Hacking Exposed

by Aaron Philipp


  Figure 13-6 Mobile Contacts Database

  You’ll also have to contend with the fact that Word and Excel documents are converted to and from Mobile/Pocket Word and Mobile/Pocket Excel formats when the PDA is synched. Most Mobile/Pocket Word documents can be opened by MS Word without issue, but that’s not the case for Mobile/Pocket Excel documents. In these cases, you’ll need to take the exported .PXL document and convert it back to Excel format before you can view them outside of the PDA environment in MS Excel.

  If you don’t want to export files to look at them with the non-Mobile/Pocket versions for analysis purposes, the Device Seizure File Viewer pane will display the files adequately.

  Bookmarking Data with Device Seizure

  Bookmarking allows you to comment on part of the evidence you are reviewing. This allows you to quickly come back to that information when you need to continue your work, remember where you left off, or show the evidence to another person. You can bookmark data as you move through an investigation, which allows you to gather your findings and then proceed so when you finish you have the bigger picture in mind.

  Figure 13-7 Search Results for 156987

  As an example, searching the image based on the fictional project number 156987 has yielded one match, in a single .RTF document titled COMPANY XFZ – Project 156987 – USPTO – Intro Verbiage. That file was then bookmarked, as shown in Figure 13-7, in the Bookmarks pane, with the file contents displayed in the Text Viewer.

  By right-clicking any bookmark, you can choose an option from the context menu to review, edit, or delete any bookmark. Figure 13-8 shows the Edit Bookmark dialog that appears if you select Edit from the context menu.

  Running Associated Applications with Device Seizure

  As with most other forensic tools, Device Seizure lets you view relevant files in their associated applications. It’s always a plus to view files as they were meant to be displayed instead of in plaintext. Obviously, you can’t view files of interest in their associated applications if those programs aren’t loaded on your system, so the built-in viewer in Device Seizure can at least get you most of the way.

  To launch an associated program, find a document of interest, right-click it, and choose Open With from the context menu. At this point, the default application associated with the file extension will open and display the file. If no association is found, you can choose the application from a list.

  Figure 13-8 Edit Bookmark dialog

  Exporting Files with Device Seizure

  After reviewing some files, you may need to export copies of them from the image. To do so, in the Case pane, right-click the file and choose Export from the context menu. The file will be saved automatically to the Device Seizure folder.

  Reporting with Device Seizure

  Because it’s never over until the paperwork is done, let’s look at the Device Seizure reporting capabilities. Here’s how to generate a report:

  1. Click the Report icon on the toolbar, or choose File | Generate Report, to start the Device Seizure Report Wizard. Enter information about the case and yourself and click Next.

  Figure 13-9 Report Scheme Selection screen

  2. In the Report Scheme Selection screen, shown in Figure 13-9, select the format of the report from among the following options, and then click Next:

  • CSV: Simple *.csv Report

  • Text: Simple Text Report Scheme

  • HTML:

    • TreeView Report

    • Simple Report

    • Investigative Report

  The Investigative Report is specially designed for convenient printing of case data. It can include only the following information: case information, phone model information, phonebook/address book, SMS history, call logs, datebook/calendar, photos/images, unparsed data, and waypoints (for GPS).

  3. In the Report Mode Selection and Options screen, shown in Figure 13-10, select the report mode from the drop-down list that offers the following options, and then click Next:

  • Entire Case: All data (every file) from the image/case will be included in the report.

  • Selected Items Only: Only checked items will be included in the report.

  After you click Next, the report is generated. Since reports are generated in HTML or simple TXT formats, they can be modified with any HTML editor or imported into other applications to add a logo or verbiage such as confidentiality and handling instructions. Reports are automatically saved in the same directory as the case file.

  Figures 13-11 and 13-12 illustrate the default Device Seizure reports in TXT and HTML formats.

  Figure 13-10 Report Mode Selection and Options screen

  Figure 13-11 Device Seizure report in TXT format

  Figure 13-12 Device Seizure report in HTML format

  Analyzing Pocket/Mobile Outlook E-mail

  As mentioned, with Mobile Windows devices, e-mail is not kept in a container file such as a .PST or .DBX file. Instead, Pocket/Mobile Outlook uses a combination of databases in which to store e-mail.

  E-mails are kept in .MPB files, which are uniquely numbered and reside in the Windows | Messaging folder. Filenames look something like this: 0a0013438103102.mpb or 0e0011782810302.mpb. Opening these in Device Seizure will cause the internal File Viewer to open, and you will be able to see associated header information and text of the message.

  Attachment information is kept in the pmailAttachs database. Pocket Outlook truncates long e-mails and doesn’t download attachments unless the user goes back and marks the message for download. Then the remainder of the truncated body and any associated attachments will download and appear in the Text tab of the File Viewer, as shown in Figure 13-13. Pocket Outlook also stores Inbox, Outbox, Deleted Items, and other e-mail folders in separate files, which are identified in the pmailFolders file.

  Here are some examples of the data contained within an e-mail file:

  D.e.l.e.t.e.d. .I.t.e.m.s...f.l.d.r.1.0.0.1.9.7.c

  D.e.l.e.t.e.d. .I.t.e.m.s...f.l.d.r.1.0.0.1.3.d.5

  D.r.a.f.t.s...f.l.d.r.1.0.0.1.9.7.d

  D.r.a.f.t.s...f.l.d.r.1.0.0.1.3.d.6

  I.n.b.o.x...f.l.d.r.1.0.0.1.9.7.9

  I.n.b.o.x...f.l.d.r.1.0.0.1.3.d.2

  O.u.t.b.o.x...f.l.d.r.1.0.0.1.3.d.3

  O.u.t.b.o.x...f.l.d.r.1.0.0.1.9.7

  S.e.n.t. .I.t.e.m.s...f.l.d.r.1.0.0.1.9.7.b

  S.e.n.t. .I.t.e.m.s...f.l.d.r.1.0.0.1.3.d

  All you have to do is find the files and examine their contents to see information about the messages.

  Finally, we cannot discuss e-mail analysis without including a discussion of Web-based e-mail. More and more people understand that company e-mail systems are monitored, and they believe their private webmail accounts leave behind no traces. However, that’s not the case. Because you will find a Temporary Internet Files folder in a Mobile Windows device, as in other versions of the operating system, you can search across those files for copies of the HTML associated with webmail sessions. If any are found, accessing webmail is as easy as launching the associated web browser on your system directly from Device Seizure, or copying and pasting the HTML to a text editor if you prefer.

  Figure 13-13 Analyzing the attachment information

  You can also examine the Index.dat file or any cookies for references to webmail sites, as shown in Figure 13-14.

  In addition to e-mail, MS Outlook keeps track of appointments and tasks, which is not a feature found in Pocket Outlook. Instead, Mobile Windows keeps track of that information in a set of databases not associated with the Pocket Outlook interface.

  The database DB_notify_queue stores information for all timed activities that have not yet occurred, such as reminders and appointments, along with the application associated with each event. Here are some examples.

  This example was entered by my friend Richard when I let him borrow my PDA to “check his e-mail” as we passed the time waiting for Spider-Man 2 to start at midnight on the day it opened:

  C.A.L.E.N.D.A.R...E.X.E...R.i.c.h.a.r.d.s. .b.d.a.y..8.:.0.0. .A.M.-

  .1.1.:.3.0. .P.M. .8./.3.0./.0.4. .(.B.u.y.

  h.i.m..S.t.a.r.w.a.r.s..T.r.i.l.o.g.y..O.n..D.V.D.)...C.a.l.e.n.d.a.r.

  .R.e.m.i.n.d.e.r...A.l.a.r.m.1...w.a.v.

  Figure 13-14 Examining cookies with Device Seizure’s File Viewer

  This was my alarm to make sure I got my wife, Carol, a birthday gift in 2008 (a few days before her birthday, by the way):

  W.i.n.d.o.w.s..c.l.o.c.k...e.x.e...6.:.3.0. .A.M. . .7./.13./.0.8..Alarm ...

  A.l.a.r.m...A.l.a.r.m.1..C.A.L.N.O.T...E.X.E...A.p.p.R.u.n.A.t.T.i.m.e...A.p

  .p.R.u.n.A.t..T.i.m.e...x.e...6.:.3.0. .A.M. .7./.1.3./.0.8..

  Investigating Terminal Services

  Investigating possible use of the built-in Terminal Services Client in Mobile Windows is largely limited to obtaining the IP address and host name of any servers to which the software has attempted to connect. Because Terminal Services sessions are encrypted by default and the Terminal Services client does not keep a record of the session activities, there is no way to determine what specific actions a user took during the session. However, determining whether a terminal server connection was made could be significant in any case.

  You can search the registry for calls to rdpdr.dll, which should identify the host name of the terminal server and its associated license information.

  Some people may underemphasize the importance of Terminal Services, but it is actually one of the most powerful features around, because it’s a fully interactive session with the host system. In addition to examining the registry, you can look for an entry in Index.dat for TSWeb; this is the default site created by the Windows 2000 Terminal Services Web interface. It allows the user to interact with a terminal server and conduct a session through Internet Explorer, and it does not require any client software to be installed. Although Pocket Internet Explorer cannot load the ActiveX control required to run the Terminal Services Web interface, any clues about a user’s server connection attempts can prove valuable.

  Investigating MSN Messenger

  Investigating possible use of the built-in MSN Messenger client in Mobile Windows can also be done by searching the registry. The local client does not keep a session log; however, the registry does typically store text of the last session.

  A typical Messenger session found in the registry will look something like this:

  ..M.S.N.M.e.s.s.e.n.g.e.r.S.e.r.v.i.c.e....I.d.e.n.t.i.t.y.N.a.m.e...S.P.Y.@

  .C.o.m.p.3..c.o.m...S.P.Y.@.C.o.m.p.3...c.o.m. .(.E.-.m.a.i.l.

  .A.d.d.r.e.s.s. .N.o.t. .V.e.r.i.f.i.e.d.)...M.S.N. .M.e.s.s.e.n.g.e.r.

  S.e.r.v.i.c.e...P.r.e.s.e.t.M.s.g.s....*.I. .l.o.v.e. .m.y. .P.o.c.k.e.t.

  .P.C.!..&.C.a.l.l. .m.e. .l.a.t.e.r...

  ..D.e.f.a.u.l.t ...E.x.c.h.a.n...........M.S.N.S....P.a.s.s..U.s.e..P.U...<.C.o

  .m.p.E.m.p.l.1.@.C.o.m.p.a.n.y...c.o.m...........M.S.G.S.....,.m.e.s.s.e.n.g

  e.r...h.o.t.m.a.i.l...c.o.m..

  This brief bit of data encompasses a complete session between our two fictional characters, Spy and CompEmpl1, which breaks down like this:

  • Spy uses the PresetMsgs, which Microsoft refers to as My Text Messages in the user interface.

  • The conversation consists of “I love my Pocket PC!” and “Call me later.”

  • The server that handled the session was messenger.hotmail.com.
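  The dotted dumps quoted in this chapter (the pmailFolders records, the DB_notify_queue entries, and the Messenger session above) are UTF-16LE text as a hex viewer’s ASCII column shows it: every character is followed by a null byte that renders as a dot. The following Python is an added example, not code from the book or from Device Seizure; it rebuilds that view from constructed sample bytes, carves the wide strings back out the way `strings -el` would, and pairs each folder name with its fldr id. The sample layout (null-terminated strings laid back to back) is an assumption modeled on the dumps, not a documented file format.

```python
import re

def utf16z(text):
    """Encode text as a null-terminated UTF-16LE string (how Windows CE stores wide strings)."""
    return text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample blob, NOT data from a real device: the layout (folder name,
# then "fldr" + hex id, back to back) is an assumption modeled on the dumps in the text.
SAMPLE = (
    b"\x01\x00\x10\x00"                     # constructed header bytes
    + utf16z("Deleted Items") + utf16z("fldr100197c")
    + utf16z("Inbox") + utf16z("fldr1001979")
    + b"\x07\x00"                           # constructed filler
    + utf16z("PresetMsgs") + utf16z("I love my Pocket PC!") + utf16z("Call me later")
)

def dotted_view(data):
    """Render bytes like a hex viewer's ASCII column: printable ASCII stays,
    every other byte becomes '.', so UTF-16LE text shows as D.e.l.e.t.e.d..."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def carve_utf16le(data, min_chars=4):
    """Return (offset, text) for every run of at least min_chars printable
    ASCII-range UTF-16LE characters, at any byte alignment (like strings -el)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]

def folder_records(carved):
    """Map each folder name to the hex id of the 'fldr<hex>' string carved right after it."""
    records = {}
    for (_, name), (_, nxt) in zip(carved, carved[1:]):
        m = re.fullmatch(r"fldr([0-9a-fA-F]+)", nxt)
        if m:
            records[name] = m.group(1)
    return records

if __name__ == "__main__":
    # The first line printed matches the dotted style of the dumps in the text.
    print(dotted_view(SAMPLE))
    for offset, text in carve_utf16le(SAMPLE):
        print(f"{offset:6d}  {text}")
    print(folder_records(carve_utf16le(SAMPLE)))
```

Run against a raw registry hive, .mpb file or a full device image, the same carver recovers the PresetMsgs text and folder ids without the dots getting in the way of keyword searches.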

  Passwords and Other Security-related Stuff

  Investigators must often contend with a suspect who protects his data, or at least tries to do so. Like most everything else in the forensics world, this can be good news and bad news. Typically, if you encounter an encrypted Microsoft Word or Excel document during a PC forensic case, either the suspect must give you the passwords or you must decrypt them yourself.

  If the first option is unsuccessful or impossible, you can use one of many good tools to help you recover the passwords. Luckily for you (at least for now), you don’t have to contend with such issues with PDAs, because Pocket Word and Pocket Excel do not support passwords, and if you attempt to upload a password-protected Word or Excel file to a PDA, you’ll get an error message.

  That was the good news, and here’s the bad. Just as third-party security applications exist for PCs, apps exist for PDAs. Obviously, they serve legitimate needs, but that doesn’t make them any easier to love when you’re trying to find data in a case. At the top of any list in this category has to be PGP Mobile. The name says it all: PGP (Pretty Good Privacy) is synonymous with security, and PGP Mobile has complete OpenPGP RFC 2440 compatibility, along with a feature set almost identical to PGP for the desktop. Previous versions of PGP Mobile supported both Palm OS and Windows, but the latest version operates only with Windows Mobile Pocket PC Phone Edition 5 and Windows Mobile Professional 6 environments.

  Functionality in this software includes the following:

  • E-mail encryption

  • File encryption

  • Clipboard decryption and verification

  • Digital signatures

  • Complete interoperability with all current PGP products

  • PGP virtual disks

  • PGP Zip-compatible with PGP Desktop clients for Windows and Mac OS X

  As with other PGP products, the supported list of symmetric algorithms includes Advanced Encryption Standard (AES) up to 256-bit, International Data Encryption Algorithm (IDEA), Triple Data Encryption Standard (Triple DES), and CAST. Supported asymmetric algorithms include RSA up to 4096-bit, Diffie-Hellman, and Data Security Standard (DSS). Supported hash algorithms include MD5 and SHA-1.

  If you encounter files on a PDA that have been secured with PGP Mobile, as with its desktop cousins, you should just ignore them and keep on working, because there is nothing you can do with them at the present time.

  In addition to PGP, Hushmail supports mobile devices with its Hushmail Mobile product. The Hushmail Mobile application works much like regular Hushmail but without requiring Java. All the encryption operations take place on the Hushmail servers, and the connection between the servers and a mobile device is secured using Secure Sockets Layer (SSL) encryption.

  To determine whether someone has been using Hushmail, you should examine the Index.dat file for references to the hushmail.com Web site.

  PASSWORD-PROTECTED WINDOWS DEVICES

  Because ActiveSync is required for forensic examinations of a Mobile Windows device, you cannot bypass the Mobile Windows password scheme. When you attempt to connect to a password-protected Mobile Windows device, ActiveSync will prompt you for the device password.

  Collecting PDA Evidence on a Palm OS Device Using EnCase

  Another tool that can be used for acquisition and analysis of Palm-based devices is EnCase versions 3 and later. EnCase currently supports the following Palm models:

  • Palm IIIx, IIIxe

  • Palm V series

  • Palm VII series

  • Palm m series

  • Up to Palm OS 3.5

  If you’ve used EnCase to conduct forensics investigations in the past, or if you’ve read the preceding chapters in this book, you’ll be familiar with what we’re about to get into.

  Acquisition

  As with the previous acquisition example, make sure the Palm device is powered up, in the appropriate cradle, and correctly connected to your acquisition system via USB or a serial connection. If the Palm Desktop HotSync is installed on the acquisition system, it should be disabled.

  Acquisition of a Palm device in EnCase starts by launching EnCase and putting the device into Console (aka Debug) mode by entering the appropriate characters in the graffiti area. Then do the following:

  1. After the device is in Console mode, click the Add Device button.

  2. Select Local and click Palm Pilot in the Add Device dialog, as shown next:

  3. You will now be able to preview the contents of the device in the Cases tab, and you can navigate throughout the different files and/or apply search terms. If you then need to obtain a forensic image of the device, the process is the same as that with a hard disk.

  4. Find the icon of the Palm device in the Cases tab, right-click, and choose Acquire from the context menu.

  5. At this point, the wizard allows you to select a password, compression, and evidence file output path just as with any other media. Obviously, the time required to obtain the image will depend on the speed of your connection to the device, the amount of data, and your acquisition system’s resources.

  Analysis and reporting of a Palm-based device in EnCase is the same as with any other media, as referenced in Chapter 6, so you won’t have to read it all over again.

  Collecting Cell Phone Evidence Using Device Seizure

  In 2004, I started this section with “Although not conventionally thought of as a PDA by many people, the functionality of cell phones has increased so much over the years that it blurs the clear lines of definition. Yes, some integrated phone/PDAs are running on both the Palm and Mobile Windows platforms. However, most non-combination cell phones today come with many of the standard features that PDAs offer.” In just five years, 2004 has become “the good old days.” Today, the number of phones that don’t include smart phone functionality is the distinct minority and getting smaller every year.
