In this chapter, we will describe several types of mobile device collections, including Palm OS and Mobile Windows devices. We’ll look at various tools and discuss their analysis and reporting capabilities.
COLLECTING AND ANALYZING MOBILE DEVICE EVIDENCE
Before you can collect anything you must take physical custody of it, a topic that has already been covered in this book. Mobile devices are just like any other piece of electronic evidence and require all the same chain of custody, documentation, and proper handling procedures. However, you must meet additional requirements for PDAs that are not required for desktops, laptops, or servers.
The first requirement is power. Remember that, unlike other types of systems discussed in this book, some older mobile devices without nonvolatile (flash) memory store user-created files in RAM. The data on the ROM chip will survive if power is lost to the device, but data in RAM (that is, your evidence) will not survive. Therefore, you must ensure a constant supply of power to the device for as long as it’s in your custody. A great many people have endured the collection process, stored these devices in their evidence lockers, and left them in there with no power for weeks, only to find out that the batteries are dead when they get around to the acquisition stage. “Boss, I’ve got some bad news…” and the conversation can go only downhill from there.
Next are the peripherals. It’s important that you include entries in your collection checklists for the additional items you’ll need when dealing with mobile devices, such as the following:
• Cradle
• Power supply
• Cables
• Secure digital cards
• Compact flash memory
Just as you must think about collecting CDs from a desk where you seize a PC, you must think about collecting the storage media that mobile devices use.
If collecting the cradle and power supply at the scene is not possible for whatever reason, you must keep in mind that you don’t know exactly how long the device has been off the charger, and the device is running out of battery time. Therefore, you should include some mobile device peripherals as part of your standard deployment kit. If, however, you don’t have the budget to build an inventory of cradles and power supplies, vendors such as Paraben distribute collection kits that have all the cables and other items you’ll likely need.
If you are concerned about continued outside interaction with a mobile device, such as the remote wipe capability of a BlackBerry device, you might consider obtaining a Paraben StrongHold Bag, an evidence bag that blocks all electronic signals from entering or exiting the device.
Collecting Evidence Using Device Seizure
In mid-2006, Paraben Corporation replaced the separate Device Seizure and Cell Seizure products that were documented in the first edition of this book with the new combined Device Seizure 1.0 product. The company realized that, with the converging technologies used for these types of devices, PDAs and cell phones no longer needed to be treated as separate entities. Device Seizure has evolved over the years and now supports a much broader group of devices than those highlighted in the first edition of this book. Today, the list includes the following:
• PDAs
• Smart phones
• Cell phones
• GPS receivers
• Subscriber Identity Module (SIM)/memory cards
The Device Seizure product was designed with the realization that consumers have choices regarding what kind of mobile device and carrier services they can buy. Think about how many different phone choices you have when you go to the phone store today versus the choices available in 2004. Because so many different types of devices are supported by this tool, and because manufacturers handle data and functions differently from device to device, accessing information will probably require a specific plug-in to get the job done; in fact, some devices require multiple plug-ins.
The following basic types of plug-ins are used by Device Seizure:
• Logical plug-in Acquires specific types of data, typically whole files and databases, as the device’s own file system or database layer presents them.
• Physical plug-in Acquires a raw image of all data stored in the device memory or on the memory card, not just the files a logical plug-in parses, so deleted material and unallocated space come along with it.
For each type of device that’s supported, a specific plug-in has been created, although some plug-ins can be used for several types of devices. Plug-ins are located in the plugins subfolder of the Device Seizure installation folder. Table 13-1 lists some available plug-ins and their purposes.
Table 13-1 Plug-ins for Mobile Device Data Acquisition
That’s 37 plug-ins available now, and counting, with more being created all the time. Although I originally intended to document each type and its proper acquisition method, I soon realized that would not be practical when the page count hit 50-plus and I wasn’t even two-thirds of the way through. Rather than bore you with too much information, I will instead review two common systems: Palm-based and Windows-based devices.
I want to take this opportunity to reiterate something that hopefully became painfully evident if you read the table of plug-ins, as it did to me as I wrote it: you must contend with at least 37 different methods, each with its own nuances and procedures, to deal with an ever-growing number of mobile devices used by almost everyone on the planet. For a quick comparison: how many different methods can be used to acquire a hard drive? How many different things do you have to keep in mind to acquire one?
Acquisition of a Palm-based Device
Make sure the device is powered, is in the appropriate cradle, and is correctly connected to your acquisition system via either USB or a serial port. Then do the following:
1. Start Paraben’s Device Seizure Acquisition Wizard by clicking the Data Acquisition button or by choosing Tools | Data Acquisition.
2. When the Acquisition Wizard appears, click the Next button.
3. In the list, select Palm OS Based Devices. Click Next.
4. Select Autodetect. Click Next.
5. Select the port to which your device is connected. Click Next.
6. Select the type of data you want to acquire. Click Next.
If you are acquiring a Palm-based device for the first time, it’s strongly recommended that you select only Databases. If you do not choose this option, the device may become locked during the driver installation process before acquisition.
7. Define the additional parameters of data acquisition:
• Sort Images After Finish If this is checked, images from the acquired device will be added to the sorter automatically after the acquisition.
• Acquire Structure And Contents Of Files This checkbox appears for some types of PDAs and smart phones. If it is checked, all selected data will be acquired at once. Otherwise, only the structure of the data will be read.
8. To acquire a memory image, you need to put your device into console mode, also known as debug mode. To put the device in the console mode, do one of the following:
• If the device has a graffiti area, write the following combination there: l..2 (the shortcut stroke, a cursive lowercase L, followed by dot, dot, 2). It should look like what’s shown in Figure 13-1.
• If the device is a Handspring Visor using a serial connection, instead of the 1..2 command, write the shortcut l. (cursive lowercase L + dot), and then hold down the Up button while writing the number 2 (that is, l.2). Devices using a USB connection do not require this additional step.
• If the device has no graffiti area (which is the case with the Treo 650), use the special key combination, such as Search (shift)+Sync Mode, to put the device in console mode. Please note that this combination will depend on the model of your device, so check the documentation on the Web for the correct sequence if not specified here.
9. To acquire a logical image (databases), you need to put your device into the sync mode. Press the Sync button on the cradle or activate the sync mode through the screen dialog on the device.
If you’re acquiring a Palm-based device for the first time, the driver installation begins at this point and may lock the device. If you are acquiring the databases and the device becomes locked, click Cancel. If you are acquiring memory and the device becomes locked, power cycle the device. If the data acquisition finishes correctly, you will see the last page of the Data Acquisition Wizard. Click Finish.
Figure 13-1 Device Seizure Acquisition Wizard console mode dialog
How you get the Palm-based device into debug mode depends on the particular generation of the device. In some of the newer models, the process involves holding the DOWN scroll button and performing a soft reset, while continuing to hold the DOWN scroll button for another 10 seconds. If you happen to be working on a model that slides open to reveal the reset button on the back, you’ve got some extra fun in store. You’ll have to juggle the cradle, coordinate your finger on the DOWN scroll button, and stick a really small object in the reset hole without looking like a complete fool.
It is fairly easy to determine when the device is in debug mode based on the model. For older systems, you’ll hear a long tone, followed by a shorter tone. Newer systems show a blinking square in the upper-left corner of the screen.
After the acquisition is complete, a .PDS file is created and you can begin the analysis portion of the process.
Acquisition of a Windows-based Device
Unlike with Palm-based systems, Device Seizure does not load its own drivers to communicate with Windows CE/Mobile Windows devices. Instead it relies on Microsoft ActiveSync, which you must install on the acquisition system. Before you begin acquisition, make sure the device is powered and correctly connected to your acquisition system using a Guest partnership.
If you don’t use the Guest partnership, ActiveSync will start synchronizing the PDA with your acquisition system’s own data, writing to the evidence device and mixing its contents with yours.
1. Depending on the version of Windows CE/Mobile Windows loaded on the device you are acquiring, you will need to load the appropriate version of Microsoft ActiveSync:
• Windows CE 3.0 and lower: ActiveSync 3.7
• Windows CE 5.0 and higher: ActiveSync 4.5
• Mobile Windows: Latest version
2. Connect the device to the acquisition system.
3. ActiveSync starts automatically. If it does not, start it manually.
4. Select a Guest Partnership, and click Next to finish.
To begin Data Acquisition, follow these steps:
1. Click the Data Acquisition toolbar button or choose Tools | Data Acquisition in the Device Seizure interface to start the data acquisition process.
2. The Device Seizure Acquisition Wizard will guide you through the process. Click Next.
3. In the drop-down pick list, select the model of the device to acquire and the type of acquisition, physical or logical, and then click Next.
4. Select which data types you want to acquire from the device and click Next.
5. In the Summary of Your Selections dialog, as shown in Figure 13-2, you have one last chance to double-check the parameters for the acquisition. You’ll see two checkboxes:
• Fill the Sorter After Acquisition If checked, data from the acquired device will be added to the sorter automatically after acquisition.
• Acquire Structure And Contents Of Files This checkbox is available only for some device types. If checked, all selected data will be acquired at once. If it’s not checked, only the structure of the file system will be acquired and not the contents of the files.
Another difference from a Palm OS acquisition is the Device Seizure client file, a 4K .DLL that is placed on the device in the first available block of memory and removed at the end of the acquisition. Although inserting this file seems to violate one of the cornerstone rules of forensics, don’t alter the original media, the architecture of a Windows CE/Mobile Windows device requires this approach to obtain a copy of physical memory.
To counter the argument that key files found during your analysis could have been altered by the .DLL installation, do a logical file acquisition first. The .DLL is needed only for the physical memory acquisition, so if you hold a copy of the logical files with their MD5 hash values in a completely separate Device Seizure image taken before the physical acquisition, you can compare those values against the files recovered afterwards. A matching hash shows that a file’s contents were not altered between the two acquisitions. Two caveats apply: a hash covers file contents only, not file system timestamps or other metadata, and MD5 is no longer collision-resistant, so record a second hash such as SHA-256 alongside it where your tooling allows. Document both acquisitions and their order in your notes.
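The comparison described above, as an added example: this script is mine, not Paraben’s or the book’s. It builds a hash manifest of each logical export and reports which files are unchanged, modified, added or removed between the export taken before the client .DLL was pushed and the one taken afterwards. The file names and contents in demo() are constructed, and dsclient.dll is a hypothetical name for a leftover client file, not Device Seizure’s actual file name.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 matches what Device Seizure reports in its Properties pane; SHA-256 is
# recorded alongside it because MD5 is no longer collision-resistant.
HASHES = ("md5", "sha256")


def hash_file(path: Path) -> dict:
    """Digest one file with every algorithm in HASHES, reading in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in HASHES}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(export_dir: Path) -> dict:
    """Map each file's path relative to export_dir (forward slashes) to its digests."""
    return {
        p.relative_to(export_dir).as_posix(): hash_file(p)
        for p in sorted(export_dir.rglob("*"))
        if p.is_file()
    }


def compare_manifests(before: dict, after: dict) -> dict:
    """Classify every path seen in either manifest. Hashes cover file contents only,
    so a file whose timestamps changed but whose bytes did not is reported unchanged."""
    result = {"unchanged": [], "modified": [], "added": [], "removed": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            result["removed"].append(rel)
        elif rel not in before:
            result["added"].append(rel)
        elif before[rel] == after[rel]:
            result["unchanged"].append(rel)
        else:
            result["modified"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario (not real device data): two logical exports, one taken
    before the client .DLL was pushed and one after, with one file altered and one
    stray file left behind."""
    files = {
        "Contacts Database": b"Jane Doe\x00+1 555 0100\x00",
        "Windows/pmailFolders": b"Inbox\x00fldr1013d4\x00",
        "Windows/pmailAttachments": b"invoice.doc\x00\xd0\xcf\x11\xe0",
    }
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp, "logical_before"), Path(tmp, "logical_after")
        for root in (before, after):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        # Simulate one altered record and a leftover client file in the second export.
        (after / "Windows/pmailFolders").write_bytes(
            files["Windows/pmailFolders"] + b"Sent\x00fldr1013d5\x00")
        (after / "Windows/dsclient.dll").write_bytes(b"MZ\x90\x00")  # hypothetical name
        return compare_manifests(build_manifest(before), build_manifest(after))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {', '.join(paths) or '-'}")
```

Run build_manifest against the folder each Device Seizure image was exported to and keep the resulting dictionaries with the case file; the comparison can then be reproduced by anyone who questions the physical acquisition.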
Figure 13-2 Summary of Your Selections dialog
Analysis of a Windows-based Device
The Device Seizure interface includes several panes, as shown in Figure 13-3:
• Case pane Represents data stored in the case in a tree-view structure
• Sorter pane Lets you sort case data by 12 different file types, such as images, documents, multimedia, and so on
• Viewer pane Lets you view data in a Text Viewer, Hex Viewer, Image Viewer, and more
• Properties pane Shows properties of specific files, MD5 hash codes, size, and so on
• Attachments pane Shows files attached to the case
• Bookmarks pane Lists all bookmarked items within the case
• Search Results pane Lists results of searches performed
Figure 13-3 Device Seizure interface
As with other forensic tools, the real work gets done by searching.
To open the Find dialog box, do one of the following: choose Edit | Find, press CTRL-F, or click Find Data on the button bar.
The following options are available in the Find dialog to help you refine search results:
• Search Text You can perform text string searches (including Boolean) across all the acquired data.
• Match Whole Word Only the complete whole word will be returned—for example, a search on “stone” will not return “stones”.
• Match Case Defines whether to take capitalization into account—for example, a search on “stone” will not return “Stone”.
• Code Page Defines the encoding in which data will be searched, such as ASCII, UTF-8, and so on. You’ll find the available encodings by choosing Tools | Options and then opening the Encodings tab. To add more encodings, click the ellipsis (...) button to the right of the text field and check the ones you need.
• Locale Defines the locale in which data will be searched. You’ll find the available locales, such as en (English) or es (Spanish), by choosing Tools | Options and then opening the Locales tab. To add more locales, click the ellipsis (...) button to the right of the text field and check the ones you need.
Each row in the Search Results pane represents a different file in which the keyword is found, and each instance within the file is highlighted in the Text Viewer pane, as shown in Figure 13-4.
Figure 13-4 Text Viewer pane with highlighted entries
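An encoding-aware keyword search over a raw memory image, as an added example that is not part of the book or of Device Seizure. It shows why the Code Page setting matters: Windows CE stores registry and database strings as UTF-16LE, so an ASCII-only search for “stone” never hits them. SAMPLE_BLOB is a constructed fragment, and the match-case and whole-word options follow the Find dialog semantics described above.

```python
import re

# Encodings worth trying on a raw image: 8-bit (covers ASCII and most Latin text),
# UTF-8, and UTF-16LE, the native string format of Windows CE.
DEFAULT_ENCODINGS = ("latin-1", "utf-8", "utf-16-le")


def _word_guards(codec: str):
    """Lookaround guards for whole-word matching. Python's \\b only understands 8-bit
    word characters, so for UTF-16LE a 'word character' is an ASCII letter, digit or
    underscore followed by a NUL byte."""
    wordchar = rb"[A-Za-z0-9_]\x00" if codec.startswith("utf-16") else rb"[A-Za-z0-9_]"
    return rb"(?<!" + wordchar + rb")", rb"(?!" + wordchar + rb")"


def find_keyword(blob: bytes, keyword: str, encodings=DEFAULT_ENCODINGS,
                 match_case: bool = False, whole_word: bool = False) -> list:
    """Search a raw image for keyword under each encoding; returns hits sorted by
    offset. The same bytes found under two ASCII-compatible encodings (latin-1 and
    UTF-8 for an ASCII keyword) are reported once, under the first encoding tried."""
    hits = {}
    for codec in encodings:
        pattern = re.escape(keyword.encode(codec))  # raises if keyword is unencodable
        if whole_word:
            before, after = _word_guards(codec)
            pattern = before + pattern + after
        flags = 0 if match_case else re.IGNORECASE  # ASCII-only case folding on bytes
        for m in re.finditer(pattern, blob, flags):
            hits.setdefault(m.start(), {
                "offset": m.start(),
                "encoding": codec,
                "match": m.group(0).decode(codec),
            })
    return [hits[k] for k in sorted(hits)]


# Constructed sample image fragment (not real device data): an 8-bit contact string,
# a note in which the keyword is only part of a longer word, and a registry-style
# path stored as UTF-16LE.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"Contact: Stone Cold; "
    + b"notes=stones\x00"
    + b"\xff" * 8
    + "HKLM\\Software\\stone".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)


if __name__ == "__main__":
    for hit in find_keyword(SAMPLE_BLOB, "stone"):
        print(f"0x{hit['offset']:06x}  {hit['encoding']:<9} {hit['match']}")
```

An ASCII-only pass would report the two 8-bit hits and silently miss the UTF-16LE registry path; adding the whole-word guard drops the “stones” hit, and match-case drops the capitalised contact entry, leaving only the registry string.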
In addition to searching, you can also view files in a directory structure, as shown in Figure 13-5.
Analysis of a Palm-based Device
The naming conventions of Palm OS databases are straightforward and make it easy when you’re performing analysis for the first time. For example, NetworkDB is where network connection information such as Internet service provider (ISP), type of connection, username, and so on, are stored. It’s not difficult to guess what you’re likely to find in ToDoDB, MemoDB, and AddressDB.
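Since the exported databases are standard Palm OS PDB files, the header and record table can be read directly. Below is an added parser (mine, not Paraben’s or the book’s) built from the published Palm OS database layout. SAMPLE_PDB is a constructed MemoDB-style file, the 1904/Unix epoch heuristic in palm_time is an assumption borrowed from common PDB tools, and the creator code and record texts are sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Palm OS database (PDB) header and record-entry layouts, big-endian.
PDB_HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")   # 78-byte header
RECORD_ENTRY = struct.Struct(">IB3s")               # offset, attributes, 3-byte unique ID
PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

# Record attribute bits (dmRecAttr* in the Palm OS SDK); the low nibble is the category.
REC_DELETED, REC_DIRTY, REC_BUSY, REC_SECRET = 0x80, 0x40, 0x20, 0x10


def palm_time(value: int):
    """Palm stores seconds since 1904-01-01 UTC. Assumption (a heuristic used by
    common PDB tools, not from the book): a value with the high bit clear was written
    by desktop software using the Unix epoch instead."""
    if value == 0:
        return None
    if value & 0x80000000:
        return PALM_EPOCH + timedelta(seconds=value)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def parse_pdb(data: bytes) -> dict:
    """Parse an exported Palm database: header fields plus every record with its
    flags and payload. Records are delimited by the offsets in the record list."""
    if len(data) < PDB_HEADER.size:
        raise ValueError("too short to be a PDB file")
    (name, attrs, version, ctime, mtime, btime, modnum, appinfo, sortinfo,
     dbtype, creator, seed, nextlist, nrec) = PDB_HEADER.unpack_from(data, 0)
    entries = [RECORD_ENTRY.unpack_from(data, PDB_HEADER.size + i * RECORD_ENTRY.size)
               for i in range(nrec)]
    records = []
    for i, (off, rattrs, uid) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < nrec else len(data)
        payload = data[off:end] if off else b""   # purged records may carry no data
        records.append({
            "index": i,
            "uid": int.from_bytes(uid, "big"),
            "category": rattrs & 0x0F,
            "deleted": bool(rattrs & REC_DELETED),
            "dirty": bool(rattrs & REC_DIRTY),
            "busy": bool(rattrs & REC_BUSY),
            "secret": bool(rattrs & REC_SECRET),
            "data": payload,
            # Memo/to-do records are NUL-terminated text; other databases need their own decoder.
            "text": payload.split(b"\0", 1)[0].decode("latin-1"),
        })
    return {
        "name": name.rstrip(b"\0").decode("latin-1"),
        "type": dbtype.decode("latin-1"),
        "creator": creator.decode("latin-1"),
        "version": version,
        "created": palm_time(ctime),
        "modified": palm_time(mtime),
        "backed_up": palm_time(btime),
        "records": records,
    }


def build_pdb(name: str, dbtype: bytes, creator: bytes, records, created: datetime) -> bytes:
    """Assemble a PDB from (attributes, unique_id, payload) tuples; used here only
    to construct the sample below."""
    n = len(records)
    pos = PDB_HEADER.size + n * RECORD_ENTRY.size + 2    # two gap bytes follow the record list
    entries, body = [], b""
    for rattrs, uid, payload in records:
        entries.append(RECORD_ENTRY.pack(pos, rattrs, uid.to_bytes(3, "big")))
        body += payload
        pos += len(payload)
    stamp = int((created - PALM_EPOCH).total_seconds())
    header = PDB_HEADER.pack(name.encode("latin-1").ljust(32, b"\0"), 0, 0, stamp, stamp,
                             0, 0, 0, 0, dbtype, creator, 0, 0, n)
    return header + b"".join(entries) + b"\0\0" + body


# Constructed sample (not from a real device): a MemoDB with a normal record, a private
# record in category 1, and a deleted record whose payload was already purged.
SAMPLE_PDB = build_pdb(
    "MemoDB", b"DATA", b"memo",
    [
        (0x00, 0x000001, b"Meeting with vendor at 10\0"),
        (REC_SECRET | 0x01, 0x000002, b"Private: call accountant\0"),
        (REC_DELETED, 0x000003, b""),
    ],
    datetime(2007, 3, 15, 12, 0, tzinfo=timezone.utc),
)


if __name__ == "__main__":
    db = parse_pdb(SAMPLE_PDB)
    print(db["name"], db["type"], db["creator"], db["created"])
    for rec in db["records"]:
        flags = ",".join(f for f in ("deleted", "secret", "dirty", "busy") if rec[f]) or "-"
        print(rec["index"], rec["uid"], rec["category"], flags, repr(rec["text"]))
```

The record table is what makes deleted and private entries visible: a record flagged secret is hidden by the device’s own applications, and a record flagged deleted still occupies a slot (and sometimes its data) until the next sync purges it, so check the flags before concluding a database is empty.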
The Palm Operating System Emulator (POSE) allows the analyst to interact with and see the data as the original user did. The POSE interface displays a virtual device where you can select menus, open memos, access the calendar, and perform other tasks, as if you were working on a physical device.
Figure 13-5 Files in a directory
The process of launching a POSE session is fairly straightforward and begins by exporting the ROM image from the Device Seizure image file:
1. Export the ROM binary node to a file. Export the ROM binary node from the memory image, not the ROM folder from the databases.
2. Choose Tools | Palm Emulator.
3. In the Palm OS Emulator dialog, click New.
4. In the New Session dialog, choose Other from the ROM File drop-down list.
5. In the Choose ROM file dialog, select the appropriate ROM file.
6. Click OK to run the Palm Emulator.
Windows CE/Mobile Windows-based Devices vs. Palm Devices
Some of the differences between Palm and Windows device analysis stem from differences in device architecture. If you choose Acquire Registry, be prepared for the acquisition to take a long time; nevertheless, any good analyst knows the importance of being able to examine registry entries on any Windows-based system.
Other unique facets of Windows CE/Mobile Windows analysis come from the architecture itself. While Palm keeps everything in databases, Microsoft uses both databases and files, much like other versions of Windows, including dynamic link libraries (DLLs) and executable files.
If you acquire the memory, it can be searched like unallocated space in a Windows-based PC; however, complete files associated with any search results cannot be reconstructed.
Anyone who has done analysis of a Windows-based PC will be comfortable with a Windows CE/Mobile Windows analysis, so let’s take a closer look at that.
Some older versions of Mobile Windows included installations of Terminal Services client, MSN Messenger, Pocket Internet Explorer, and Pocket versions of Microsoft Office applications, including Word, Excel, and Outlook. However, starting with version 5, the Terminal Services client is no longer included.
Even if you’re comfortable analyzing Windows-based systems, you shouldn’t expect Mobile Windows/Windows CE analysis to be a walk in the park. You’ll find a list of Web sites visited in Index.dat, an Internet cache in the Temporary Internet Files folder, and a Cookies folder, and you’ll be able to analyze some of them the same way you did in other Windows environments. However, you won’t find e-mail in a .PST file; instead it is divided among different databases, with attachments in the pmailAttachments database. E-mail folders are maintained in the pmailFolders database, with references therein to the actual folders, which use a naming convention of fldr[NUMBER], such as fldr1013d4. You won’t find contacts in any .PST or .WAB file either; that information lives in the Contacts Database, as shown in Figure 13-6.
Hacking Exposed Page 29