An overview and examination of digital PDA devices under forensics toolkits.

Krishnun Sansurooah
School of Computer and Information Science (SCIS)
Edith Cowan University
Perth, Western Australia

Abstract

Personal Digital Assistants, most commonly known as PDAs, are becoming more and more fashionable and affordable in the working environment. With rapidly advancing technology, these handheld devices are now targeted by many people with criminal intentions. Unfortunately, crime does not choose its technology, and nowadays these ultra-light handhelds are increasingly involved in crimes. This becomes an onerous task for forensic examiners, who need the proper forensic tools to investigate the information held on these devices. This report browses the current forensic toolkits available and analyzes some targeted PDAs.

Keywords

PDA, Forensics Analysis, Encase, PDA Seizure, Image Acquisition, PDA Memory

INTRODUCTION

Today's technology is advancing rapidly, and handheld devices are growing even quicker, especially in their capabilities and in their use. With this advancing technology, it is no surprise to come across devices, be they PDAs or smart phones, which contain as much processing power as a normal desktop would have held a couple of years ago. The storage capacities of these handheld devices are phenomenal and keep increasing even though the devices are becoming ultra-light in weight. Given this evolution, it is necessary that the analysis of handheld devices be combined with the existing digital forensic procedures and methodologies already in place to keep up with the technology.
However, most PDAs on the market follow similar basic designs but differ in their operating system (OS) and their hardware components, which unfortunately does not facilitate forensic data acquisition on the handheld devices without modifying their current state. Although this process is not easy to perform, data acquisition can still be performed on PDAs with some of the existing forensic software for that type of acquisition. To narrow the focus of this research paper, the digital handheld devices examined are Palm devices running the Palm OS. This paper also considers the different forensic tools available for acquisition on Palm OS and does not emphasize data acquisition on WinCE, Windows mobile phone or Microsoft Pocket.

BACKGROUND

According to Kruse & Heiser (2002), digital forensics is defined as the preservation, identification, acquisition, documentation, interpretation and reporting of computer or digital data. The field of digital forensics has long emphasized the seizing and recovering of evidence from a personal computer. Nowadays, however, criminals keep pace with technology and use the latest devices to carry out illegal activities. With this evolution, the life of forensic experts has become more complicated, and forensically acquiring these handheld digital devices, be they smart phones, pagers or PDAs, has unfortunately become an onerous task. According to Kruse and Heiser (2002), the basic methodology for the acquisition of data has three stages, described below:

1. The acquisition of evidence should be performed without modifying or corrupting the original source.
2. The acquired evidence needs to be authenticated against the original evidence.
3. The acquired evidence should be analyzed without any alteration to it.
Following Kruse and Heiser (2002), the first stage entails the procedures that need to be observed and fully recorded and documented in the early phases of forensic analysis. These procedures are:

a) Gathering and collection of evidence
b) The correct handling of evidence
c) Maintaining the chain of custody
d) Identifying the evidence collected
e) The methods of transporting the evidence
f) And finally, how the evidence is stored or presented

The second stage described by Kruse and Heiser (2002) in the basic methodology demands that the acquired evidence is verified against the original source. This is a crucial step in the work of a forensic expert or analyst, as it determines whether the piece of evidence results from a legally acceptable and presentable process, with all the necessary documents to support the finding, especially if the findings are to be pursued in a court of law. In a report on digital forensics, McKemmish (1999) reported that there are four rules to be observed when acquiring evidence for a criminal investigation to be pursued in a court of law. Those rules are:

i) Minimize the handling of the original data source.
ii) Account for any changes in the original data.
iii) Follow the rules of evidence, especially when it comes to the use of software tools for the acquisition of the evidence.

To achieve this comparison of acquired evidence against the original source, the most current and reliable way is to electronically fingerprint and time-stamp the evidence, with the fingerprints calculated by cryptographic hashing algorithms such as MD5 sum check or SHA1 check. This method is quite reliable in ensuring that the digital evidence has been imaged properly, and hence in maintaining the chain of evidence given the high volatility of digital evidence.
Using hashing algorithms allows digital evidence to be presented in a court of law on the basis that, once the incriminated digital device has been initially acquired and stored, the image can at a later stage be cross-verified against the original source to show and prove that no alteration occurred during the acquisition of evidence, thus keeping the original source intact.

Finally, Kruse and Heiser (2002) elaborate on the analysis of the acquired evidence without any alteration to it, by ensuring that the original evidence source has not been altered. This process is normally conducted on the imaged copy, which is an exact bitwise copy of the original source. The analysis normally starts with examining the files, followed by further analysis of the physical image or a search for deleted or hidden files. Forensic tools that can be used for this process include Encase V4, Autopsy and hexadecimal editors, toolkits that allow refined searching through the ASCII and hexadecimal content of deleted files.

