File000148

Transcript
  • 1. Module XXXV – PDA Forensics
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: Verizon Wireless to Host PDA and Smartphone Workshops at Union County Communications Store
    Source: http://www.itnewsonline.com/showprnstory.php?storyid=8112
  • 3. Module Objective
    This module will familiarize you with:
    • Personal Digital Assistants (PDAs)
    • Information Stored in PDAs
    • PDA Components
    • PDA Generic States
    • PDA Security Issues
    • PDA Forensics Steps
    • PDA Forensics Tools
    • Countermeasures
  • 4. Module Flow
    Personal Digital Assistants (PDAs) → Information Stored in PDAs → PDA Components → PDA Generic States → PDA Security Issues → PDA Forensics Steps → PDA Forensics Tools → Countermeasures
  • 5. Personal Digital Assistants (PDAs)
    A PDA is a handheld device that combines computing, telephone/fax, Internet, and networking features.
    Features:
    • Notes, calculator, clock, calendar, address book, and spreadsheet
    • Email and Internet access
    • Video and audio recording
    • Built-in infrared (i.e., IrDA), Bluetooth, and Wi-Fi ports
    • Radio and music players
    • Games
  • 6. Information Stored in PDAs
    (Chart: percentage of PDAs vs. type of information stored)
    While PDAs and smartphones can greatly enhance an employee's productivity, the amount of sensitive and confidential information stored on them increases the risk of information theft and potential losses to the organization.
  • 7. PDA Components
  • 8. PDA Characteristics
    Most types of PDAs have a microprocessor, read-only memory (ROM), random access memory (RAM), a variety of hardware keys and interfaces, and a touch-sensitive liquid crystal display.
    The operating system (OS) of the device is held in ROM. PDAs use different varieties of ROM, including Flash ROM, which can be erased and reprogrammed electronically.
    RAM, which normally contains user data, is kept active by batteries; failure or exhaustion of the batteries may cause information loss.
  • 9. PDA Characteristics (cont'd)
    The latest PDAs come equipped with system-level microprocessors that reduce the number of supporting chips required and include considerable memory capacity.
    Built-in Compact Flash (CF) and combination Secure Digital (SD)/MultiMedia Card (MMC) slots support memory cards and peripherals, such as a digital camera or wireless card.
    Wireless communications such as infrared (i.e., IrDA), Bluetooth, and Wi-Fi may also be built in.
  • 10. Generic PDA Hardware Diagram
    (Diagram: system-level processor chip and the generic core components of most PDAs)
  • 11. Palm OS
    Palm OS is an embedded operating system for personal digital assistants (PDAs), initially developed in 1996 by Palm Computing, Inc., then owned by U.S. Robotics.
    Early Palm OS devices used 16- and 32-bit processors based on the Motorola DragonBall MC68328 family of microprocessors, but recent devices use ARM architecture-based StrongARM and XScale microprocessors.
    Palm OS and built-in applications are stored in ROM, while application and user data are stored in RAM.
    Palm OS system software logically organizes the ROM and RAM of a handheld device into one or more memory modules known as cards.
  • 12. Palm OS (cont'd)
    The total available RAM store is divided into two logical areas:
    • Dynamic RAM, used as working space for temporary allocations
    • Storage RAM, which is analogous to disk storage on a typical desktop system
    Palm OS storage memory is arranged in chunks called "records," which are grouped into "databases."
    The Palm file format (PFF) conforms to one of the three types defined below:
    • Palm Database – A record database used to store application data, such as contact lists, or user-specific data
    • Palm Resource – A database similar to the Palm Database that contains application code and user interface objects
    • Palm Query Application – A database that contains World Wide Web content for use with Palm OS wireless devices
  • 13. Architecture of Palm OS Devices
    The architecture of Palm OS devices consists of the following layers:
    • Application
    • Operating System
    • Software API and Hardware Drivers
    • Hardware
  • 14. Architecture of Palm OS Devices (cont'd)
    The software Application Programming Interface (API) gives a degree of hardware independence to software developers, allowing applications to be executed under different hardware environments by recompiling the application.
    Developers have the freedom to bypass the API and directly access the processor, providing more control of the processor and its functionality.
    Palm OS does not implement permissions on code and data, so any application can access and modify data.
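The record/database layout on slide 12 is what an examiner meets when a Palm database is pulled from an image or a .pdb backup. The Python parser below is an added example (not code from the module or from any tool it names): it reads the 78-byte header and the record list of a .pdb file, keeps the per-record deleted flag visible (a deleted record normally still holds its bytes until the next HotSync purges it), and runs on a constructed sample database.

```python
"""Parse the header and record list of a Palm OS database (.pdb) file.

Added example, not code from the EC-Council module. It follows the public
Palm Database file layout: a 78-byte big-endian header, then one 8-byte
record-list entry per record (4-byte offset, 1-byte attributes, 3-byte
unique ID). The sample database is constructed for the example.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = ">32sHHIIIIII4s4sIIH"        # name, attrs, version, 3 dates, modnum,
HEADER_LEN = struct.calcsize(HEADER_FMT)  # appInfo, sortInfo, type, creator, ... = 78
RECORD_FMT = ">IB3s"                      # offset, attributes, unique ID (8 bytes)
PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

# Record attribute bits. A "deleted" record usually still holds its bytes
# until the next HotSync purges it, which is why examiners look for it.
REC_DELETED, REC_DIRTY, REC_BUSY, REC_SECRET = 0x80, 0x40, 0x20, 0x10


def palm_time(secs):
    """Seconds since 1904-01-01 (Palm convention) -> UTC datetime, or None."""
    return PALM_EPOCH + timedelta(seconds=secs) if secs else None


def parse_pdb(data):
    """Return the header fields and every record (with its raw bytes)."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    (name, _attrs, version, ctime, mtime, _btime, _modnum, _appinfo, _sortinfo,
     dbtype, creator, _seed, _next, nrec) = struct.unpack_from(HEADER_FMT, data)
    recs, pos = [], HEADER_LEN
    for i in range(nrec):
        if pos + 8 > len(data):
            raise ValueError("record list truncated at entry %d" % i)
        off, rattr, uid = struct.unpack_from(RECORD_FMT, data, pos)
        recs.append({"offset": off, "uid": int.from_bytes(uid, "big"),
                     "category": rattr & 0x0F,
                     "deleted": bool(rattr & REC_DELETED),
                     "secret": bool(rattr & REC_SECRET)})
        pos += 8
    # A record's bytes run from its offset to the next record's offset (or EOF);
    # offsets must be increasing and inside the file, otherwise the list is bogus.
    for i, r in enumerate(recs):
        end = recs[i + 1]["offset"] if i + 1 < len(recs) else len(data)
        if not HEADER_LEN <= r["offset"] <= end <= len(data):
            raise ValueError("record %d has an out-of-range offset" % i)
        r["data"] = data[r["offset"]:end]
    return {"name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "type": dbtype.decode("ascii", "replace"),
            "creator": creator.decode("ascii", "replace"),
            "version": version, "created": palm_time(ctime),
            "modified": palm_time(mtime), "records": recs}


def build_sample_pdb():
    """Constructed two-record address-style database; record 2 is flagged deleted."""
    payloads = [b"Alice\x00555-0100\x00", b"Bob\x00555-0199\x00"]
    nrec = len(payloads)
    pos = HEADER_LEN + 8 * nrec + 2          # 2 pad bytes follow the record list
    offsets = []
    for p in payloads:
        offsets.append(pos)
        pos += len(p)
    ctime = int((datetime(2008, 5, 1, tzinfo=timezone.utc) - PALM_EPOCH).total_seconds())
    header = struct.pack(HEADER_FMT, b"AddressDB", 0, 1, ctime, ctime, 0,
                         0, 0, 0, b"DATA", b"addr", 0, 0, nrec)
    entries = b"".join(
        struct.pack(RECORD_FMT, off, attr, uid.to_bytes(3, "big"))
        for off, attr, uid in zip(offsets, [0x00, REC_DELETED], [1, 2]))
    return header + entries + b"\x00\x00" + b"".join(payloads)


if __name__ == "__main__":
    db = parse_pdb(build_sample_pdb())
    print(db["name"], db["type"], db["creator"], db["created"])
    for r in db["records"]:
        print(r["uid"], "deleted" if r["deleted"] else "live", r["data"])
```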
  • 15. Pocket PC
    Windows CE (WinCE) is the operating system for handheld devices; it is augmented with additional functionality to produce Pocket PC (PPC).
    Pocket PC supports a multitasking and multithreaded environment.
    Pocket PC runs on a number of processors, but primarily appears on devices with XScale, ARM, or SHx processors.
    Various Pocket PC devices have ROM ranging from 32 to 64 MB and RAM ranging from 32 to 128 MB.
  • 16. Pocket PC (cont'd)
    PIM and other user data normally reside in RAM, while the operating system and support applications reside in ROM.
    An additional filestore can be allocated in unused ROM and made available for backing up files from RAM.
    One or more card slots, such as a Compact Flash (CF) or Secure Digital (SD) card slot, are typically supported.
    To prevent data loss when battery power is low, the lithium-ion battery must be recharged via the cradle or a power cable, or removed and replaced with a charged battery.
  • 17. Architecture for Windows Mobile
    The architecture for Windows Mobile consists of four layers: Application, Operating System, Original Equipment Manufacturer (OEM), and Hardware.
    The Original Equipment Manufacturer (OEM) Layer sits between the Operating System Layer and the Hardware Layer. It contains the OEM Adaptation Layer (OAL), which consists of a set of functions related to system startup, interrupt handling, power management, profiling, timer, and clock.
    • Application (Internet client services, user interface, …)
    • Operating System (kernel, core DLL, object store, GWES, device management)
    • Original Equipment Manufacturer (OEM) (OEM Adaptation Layer, drivers, configuration files)
    • Hardware (processor, memory, I/O, …)
  • 18. Architecture for Windows Mobile (cont'd)
    Within the Operating System Layer are the Windows Mobile kernel and device drivers, whose purpose is to manage and interface with hardware devices.
    Device drivers provide the linkage for the kernel to recognize the device and allow communications to be established between hardware and applications.
    The Graphics, Windowing, and Events Subsystem (GWES) is also part of the Operating System Layer and provides the interface between the user, the application, and the operating system. GWES handles messages, events, and the user's input from keyboard and mouse or stylus.
    The object store includes three types of persistent storage within the Operating System Layer: file system, registry, and property databases.
  • 19. Linux-based PDAs
    Linux is a multitasking, 32-bit operating system that supports multithreading.
    Linux-based PDAs rest on the open source model, which has the ability to engage the software development community to produce useful applications.
    The Linux-based PDA discussed here uses Embedix, an embedded Linux kernel from Lineo, and the Qtopia desktop environment from Trolltech for windowing and presentation technology.
    Embedix is based on a networked kernel with built-in support for Wi-Fi, Bluetooth, and wireless modem technologies, as well as associated security and encryption modules.
    The device has a StrongARM processor, 16 MB of ROM, 64 MB of RAM, and a 3.5-inch 240x320-pixel color LCD.
  • 20. Architecture of the Linux OS for PDAs
    The Linux kernel is composed of modular components and subsystems that include device drivers, protocols, and other component types.
    The kernel also includes the scheduler, the memory manager, the virtual filesystem, and the resource allocator.
    Processing proceeds from the system call interface to request service from the hardware. The hardware then provides the service to the kernel, returning results through the kernel to the system call interface.
  • 21. PDA Generic States
    The following four states provide a simple but comprehensive generic model that applies to most PDAs:
    • Nascent State: Devices are in the nascent state when received from the manufacturer; the device contains no user data and observes factory configuration settings
    • Active State: Devices in the active state are powered on, performing tasks, and able to be customized by the user, and have their filesystems populated with data
  • 22. PDA Generic States (cont'd)
    • Quiescent State: A dormant mode in which the device conserves battery life while maintaining user data and performing other background functions
    • Semi-Active State: A state partway between active and quiescent; it is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions
  • 23. PDA Security Issues
    • Password theft
    • Virus attacks
    • Data corruption
    • Vulnerabilities in running applications
    • Data theft
    • Wireless vulnerabilities
    • Theft of the device
  • 24. ActiveSync and HotSync Features
    ActiveSync:
    • ActiveSync synchronizes Windows-based PDAs and smartphones with the desktop computer
    • An ActiveSync handheld uses its cradle for connecting to the desktop PC
    • It can be protected with a password
    HotSync:
    • HotSync is the process of synchronizing elements between Palm OS devices and a desktop PC
    • Elements that are synchronized include:
      • Outlook inbox
      • Contacts list
      • Calendar
      • Tasks and Notes
  • 25. ActiveSync Attacks
    An attacker tries to get the ActiveSync password by:
    • Password sniffing
    • Brute force or dictionary attacks
    After obtaining the password, an attacker can steal private information or deliver malicious code.
  • 26. HotSync Attack
    When HotSync is enabled to synchronize elements, Palm OS opens TCP ports 14237 and 14238 as well as UDP port 14237.
    An attacker can open connections to these ports and access private information or send malicious code.
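Slide 26 names the ports network HotSync listens on; from the defender's side the useful check is whether any host other than the paired desktop ever reaches them. The Python below is an added example (not from the module) that runs that check over constructed firewall log lines; the key=value log format, the addresses and the pairing table are assumptions made for the example.

```python
"""Flag HotSync connections to a PDA from hosts other than its paired desktop.

Added example, not from the module. Palm OS network HotSync listens on TCP
14237/14238 and UDP 14237 (the ports named in the slide); ActiveSync's port
is not given there, so it is not checked. The firewall log format and the
addresses below are constructed for the example.
"""
import re
from collections import Counter

HOTSYNC_PORTS = {("tcp", 14237), ("tcp", 14238), ("udp", 14237)}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log: PDA 10.0.0.77 is paired with desktop 10.0.0.20;
# 192.168.5.9 is an unknown host that reaches the HotSync ports.
SAMPLE_LOG = """\
2008-05-01T09:58:10 proto=tcp src=10.0.0.20 dst=10.0.0.77 dport=14237 action=allow
2008-05-01T09:58:11 proto=tcp src=10.0.0.20 dst=10.0.0.77 dport=14238 action=allow
2008-05-01T10:02:44 proto=tcp src=192.168.5.9 dst=10.0.0.77 dport=14237 action=allow
2008-05-01T10:02:45 proto=udp src=192.168.5.9 dst=10.0.0.77 dport=14237 action=allow
2008-05-01T10:03:00 proto=tcp src=192.168.5.9 dst=10.0.0.77 dport=80 action=allow
2008-05-01T10:05:12 proto=tcp src=172.16.3.4 dst=10.0.0.77 dport=14237 action=deny
"""

PAIRINGS = {"10.0.0.77": {"10.0.0.20"}}   # PDA address -> approved desktops


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict; dport becomes an int."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    for key in ("proto", "src", "dst", "dport", "action"):
        if key not in rec:
            raise ValueError("missing field %r in: %s" % (key, line))
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def find_unexpected_hotsync(log_text, pairings):
    """Return allowed HotSync-port connections whose source is not the
    desktop paired with the destination PDA. Denied connections are
    skipped: the firewall (a countermeasure the module recommends) already
    stopped them. A PDA with no pairing entry gets every allowed
    HotSync connection flagged."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"], rec["dport"]) not in HOTSYNC_PORTS:
            continue
        if rec["action"] != "allow":
            continue
        if rec["src"] not in pairings.get(rec["dst"], set()):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged connections per (source, PDA) pair."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    for h in find_unexpected_hotsync(SAMPLE_LOG, PAIRINGS):
        print("%(ts)s unexpected %(proto)s/%(dport)d to %(dst)s from %(src)s" % h)
```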
  • 27. PDA Forensics
  • 28. PDA Forensic Steps
    • Secure and evaluate the scene
    • Seize the evidence
    • Identify the evidence
    • Preserve the evidence
    • Acquire the information
    • Examine and analyze the information
    • Document everything
    • Make the report
  • 29. Points to Remember while Conducting the Investigation
    If the device is switched on:
    • Preserve the device in an active state with sufficient power
    • Take a photograph of the device
    • If the charge is low, replace the battery or charge with a proper power adaptor
    • Maintain sufficient charge in the replacement batteries
    If the device is switched off:
    • Leave the device in the off state
    • Switch on the device and record the current battery charge
    • Take a photograph of the device
  • 30. Points to Remember while Conducting the Investigation (cont'd)
    If the device is in its cradle:
    • Avoid any further communication activities
    • Remove the USB/serial connection from the PC
    • Seize the cradle and cords
    If the device is not in its cradle:
    • Seize the cradle and cords
    If wireless is on/off:
    • Avoid further communication activities
    • Eliminate wireless activity by packing the device in an envelope, anti-static bag, and an isolation envelope
    • Take away wireless-enabled cards
  • 31. Points to Remember while Conducting the Investigation (cont'd)
    If a card is present in the expansion card slot:
    • Do not initiate any further activity on the device
    • Do not remove any peripheral/media card
    If no card is present in the expansion card slot:
    • Seize related peripheral/media cards
    If the expansion sleeve is removed:
    • Seize the expansion sleeve
    • Seize other related peripherals/media cards
  • 32. Secure and Evaluate the Scene
    • Provide security to all the individuals at the scene
    • Photograph the entire scene and all the evidence
    • Evaluate the scene and make a search plan
    • Protect the integrity of the traditional and electronic evidence
    • Secure all the evidence
    • Document everything at the scene
    • Prevent entry of unauthorized persons to the scene
  • 33. Seize the Evidence
    • Seize handheld and computer devices such as the PDA, device cradle, power supply, associated peripherals, media, and accessories
    • Seize memory devices such as SD, MMC, or CF semiconductor cards, microdrives, and USB tokens
    • Collect non-electronic evidence such as written passwords, handwritten notes, computer printouts, and so on
  • 34. Identify the Evidence
    Identify the type of device. Interfaces that allow identification of a device:
    • Cradle interface
    • Manufacturer serial number
    • Cradle type
    • Power supply
    Identify the type of operating system:
    • Some PDAs may run two operating systems
  • 35. Preserve the Evidence
    • Preserve the evidence in a secure place
    • Keep the PDA in an envelope and seal it to restrict physical access
    • Keep the evidence in a secure area, away from extreme temperatures and high humidity
    • Store the evidence away from magnetic sources, moisture, dust, physical shock, and static electricity
  • 36. Acquire the Information
    Acquisition is the process of imaging or extracting the information from a digital device or evidence and other peripheral devices.
    Use data acquisition tools such as PDA Seizure, and suitable techniques, to extract and image the information in the PDA.
    Collect both dynamic and volatile information:
    • Volatile information must be given priority
  • 37. Data Acquisition Techniques
    • Exploit "known authentication vulnerabilities" of the device and system
    • Apply brute force techniques to access the passwords of the device
    • Access the device information using a backdoor built in by the manufacturer
    • Extract data from memory chips independently of the device
    • Reverse engineer the device's operating system code to find and exploit a vulnerability
  • 38. Examine and Analyze the Information
    • Recover the hidden information
    • Use steganalysis tools such as Stegdetect to extract the hidden information
    • Check the images, videos, and document files
    • Check the timing of the files
    • Find out the author of files
    • Use cryptanalysis tools such as Crank and Jipher to reveal the encrypted information
    • Use password cracking tools such as Cain and Abel and hydra if the information is password protected
    • Use various video players to open the video files
  • 39. Examine and Analyze the Information (cont'd)
    From the analysis, find out:
    • What exactly happened?
    • When did the event occur?
    • Who was involved?
    • How did it occur?
    • How to detect and recover hidden information?
  • 40. Document Everything
    • Document all the results from examination and analysis
    • Document the following during labeling:
      • Case number
      • A precise description of the case
      • Date and time when the evidence was collected
    • Photograph and document all the devices connected to the PDA
    • Create a report documenting the state of the device during collection
    • Maintain a chain of custody
    • Preserve the documentation in a secure location
  • 41. Make the Report
    A forensic report may include the following:
    • Identity of the reporting agency
    • Case number
    • Name of the investigator
    • Date of the report
    • Descriptive list of items submitted for examination
    • Identity and signature of the examiner
    • Devices and set-up used in the examination
    • Brief description of examination steps
    • Documentation of the evidence and other supporting items
    • Details about the following findings:
      • Information about the files
      • Internet-related evidence
      • Data and image analysis
      • Techniques used for hiding and recovering the data
    • Report conclusion
  • 42. PDA Forensics Tools
  • 43. PDA Forensics Tools
    • PDA Secure
    • PDA Seizure
    • EnCase
    • SIM Card Seizure
    • Palm dd (pdd)
    • Duplicate Disk
    • Pocket PC Forensic Software
    • Mobile Phone Inspector
    • Memory Card Data Recovery Software
  • 44. PDA Secure
    PDA Secure offers the following features:
    • Enhanced password protection
    • Encryption
    • Device locking
    • Data wiping
    It allows administrators to have greater control over how handheld devices are used on networks.
    It allows administrators to set a time and date range to monitor network log-in attempts, infrared transmissions, and application usage.
  • 45. PDASecure: Screenshot
  • 46. Device Seizure
    Device Seizure has its roots in digital forensics, with such things as PDD (Palm dd command-line acquisition), deleted data recovery, full data dumps of certain cell phone models, logical and physical acquisitions of PDAs, data cable access, and advanced reporting.
    It can acquire the following data:
    • SMS history (text messages)
    • Deleted SMS (text messages)
    • Phonebook (both stored in the memory of the phone and on the SIM card)
    • Call history
    • Received calls
    • Dialed numbers
    • Missed calls
    • Call dates and durations
    • Datebook
    • Scheduler
  • 47. Device Seizure: Screenshot
  • 48. DS Lite
    Paraben's DS Lite is a Device Seizure and CSI Stick file viewing and analysis tool.
    Palm OS console mode is used to acquire memory card information and create a bit-for-bit image of the selected memory region.
    It can retrieve all user applications and databases.
  • 49. DS Lite: Screenshot
  • 50. EnCase
    EnCase is used for acquiring or imaging the evidence.
    EnCase software provides tools for investigators to conduct complex investigations with accuracy and efficiency.
    It stores evidence files on shared media for either data retention or examination.
  • 51. EnCase: Screenshot
  • 52. SIM Card Seizure
    SIM Card Seizure recovers deleted SMS/text messages and performs comprehensive analysis of SIM card data.
    It takes the SIM card acquisition and analysis components from Paraben's Device Seizure and puts them into a specialized SIM card forensic acquisition and analysis tool.
    Data acquired from SIM cards:
    • Phase ID
    • FDN – fixed numbers
    • SST – SIM service table
    • LND – last dialed numbers
    • ICCID – serial number
    • EXT1, EXT2 – dialing extensions
    • LP – preferred languages variable
    • SMSP – text message parameters
    • SPN – service provider name
    • CBMI – preferred network messages
    • MSISDN – subscriber phone number
    • LOCI – location information
    • Short dial number
    • BCCH – broadcast control channels
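Slide 52 lists the ICCID among the SIM elementary files a tool like SIM Card Seizure reads. The Python below is an added example (not from the module or from Paraben's tool) showing how the raw ICCID and IMSI bytes decode from their nibble-swapped BCD encoding and how the ICCID's Luhn check digit catches a misread byte; the sample bytes are constructed and are not real subscriber data.

```python
"""Decode the ICCID and IMSI read from a SIM's EF_ICCID and EF_IMSI files.

Added example, not from the module or from SIM Card Seizure. Both files
use nibble-swapped BCD: each byte carries two digits, low nibble first,
with 0xF as padding. EF_IMSI starts with a length byte, and the low
nibble of its first data byte holds a type/parity marker rather than a
digit (GSM 11.11 / 3GPP TS 31.102 layout). The sample bytes are constructed.
"""

# Constructed EF contents (not real subscriber data).
SAMPLE_ICCID = bytes.fromhex("981062103254769810F1")   # 10 bytes, 19 digits + pad
SAMPLE_IMSI = bytes.fromhex("083901511032547698")     # length byte + 8 data bytes


def swapped_bcd(raw):
    """Unpack nibble-swapped BCD digits, stopping at the first 0xF pad nibble."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return "".join(digits)
            if nib > 9:
                raise ValueError("non-BCD nibble 0x%X" % nib)
            digits.append(str(nib))
    return "".join(digits)


def luhn_ok(number):
    """ICCIDs end in a Luhn check digit; use it to catch misread bytes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(raw):
    """Return (iccid, luhn_valid) from the 10-byte EF_ICCID body."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID is 10 bytes, got %d" % len(raw))
    iccid = swapped_bcd(raw)
    return iccid, luhn_ok(iccid)


def decode_imsi(raw):
    """Return the IMSI digits from EF_IMSI (length byte + up to 8 data bytes)."""
    length = raw[0]
    if not 1 <= length <= 8 or len(raw) < 1 + length:
        raise ValueError("bad EF_IMSI length byte %d" % length)
    body = raw[1:1 + length]
    if body[0] & 0x07 != 0x01:               # b1-b3 = 001 marks the IMSI identity type
        raise ValueError("first byte is not an IMSI identity marker")
    odd = bool(body[0] & 0x08)               # b4: 1 = odd number of digits
    imsi = str(body[0] >> 4) + swapped_bcd(body[1:])
    if odd != (len(imsi) % 2 == 1):
        raise ValueError("digit count disagrees with parity bit")
    if len(imsi) > 15:
        raise ValueError("IMSI longer than 15 digits")
    return imsi


def sim_identity(ef_iccid, ef_imsi):
    """Summarise both files the way an examiner would record them."""
    iccid, ok = decode_iccid(ef_iccid)
    imsi = decode_imsi(ef_imsi)
    return {"iccid": iccid, "iccid_luhn_ok": ok, "imsi": imsi, "mcc": imsi[:3]}


if __name__ == "__main__":
    print(sim_identity(SAMPLE_ICCID, SAMPLE_IMSI))
```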
  • 53. SIM Card Seizure: Screenshot
  • 54. Palm dd (pdd)
    Palm dd is a Windows-based tool for Palm OS memory imaging and forensic acquisition.
    Palm OS console mode is used to acquire memory card information and create a bit-for-bit image of the selected memory region.
    It can retrieve all user applications and databases.
  • 55. Palm dd: Screenshot
  • 56. Duplicate Disk
    Duplicate Disk is a UNIX-based utility that creates a bit-by-bit image of the device.
    It executes directly on the PDA and can be invoked via a remote connection.
  • 57. Pocket PC Forensic Software
    Pocket PC Forensic Software is an investigator utility that allows examination of Windows-based Pocket PC and PDA mobile devices.
    It extracts files, database records, operating system registry records, and phone information.
    Features:
    • Shows details of the software and hardware architecture of the Pocket PC, such as OS type, version, processor architecture, memory usage, and related information
    • Extracts phonebook numbers, appointments, tasks, IMEI number, SIM information, contact details, phone model, manufacturer's details, and other related information
  • 58. Pocket PC Forensic Software: Screenshot
  • 59. Mobile Phone Inspector
    Mobile Phone Inspector provides detailed information on any mobile phone's memory and SIM memory status.
    The information includes the mobile manufacturer's name, mobile model number, mobile IMEI number, SIM IMSI number, signal quality, and battery status of any supported mobile phone.
    It also extracts the phonebook entries.
  • 60. Mobile Phone Inspector: Screenshot
  • 61. Memory Card Data Recovery Software
    Memory card data recovery software recovers and restores images, documents, pictures, photos, audio, video files, and folders from all major memory card storage media.
    Features:
    • Recovers data from PC Card, Compact Flash (I, II), SmartMedia, MultiMedia Card (MMC), Secure Digital card, Mini-SD card, Micro-SD card, and xD-Picture Card
    • Recovers data after formatting, accidental deletion, or any other type of logical corruption
    • Data retrieval support for Compact Flash memory cards, mobile Pocket PCs, PDAs, handheld computers, external mobile phone memory, pen drives, Memory Sticks, multimedia cards, and other similar devices
  • 62. Memory Card Data Recovery Software: Screenshot
  • 63. PDA Security Countermeasures
    • Install a firewall
    • Disable all HotSync and ActiveSync features when they are not in use
    • Use a strong password
    • Do not keep the passwords on the desktop PC
    • Install anti-virus software on the device
    • Encrypt the critical data on the device
    • Do not use untrusted Wi-Fi access points
  • 64. Summary
    • A PDA is a handheld device that combines computing, telephone/fax, Internet, and networking features
    • PDAs can function as a cellular phone, fax sender, web browser, and personal organizer
    • PDA forensics includes examination, identification, collection, and documentation
    • While investigating a PDA, it is necessary to secure, acquire, examine, present, and maintain the evidence