Digital Forensics and Hand Held Devices Robert Trimble COSC 480 2-12-2007.


1 Digital Forensics and Hand Held Devices Robert Trimble COSC 480 2-12-2007

2 Road Map
- Introduction
- PDA Forensics
- IPod Forensics
- Tracking by Cell Phones
- Legal Requirements
- Conclusion
- Discussion

3 Introduction
- The science of applying technologies to legal questions.
- 90% of all data created today is in electronic format.
- Consists of mining
  - Hardware
  - Software
- It is estimated that 85% of all crimes committed contain a digital signature.
- With new technology such as cell phones, PDAs, and MP3 players, criminal activity is not limited to a computer or network.

4 PDA Forensics
- Still in the infant stage
- Few tools limited to popular items
- Problems
  - Two consecutive scans would be different
  - Frequent garbage collection and memory organization
  - Power Requirements
  - No standardization
- Return to company for analysis

5 Music Player Forensics
- Very popular in today's society
- Holds Data as well as Music
- Can also be used to load additional OS
  - Linux
  - “Live CD”
  - Boot Disk

6 IPOD Features
- GB Data Storage
- Stored Data
  - Music
  - Data
  - Voice
  - Video
- Calendar
- Contacts

7 IPOD Forensics
- File Structure
  - Apple HFS+
  - Windows FAT32
- VCard format for contacts and Calendar
- Music
  - MP3
  - AAC
  - others

8 IPOD Forensics (cont)
- When found at crime scene:
  - Document location
  - Determine Connectivity
  - What format
  - Possible Trap
- Storage is same as other components
- Power Concerns

9 Testing and Results
- Testing
  - Tests done with both file formats
  - Full system restore tests as well
- Results
  - EnCase
  - Full System Restore ≠ Erased Completely
  - Initialization record
  - HFS+: .trashes, .trashes/501
  - FAT32 deletion
  - .trashes evidence corruption

10 Cell Phone Forensics
- SIM Card
- Cell phones can track people’s location
- When a cell phone is turned on
  - Constant scanning
  - Tower routes
  - Triangulation
  - GPS
- Data is collected and stored by phone provider

11 Cell Phone Forensics (cont)
- In at least three cases, the government was unsuccessful in acquiring data
- Successful attempts unknown.
- Records sealed.
- Phone companies cooperate and are treated as ISPs

12 Legal Requirements
- Pen Register
  - Record of calls
  - Time of each call
  - Duration
- Requirements
  - No expectation of privacy
  - Certification records are relevant

13 Legal Requirements (cont)
- Communication and Subscriber records
  - SMS
  - E-mail
  - Customer information from account
- Requirements
  - Minimal explanation that records are relevant
  - Transmissions not in route or at destination

14 Legal Requirements (cont)
- Tracking Devices
  - Location of people
  - Location of things
    - Car
    - Boat
- Requirements
  - Show that this would likely reveal a crime
  - Target unaware

15 Legal Requirements (cont)
- Full interception of transmissions
  - Includes details from previous three
  - Voice
  - Electronic
- Requirements
  - Probable cause
  - Executive Order

16 Conclusion
- Criminal activity with hand held devices is increasing.
- PDA forensics is still young and poses complications
- IPod forensics is a necessary part of each investigation
- Cell Phones = No Privacy
  - WE KNOW WHERE YOU ARE.
  - WE KNOW WHO YOU CALLED LAST SUMMER.

17 Discussion

18 Discussion question: Open source digital forensic software; can it be trusted?

19 Discussion question: Should the government have that much power in tracking a cell phone?

