Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 5: Data, PDA, and Cell Phone Forensics
© Pearson Education Computer Forensics: Principles and Practices 2 Objectives Recognize and identify types of drives and media storage devices Describe PDA and cellular phone technologies Explain techniques for acquiring and analyzing data from hard drives and other storage media
© Pearson Education Computer Forensics: Principles and Practices 3 Objectives (Cont.) Describe techniques for acquiring and analyzing data from PDAs and cellular phones List and describe tools that can be used to analyze disk images, PDA data, and cellular phone data
© Pearson Education Computer Forensics: Principles and Practices 4 Introduction It is important to understand how the technology works in order to properly gather evidence from the different media devices. This chapter gives you the requisite understanding and then the tools to help in gathering the evidence from those devices.
© Pearson Education Computer Forensics: Principles and Practices 5 Basic Hard Drive Technology Composition of hard drives Platters Heads Cylinders Sectors Locating hard drive geometry information Information on label on hard drive contains drive geometry
Internal Hard Disk Details © Pearson Education Computer Forensics: Principles and Practices
Disk Geometry Details © Pearson Education Computer Forensics: Principles and Practices 7
Disk Geometry Details © Pearson Education Computer Forensics: Principles and Practices 8
9 Basic Hard Drive Technology (Cont.) Hard drive standards ATA (advanced technology attachment) ATAPI (advanced technology attachment programmable interface) EIDE IDE (integrated drive electronics) PIO (programmable input/output) UDMA (ultra direct memory access) ATA speed rating SATA (serial advanced technology attachment)
© Pearson Education Computer Forensics: Principles and Practices 10 Other Storage Technologies Floppy disks Tape drive technologies QIC, DAT, DLT ZIP and other high-capacity drives Optical media structures Single session vs. multisession CDs DVDs USB Flash drives
© Pearson Education Computer Forensics: Principles and Practices 11 Personal Digital Assistant Devices (PDAs) Five major PDA operating systems: BlackBerry Open Embedded (Linux) PalmSource (Palm OS) Symbian (Psion) Windows Mobile (Pocket PC)
© Pearson Education Computer Forensics: Principles and Practices 12 Cellular Phones PDA functionality Text messaging SMS, EMS, MMS, IM Single photo and/or movie video capable Phonebook Call logs Subscriber identity module Global positioning systems Video streaming Audio players New phones are low-end computers with the following capabilities:
© Pearson Education Computer Forensics: Principles and Practices 13 Drive and Media Analysis Acquiring data from hard drives Bit-stream transfer Disk-to-disk imaging
© Pearson Education Computer Forensics: Principles and Practices 14 Drive and Media Analysis (Cont.) Acquiring data from removable media Document the scene Use static-proof container and label container with Type of media Where media was found Type of reader required for the media Transport directly to lab Do not leave any media in a hot vehicle or environment Store media in a secure and organized area
© Pearson Education Computer Forensics: Principles and Practices 15 Drive and Media Analysis (Cont.) Acquiring data from removable media (cont.) Once at the lab, make a working copy of the drive Make sure the media is write-protected Make a hash of the original drive and the duplicate Make a copy of the duplicate to work from Store the original media in a secure location
© Pearson Education Computer Forensics: Principles and Practices 16 Drive and Media Analysis (Cont.) Acquiring data from USB flash drives Write protect the drive Software may be needed to write protect Essentially recognized much like a regular hard drive by the operating system
© Pearson Education Computer Forensics: Principles and Practices 17 In Practice: PDA-Configured iPod Reveals Employee Theft Review of bank fees revealed that Joe had been skimming money Suspicion fell on iPod that Joe had on his desk every day iPod had been partitioned to hold both data and music
© Pearson Education Computer Forensics: Principles and Practices 18 PDA Analysis Guidelines for seizing PDAs: If already off, do not turn it on Seal in an envelope before putting it in an evidence bag to restrict access Attach the power adapter through the evidence bag to maintain the charge Keep active state if PDA is on when found
© Pearson Education Computer Forensics: Principles and Practices 19 PDA Analysis (Cont.) Guidelines for seizing PDAs (cont.) : Search should be conducted for associated memory devices Any power leads, cables, or cradles relating to the PDA should also be seized, as well as manuals Anyone handling PDAs before their examination should treat them in such a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings
© Pearson Education Computer Forensics: Principles and Practices 20 PDA Chain of Custody Documentation of the chain of custody should answer the following: Who collected the device, media, and associated peripherals? How was the e-evidence collected and where was it located? Who took possession of it? How was it stored and protected while in storage? Who took it out of storage and why?
© Pearson Education Computer Forensics: Principles and Practices 21 Secured PDA Device Ask the suspect what the password is Contact the manufacturer for backdoors or other useful information Search the Internet for known exploits for either a password crack or an exploit that goes around the password Call in PDA professional who specializes in data recovery
© Pearson Education Computer Forensics: Principles and Practices 22 Cellular Phone Analysis Determine which forensic software package will work with the suspect cellular phone Ascertain the connection method Some devices need to have certain protocols in place before acquisition begins Physically connect the cellular phone and the forensic workstation using the appropriate interface
© Pearson Education Computer Forensics: Principles and Practices 23 Cellular Phone Analysis (Cont.) Before proceeding, make sure all equipment and basic data are in place Most software packages are GUI based and provide a wizard Once connected, follow the procedures to obtain a bit-stream copy Search for evidence and generate reports detailing findings
© Pearson Education Computer Forensics: Principles and Practices 24 Disk Image Forensic Tools Guidance software Paraben ® software FTK™ Logicube
© Pearson Education Computer Forensics: Principles and Practices 25 PDA/Cellular Phone Forensic Software Tools for examining PDAs EnCase and Palm OS software PDA Seizure Palm dd (pdd) POSE (Palm OS Emulator) PDA memory cards
© Pearson Education Computer Forensics: Principles and Practices 26 PDA/Cellular Phone Forensic Software (Cont.) Tools for examining cellular phones Bit PM Cell Seizure Oxygen PM Pilot-link Forensic SIM SIMCon SIMIS
© Pearson Education Computer Forensics: Principles and Practices 27 PDA/Cellular Phone Forensic Software (Cont.) Tools for examining both PDAs and cellular phones Paraben software Logicube
© Pearson Education Computer Forensics: Principles and Practices 28 Summary You are most likely to encounter media devices such as: Hard drives Optical media (CDs) USB drives PDAs Cellular phones
© Pearson Education Computer Forensics: Principles and Practices 29 Summary (Cont.) You learned how data is stored on these devices and methods for acquiring the data General guidelines for data acquisition are the same for most devices There are also specific guidelines depending on the type of device
© Pearson Education Computer Forensics: Principles and Practices 30 Summary (Cont.) Guidance, Paraben, AccessData, and Logicube are suppliers of forensic software Some software is specific to PDAs Some can be used for several different types of data