
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 5: Data, PDA, and Cell Phone Forensics.


Slide 1: Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin. Chapter 5: Data, PDA, and Cell Phone Forensics

Slide 2 (© Pearson Education, Computer Forensics: Principles and Practices): Objectives
- Recognize and identify types of drives and media storage devices
- Describe PDA and cellular phone technologies
- Explain techniques for acquiring and analyzing data from hard drives and other storage media

Slide 3: Objectives (Cont.)
- Describe techniques for acquiring and analyzing data from PDAs and cellular phones
- List and describe tools that can be used to analyze disk images, PDA data, and cellular phone data

Slide 4: Introduction
It is important to understand how the technology works in order to properly gather evidence from the different media devices. This chapter gives you the requisite understanding and then the tools to help in gathering the evidence from those devices.

Slide 5: Basic Hard Drive Technology
- Composition of hard drives
  - Platters
  - Heads
  - Cylinders
  - Sectors
- Locating hard drive geometry information
  - The label on the hard drive contains the drive geometry

Slide 6: Basic Hard Drive Technology (Cont.)
- Hard drive standards
  - ATA (advanced technology attachment)
  - ATAPI (advanced technology attachment programmable interface)
  - EIDE
  - IDE (integrated drive electronics)
  - PIO (programmable input/output)
  - UDMA (ultra direct memory access)
  - ATA speed rating
  - SATA (serial advanced technology attachment)

Slide 7: Other Storage Technologies
- Floppy disks
- Tape drive technologies
  - QIC, DAT, DLT
- ZIP and other high-capacity drives
- Optical media structures
  - Single session vs. multisession CDs
  - DVDs
- USB flash drives

Slide 8: Personal Digital Assistant Devices (PDAs)
Five major PDA operating systems:
- BlackBerry
- Open Embedded (Linux)
- PalmSource (Palm OS)
- Symbian (Psion)
- Windows Mobile (Pocket PC)

Slide 9: Cellular Phones
New phones are low-end computers with the following capabilities:
- PDA functionality
- Text messaging: SMS, EMS, MMS, IM
- Single photo and/or movie video capable
- Phonebook
- Call logs
- Subscriber identity module
- Global positioning systems
- Video streaming
- Audio players

Slide 10: Drive and Media Analysis
- Acquiring data from hard drives
  - Bit-stream transfer
  - Disk-to-disk imaging

Slide 11: Drive and Media Analysis (Cont.)
- Acquiring data from removable media
  - Document the scene
  - Use a static-proof container and label the container with:
    - Type of media
    - Where the media was found
    - Type of reader required for the media
  - Transport directly to the lab
  - Do not leave any media in a hot vehicle or environment
  - Store media in a secure and organized area

Slide 12: Drive and Media Analysis (Cont.)
- Acquiring data from removable media (cont.)
  - Once at the lab, make a working copy of the drive
    - Make sure the media is write-protected
    - Make a hash of the original drive and the duplicate
    - Make a copy of the duplicate to work from
    - Store the original media in a secure location
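The lab procedure on this slide (write-protect, duplicate, hash original and duplicate, work from a copy of the duplicate), carried out as a script. This is an added example, not code from the textbook; it assumes GNU coreutils (dd, sha256sum) and mktemp, and a constructed 64 KiB file stands in for the evidence drive so it runs offline.

```sh
#!/bin/sh
# Added example (not from the textbook): verified working copy of seized media.
# On a real case ORIGINAL is a block device behind a hardware write blocker;
# on Linux the software fallback is "blockdev --setro /dev/sdX". Here a
# constructed file stands in for the drive.
set -e

WORK=$(mktemp -d)
ORIGINAL="$WORK/original.bin"    # stand-in for the original, write-protected media
DUPLICATE="$WORK/duplicate.dd"   # forensic duplicate of the original
WORKING="$WORK/working.dd"       # copy of the duplicate; analysis happens here
LOG="$WORK/acquisition.log"      # hash record for the case notes

dd if=/dev/urandom of="$ORIGINAL" bs=1024 count=64 2>/dev/null  # constructed sample
chmod 0444 "$ORIGINAL"           # file-level write protection for the stand-in

# Print the SHA-256 digest of a file (digest only, no filename).
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Return 0 only when two files hash identically; record both digests either way,
# so a mismatch (e.g. unreadable sectors) is documented rather than lost.
verify_match() {
    h1=$(hash_of "$1"); h2=$(hash_of "$2")
    printf '%s  %s\n%s  %s\n' "$h1" "$1" "$h2" "$2" >> "$LOG"
    [ "$h1" = "$h2" ]
}

# Sector-by-sector copy of SRC to DST with dd, then hash verification.
# bs=512 is the sector size (a drive's size is a multiple of it), so
# conv=noerror,sync only pads sectors that actually failed to read.
acquire_and_verify() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    verify_match "$1" "$2"
}

acquire_and_verify "$ORIGINAL" "$DUPLICATE"   # duplicate of the original
acquire_and_verify "$DUPLICATE" "$WORKING"    # working copy made from the duplicate
echo "hashes recorded in $LOG; analyze $WORKING, keep $ORIGINAL and $DUPLICATE sealed"
```

Because of set -e, a hash mismatch at either step aborts the script before a working copy is handed to the examiner.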

Slide 13: Drive and Media Analysis (Cont.)
- Acquiring data from USB flash drives
  - Write-protect the drive
  - Software may be needed to write-protect
  - Essentially recognized much like a regular hard drive by the operating system

Slide 14: In Practice: PDA-Configured iPod Reveals Employee Theft
- Review of bank fees revealed that Joe had been skimming money
- Suspicion fell on the iPod that Joe had on his desk every day
- The iPod had been partitioned to hold both data and music

Slide 15: PDA Analysis
Guidelines for seizing PDAs:
- If already off, do not turn it on
- Seal in an envelope before putting it in an evidence bag to restrict access
- Attach the power adapter through the evidence bag to maintain the charge
- Keep the active state if the PDA is on when found

Slide 16: PDA Analysis (Cont.)
Guidelines for seizing PDAs (cont.):
- A search should be conducted for associated memory devices
- Any power leads, cables, or cradles relating to the PDA should also be seized, as well as manuals
- Anyone handling PDAs before their examination should treat them in such a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings

Slide 17: PDA Chain of Custody
Documentation of the chain of custody should answer the following:
- Who collected the device, media, and associated peripherals?
- How was the e-evidence collected and where was it located?
- Who took possession of it?
- How was it stored and protected while in storage?
- Who took it out of storage and why?

Slide 18: Secured PDA Device
- Ask the suspect what the password is
- Contact the manufacturer for backdoors or other useful information
- Search the Internet for known exploits for either a password crack or an exploit that goes around the password
- Call in a PDA professional who specializes in data recovery

Slide 19: Cellular Phone Analysis
- Determine which forensic software package will work with the suspect cellular phone
- Ascertain the connection method
- Some devices need to have certain protocols in place before acquisition begins
- Physically connect the cellular phone and the forensic workstation using the appropriate interface

Slide 20: Cellular Phone Analysis (Cont.)
- Before proceeding, make sure all equipment and basic data are in place
- Most software packages are GUI based and provide a wizard
- Once connected, follow the procedures to obtain a bit-stream copy
- Search for evidence and generate reports detailing findings

Slide 21: Disk Image Forensic Tools
- Guidance Software
- Paraben software
- FTK
- Logicube

Slide 22: PDA/Cellular Phone Forensic Software
- Tools for examining PDAs
  - EnCase and Palm OS software
  - PDA Seizure
  - Palm dd (pdd)
  - POSE (Palm OS Emulator)
  - PDA memory cards

Slide 23: PDA/Cellular Phone Forensic Software (Cont.)
- Tools for examining cellular phones
  - Bit PM
  - Cell Seizure
  - Oxygen PM
  - Pilot-link
  - Forensic SIM
  - SIMCon
  - SIMIS

Slide 24: PDA/Cellular Phone Forensic Software (Cont.)
- Tools for examining both PDAs and cellular phones
  - Paraben software
  - Logicube

Slide 25: Summary
You are most likely to encounter media devices such as:
- Hard drives
- Optical media (CDs)
- USB drives
- PDAs
- Cellular phones

Slide 26: Summary (Cont.)
- You learned how data is stored on these devices and methods for acquiring the data
- General guidelines for data acquisition are the same for most devices
- There are also specific guidelines depending on the type of device

Slide 27: Summary (Cont.)
- Guidance, Paraben, AccessData, and Logicube are suppliers of forensic software
  - Some software is specific to PDAs
  - Some can be used for several different types of data