DIGITAL HANDHELD DEVICES

According to Canalys (2004), the market for digital handheld portable devices has seen considerable growth and keeps growing, both in the working environment and for personal use: digital music or mp3 players, smart phones and, not least, the most common personal digital assistants (PDAs). With growing technology these PDAs have evolved widely and nowadays are equipped with built-in memory with a minimum capacity of 128 MB, and some even more, whereas Apple Computer (2004) has announced its digital music player with a capacity higher than 40 GB. Among all these digital devices, PDAs have been designed to overcome the physical constraints set by personal computers (PCs) or even laptops.
Some of the major advantages that PDAs offer compared to PCs or laptops are listed below:

i) They are compact and ultra-light, thus allowing mobility to the users;
ii) They store user data in volatile memory, the Random Access Memory (RAM), and use Read Only Memory (ROM) for the operating system (OS);
iii) They suspend the processor when powered off, to avoid consuming time when rebooting;
iv) They include organizing functionality such as e-mails, calendars and memos;
v) They also offer the ability to synchronize data with a personal computer.

Given these major differences, it is very difficult and challenging to examine these digital devices in a forensically sound manner without the proper specialized forensic toolkits and the proper procedures, due to the PDA architecture. In the PDA family there are at present 3 main OS which share the market: Palm OS, Microsoft Pocket PC and portable Linux-based OS. Regardless of their brand or family, these digital devices all support some basic functionalities such as contact, e-mail, task management and calendar, known as Personal Information Management (PIM) applications. As we move into the new age of technology evolution, the PDA market share is tending to split into only 2 categories, the 2 most dominant ones: Palm OS and Microsoft Pocket PC. Palm devices nowadays can also communicate through a wireless medium, surf the web and even provide editing facilities for electronic documents. While PDAs allow a high level of mobility to their users, they add another special aspect when it comes to the storage of data, by introducing the use of removable media such as external media cards with enormous capacities ranging from 128 MB to 4 GB, thus making PDAs more desirable for users or criminals.

REMOVABLE MEDIA

Forensic analysis of removable media is quite similar to the process of analyzing a hard drive. These media can be removed and inserted in a card reader; an exact image is then taken and forensically examined. Unlike the Random Access Memory (RAM) on a device, removable media is non-volatile and therefore requires no source of power to retain its data. Even though removable media are part of PDAs, the analysis of such media is not covered in this report, but a brief overview of these removable media is given below. Even though small in size, they can hide enormous amounts of data, even gigabytes, in relation to an investigation.

Compact Flash Cards (CF)

Compact Flash memory is a solid-state disk card with a 50-pin connector, consisting of two parallel rows of 25 pins on one side of it. It is designed for PCMCIA-ATA, normally has a 16-bit data bus, and is used more as a hard drive than as RAM. Flash memory technology is a non-volatile storage solution that retains its information once power is removed from the card. Compact Flash cards are about the size of a matchbook (length 36 mm, width 42.8 mm, thickness 3.3 mm for Type I and 5 mm for Type II) and consume a minimum amount of power.

Multi-Media Cards (MMC)

A Multi-Media Card (MMC) is also a solid-state disk card but with a lower number of pins (7-pin connector). It has a 1-bit data bus and, like the Compact Flash card, is designed with flash technology, a non-volatile storage solution that retains information once power is removed from the card. The cards contain no moving parts and provide greater protection of data than conventional magnetic disk drives. Multi-Media Cards are about the size of a postage stamp, and the same family includes reduced-size Multi-Media Cards (RS-MMC), which are half the size of the standard MMC card.
Even though they were designed to fit mobile phones, they can nevertheless be used with PDAs.

Hitachi Microdrive

Hitachi Microdrive digital media is a high-capacity rotating mass storage device contained in a Compact Flash Type II card with a 16-bit data bus. A micro glass disk is used as the storage medium, which is more fragile than solid-state memory and requires energy to rotate. As with flash memory cards, the 6GB Microdrive storage card is preloaded with a FAT32 file system, required to allow storage over 2GB. In doing so, more space can be easily accessed, according to Hitachi Global Storage Technologies (2004).

Secure Digital (SD) Card

The SD Card Association (2004) mentions that Secure Digital (SD) memory cards can be compared to the solid-state design of MMC cards. SD card slots can often accommodate MMC cards as well. With their 9-pin connector and 4-bit data bus, SD cards allow a quicker transfer rate. SD cards offer an erasure-prevention option so that data cannot be deleted accidentally. Another option offered by the SD card is security controls for content protection (in other words, Content Protection Rights Management). MiniSD cards are also available and run on the same principle, in a more compact form with the same hardware bus and same interface as SD cards. They offer the same prevention as SD cards but in a smaller dimension depending on their capacity.

Memory Stick

Following Memorystick.com Business Center (2004), memory sticks are also solid-state memory in a smaller size. A memory stick has a 10-pin connector and a 1-bit data bus. Like SD cards, it has a built-in erasure-prevention switch to stop the card's content from being erased unintentionally. It therefore offers higher capacity in storage media and quicker transfer rates than standard memory sticks.

PDA HARDWARE AND SOFTWARE

As mentioned earlier, PDAs support a set of core Personal Information Management (PIM) capabilities, and most PDAs allow wireless communication through networks with validation and authentication. Data stored on a PDA can therefore be synchronized with either a laptop or a desktop PC using a synchronization protocol. These protocols can be used to transfer all kinds of data, be it text, audio, jpeg images or archive file formats.

