: removable, rechargeable batteries

Page 9: pda forensics

OPERATING SYSTEMS

PALM OS: Palm OS is a compact operating system developed and licensed by PalmSource, Inc.

• It is designed to be easy to use and similar in concept to desktop operating systems such as MS Windows.

Windows Mobile 5.0: Windows Mobile 5.0 marks the convergence of the Phone Edition and Professional Edition operating systems into one system that contains both phone and PDA capabilities. Windows Mobile 5.0 is compatible with Microsoft's Smartphone operating system and is capable of running Smartphone applications.

Blackberry: RIM develops its own software for its devices, using C++ and Java technology.

Page 10: pda forensics

PDA GENERIC STATES

PDAs are always in one of four distinct states:

• Nascent State
• Active State
• Quiescent State
• Semi-Active State

Page 11: pda forensics

I. Nascent state: The first state of the device when it is received from the manufacturer is the nascent state. In this state, devices do not have any user data, only factory configuration settings. The device returns to the nascent state after a hard reset or battery drain.

II. Active state: In this state, devices are powered on and perform different tasks. Devices can be customized by the user and contain user data. Devices can be turned back to active state by performing a soft reset operation.

Page 12: pda forensics

III. Quiescent state: This is the sleep mode of the device, which conserves battery power to maintain the user's data and perform other background activities. The device can be returned to the quiescent state by pressing the power button in the active state.

IV. Semi-active state: This state is partway between active and quiescent. The device usually is sent into this state by a timer. The timer is triggered when the device becomes inactive for some period, and the semi-active state allows battery life to be preserved by dimming the display and taking other appropriate actions. The semi-active state becomes active when a screen tap, button press, or soft reset occurs.

Devices not supporting the semi-active state go straight from the active state to the quiescent state after a certain period of inactivity. If the device is off, then it is considered to be in the quiescent state.
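The four states and the transitions described above, written out as a small state machine so the forensic consequence is explicit: user data lives in battery-backed RAM and survives every transition except the ones that return the device to the nascent state. This is an added example, not code from the slides; the class, method and event names are my own assumptions.

```python
from dataclasses import dataclass, field

# The four generic states named on the slides.
NASCENT, ACTIVE, SEMI_ACTIVE, QUIESCENT = "nascent", "active", "semi-active", "quiescent"


@dataclass
class Pda:
    """Toy PDA model (hypothetical). User data lives in battery-backed RAM, so it
    survives every transition except the ones that return the device to nascent."""
    supports_semi_active: bool = True
    state: str = NASCENT            # fresh from the manufacturer
    user_data: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _go(self, new_state, event):
        self.log.append(f"{self.state} --{event}--> {new_state}")
        self.state = new_state
        return new_state

    def store(self, key, value):
        # Only an active device accepts user data.
        if self.state != ACTIVE:
            raise RuntimeError("device must be active to accept user data")
        self.user_data[key] = value

    def power_button(self):
        # Active/semi-active -> quiescent (sleep); quiescent or nascent -> active.
        if self.state in (ACTIVE, SEMI_ACTIVE):
            return self._go(QUIESCENT, "power button")
        return self._go(ACTIVE, "power button")

    def inactivity_timer(self):
        # Timer fires: semi-active if supported, else straight to quiescent; a second timeout sleeps.
        if self.state == ACTIVE:
            return self._go(SEMI_ACTIVE if self.supports_semi_active else QUIESCENT, "timer")
        if self.state == SEMI_ACTIVE:
            return self._go(QUIESCENT, "timer")
        return self.state

    def screen_tap(self):
        # A tap or key press wakes a semi-active device; it changes nothing elsewhere.
        return self._go(ACTIVE, "screen tap") if self.state == SEMI_ACTIVE else self.state

    def soft_reset(self):
        return self._go(ACTIVE, "soft reset")   # RAM, and so user data, is kept

    def hard_reset_or_battery_drain(self):
        # Back to factory settings: the user data the examiner wanted is gone.
        self.user_data.clear()
        return self._go(NASCENT, "hard reset / battery drain")
```

The `log` list records every transition, which is the kind of state history the documentation step later asks the examiner to write down.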

Page 13: pda forensics

STEPS IN FORENSIC INVESTIGATION OF PDA

1. Identification
2. Collection
3. Examination
4. Documentation

STEP 1: IDENTIFICATION

We start the process by identifying the type of device we are investigating.

Identify the operating system that the device is using.

Page 14: pda forensics

STEP 2: COLLECTION

Evidence may reside on a multitude of storage devices, such as SD cards, micro-drives and universal serial bus (USB) tokens.

The information collected can be both volatile and dynamic; we give volatile information priority while collecting evidence.

Reason: anything that is classified as volatile information will not survive if the machine is powered off or reset.

Once the information has been captured, it is imperative that the PDA be placed into an evidence bag and maintained on stable power support throughout.

After acquiring the evidence, you must create an exact image to preserve the crime scene. Once the image has been acquired, it is time to examine the evidence.

Page 15: pda forensics

STEP 3: EXAMINATION

• In the examination step of PDA forensics, we first need to understand the potential sources of evidence. A source can be another device, or any peripheral device that the device being examined has come into contact with.

• Peripheral devices may contain more useful information than the actual device.

• Attachments/accessories, hardware or software, and their manuals.

• In addition to these sources, you should also investigate any device that has synchronized with the PDA you are examining.

Page 16: pda forensics

STEP 4: Documentation

• As with any component in the forensic process, it is critical that we maintain our documentation and "chain of custody."

• As we collect our information and potential evidence, we need to record all visible data.

• Our records must document the case number, and the date and time it was collected.

• Additionally, the entire investigation area needs to be photographed. This includes any devices that can be connected to the PDA, or currently are connected to the PDA.

• Another part of the documentation process is to generate a report that consists of the detailed information that describes the entire forensic process that you are performing.

• Within this report you need to annotate the state and status of the device in question during your collection process.

• The final step of the collection process consists of accumulating all the information and storing it in a secure and safe location.

Page 17: pda forensics

FORENSIC CONSIDERATIONS

What to Report

o Make, Model, Colour, Condition, Serial Number

o IMEI number, SIM card number (if applicable)

o Hardware/software used

o Data recovered

Where to look for data

o Depends on PDA model, Identify characteristics first

o Calendar

o Internet cache, settings

o Text, Audio, Video

o Messages sent/received

o Call logs, Phone-book
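Steps 2 and 4 above and the "What to report" list, carried through in code: a dd-style block-by-block copy of a captured memory dump, an independent hash check that the image is bit-for-bit identical to what was read, and a collection record holding the fields the slides ask for. This is an added example, not code from the slides, Paraben or pdd; the function names, the choice of SHA-256 and the sample dump are my own assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK = 4096  # copy one block at a time, the way dd does


def image_device(src, dst, block=BLOCK):
    """Bit-for-bit copy of a readable source into a writable destination.
    Returns (bytes copied, SHA-256 of everything that was read)."""
    digest, copied = hashlib.sha256(), 0
    while True:
        chunk = src.read(block)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        copied += len(chunk)
    return copied, digest.hexdigest()


def verify_image(image_bytes, expected_sha256):
    """Re-hash the written image independently; any mismatch means the copy is not exact."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def collection_record(case_number, device, tool, examiner, size, sha256, when=None):
    """The fields the slides say to report: case number, date/time, make/model/serial,
    hardware/software used and what was recovered (here: the image and its hash)."""
    when = when or datetime.now(timezone.utc)
    return {"case_number": case_number, "collected_at": when.isoformat(),
            "device": device, "tool": tool, "examiner": examiner,
            "image_size_bytes": size, "image_sha256": sha256}


def acquire(case_number, device, source_bytes, tool, examiner, when=None):
    """Image a captured dump (wrapped as a stream so the same loop works on a real file),
    verify it, and return (image bytes, record). Refuses an image whose hash does not match."""
    dst = io.BytesIO()
    size, sha256 = image_device(io.BytesIO(source_bytes), dst)
    image = dst.getvalue()
    if not verify_image(image, sha256):
        raise RuntimeError("image hash mismatch: acquisition is not bit-for-bit")
    return image, collection_record(case_number, device, tool, examiner, size, sha256, when)


# Constructed 10 KiB sample "RAM dump"; not data from any real device.
SAMPLE_RAM = bytes(range(256)) * 40

if __name__ == "__main__":
    device = {"make": "Palm", "model": "Tungsten", "serial": "SN-PLACEHOLDER"}
    image, record = acquire("CASE-0001", device, SAMPLE_RAM, "pdd (hypothetical run)", "examiner")
    print(record)
```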

Page 18: pda forensics

FORENSIC CONSIDERATIONS CONTD..

Left ON or OFF?

o Depends on the case at hand and the device
o If left ON:
  o Isolate the device from the network
  o The battery will drain more quickly if the device searches for a network
o If turned OFF:
  o The PDA may be password protected
  o Some useful information in the dynamic RAM may be lost

Look around:

o Take the charger and data cable (if applicable)
o Look for manuals and PDA documentation

Page 19: pda forensics

PDA SECURITY ISSUES

• Password theft
• Wireless vulnerabilities
• Device theft

The major security issue with the PDA is the theft of the device itself.

The best precaution to overcome this threat is by securing the data on the device in standalone mode (a mode in which the device is not connected to a wireless service provider).

Wireless vulnerabilities: PDAs that use wireless services or wireless ports are also vulnerable to wireless attacks. The best solution to protect PDAs from wireless attacks is to install a VPN client on the PDA and encrypt the connection.

Password theft: It can be reduced by using a lengthy secure password containing alphanumeric characters and symbols in order to make it more difficult to crack.

Page 20: pda forensics

PDA FORENSIC TOOLS

Though an investigator can browse the contents of the device using its user interface to obtain evidence, the approach is highly impractical and problematic, and should be used only as a last resort.

A number of specialized tools are available for PDA forensic examinations:

o Device Seizure
o EnCase
o Palm dd
o Pilot-link
o Palm OS Emulator (POSE)
o Duplicate Disk (dd)

Page 21: pda forensics

PDA FORENSIC TOOLS

Device Seizure: A Paraben product that supports forensic acquisition, examination, and analysis of PDA devices for the Palm, Windows CE, and Blackberry operating systems.

• It provides capture and reporting of data. It performs a two-step acquisition of the PDA device: all files in their original structure and memory, then card acquisition.

Palm dd (pdd): A Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs.

• pdd preserves the crime scene by obtaining a bit-for-bit image or snapshot of the Palm device's memory contents.

Page 22: pda forensics

PDA FORENSIC TOOLS

Palm OS Emulator (POSE): The Palm OS Emulator is software that emulates the hardware of various models of Palm powered handhelds, making it a valuable tool for writing, testing, and debugging applications.

• It allows a user to create virtual handheld devices on a PC.

Duplicate Disk (dd): A common UNIX program whose primary purpose is the low-level copying and conversion of files.

• Unlike the other tools described above, dd executes directly on the PDA device.

Page 24: pda forensics

DEVICE SEIZURE

Device Seizure: Complete forensic acquisition, examination & analysis of PDA devices.

Used for: the Palm and Windows operating systems.

FEATURES:

• Acquire forensic image
• Perform examiner-defined searches
• Generate hash values
• Generate a report of findings

Page 25: pda forensics

Depending on the device and the model, Device Seizure™ can access the following data:

• Phonebook (from the phone's memory and the SIM card)
• Call history, including received, dialed and missed calls
• Datebook, scheduler, and calendar
• Current text messages
• Deleted text messages
• To-do lists
• Pictures and videos
• Quick-notes
• RAM/ROM
• PDA databases
• E-mail
• Deleted data

Page 26: pda forensics

One of the features of Paraben PDA Seizure is that it can create a forensic image of the handheld, allow the investigator to conduct searches on the acquired data, and later generate a report of its findings.

PDA Seizure can acquire images of the RAM and/or ROM, and can also download individual databases in their entirety from Palm devices using the Palm OS Emulator.

Works on all types of Windows CE and Palm OS devices. Suited to law enforcement, corporate security, or anyone with an interest in computer forensics.

Page 27: pda forensics

PDA Seizure – Demo version

Page 28: pda forensics

PDA Seizure – Demo version

Page 29: pda forensics

REFERENCES

1. Sansurooah, Krishnun. "An overview and examination of digital PDA devices under forensics toolkits."

2. Jansen, Wayne, and Rick Ayers. "An overview and analysis of PDA forensic tools." National Institute of Standards and Technology (NIST).

3. Jansen, Wayne, and Rick Ayers. "Guidelines on PDA forensics." National Institute of Standards and Technology (NIST), Special Publication 800.
