Service provider takeaway: Learn how to pull digital fingerprints and conduct other forensic analysis on alternate data storage devices in this chapter excerpt from Syngress Publishing's Alternate Data Storage Forensics.
In this chapter we will discuss the concept of conducting a forensic investigation on data that has been read, stored or manipulated on some type of mobile device. The techniques for investigating a mobile device are similar to that of our more traditional storage devices; however, there are some notable differences that we need to be aware of while collecting potential evidence.
PDA Background Information
A PDA is a handheld computing device that combines a multitude of functions and features, including general-purpose computing, telephony, fax and Internet access.
Additionally, a PDA can, and most often does, include networking or some other form of connectivity. Today a PDA is a powerful device: it can function as a cellular phone, fax sender, web browser and personal organizer. These devices have reached such a level of power and functionality that they are in essence a miniature computer.
Components of a PDA
The PDA has several components, and many more can be part of it; our intent here is to discuss only some of the more common ones. The first is the microprocessor; every PDA has some form of microprocessor. It is similar to any other microprocessor, the main difference being that it is constrained by the physical size of the device. Another component is some form of input device, the most common being the touch screen. In addition to these hardware components, an essential component is the operating system that runs the PDA's software.
As discussed previously, PDA forensics is very similar in its procedures and methodologies to any other form of forensics. Nevertheless, there are investigative methods specific to a PDA that you should use when performing a forensic investigation of one.
There are four main steps when it comes to performing a forensic investigation of a PDA. They are identified as follows:
1. Secure the evidence. It is essential to follow a process that has been approved by legal counsel to secure the PDA. When we seize the PDA we must take the PDA itself, its docking cradle and any external memory cards. This is probably one of the most difficult things to control, and it requires a thorough search for any and all memory cards: with the capacity of memory cards today, missing just one card can mean missing an extensive amount of evidence.
2. Acquire the evidence. As with any collection of evidence, you must create an exact (bit-for-bit) image of the device and its media to preserve the crime scene, and work from that image rather than from the original.
3. Examine the evidence. This is where we apply our tools to the image and look for potential evidence for our investigation.
4. Present the evidence. This step is usually completed by compiling an extensive report based on the investigation thus far.
Our job as a forensic examiner is not over at that point, because it is the examiner's responsibility to maintain the evidence. This consists of keeping it in a secure location and, unlike other devices, ensuring the PDA remains charged so that the data and information it holds are maintained in a constant state. Now let's discuss the investigative process in more detail.
Step 1: Examination
In the examination step of PDA forensics we first need to understand the potential sources of evidence. With a PDA these sources can be the device itself, the device cradle, the power supply and any other peripherals or media that the device being examined has come into contact with. In addition to these sources you should also investigate any device that has synchronized with the PDA you are examining.
Step 2: Identification
In the identification step of PDA forensics we start by identifying the type of device we are investigating. Once we have identified the device we then have to identify the operating system it is using. It is critical to the investigative process that we determine the operating system; furthermore, once we have identified it, keep in mind that the device could be running two operating systems. During the identification process several interfaces can assist us: the cradle interface, the manufacturer serial number, the cradle type and the power supply itself.
Step 3: Collection
During this part of the investigation it is imperative that we collect data and potential evidence from the memory devices that are part of, or suspected to be part of, the PDA under investigation. There are a multitude of such devices, so we will limit our discussion to a few: SD and MMC semiconductor cards, micro-drives and universal serial bus (USB) tokens. SD cards range in capacity from a few megabytes (MB) up to several gigabytes (GB), and USB tokens likewise range from a few MB up to multiple GB.
In addition to seizing and collecting the memory devices, we also have to collect the power leads, cables and any cradles that exist for the PDA. Extending the process further, it is imperative that we collect all types of information. This information is both volatile and non-volatile; consequently, we must give the volatile information priority during collection, because anything classified as volatile will not survive if the device is powered off or reset. Once the information has been captured, the PDA must be placed in an evidence bag and kept on a stable power supply throughout.
Step 4: Documentation
As with any component of the forensic process, it is critical that we maintain our documentation and "chain of custody." As we collect information and potential evidence, we need to record all visible data. Our records must document the case number and the date and time each item was collected. Additionally, the entire investigation area needs to be photographed, including any devices that can be connected to the PDA or currently are connected to it. Another part of the documentation process is to generate a report that describes in detail the entire forensic process you are performing; within it you need to annotate the state and status of the device in question during the collection process. The final step consists of accumulating all of the information and storing it in a secure and safe location.
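The acquisition and documentation steps above come down to one mechanical routine: copy the media bit for bit, hash both the source and the copy, and record who did it, when, and for which case. The Python below is an added example written for this page, not code from the book or its authors. It assumes the seized memory card is attached behind a hardware write-blocker and that its device path (for instance /dev/sdb on Linux, used here only as a placeholder) is known; because it only reads and writes ordinary paths, a plain file can stand in for the card when trying it offline.

```python
"""Added example (not from the book): image a seized memory card, verify the
copy by hash, and emit a chain-of-custody record.

Assumptions: the card sits behind a hardware write-blocker, the examiner
knows its device path, and the examiner has room on the evidence drive for
the image. A regular file works as the source for offline testing.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks; images need not fit in RAM


def _hash_file(path, algorithm="sha256"):
    """Hash an existing file in chunks so multi-gigabyte images are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, case_number, examiner, item_id):
    """Copy `source` byte for byte to `image_path`.

    The source is hashed as it is read, the written image is re-read and
    hashed independently, and the two digests are compared. Returns the
    acquisition record that goes into the chain-of-custody log.
    """
    started = datetime.now(timezone.utc)
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before we hash it back
    image_hash = _hash_file(image_path)
    return {
        "case_number": case_number,
        "item_id": item_id,  # evidence tag on the physical card
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "bytes_acquired": size,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": image_hash,
        "verified": image_hash == src_hash.hexdigest(),
        "acquired_at_utc": started.isoformat(),
        "completed_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def append_custody_log(record, log_path):
    """Append one JSON line per acquisition to the case's custody log."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")


def verify_image(image_path, expected_sha256):
    """Re-check a stored image later, e.g. before examination or at hand-over."""
    return _hash_file(image_path) == expected_sha256


if __name__ == "__main__":
    # Placeholder paths; on a real acquisition the source is the write-blocked card.
    rec = acquire_image("/dev/sdb", "/evidence/item01.dd", "CASE-0001",
                        "examiner name", "ITEM-01")
    append_custody_log(rec, "/evidence/custody.jsonl")
    print("verified" if rec["verified"] else "HASH MISMATCH")
```

Keep the returned record with the image: re-running verify_image before examination or at hand-over shows the image has not changed since acquisition, which is what the chain-of-custody log has to demonstrate. A card with unreadable sectors raises an OSError here rather than silently skipping data; for damaged media use an imaging tool that pads or logs bad blocks, and note that in the log as well.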
About the book
Alternate Data Storage Forensics explores forensic investigative analysis methods for alternate storage options. The book presents cutting-edge investigative methods from cyber-sleuth professionals. Purchase the book from Syngress Publishing.
Reprinted with permission from Syngress Publishing from Alternate Data Storage Forensics by Amber Schroader and Tyler Cohen (Syngress, 2007)
This was first published in July 2008