PALM OS ARCHITECTURE

According to Grand & Mudge (2001), the Palm OS and built-in applications are stored in the Read Only Memory (ROM), while both user and application data rest in the Random Access Memory (RAM). In a report, Tanker B (2004) stated that add-on utilities are also used frequently to back up PIM data onto ROM. An article from the Palm OS Programmer's Companion (2004) states that Palm OS splits the total available RAM into 2 logical areas: the dynamic RAM area and the storage RAM area. The dynamic RAM area is compiled into a single heap and used as the working area for temporary allocations, independent of the RAM mounted on a typical desktop system. The rest of the RAM is designated as the storage RAM area, used to hold non-volatile user data. In Palm OS, memory storage is organized into records, which in turn are held in databases, here the equivalent of files. The layers of the Palm OS architecture comprise Application, Operating System, Software API & hardware drivers, and Hardware. Figure 1 below outlines the different layers and the relationships between them when communication takes place.

[Figure 1 layers, top to bottom: Application; Operating System (OS); Software API and Hardware Drivers; Hardware]

Figure 1. Demonstrates the different layers of the Palm OS architecture.

With technology advancing at a tremendous rate, the latest PDAs come with so many bundled advantages that they are very likely to be owned by everyone with a busy life, thanks to their considerable memory capacity and powerful microprocessors with embedded wireless communication such as wireless, infrared and Bluetooth technology. A generic hardware diagram of the system level microprocessor is illustrated in Figure 7 below.

Figure 2. Illustrates the generic hardware diagram of the system level microprocessor.

PDA SOFTWARE

Together with the purchase of a Palm OS device, some software comes along with the handheld which helps the user synchronize the Palm OS device with a computer system at a later stage.

PALM DESKTOP

This software, normally delivered with the purchase of a Palm, enables users to organize and manage the data they have stored on their PDA earlier, and helps the user trace back what edits took place where and when. In other words, it looks after date, address and any memo entry at that time, providing the user with a more convenient way of making entries into the Palm. Palm Desktop also allows HotSync Operations to be installed. HotSync was developed by Palm and enables the user to synchronize data between a personal computer and the digital handheld device. It gives the user the capability of transferring data between the digital device and the personal computer, which can also be used as a backup in case data is lost when the battery drains.

PALM DEBUGGER

The Palm Debugger, used through Palm commands, usually carries out low-level system debugging.
This debugger is attached on all Palm devices and in the Palm OS Emulator. According to Fernandes (2003), there are two different modes that Palm PDAs can enter: Debug Mode and Console Mode. The Palm Debugger, which is included on all Palm handhelds, provides low-level system debugging for Palm applications. This describes Fernandes' (2003) first mode.

PDA FILE SYSTEM

In Palm OS technology, the use of Hot file system differs from the traditional system. According to the Palm memory architecture give a detailed illustration of the Palm OS memory structure and analyze the essential building blocks of the Palm memory. Figure 3 outlines the pattern view of the RAM, showing the layers of the dynamic RAM area and the storage RAM area.

[Figure 3 regions. Dynamic RAM: Interrupt Vectors; System Global; System Dynamic Allocation; Application Dynamic Allocation & Globals. Storage RAM: Remaining Memory]

Figure 3. Outlines the pattern view of the Dynamic RAM and the Storage RAM.

Dynamic RAM can be compared to the RAM in a typical personal computer system, but in Palm OS the size of the dynamic RAM area depends on the version of the OS and on the total available memory on the device, and it keeps changing continuously during the usage of the handheld device, whereas the remaining RAM is used as the storage RAM area, similar to using a disk drive.

FORENSICS AND PDA

With the increase of these powerful digital handheld devices, the methodologies and procedures in place for digital forensic analysis are being re-examined, re-considered and re-executed to adapt to the new age of digital handheld devices such as PDAs, portable digital music devices and mobile phones. In reconsidering the methodological approach to these new handheld devices, the two most crucial parts of a forensically sound examination are the acquisition stage and the authentication stage, as in any basic computer forensic analysis.
However, in the case of Palms this task is most delicate and important, as it should be carefully and correctly carried out to maximize accuracy on the Palm, which ties back to what was mentioned earlier: most PDAs depend on transitional storage. A crucial aspect of the PDA with respect to acquisition and analysis is the use of its memory, i.e. both the RAM and the ROM, for the storage of data and the OS. As RAM storage is volatile, the PDA is powered by a battery that keeps the memory alive and allows operations such as storing data on the PDA. Yet carrying out forensic analysis or acquisition on this device would be very risky, as such an operation would definitely require draining the battery power, hence causing all data in the RAM to be lost, just as a PC discards the data in RAM when it is switched off. Therefore much care and consideration should be given to the acquisition of PDAs, which are quite delicate handheld devices in comparison to personal computers.

FORENSIC TOOLKITS:

When it comes to forensic acquisition and analysis of PDAs, the variety and number of toolkits are very limited compared with PCs or workstations. The specialized toolkits are very limit