
1 Data, PDA and Cell Phone Forensics

2 Introduction
It is important to understand how the technology works in order to properly gather evidence from the different media devices. This chapter gives you the requisite understanding, and the tools, to help in gathering the evidence from those devices.

3 CMOS Jumpers (figure slide)

4 Basic Hard Drive Technology
Composition of hard drives:
- Platters (made of aluminum, ceramic or even glass)
- Heads (read/write heads; every platter has two heads, one for the top surface and one for the bottom)
- Tracks (concentric rings on a platter surface)
- Cylinders (the vertical grouping of the same track across every platter surface)
- Sectors (the smallest addressable unit of a track, traditionally 512 bytes; newer drives use 4096-byte sectors)
Locating hard drive geometry information:
- The label on the hard drive states the drive geometry (cylinders, heads, sectors per track); the BIOS setup and the operating system report it as well
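Worked example added for this slide; it is not part of the original deck or the textbook. The geometry values, the sample partition entry and SECTOR_SIZE are constructed for illustration. It converts between the cylinder/head/sector addressing the slide describes and the logical block address an imaging tool actually uses (sectors in CHS are numbered from 1, cylinders and heads from 0), and, going one step beyond the slide, decodes the packed CHS fields of an MBR partition table entry, which is where an examiner meets these numbers on a real disk image.

```python
import struct

# Added example (not from the slide deck). Geometry values below are
# constructed for illustration; SECTOR_SIZE is the traditional 512 bytes.
SECTOR_SIZE = 512


def chs_to_lba(cyl, head, sector, heads, sectors_per_track):
    """Map a CHS address to a logical block address.
    Cylinders and heads count from 0; CHS sectors count from 1."""
    if not 0 <= head < heads:
        raise ValueError("head out of range for this geometry")
    if not 1 <= sector <= sectors_per_track:
        raise ValueError("CHS sectors are numbered from 1")
    return (cyl * heads + head) * sectors_per_track + (sector - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba for the same geometry."""
    cyl, rem = divmod(lba, heads * sectors_per_track)
    head, sec0 = divmod(rem, sectors_per_track)
    return cyl, head, sec0 + 1


def byte_offset(lba, sector_size=SECTOR_SIZE):
    """Where to seek in a bit-stream image to read a given sector."""
    return lba * sector_size


def decode_mbr_chs(raw):
    """Unpack the 3-byte CHS field of an MBR partition entry:
    byte 0 = head, byte 1 = cylinder bits 8-9 (top 2 bits) + sector (low 6 bits),
    byte 2 = cylinder bits 0-7."""
    if len(raw) != 3:
        raise ValueError("MBR CHS field is exactly 3 bytes")
    head = raw[0]
    sector = raw[1] & 0x3F
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return cyl, head, sector


def parse_partition_entry(entry):
    """Parse one 16-byte MBR partition table entry (little-endian fields)."""
    if len(entry) != 16:
        raise ValueError("partition entry is exactly 16 bytes")
    status, start_chs, ptype, end_chs, start_lba, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "start_chs": decode_mbr_chs(start_chs),
        "end_chs": decode_mbr_chs(end_chs),
        "start_lba": start_lba,
        "sector_count": sectors,
        "start_byte": byte_offset(start_lba),
    }


# Constructed sample entry: bootable, type 0x07, starts at CHS 0/1/1 and LBA 2048,
# 204800 sectors long. The end CHS field is saturated at 1023/254/63, which is how
# MBR marks anything past the 1024 x 255 x 63 (about 8.4 GB) BIOS CHS limit; the
# LBA fields must be used instead.
SAMPLE_ENTRY = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
                + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))

if __name__ == "__main__":
    geometry = (255, 63)            # heads, sectors per track: constructed
    print(parse_partition_entry(SAMPLE_ENTRY))
    print("CHS 0/1/1 ->", chs_to_lba(0, 1, 1, *geometry))
    print("LBA 2048 ->", lba_to_chs(2048, *geometry))
```

With the classic 255-head, 63-sector geometry, CHS 0/1/1 is LBA 63, the start of the first partition on older disks; modern partitioning starts at LBA 2048 for alignment, and the CHS fields are then only filled in for compatibility.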

5 Hard Drives (figure slide) © Pearson Education, Computer Forensics: Principles and Practices

6 Cylinders (figure slide)

7 Basic Hard Drive Technology (Cont.)
Hard drive standards:
- ATA (Advanced Technology Attachment): standardizes everything from connectors to transfer speeds (ATA-1 through ATA-7)
- ATAPI (ATA Packet Interface): lets devices other than hard drives, such as CD and tape drives, use ATA connections
- IDE (Integrated Drive Electronics): the original interface, which supported only two drives
- EIDE (Enhanced IDE): allows up to four ATA devices (two channels, two drives each)
- PIO (Programmed Input/Output): the CPU moves data between the hard drive and RAM (ATA-1)
- UDMA (Ultra DMA, direct memory access): the drive transfers data to and from RAM without the CPU copying each word (multiword DMA from ATA-2; Ultra DMA from ATA-4 onward)
- ATA speed rating: each ATA revision defines its maximum transfer modes
- SATA (Serial ATA): the first generation achieves speeds up to 150 MB/s (1.5 Gbit/s); later revisions raise this to 300 and 600 MB/s

8 Other Storage Technologies
- Floppy disks
- Tape drive technologies: QIC, DAT, DLT
- ZIP and other high-capacity drives
- Optical media structures
  - Single-session vs. multisession CDs
  - DVDs
- USB flash drives

9 Personal Digital Assistant Devices (PDAs)
Seven major PDA operating systems:
- BlackBerry
- Open Embedded (Linux)
- PalmSource (Palm OS)
- Symbian (Psion)
- Windows Mobile (Pocket PC)
- Apple iOS
- Android

10 Cellular Phones
New phones are low-end computers with the following capabilities:
- PDA functionality
- Text messaging: SMS, EMS, MMS, IM
- Single photo and/or movie video capture
- Phonebook
- Call logs
- Subscriber identity module (SIM)
- Global positioning system (GPS)
- Video streaming
- Audio players

11 Drive and Media Analysis
Acquiring data from hard drives:
- Bit-stream transfer: a sector-by-sector copy of the entire drive into an image file, including unallocated space and slack space, not just the files the file system shows
- Disk-to-disk imaging: the same bit-stream copy written directly onto a second drive of equal or larger capacity

12 Drive and Media Analysis (Cont.)
Acquiring data from removable media:
- Document the scene
- Use a static-proof container and label the container with:
  - Type of media
  - Where the media was found
  - Type of reader required for the media
- Transport directly to the lab
- Do not leave any media in a hot vehicle or environment
- Store media in a secure and organized area

13 Drive and Media Analysis (Cont.)
Acquiring data from removable media (cont.):
- Once at the lab, make a working copy of the drive:
  - Make sure the media is write-protected
  - Hash the original drive and the duplicate, and verify that the two hashes match; this documents that the copy is exact
  - Make a copy of the duplicate to work from, so the first duplicate stays untouched as the reference copy
  - Store the original media in a secure location
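Worked example added for slides 11 and 13; it is not part of the original deck or the textbook. It performs the bit-stream transfer from slide 11 and the hash-then-verify step from slide 13 in one pass: every block of the source is copied to the image while a SHA-256 digest is computed, an unreadable block is replaced by zeros so the rest of the image keeps its offsets (the behaviour of dd's conv=noerror,sync), the written image is re-read and hashed independently, and the two hashes plus the list of bad offsets go into a chain-of-custody record. The "device" is a constructed in-memory stand-in with one bad sector, the examiner name and item description are hypothetical, and in practice you would run dd, dc3dd or a commercial imager against a hardware write-blocked device; this shows what those tools do for you.

```python
import datetime
import hashlib
import io
import json
import os
import tempfile

SECTOR = 512


class BadSectorDevice(io.BytesIO):
    """Constructed stand-in for a write-blocked drive: a read that starts at
    one of the listed offsets raises EIO, as a bad sector would."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError(5, "Input/output error")
        return super().read(size)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def acquire(src, dst, block_size=SECTOR):
    """Bit-stream copy of src into dst, hashing the image as it is written.

    Emulates dd's conv=noerror,sync: an unreadable block is written as
    block_size zero bytes so every later offset in the image still matches
    the source, and the offset is recorded for the report. A short final
    read (source not a multiple of block_size) is written as-is.
    Returns (sha256_hex, bytes_written, unreadable_offsets).
    """
    digest = hashlib.sha256()
    unreadable = []
    offset = 0
    src.seek(0)
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            unreadable.append(offset)
            chunk = b"\x00" * block_size
            src.seek(offset + block_size)      # skip the bad block, keep going
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    dst.flush()
    return digest.hexdigest(), offset, unreadable


def sha256_file(path, block_size=1 << 20):
    """Independent re-read of the written image, used to verify it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def custody_record(examiner, item, image_path, acq_hash, size, unreadable):
    """Acquisition note for the chain-of-custody file: who, what, when, the
    hash taken during acquisition, the hash of the stored image, and whether
    the two agree."""
    verify_hash = sha256_file(image_path)
    return {
        "examiner": examiner,
        "item": item,
        "image": os.path.basename(image_path),
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "bytes": size,
        "sha256_acquisition": acq_hash,
        "sha256_verification": verify_hash,
        "verified": verify_hash == acq_hash,
        "unreadable_offsets": unreadable,
    }


def demo(out_dir=None):
    """Image a constructed four-sector device whose third sector is unreadable."""
    data = bytes(range(256)) * 8                         # 2048 bytes, constructed
    device = BadSectorDevice(data, bad_offsets=[2 * SECTOR])
    out_dir = out_dir or tempfile.mkdtemp()
    image_path = os.path.join(out_dir, "item001.dd")
    with open(image_path, "wb") as image:
        acq_hash, size, unreadable = acquire(device, image)
    return custody_record("J. Examiner (hypothetical)",
                          "item 001, USB flash drive (hypothetical)",
                          image_path, acq_hash, size, unreadable)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the recorded hash is the hash of the image, not of the original media: with a bad sector the two can never match, so the report must list the unreadable offsets, and the image hash is what later working copies are verified against.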

14 Drive and Media Analysis (Cont.)
Acquiring data from USB flash drives:
- Write-protect the drive
- Software may be needed to write-protect it; a hardware USB write blocker is preferable, because the operating system may otherwise update timestamps or write metadata as soon as the drive is mounted
- The operating system recognizes it much like a regular hard drive, so it is imaged and hashed the same way

15 In Practice: PDA-Configured iPod Reveals Employee Theft
- A review of bank fees revealed that Joe had been skimming money
- Suspicion fell on the iPod that Joe had on his desk every day
- The iPod had been partitioned to hold both data and music

16 PDA Analysis
Guidelines for seizing PDAs:
- If it is already off, do not turn it on
- Seal it in an envelope before putting it in an evidence bag, to restrict access
- Attach the power adapter through the evidence bag to maintain the charge
- If the PDA is on when found, keep it in its active state; also isolate it from any network (airplane mode or a Faraday bag) so it cannot be remotely wiped or receive new data

17 PDA Analysis (Cont.)
Guidelines for seizing PDAs (cont.):
- A search should be conducted for associated memory devices
- Any power leads, cables, or cradles relating to the PDA should also be seized, as well as manuals
- Anyone handling PDAs before their examination should treat them in a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings

18 PDA Chain of Custody
Documentation of the chain of custody should answer the following:
- Who collected the device, media, and associated peripherals?
- How was the e-evidence collected, and where was it located?
- Who took possession of it?
- How was it stored and protected while in storage?
- Who took it out of storage, and why?

19 Secured PDA Device
- Ask the suspect for the password
- Contact the manufacturer for backdoors or other useful information
- Search the Internet for known exploits: either a password crack or an exploit that bypasses the password
- Call in a PDA professional who specializes in data recovery
Caution: many devices wipe their data after a set number of failed password attempts, so do not guess passwords against the device itself; work on an image or through a recovery specialist.

20 Cellular Phone Analysis
- Determine which forensic software package will work with the suspect cellular phone
- Ascertain the connection method
- Some devices need certain protocols in place before acquisition begins
- Physically connect the cellular phone to the forensic workstation using the appropriate interface

21 Cellular Phone Analysis (Cont.)
- Before proceeding, make sure all equipment and basic data (case and device identifiers) are in place
- Most software packages are GUI-based and provide a wizard
- Once connected, follow the procedure to obtain a bit-stream copy where the tool and device support a physical acquisition; many phone tools only perform a logical extraction of the records the phone exposes, and the report should state which was done
- Search for evidence and generate reports detailing the findings

22 Disk Image Forensic Tools
- Guidance Software
- Paraben software
- FTK (AccessData)
- Logicube

23 PDA/Cellular Phone Forensic Software
Tools for examining PDAs:
- EnCase and Palm OS software
- PDA Seizure
- Palm dd (pdd)
- POSE (Palm OS Emulator)
- PDA memory cards (SD, CF, Memory Stick)

24 PDA/Cellular Phone Forensic Software (Cont.)
Tools for examining cellular phones (tool, supported phones, connection):

Tool            Supported phones            Connection
BitPIM          CDMA                        Cable
Cell Seizure    GSM, TDMA, CDMA             Cable
Oxygen PM       GSM                         Cable
Pilot-link      Palm OS                     Cable
Forensic SIM    External SIM acquisition    Cable
SIMCon          External SIM acquisition    External card reader
SIMIS           External SIM acquisition    External card reader

25 Oxygen PM
- Supports more than 2000 mobile devices
- Extracts SIM card data, contacts list, caller groups, call logs, calendar events, etc.
- Keyword search and filtering
- Devices used in the test: iPhone 4 (version 4.2.1; jailbroken), iPhone 3G (version 2.7; jailbroken) and HTC Evo

26 Oxygen PM (Cont.)
iPhone:
- Provides an easy and manageable way to view the entire file structure
- View device information, images, attachments and previously deleted messages
HTC:
- Not recognized

27 Others
- BitPIM (LG Env3): comparable to Oxygen PM, except for the SMS text messages
- Cell Seizure (LG Env3, HTC DROID, RIM BlackBerry Bold 9700): able to extract all information from all of the phones, but costs more than $2,000

28 PDA/Cellular Phone Forensic Software (Cont.)
Tools for examining both PDAs and cellular phones:
- Paraben software
- Logicube

29 Summary
You are most likely to encounter media devices such as:
- Hard drives
- Optical media (CDs)
- USB drives
- PDAs
- Cellular phones

30 Summary (Cont.)
- You learned how data is stored on these devices and methods for acquiring the data
- General guidelines for data acquisition are the same for most devices
- There are also specific guidelines depending on the type of device

31 Summary (Cont.)
Guidance, Paraben, AccessData, and Logicube are suppliers of forensic software:
- Some software is specific to PDAs
- Some can be used for several different types of data

