By Kevin Cardwell and Craig Wright
Service provider takeaway: Personal digital assistants (PDAs) are an excellent source of alternate storage. Learn how to conduct forensic analysis on the data hidden within the device in this section of the chapter excerpt from Syngress Publishing's Alternate Data Storage Forensics.
When it comes to a PDA, there are several things to consider while carrying out an investigation. The device can be managed and maintained by your suspect at all times: a PDA gives its owner immediate access 24 hours a day, 7 days a week. Another thing that makes your job as an investigator more challenging is that PDAs are immediate boot cycle devices. Having said that, it is important to remember that these devices typically contain a plethora of information and are a vault of evidence for the forensic examiner.
Device Switched On
When you begin your investigation process and discover that the PDA you want to process for evidence is in the "on" mode, it is imperative that you act immediately and get power to the PDA, so that it does not lose the volatile information that could quite possibly be essential to the evidence collection process.
Device Switched Off
If the device is in the off state, leave the device in this state, then switch the device on and take a picture of the device. Additionally, you need to note and record the current battery charge.
Device in its Cradle
Avoid any further communication activities with the device. Remove any connection from the PC. It is important to note that a sophisticated suspect might have a "tripwire" device: once you disconnect the PC, this could activate the device, which in turn could run a script that erases potential evidence. Despite this possibility, you have to disconnect the device to continue the investigation.
Device not in its Cradle
If the device is not in the cradle, our investigative requirements are much simpler, because there is no danger of a "tripwire" being triggered. With the device out of its cradle, we simply seize the cradle and any cords associated with it.
Avoid any further communication activities if at all possible. Eliminate any wireless activity by placing the device into an envelope that isolates it. This envelope also needs to provide anti-static protection, so that the device is not damaged.
Expansion Card in Slot
Do not initiate any contact that requires taking components off the device, or requires you to open the device in any way. This includes any and all peripheral devices and/or media cards of any type.
Expansion Sleeve Removed
The first thing to accomplish is to seize the sleeve itself; additionally, seize any and all related peripherals and media cards.
Deploying PDA Forensic Tools
When we conduct a forensic investigation, there is no shortage of tools available to us in general. Investigating handheld or PDA devices, however, does not offer as many tool choices as a typical forensic investigator will have.
Our first tool to discuss is PDA Secure. This tool offers enhanced password protection, along with encryption, device locking and data wiping. The PDA Secure tool allows administrators greater control over how handheld devices are used on networks. Additionally, it allows you to set a time and date range to monitor information such as network login traffic, infrared transmissions and any applications being used.
PDA Seizure is a comprehensive tool that assists us in seizing the PDA. It allows the data to be acquired, viewed and reported on. The tool works only within a Windows environment. It can extract both random access memory (RAM) and read-only memory (ROM). The tool has an easy-to-use graphical user interface (GUI), and includes the tools needed to investigate the files contained within the PDA.
PDA Seizure provides multi-platform support, and the forensic examiner can acquire and examine information on PDAs for both the Pocket PC and Palm OS platforms.
The PDA Seizure tool has a significant number of features, including forensic imaging tools, searches on data within acquired files, hashing for integrity protection of acquired files and bookmarking capability to assist the examiner in organizing information.
EnCase is one of the most popular commercial forensic tools available, and it can be used to acquire information and evidence from a PDA. EnCase can acquire images, and also includes tools that allow us to conduct complex investigations efficiently and accurately.
About the book
Alternate Data Storage Forensics explores forensic investigative analysis methods when dealing with alternate storage options. The book presents cutting-edge investigative methods from cyber-sleuth professionals. Purchase the book from Syngress Publishing.
Reprinted with permission from Syngress Publishing from Alternate Data Storage Forensics by Amber Schroader and Tyler Cohen (Syngress, 2007)
This was first published in July 2008