File000148

Module XXXV – PDA Forensics

Transcript of File000148

Page 1: File000148

Module XXXV – PDA Forensics

Page 2: File000148

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Verizon Wireless to Host PDA and Smartphone Workshops at Union County Communications Store

Source: http://www.itnewsonline.com/showprnstory.php?storyid=8112

Page 3: File000148

Module Objective

This module will familiarize you with:

• Personal Digital Assistants (PDAs)
• Information Stored in PDAs
• PDA Components
• PDA Generic States
• PDA Security Issues
• PDA Forensics Steps
• PDA Forensics Tools
• Countermeasures

Page 4: File000148

Module Flow

Personal Digital Assistants (PDAs)

Information Stored in PDAs

PDA Components

PDA Generic States

PDA Security Issues

PDA Forensics Steps

PDA Forensics Tools

Countermeasures

Page 5: File000148

Personal Digital Assistants (PDAs)

PDA is a handheld device that combines computing, telephone/fax, Internet, and networking features

Features:

• Notes, calculator, clock, calendar, address book, and spreadsheet
• Emails and Internet access
• Video and audio recording
• Built-in infrared (i.e., IrDA), Bluetooth, and Wi-Fi ports
• Radio and music players
• Games

Page 6: File000148

Information Stored in PDAs

Percentages of PDA vs. Type of Information stored

While PDAs and smartphones can greatly enhance the employee’s productivity, the amount of sensitive and confidential information stored in PDAs increases the risk of information theft and potential losses to the organization

Page 7: File000148

PDA Components

Page 8: File000148

PDA Characteristics

Most types of PDAs have a microprocessor, read only memory (ROM), random access memory (RAM), a variety of hardware keys and interfaces, and a touch sensitive, liquid crystal display

The operating system (OS) of the device is held in ROM

PDAs use different varieties of ROM, including Flash ROM, which can be erased and reprogrammed electronically

RAM, which normally contains user data, is kept active by batteries; battery failure or exhaustion may cause information loss

Page 9: File000148

PDA Characteristics (cont’d)

Latest PDAs come equipped with system-level microprocessors that reduce the number of supporting chips required and include considerable memory capacity

Built-in Compact Flash (CF) and combination Secure Digital (SD) /MultiMedia Card (MMC) slots support memory cards and peripherals, such as a digital camera or wireless card

Wireless communications such as infrared (i.e., IrDA), Bluetooth, and WiFi may also be built in

Page 10: File000148

Generic PDA Hardware Diagram

System-level processor chip and the generic core components of most PDAs

Page 11: File000148

Palm OS

Palm OS is an embedded operating system initially developed by U.S. Robotics-owned Palm Computing, Inc. for personal digital assistants (PDAs) in 1996

Early Palm OS devices used 16- and 32-bit processors based on the Motorola DragonBall MC68328 family of microprocessors, but recent devices use ARM architecture-based StrongARM and XScale microprocessors

Palm OS and built-in applications are stored in ROM, while application and user data are stored in RAM

Palm OS system software logically organizes ROM and RAM for a handheld device into one or more memory modules known as a card

Page 12: File000148

Palm OS (cont’d)

Total available RAM store is divided into two logical areas:

• Dynamic RAM, which is used as working space for temporary allocations
• Storage RAM, which is analogous to disk storage on a typical desktop system

Palm OS storage memory is arranged in chunks called “records,” which are grouped into “databases”

Palm file format (PFF) conforms to one of the three types defined below:

• Palm Database – A record database used to store application data, such as contact lists, or user specific data

• Palm Resource – A database similar to the Palm Database that contains application code and user interface objects

• Palm Query Application – A database that contains World Wide Web content for use with Palm OS wireless devices
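As an added example (not part of the original slides), the record-and-database layout described above can be walked with a short parser that separates a Palm Database from a Palm Resource and lists each record with its deleted and private flags. It assumes the commonly documented Palm database file layout (a 78-byte big-endian header followed by a record list); the sample file and all function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

PALM_EPOCH = datetime(1904, 1, 1)               # Palm OS timestamps count seconds from here
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")   # 78-byte database header, big-endian
REC_ENTRY = struct.Struct(">IB3s")              # Palm Database entry: offset, attributes, unique ID
RSC_ENTRY = struct.Struct(">4sHI")              # Palm Resource entry: type, ID, offset
ATTR_RESOURCE_DB = 0x0001                       # header attribute bit marking a resource database
REC_DELETED, REC_SECRET = 0x80, 0x10            # per-record attribute bits


def palm_time(seconds):
    """Palm timestamp -> naive datetime (device-local clock); 0 means 'never set'."""
    return PALM_EPOCH + timedelta(seconds=seconds) if seconds else None


def parse_palm_db(data):
    """Parse the header and record list of one Palm database file image."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 78-byte Palm database header")
    (name, attrs, version, created, modified, backed_up, _mod_num, _app_info,
     _sort_info, db_type, creator, _seed, _next_list, count) = HEADER.unpack_from(data)
    is_resource = bool(attrs & ATTR_RESOURCE_DB)
    entry = RSC_ENTRY if is_resource else REC_ENTRY
    data_start = HEADER.size + count * entry.size
    if data_start > len(data):
        raise ValueError("record list runs past end of file (truncated image?)")

    records = []
    for i in range(count):
        fields = entry.unpack_from(data, HEADER.size + i * entry.size)
        if is_resource:
            res_type, res_id, offset = fields
            rec = {"offset": offset, "type": res_type.decode("latin-1"), "id": res_id}
        else:
            offset, rec_attrs, uid = fields
            rec = {"offset": offset, "uid": int.from_bytes(uid, "big"),
                   "deleted": bool(rec_attrs & REC_DELETED),
                   "secret": bool(rec_attrs & REC_SECRET),
                   "category": rec_attrs & 0x0F}
        records.append(rec)

    # Record lengths are not stored: each record runs to the next offset (or end of file).
    for i, rec in enumerate(records):
        end = records[i + 1]["offset"] if i + 1 < count else len(data)
        rec["valid"] = data_start <= rec["offset"] <= end <= len(data)
        rec["data"] = data[rec["offset"]:end] if rec["valid"] else b""

    return {"name": name.split(b"\0")[0].decode("latin-1"),
            "kind": "Palm Resource" if is_resource else "Palm Database",
            "type": db_type.decode("latin-1"), "creator": creator.decode("latin-1"),
            "version": version, "created": palm_time(created),
            "modified": palm_time(modified), "last_backup": palm_time(backed_up),
            "records": records}


def build_sample():
    """Constructed memo database for the demo; not taken from a real device."""
    memos = [(0x00, b"Buy batteries\0"),
             (REC_DELETED | 0x01, b"Meet at pier 7\0"),   # flagged deleted, category 1
             (REC_SECRET, b"Locker code 0000\0")]         # flagged private
    offset = HEADER.size + len(memos) * REC_ENTRY.size + 2    # 2 pad bytes precede data
    header = HEADER.pack(b"MemoDB", 0, 1, 3000000000, 3000000600, 0, 0, 0, 0,
                         b"DATA", b"memo", 0, 0, len(memos))
    entries, body = b"", b""
    for uid, (rec_attrs, payload) in enumerate(memos, start=1):
        entries += REC_ENTRY.pack(offset + len(body), rec_attrs, uid.to_bytes(3, "big"))
        body += payload
    return header + entries + b"\0\0" + body


if __name__ == "__main__":
    db = parse_palm_db(build_sample())
    print(db["kind"], db["name"], db["type"], db["creator"], db["created"])
    for rec in db["records"]:
        print(rec["uid"], "deleted" if rec["deleted"] else "live",
              "private" if rec["secret"] else "public", rec["data"])
```

Records whose offsets fall outside the file or run backwards are returned with `valid` set to false rather than raising, so a damaged acquisition can still be partially reviewed.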

Page 13: File000148

Architecture of Palm OS Devices

Architecture of Palm OS devices consists of the following layers:

• Application
• Operating System
• Software API and Hardware Drivers
• Hardware

Page 14: File000148

Architecture of Palm OS Devices (cont’d)

The software Application Programming Interface (API) gives a degree of hardware independence to software developers, allowing applications to be executed under different hardware environments by recompiling the application

Developers have the freedom to bypass the API and directly access the processor, providing more control of the processor and its functionality

The Palm OS does not implement permissions on code and data, so any application can access and modify data

Page 15: File000148

Pocket PC

Windows CE (WinCE) is the operating system for handheld devices; it is augmented with additional functionality to produce Pocket PC (PPC)

Pocket PC supports a multitasking and multithreaded environment

Pocket PC runs on a number of processors, but primarily appears on devices having XScale, ARM, or SHx processors

Various Pocket PC devices have ROM ranging from 32 to 64MB and RAM ranging from 32 to 128MB

Page 16: File000148

Pocket PC (cont’d)

PIM and other user data normally reside in RAM, while the operating system and support applications reside in ROM

An additional filestore can be allocated in unused ROM and made available for backing up files from RAM

One or more card slots, such as a Compact Flash (CF) or Secure Digital (SD) card slot, are typically supported

To prevent data loss when battery power is low, the lithium-ion battery must be recharged via the cradle, a power cable, or removed and replaced with a charged battery

Page 17: File000148

Architecture for Windows Mobile

The architecture for Windows Mobile consists of four layers: Application, Operating System, Original Equipment Manufacturer (OEM), and Hardware

The Original Equipment Manufacturer (OEM) Layer is the layer between the Operating System Layer and the Hardware Layer

It contains the OEM Adaptation Layer (OAL), which consists of a set of functions related to system startup, interrupt handling, power management, profiling, timer, and clock

Application (Internet client services, user interface, …)

Operating System (Kernel, core DLL, object store, GWES, device mgt)

Original Equipment Manufacturer (OEM) (OEM Adaptation Layer, drivers, configuration files)

Hardware (Processor, memory, I/O, …)

Page 18: File000148

Architecture for Windows Mobile (cont’d)

Within the Operating System Layer are the Windows mobile kernel and device drivers, whose purpose is to manage and interface with hardware devices

Device drivers provide the linkage for the kernel to recognize the device and allow communications to be established between hardware and applications

The Graphics, Windowing, and Events Subsystem (GWES) is also a part of the Operating System Layer and provides the interface between the user, the application, and the operating system

GWES handles messages, events, and the user’s input from keyboard and mouse or stylus

The object store includes three types of persistent storage within the Operating System Layer: file system, registry, and property databases

Page 19: File000148

Linux-based PDAs

Linux is a multitasking, 32-bit operating system that supports multithreading

Linux-based PDAs rest on the open source model and can engage the software development community to produce useful applications

A Linux-based PDA uses Embedix, an embedded Linux kernel from Lineo, and the Qtopia desktop environment from Trolltech for windowing and presentation technology

Embedix is based on a networked kernel with built-in support for WiFi, Bluetooth, and wireless modem technologies, as well as associated security and encryption modules

The device has a StrongARM processor, 16 MB of ROM, 64MB of RAM, and a 3.5-inch 240x320-pixel color LCD

Page 20: File000148

Architecture of the Linux OS for PDAs

The Linux kernel is composed of modular components and subsystems that include device drivers, protocols, and other component types

The kernel also includes the scheduler, the memory manager, the virtual filesystem, and the resource allocator

Processing proceeds from the system call interface to request service from the hardware

The hardware then provides the service to the kernel, returning results through the kernel to the system call interface

Page 21: File000148

PDA Generic States

The following four states provide a simple but comprehensive generic model that applies to most PDAs:

Nascent State:

• Devices are in the nascent state when received from the manufacturer – the device contains no user data and observes factory configuration settings

Active State:

• Devices that are in the active state are powered on, performing tasks, and able to be customized by the user and have their filesystems populated with data

Page 22: File000148

PDA Generic States (cont’d)

Quiescent State:

• It is a dormant mode where the device conserves battery life while maintaining user data and performing other background functions

Semi-Active State:

• This state is a state partway between active and quiescent; it is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions

Page 23: File000148

PDA Security Issues

Password theft

Virus attacks

Data corruption

Vulnerabilities in applications running

Data theft

Wireless vulnerabilities

Theft of the device

Page 24: File000148

ActiveSync and HotSync Features

ActiveSync:

• ActiveSync synchronizes Windows-based PDAs and smartphones with the desktop computer
• ActiveSync handheld uses its cradle for connecting to the desktop PC
• It can be protected with a password

HotSync:

• HotSync is the process of synchronizing elements between Palm OS devices and the desktop PC
• Elements that are synchronized include:
  • Outlook inbox
  • Contacts list
  • Calendar
  • Tasks and Notes

Page 25: File000148

ActiveSync Attacks

Attacker tries to get the ActiveSync password by:

• Password sniffing
• Brute force or dictionary attacks

After obtaining the password, an attacker can steal private information or unleash malicious code

Page 26: File000148

HotSync Attack

When HotSync is enabled to synchronize elements, the Palm OS opens TCP ports 14237 and 14238 as well as UDP port 14237

An attacker can open connections to these ports and access private information or send malicious code
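Tied to the countermeasure of disabling HotSync when it is not in use, this added example (not part of the original slides) audits `netstat -an` output for sockets on the ports named above and marks the ones reachable from the network. It assumes the output was captured on the machine taking part in HotSync; the sample lines, addresses, and function names are constructed for illustration.

```python
# Ports the slide names for HotSync: TCP 14237 and 14238, UDP 14237.
HOTSYNC_PORTS = {"tcp": {14237, 14238}, "udp": {14237}}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: Windows-style lines followed by one Linux-style line.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:14237          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:14238        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:14238       192.0.2.77:49822       ESTABLISHED
  UDP    0.0.0.0:14237          *:*
  UDP    0.0.0.0:14238          *:*
tcp6       0      0 :::14238                :::*                    LISTEN
"""


def split_endpoint(endpoint):
    """'0.0.0.0:14237', '[::]:14237' or ':::14237' -> (host, port_text)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def find_hotsync_sockets(netstat_text):
    """Return one finding per socket whose local port is a HotSync port."""
    findings = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0].lower().rstrip("46")            # 'tcp6' -> 'tcp'
        if proto not in HOTSYNC_PORTS:
            continue                                      # header or other protocol
        endpoints = [t for t in tokens[1:] if ":" in t]   # local first, then remote
        if len(endpoints) < 2:
            continue
        host, port = split_endpoint(endpoints[0])
        if not port.isdigit() or int(port) not in HOTSYNC_PORTS[proto]:
            continue
        # The first purely alphabetic column is the TCP state; UDP lines have none.
        state = next((t.upper() for t in tokens[1:]
                      if t.replace("_", "").isalpha()), "")
        listening = state.startswith("LISTEN") or proto == "udp"
        findings.append({
            "proto": proto, "local": host, "port": int(port),
            "state": state or "BOUND",
            "peer": None if listening else endpoints[1],
            # A listener bound to anything but loopback is reachable from the network.
            "exposed": listening and host not in LOOPBACK,
        })
    return findings


if __name__ == "__main__":
    for f in find_hotsync_sockets(SAMPLE):
        note = "EXPOSED" if f["exposed"] else (f["peer"] or "local only")
        print(f'{f["proto"]}/{f["port"]} on {f["local"]} {f["state"]}: {note}')
```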

Page 27: File000148

PDA Forensics

Page 28: File000148

PDA Forensic Steps

Secure and evaluate the scene

Seize the evidence

Identify the evidence

Preserve the evidence

Acquire the information

Examine and analyze the information

Document everything

Make the report

Page 29: File000148

Points to Remember while Conducting the Investigation

If the device is switched on:

• Preserve device in an active state with sufficient power
• Take a photograph of the device
• If charge is low, then replace the battery or charge with a proper power adaptor
• Maintain sufficient charge in the replacement batteries

If device is switched off:

• Leave the device in off state
• Switch on the device and record current battery charge
• Take a photograph of the device

Page 30: File000148

Points to Remember while Conducting the Investigation (cont’d)

If device is in its cradle:

• Avoid any further communication activities
• Remove USB/Serial connection from PC
• Seize cradle and cords

If device is not in its cradle:

• Seize cradle and cords

If wireless is on/off:

• Avoid further communication activities
• Eliminate wireless activity by packing the device in an envelope, anti-static bag, and an isolation envelope
• Take away wireless enabled cards

Page 31: File000148

Points to Remember while Conducting the Investigation (cont’d)

If card is present in expansion card slot:

• Do not initiate any further activity inside the device
• Do not remove any peripheral/media card

If card is not present in expansion card slot:

• Seize related peripheral/media cards.

If expansion sleeve is removed:

• Seize expansion sleeve
• Seize other related peripherals/media cards

Page 32: File000148

Secure and Evaluate the Scene

Provide security to all the individuals at the scene

Photograph the entire scene and all the evidence

Evaluate the scene and make a search plan

Protect the integrity of the traditional and electronic evidence

Secure all the evidence

Document everything at the scene

Avoid entry of unauthorized persons at the scene

Page 33: File000148

Seize the Evidence

Seize handheld and computer devices such as PDA device, device cradle, power supply, associated peripherals, media, and accessories

Seize the memory devices such as SD, MMC, or CF semiconductor cards, microdrives, and USB tokens

Collect non-electronic evidence such as written passwords, handwritten notes, computer printouts, and so on

Page 34: File000148

Identify the Evidence

Identify the type of device

Interfaces that allow identification of a device:

• Cradle Interface
• Manufacturer Serial number
• The Cradle type
• Power Supply

Identify the type of operating system:

• Some PDAs may run two operating systems

Page 35: File000148

Preserve the Evidence

Preserve the evidence in a secure place

Keep the PDA in an envelope and seal it to restrict physical access

Keep the evidence in a secure area and away from extreme temperatures and high humidity

Store the evidence away from magnetic sources, moisture, dust, physical shock, and static electricity

Page 36: File000148

Acquire the Information

Acquisition is the process of imaging or extracting the information from a digital device or evidence and other peripheral devices

Use data acquisition tools, such as PDA Seizure, and techniques to extract and image information in the PDAs

Collect both dynamic and volatile information

• Volatile information must be given priority

Page 37: File000148

Data Acquisition Techniques

Exploit ‘known authentication vulnerabilities’ of the device and system

Apply brute force techniques to access the passwords of the device

Access the device information using backdoors built in by the manufacturers

Extract data from memory chips independently of the device

Reverse engineer the device’s operating system’s code to find and exploit a vulnerability

Page 38: File000148

Examine and Analyze the Information

Recover the hidden information

Use the steganalysis tools such as Stegdetect to extract the hidden information

Check the images, videos, and document files

Check the timing of the files

Find out the author of files

Use cryptanalysis tools such as Crank and Jipher to reveal the encrypted information

Use the password cracking tools such as Cain and Abel and hydra, if the information is password protected

Use various video players to open the video files

Page 39: File000148

Examine and Analyze the Information (cont’d)

From analysis find out:

What exactly happened?

When the event occurred?

Who was involved?

How it occurred?

How to detect and recover hidden information?

Page 40: File000148

Document Everything

Document all the results from examination and analysis

Document the following during labeling:

• Case number
• A precise description of the case
• Date and time when the evidence was collected

Photograph and document all the devices connected to the PDA

Create a report documenting the state of the device during collection

Maintain a chain of custody

Preserve the documentation in a secure location

Page 41: File000148

Make the Report

Forensic report may include the following:

• Identity of the reporting agency
• Case number
• Name of Investigator
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Devices and set-up used in the examination
• Brief description of examination steps
• Documentations of the evidence and other supporting items
• Details about the following finding:
  • Information about the files
  • Internet related evidence
  • Data and image analysis
  • Techniques used for hiding and recovering the data
• Report conclusion

Page 42: File000148

PDA Forensics Tools

Page 43: File000148

PDA Forensics Tools

PDA Secure

PDA Seizure

EnCase

SIM Card Seizure

Palm dd (pdd)

Duplicate Disk

Pocket PC Forensic Software

Mobile Phone Inspector

Memory Card Data Recovery Software

Page 44: File000148

PDA Secure

PDA Secure offers the following features:

• Enhanced password protection

• Encryption

• Device locking

• Data wiping

It allows administrators to have greater control over how handheld devices are used on networks

It allows administrators to set a time and date range to monitor network log-in attempts, infrared transmissions, and application usage

Page 45: File000148

PDASecure: Screenshot

Page 46: File000148

Device Seizure

Device Seizure has its roots in digital forensics with such things as PDD (Palm DD command line acquisition), deleted data recovery, full data dumps of certain cell phone models, logical and physical acquisitions of PDAs, data cable access, and advanced reporting

It can acquire the following data:

• SMS History (Text Messages)
• Deleted SMS (Text Messages)
• Phonebook (both stored in the memory of the phone and on the SIM card)
• Call History
• Received Calls
• Dialed Numbers
• Missed calls
• Call Dates & Durations
• Datebook
• Scheduler

Page 47: File000148

Device Seizure: Screenshot

Page 48: File000148

DS Lite

Paraben's DS Lite is a device seizure and CSI Stick file viewing and analysis tool

Palm OS console mode is used to acquire memory card information and create a bit-for-bit image of the selected memory region

It can retrieve all user applications and databases

Page 49: File000148

DS Lite: Screenshot

Page 50: File000148

EnCase

EnCase is used for acquiring or imaging the evidence

EnCase software provides tools for the investigators to conduct complex investigations with accuracy and efficiency

It stores evidence files on shared media for either data retention or examination

Page 51: File000148

EnCase: Screenshot

Page 52: File000148

SIM Card Seizure

SIM Card Seizure recovers deleted SMS/text messages and performs comprehensive analysis of SIM card data

It takes the SIM card acquisition and analysis components from Paraben's Device Seizure and puts them into a specialized SIM card forensic acquisition and analysis tool

Data acquired from SIM cards:

• Phase ID
• FDN – fixed numbers
• SST – SIM service table
• LND – last dialed numbers
• ICCID – serial number
• EXT1, EXT2 – dialing extensions
• LP – preferred languages variable
• SMSP – text message parameters
• SPN – service provider name
• CBMI – preferred network messages
• MSISDN – subscriber phone number
• LOCI – location information
• Short dial number
• BCCH – broadcast control channels

Page 53: File000148

SIM Card Seizure: Screenshot

Page 54: File000148

Palm dd (pdd)

Palm dd is a Windows-based tool for Palm OS memory imaging and forensic acquisition

Palm OS console mode is used to acquire memory card information and create a bit-for-bit image of the selected memory region

It can retrieve all user applications and databases

Page 55: File000148

Palm dd: Screenshot

Page 56: File000148

Duplicate Disk

Duplicate Disk is a UNIX-based utility which creates a bit-by-bit image of the device

It executes directly on the PDA and can be invoked via a remote connection

Page 57: File000148

Pocket PC Forensic Software

Pocket PC Forensic Software is an investigator utility for examining Windows-based Pocket PC and PDA mobile devices

It extracts files, database records, operating system registry records, and phone information

Features:

• Shows details of the software and hardware architecture of the Pocket PC, such as OS type, version, processor architecture, memory usage, and related information
• Extracts phonebook numbers, appointments, tasks, IMEI number, SIM information, contact details, phone model, manufacturer’s details, and other related information

Page 58: File000148

Pocket PC Forensic Software: Screenshot

Page 59: File000148

Mobile Phone Inspector

Mobile Phone Inspector provides detailed information on any mobile phone memory and SIM memory status

Information includes mobile manufacturer’s name, mobile model number, mobile IMEI number, SIM IMSI number, signal quality, and battery status of any supported mobile phone

It also extracts the phonebook entries

Page 60: File000148

Mobile Phone Inspector: Screenshot

Page 61: File000148

Memory Card Data Recovery Software

Memory card data recovery software recovers and restores images, documents, pictures, photos, audio, video files, and folders from all major memory card storage media

Features:

• Recovers data from PC Card, Compact Flash (I, II), Smart Media, Multimedia Card (MMC), Secure Digital card, Mini-SD card, Micro-SD card, and xD-Picture Card
• Recovers data after formats, accidental deletion, or any other type of logical corruption
• Data retrieval support for Compact Flash Memory card, Mobile Pocket PC, PDA, Handheld Computers, External mobile phone memory, Pen Drive, Memory Stick, Multimedia card, and other similar devices

Page 62: File000148

Memory Card Data Recovery Software: Screenshot

Page 63: File000148

PDA Security Countermeasures

Install a firewall

Disable all HotSync and ActiveSync features when they are not in use

Use a strong password

Do not keep the passwords on the desktop PC

Install anti-virus on the device

Encrypt the critical data in the device

Do not use un-trusted Wi-Fi access points

Page 64: File000148

Summary

PDA is a handheld device that combines computing, telephone/fax, Internet, and networking features

PDAs can function as a cellular phone, fax sender, web browser, and a personal organizer

PDA forensics includes examination, identification, collection, and documentation

While investigating PDA, it is necessary to secure, acquire, examine, present, and maintain the evidence
