PDA Forensics Presented by: Yusra Shams. Agenda Purpose Challenges Generic structure of PDA Common Operating Systems Where to look for data Tools available.


1 PDA Forensics Presented by: Yusra Shams

2 Agenda
- Purpose
- Challenges
- Generic structure of PDA
- Common Operating Systems
- Where to look for data
- Tools available

3 Purpose
- PDAs are a relatively recent sensation
- Widely used to cope with busy schedules
- Contain personal and business information and happenings
- Portable
  - Individuals carry them all the time, record important information and stay connected
- Higher probability of finding some useful information
- PDAs are of high interest to investigators

4 Challenges
- PDA technology and design are rapidly evolving.
- Forensic experts should be up to date with:
  - New software technologies
  - New hardware designs
  - Peripheral devices

5 PDA Structure/Hardware
- Microprocessor
- Read-only memory (ROM)
  - Holds the operating system for the device
  - Varieties include Flash ROM, which can be erased and reprogrammed with OS updates
- Random access memory (RAM)
  - Contains user data
  - Kept active by batteries
  - Data lost when powered off
- Interface / variety of hardware keys
- Touch-sensitive liquid crystal display
Image source: http://electronics.howstuffworks.com/gadgets/travel/pda4.htm

6 PDA Structure/Hardware contd.
- Additional features
  - Wireless: IrDA, Bluetooth
  - Card slots: SD/MMC slot, CompactFlash (CF) slot, etc.
  - Expansions: accessories
  - Battery: removable, rechargeable batteries

7 PDA - Software/OS
- Palm OS
- Pocket PC
- Linux

8 Palm OS
- Microprocessor
  - StrongARM or XScale
- Battery
  - Older models: alkaline battery
  - Recent models: lithium-ion battery
- ROM
  - Stores the OS and built-in applications
- RAM
  - Application and user data
  - Dynamic RAM
    - Working space for temporary allocations
    - Re-initializes on boot
  - Storage RAM
    - Analogous to disk storage in desktops
    - Retains data on boot
- Memory storage
  - In chunks called "Records"
  - Records are grouped in DBs
  - DBs can be thought of as "Files"

9 Palm OS contd.
- PFF (Palm File Format)
  - Palm DB
    - Application data (contact lists etc.)
    - User-specific data
  - Palm Resources
    - Application code
    - UI objects
  - Palm Query Application
    - WWW content
- Palm Universal Connector system
  - Allows GPS connectors, wireless modems, keyboards etc.
  - These interact with the device via the USB port
- Palm expansion card slots
  - Allow:
    - Multi-media cards (MMC)
    - Secure Digital cards (SD)
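The record-and-database layout from slides 8 and 9, as an added example that is not part of the original presentation: a Python parser for a Palm database (.pdb) image that lists each record with its flags and a SHA-256 hash for the examiner's report. The 78-byte header and 8-byte record entries follow the published Palm file format; the sample image and the names `parse_pdb` and `build_sample` are constructed for illustration.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # Palm timestamps count seconds from here
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")  # 78-byte big-endian database header
ENTRY = struct.Struct(">IB3s")                 # per record: data offset, attributes, unique ID

def parse_pdb(image):
    """Return header fields and per-record metadata for a Palm database image."""
    if len(image) < HEADER.size:
        raise ValueError("image shorter than the 78-byte header")
    (name, _attrs, _ver, created, _mod, _bak, _modnum, _appinfo, _sortinfo,
     db_type, creator, _seed, _next, count) = HEADER.unpack_from(image)
    data_start = HEADER.size + count * ENTRY.size
    if data_start > len(image):
        raise ValueError("record list runs past the end of the image")
    entries = [ENTRY.unpack_from(image, HEADER.size + i * ENTRY.size) for i in range(count)]
    records = []
    for i, (offset, flags, uid) in enumerate(entries):
        # A record ends where the next one starts; the last runs to end of file.
        end = entries[i + 1][0] if i + 1 < count else len(image)
        if not data_start <= offset <= end <= len(image):
            raise ValueError(f"record {i} has an out-of-range offset")
        data = image[offset:end]
        records.append({
            "unique_id": int.from_bytes(uid, "big"),
            "deleted": bool(flags & 0x80),  # delete bit: record marked deleted
            "secret": bool(flags & 0x10),   # secret bit: record marked private
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return {"name": name.split(b"\0", 1)[0].decode("latin-1"),
            "type": db_type.decode("latin-1"), "creator": creator.decode("latin-1"),
            "created": PALM_EPOCH + timedelta(seconds=created), "records": records}

def build_sample():
    """Constructed two-record database image (not taken from a real device)."""
    payloads = [b"Doe\0Jane\0", b"Roe\0Rich\0"]
    first = HEADER.size + len(payloads) * ENTRY.size + 2  # 2 filler bytes follow the list
    header = HEADER.pack(b"AddressDB", 0, 0, 3000000000, 3000000000, 0, 0, 0, 0,
                         b"DATA", b"addr", 0, 0, len(payloads))
    entries = (ENTRY.pack(first, 0x00, b"\x00\x00\x01") +
               ENTRY.pack(first + len(payloads[0]), 0x90, b"\x00\x00\x02"))
    return header + entries + b"\0\0" + b"".join(payloads)

if __name__ == "__main__":
    for rec in parse_pdb(build_sample())["records"]:
        print(rec)
```

The flags matter during examination: a record marked deleted or private can still be present in the acquired database even though the device's own applications would not display it.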

10 Pocket PC
- Features
  - More processing and networking capabilities
  - Microsoft entered the market with the WinCE OS
  - WinCE + added functionality = Pocket PC
- Microprocessor
  - XScale
  - ARM
  - SHx
- WinCE Registry
  - Stores data for applications, drivers, system configuration, user preferences etc.

11 Pocket PC contd.
- 4 types of memory
  - RAM
  - Expansion RAM
  - ROM
  - Persistent storage

12 Pocket PC contd.
- Additional security features
  - Power-on password
    - From 4-digit numeric up to 29 characters long
  - Time-out
    - Locks the device after a period of inactivity
  - Fingerprint biometric

13 PDA Generic States
- Nascent state
- Active state
- Quiescent state
- Semi-active state

14 Forensic Considerations
- What to report
  - Make, model, colour, condition, serial number
  - IMEI number, SIM card number (if applicable)
  - Hardware/software used
  - Data recovered
- Where to look for data
  - Depends on the PDA model; identify its characteristics first
  - Calendar
  - Internet cache, settings
  - Text, audio, video
  - Messages sent/received
  - Call logs, phone book
  - Hex dump, file system

15 Forensic Considerations contd.
- Left ON or OFF?
  - Depends on the case at hand and the device
  - If left ON
    - Isolate the device from the network
    - The battery will drain more quickly if the device searches for a network
  - If turned OFF
    - The PDA may be password protected
    - Some useful information in the Dynamic RAM may be lost
- Look around
  - Take the charger and data cable (if applicable)
  - Look for manuals and PDA documentation

16 Forensic Tools for PDAs
- PDA Seizure
  - Palm OS and Pocket PC: acquisition, analysis, reporting
- EnCase
  - Palm OS: acquisition, analysis, reporting
  - Linux PDA: analysis and reporting
- pdd (acquisition)
- Pilot-Link (acquisition)
- POSE (examination and reporting)
- dd (acquisition for Linux PDA)

17 PDA Seizure
- Commercially available forensic software toolkit
- Used for:
  - Palm OS
  - Pocket PC (PPC)
- Features:
  - Acquire a forensic image
  - Perform examiner-defined searches
  - Generate hash values
  - Generate a report of findings
  - Bookmarking to organize information
  - Graphics library to assemble found images
- A 60-day free trial can be downloaded from http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html

18 PDA Seizure – Demo version


20 Palm OS emulator
- New emulator session
- Previous session
- Download a ROM image from a Palm OS device
- Leave the Palm OS Emulator

21 PDA Seizure – Data snapshot

22 Where else to look
- Peripheral devices
  - May contain more useful information than the actual device
- Attachments/accessories, hardware or software, and their manuals

23 Traps
- Removing the logo from the device
- Changing the logo
- Running another OS on top of the original

24 Questions?? Thank you for your interest and time!!

25 References
- http://csrc.nist.gov
- Nebraska CERT Conference 2007
- http://www.softpedia.com/progDownload/PDA-Seizure-Download-19201.html

