File000148
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Verizon Wireless to Host PDA and
Smartphone Workshops at Union County
Communications Store
Source: http://www.itnewsonline.com/showprnstory.php?storyid=8112
- 3.
Module Objective
This module will familiarize you with:
• Personal Digital Assistants (PDAs)
• Information Stored in PDAs
• PDA Components
• PDA Generic States
• PDA Security Issues
• PDA Forensics Steps
• PDA Forensics Tools
• Countermeasures
- 4.
Module Flow
Personal Digital Assistants
(PDAs)
Information Stored in PDAs
PDA Components
PDA Generic States
PDA Security Issues
PDA Forensics Steps
PDA Forensics Tools
Countermeasures
- 5.
Personal Digital Assistants (PDAs)
A PDA is a handheld device that combines computing, telephone/fax, Internet,
and networking features
Features:
• Notes, calculator, clock, calendar, address book, and spreadsheet
• Emails and Internet access
• Video and audio recording
• Built-in infrared (i.e., IrDA), Bluetooth, and Wi-Fi ports
• Radio and music players
• Games
- 6.
Information Stored in PDAs
[Chart: percentage of PDAs vs. type of information stored]
While PDAs and smartphones can greatly enhance the employee's
productivity, the amount of sensitive and confidential information stored in
PDAs increases the risk of information theft and potential losses to the
organization
- 8.
PDA Characteristics
Most types of PDAs have a microprocessor, read only memory (ROM),
random access memory (RAM), a variety of hardware keys and
interfaces, and a touch-sensitive liquid crystal display
The operating system (OS) of the device is held in ROM
PDAs use different varieties of ROM, including Flash ROM, which can
be erased and reprogrammed electronically
RAM, which normally contains user data, is kept active by batteries;
failure or exhaustion of the batteries may cause information loss
- 9.
PDA Characteristics (cont’d)
Latest PDAs come equipped with system-level microprocessors that
reduce the number of supporting chips required and include
considerable memory capacity
Built-in Compact Flash (CF) and combination Secure Digital (SD)
/MultiMedia Card (MMC) slots support memory cards and
peripherals, such as a digital camera or wireless card
Wireless communications such as infrared (i.e., IrDA), Bluetooth,
and WiFi may also be built in
- 10.
Generic PDA Hardware Diagram
[Diagram: system-level processor chip and the generic core components of most PDAs]
- 11.
Palm OS
Palm OS is an embedded operating system initially developed in 1996 for personal
digital assistants (PDAs) by Palm Computing, Inc., then a subsidiary of U.S. Robotics
Early Palm OS devices used 16- and 32-bit processors based on the
Motorola DragonBall MC68328 family of microprocessors, but recent
devices use ARM architecture-based StrongARM and XScale
microprocessors
Palm OS and built-in applications are stored in ROM, while application
and user data are stored in RAM
Palm OS system software logically organizes the ROM and RAM of a
handheld device into one or more memory modules known as cards
- 12.
Palm OS (cont'd)
The total available RAM store is divided into two logical areas:
• Dynamic RAM, used as working space for temporary allocations
• Storage RAM, which is analogous to disk storage on a typical desktop system
Palm OS storage memory is arranged in chunks called "records," which are grouped
into "databases"
A Palm file format (PFF) file conforms to one of the three types defined below:
• Palm Database (PDB) – A record database used to store application data, such as contact lists, or user-specific data
• Palm Resource (PRC) – A database similar to the Palm Database that contains application code and user interface objects
• Palm Query Application (PQA) – A database that contains World Wide Web content for use with Palm OS wireless devices
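The record-and-database layout described above is what a forensic tool walks when it carves a Palm OS RAM image. The parser below is an added example written for this page, not code from EC-Council, Palm or any tool named in this module: it decodes the 78-byte PDB header and the 8-byte record list (field order and the record attribute bits follow the published Palm OS SDK layout), returns every record together with its deleted/private flags, and builds a small constructed three-record address database to run against. The 1904/1970 epoch heuristic in palm_time() is an assumption made here, not a rule from the specification.

```python
import struct
from datetime import datetime, timedelta

# Record attribute bits of the Palm OS Data Manager (dmRecAttr* in DataMgr.h).
REC_DELETE = 0x80   # marked deleted; bytes stay in storage RAM until a HotSync purges them
REC_DIRTY = 0x40    # modified since the last HotSync
REC_BUSY = 0x20     # currently in use by an application
REC_SECRET = 0x10   # "private" record, hidden from the UI unless private records are shown

# 78-byte big-endian PDB/PRC header, followed by one 8-byte entry per record.
PDB_HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
RECORD_ENTRY = struct.Struct(">IB3s")
PALM_EPOCH = datetime(1904, 1, 1)
UNIX_EPOCH = datetime(1970, 1, 1)


def palm_time(secs: int) -> datetime:
    """Palm timestamps count seconds since 1904-01-01, but some desktop tools write
    Unix-epoch values. Heuristic (an assumption of this example): 1904-based values
    later than 1972 have the high bit set, Unix-based values before 2038 do not."""
    epoch = PALM_EPOCH if secs & 0x80000000 else UNIX_EPOCH
    return epoch + timedelta(seconds=secs)


def parse_pdb(data: bytes) -> dict:
    """Parse a Palm database image into its header fields and records."""
    if len(data) < PDB_HEADER.size:
        raise ValueError("too short for a PDB header")
    (name, attrs, version, ctime, mtime, btime, modnum, appinfo, sortinfo,
     dbtype, creator, uidseed, nextlist, nrec) = PDB_HEADER.unpack_from(data, 0)
    if PDB_HEADER.size + nrec * RECORD_ENTRY.size > len(data):
        raise ValueError("record list runs past end of file")
    entries = []
    for i in range(nrec):
        off, flags, uid = RECORD_ENTRY.unpack_from(data, PDB_HEADER.size + i * RECORD_ENTRY.size)
        entries.append((off, flags, int.from_bytes(uid, "big")))
    records = []
    for i, (off, flags, uid) in enumerate(entries):
        # A record's bytes run from its offset to the next entry's offset (or EOF).
        end = entries[i + 1][0] if i + 1 < nrec else len(data)
        if not (PDB_HEADER.size <= off <= end <= len(data)):
            raise ValueError(f"record {i} has an out-of-range offset")
        records.append({
            "index": i, "uid": uid, "flags": flags,
            "deleted": bool(flags & REC_DELETE),
            "dirty": bool(flags & REC_DIRTY),
            "secret": bool(flags & REC_SECRET),
            "category": flags & 0x0F,      # low nibble is the record's category
            "data": data[off:end],
        })
    return {
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "type": dbtype.decode("ascii", "replace"),
        "creator": creator.decode("ascii", "replace"),
        "attributes": attrs, "version": version,
        "created": palm_time(ctime), "modified": palm_time(mtime),
        "app_info_offset": appinfo, "records": records,
    }


def recoverable_records(db: dict) -> list:
    """Records flagged deleted or private still carry their bytes: the forensic haul."""
    return [r for r in db["records"] if r["deleted"] or r["secret"]]


def build_sample_pdb() -> bytes:
    """Constructed three-record address database (not a real device dump)."""
    payloads = [b"Alice\x00555-0100\x00", b"Bob\x00555-0199\x00", b"Mallory\x00555-0123\x00"]
    flags = [REC_DIRTY, REC_DELETE, REC_SECRET | 1]   # Bob deleted, Mallory private, category 1
    first = PDB_HEADER.size + RECORD_ENTRY.size * len(payloads) + 2   # +2 gap bytes after the list
    offsets, pos = [], first
    for p in payloads:
        offsets.append(pos)
        pos += len(p)
    stamp = int((datetime(2008, 1, 1) - PALM_EPOCH).total_seconds())
    header = PDB_HEADER.pack(b"AddressDB".ljust(32, b"\x00"), 0, 1, stamp, stamp, 0, 3,
                             0, 0, b"DATA", b"addr", 0x1000, 0, len(payloads))
    entries = b"".join(RECORD_ENTRY.pack(o, f, (i + 1).to_bytes(3, "big"))
                       for i, (o, f) in enumerate(zip(offsets, flags)))
    return header + entries + b"\x00\x00" + b"".join(payloads)


if __name__ == "__main__":
    db = parse_pdb(build_sample_pdb())
    print(db["name"], db["type"], db["creator"], db["created"])
    for r in recoverable_records(db):
        print(r["index"], hex(r["flags"]), r["data"])
```

Records carrying the delete bit keep their bytes until the next HotSync purges them, which is one reason the investigation checklist later in this module says to stop any further communication or sync activity before acquisition.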
- 13.
Architecture of Palm OS Devices
The architecture of Palm OS devices consists of the following layers:
• Application
• Operating System
• Software API and Hardware Drivers
• Hardware
- 14.
Architecture of Palm OS Devices (cont’d)
The software Application Programming Interface (API) gives a
degree of hardware independence to software developers, allowing
applications to be executed under different hardware environments
by recompiling the application
Developers have the freedom to bypass the API and directly access
the processor, providing more control of the processor and its
functionality
The Palm OS does not implement permissions on code and data, so
any application can access and modify data
- 15.
Pocket PC
Windows CE (WinCE) is the operating system for the
handheld devices which is augmented with additional
functionality to produce Pocket PC (PPC)
Pocket PC supports a multitasking and multithreaded
environment
Pocket PC runs on a number of processors, but primarily
appears on devices having Xscale, ARM, or SHx
processors
Various Pocket PC devices have ROM ranging from 32 to
64MB and RAM ranging from 32 to 128MB
- 16.
Pocket PC (cont'd)
PIM and other user data normally reside in RAM, while the
operating system and support applications reside in ROM
An additional filestore can be allocated in unused ROM and
made available for backing up files from RAM
One or more card slots, such as a Compact Flash (CF) or Secure
Digital (SD) card slot, are typically supported
To prevent data loss when battery power is low, the lithium-ion
battery must be recharged via the cradle or a power cable, or
removed and replaced with a charged battery
- 17.
Architecture for Windows Mobile
The architecture for Windows Mobile consists of four layers, i.e., Application, Operating
System, Original Equipment Manufacturer (OEM), and Hardware
The Original Equipment Manufacturer (OEM) layer is the layer between the Operating
System layer and the Hardware layer
It contains the OEM Adaptation Layer (OAL), which consists of a set of functions related
to system startup, interrupt handling, power management, profiling, timer, and clock
• Application (Internet client services, user interface, ...)
• Operating System (kernel, core DLL, object store, GWES, device management)
• Original Equipment Manufacturer (OEM) (OEM Adaptation Layer, drivers, configuration files)
• Hardware (processor, memory, I/O, ...)
- 18.
Architecture for Windows Mobile (cont'd)
Within the Operating System Layer are the Windows mobile
kernel and device drivers, whose purpose is to manage and
interface with hardware devices
Device drivers provide the linkage for the kernel to recognize the
device and allow communications to be established between
hardware and applications
The Graphics, Windowing, and Events Subsystem (GWES) is also
a part of the Operating System Layer and provides the interface
between the user, the application, and the operating system
GWES handles messages, events, and the user’s input from
keyboard and mouse or stylus
The object store includes three types of persistent storage within
the Operating System Layer: file system, registry, and property
databases
- 19.
Linux-based PDAs
Linux is a multitasking, 32-bit operating system that supports
multithreading
Linux-based PDAs rest on the open source model, which has the ability to
engage the software development community to produce useful
applications
The Linux-based PDA described here uses Embedix, an embedded Linux kernel from Lineo,
and the Qtopia desktop environment from Trolltech for windowing and
presentation technology
Embedix is based on a networked kernel with built-in support for WiFi,
Bluetooth, and wireless modem technologies, as well as associated security
and encryption modules
The device has a StrongARM processor, 16 MB of ROM, 64 MB of RAM,
and a 3.5-inch 240x320-pixel color LCD
- 20.
Architecture of the Linux OS for PDAs
The Linux kernel is composed of modular
components and subsystems that include device
drivers, protocols, and other component types
The kernel also includes the scheduler, the memory
manager, the virtual filesystem, and the resource
allocator
Processing proceeds from the system call interface
to request service from the hardware
The hardware then provides the service to the
kernel, returning results through the kernel to the
system call interface
- 21.
PDA Generic States
The following four states provide a simple but comprehensive generic model that applies
to most PDAs:
Nascent State:
• Devices are in the nascent state when received from the manufacturer; the
device contains no user data and observes factory configuration settings
Active State:
• Devices in the active state are powered on, performing tasks, able to be
customized by the user, and have their filesystems populated with data
- 22.
PDA Generic States (cont'd)
Quiescent State:
• A dormant mode in which the device conserves battery life while
maintaining user data and performing other background functions
Semi-Active State:
• A state partway between active and quiescent; it is reached by a timer
triggered after a period of inactivity, allowing battery life to be preserved
by dimming the display and taking other appropriate actions
- 23.
PDA Security Issues
Password theft
Virus attacks
Data corruption
Vulnerabilities in applications running
Data theft
Wireless vulnerabilities
Theft of the device
- 24.
ActiveSync and HotSync Features
ActiveSync:
• ActiveSync synchronizes Windows-based PDAs and smartphones with the desktop computer
• An ActiveSync handheld uses its cradle for connecting to the desktop PC
• It can be protected with a password
HotSync:
• HotSync is the process of synchronizing elements between Palm OS devices and a desktop PC
• Elements that are synchronized include:
• Outlook inbox
• Contacts list
• Calendar
• Tasks and Notes
- 25.
ActiveSync Attacks
An attacker tries to get the ActiveSync password by:
• Password sniffing
• Brute force or dictionary attacks
After obtaining the password, an attacker can steal private
information or unleash malicious code
- 26.
HotSync Attack
When network HotSync is enabled, the Palm OS device opens TCP ports 14237 and 14238
as well as UDP port 14237
An attacker can open connections to these ports and access private
information or send malicious code
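Because the HotSync ports are fixed, connections to them are easy to spot in firewall or flow logs. The detection below is an added example written for this page, not a product rule or the module's own code: it parses a constructed log format (the line layout is invented for the example), flags any flow to the three HotSync ports from a host outside an assumed sync-workstation subnet (10.0.5.0/24 is a placeholder), and groups hits by source so that a host sweeping all three ports stands out from a single stray connection.

```python
import re
from ipaddress import ip_address, ip_network

# Ports the Palm OS device listens on while network HotSync is enabled (from the slide above).
HOTSYNC_PORTS = {("tcp", 14237), ("tcp", 14238), ("udp", 14237)}

# Assumed policy for this example: handhelds may only sync with workstations on this subnet.
SYNC_WORKSTATIONS = [ip_network("10.0.5.0/24")]

# Assumed firewall log layout (constructed for this example, not any vendor's format):
#   <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return a flow dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "action": m["action"], "proto": m["proto"].lower(),
        "src": ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
    }


def is_rogue_hotsync(flow: dict) -> bool:
    """A HotSync-port connection from any host that is not an approved sync workstation."""
    if (flow["proto"], flow["dport"]) not in HOTSYNC_PORTS:
        return False
    return not any(flow["src"] in net for net in SYNC_WORKSTATIONS)


def find_rogue_hotsync(lines) -> list:
    """Scan log lines and return the flows worth alerting on, in log order."""
    alerts = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None and is_rogue_hotsync(flow):
            alerts.append(flow)
    return alerts


def summarize_by_source(alerts) -> dict:
    """Map each offending source to the set of HotSync ports it touched: a source that
    hits all three is probing the sync service, not stumbling into one port."""
    out = {}
    for a in alerts:
        out.setdefault(str(a["src"]), set()).add((a["proto"], a["dport"]))
    return out


# Constructed sample: one legitimate sync from the workstation subnet, one host probing
# all three HotSync ports, an unrelated HTTP flow, UDP to a port HotSync does not use,
# and one malformed line.
SAMPLE_LOG = [
    "2008-03-04T10:21:07Z ACCEPT TCP 10.0.5.23:51234 -> 10.0.7.9:14237",
    "2008-03-04T10:22:41Z ACCEPT TCP 172.16.40.8:40001 -> 10.0.7.9:14237",
    "2008-03-04T10:22:42Z ACCEPT UDP 172.16.40.8:40002 -> 10.0.7.9:14237",
    "2008-03-04T10:23:00Z ACCEPT TCP 172.16.40.8:40003 -> 10.0.7.9:80",
    "2008-03-04T10:23:05Z ACCEPT TCP 172.16.40.8:40004 -> 10.0.7.9:14238",
    "2008-03-04T10:24:00Z ACCEPT UDP 172.16.40.8:40005 -> 10.0.7.9:14238",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for src, ports in summarize_by_source(find_rogue_hotsync(SAMPLE_LOG)).items():
        print(src, sorted(ports))
```

The same allowlist idea is the practical form of the countermeasure at the end of this module: if HotSync is only needed from one workstation, every other source hitting those ports is either misconfiguration or an attacker.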
- 28.
PDA Forensic Steps
Secure and evaluate the scene
Seize the evidence
Identify the evidence
Preserve the evidence
Acquire the information
Examine and analyze the information
Document everything
Make the report
- 29.
Points to Remember while Conducting the Investigation
If the device is switched on:
• Preserve the device in an active state with sufficient power
• Take a photograph of the device
• If the charge is low, then replace the battery or charge with a proper power adaptor
• Maintain sufficient charge in the replacement batteries
If the device is switched off:
• Leave the device in the off state until it can be examined
• When the device is switched on, record the current battery charge
• Take a photograph of the device
- 30.
Points to Remember while Conducting the Investigation (cont'd)
If the device is in its cradle:
• Avoid any further communication activities
• Remove the USB/serial connection from the PC
• Seize the cradle and cords
If the device is not in its cradle:
• Seize the cradle and cords
If wireless is on or off:
• Avoid further communication activities
• Eliminate wireless activity by packing the device in an envelope, anti-static bag, and an isolation envelope
• Take away wireless-enabled cards
- 31.
Points to Remember while Conducting the Investigation (cont'd)
If a card is present in the expansion card slot:
• Do not initiate any further activity inside the device
• Do not remove any peripheral/media card
If no card is present in the expansion card slot:
• Seize related peripheral/media cards
If the expansion sleeve is removed:
• Seize the expansion sleeve
• Seize other related peripherals/media cards
- 32.
Secure and Evaluate the Scene
Provide security to all the individuals at the scene
Photograph the entire scene and all the evidence
Evaluate the scene and make a search plan
Protect the integrity of the traditional and electronic evidence
Secure all the evidence
Document everything at the scene
Avoid entry of unauthorized person at the scene
- 33.
Seize the Evidence
Seize handheld and computer devices such as PDA device, device cradle,
power supply, associated peripherals, media, and accessories
Seize the memory devices such as SD, MMC, or CF semiconductor cards,
microdrives, and USB tokens
Collect non-electronic evidence such as written passwords, handwritten
notes, computer printouts, and so on
- 34.
Identify the Evidence
Identify the type of operating system:
• Some PDAs may run two operating systems
Identify the type of device
Interfaces that allow identification of a device:
• Cradle interface
• Manufacturer serial number
• The cradle type
• Power supply
- 35.
Preserve the Evidence
Preserve the evidence in a secure place
Keep the PDA in an envelope and seal it to restrict physical
access
Keep the evidence in a secure area and away from
extreme temperatures and high humidity
Store the evidence away from magnetic sources,
moisture, dust, physical shock, and static electricity
- 36.
Acquire the Information
Acquisition is the process of imaging or extracting
the information from a digital device or evidence
and other peripheral devices
Use data acquisition tools such as PDA Seizure
and techniques to extract and image information in
the PDAs
Collect both non-volatile and volatile information
• Volatile information must be given priority
- 37.
Data Acquisition Techniques
Exploit known authentication vulnerabilities of the device
and system
Apply brute force techniques to recover the passwords of the
device
Access device information using a backdoor built in by the
manufacturer
Extract data from memory chips independently of the device
Reverse engineer the device operating system's code to find
and exploit a vulnerability
- 38.
Examine and Analyze the Information
Recover the hidden information
Use the steganalysis tools such as Stegdetect to extract the hidden information
Check the images, videos, and document files
Check the timing of the files
Find out the author of files
Use cryptanalysis tools such as Crank and Jipher to reveal the encrypted information
Use the password cracking tools such as Cain and Abel and hydra, if the information is
password protected
Use various video players to open the video files
- 39.
Examine and Analyze the Information (cont'd)
From the analysis, find out:
What exactly happened?
When did the event occur?
Who was involved?
How did it occur?
How to detect and recover hidden information?
- 40.
Document Everything
Document all the results from examination and analysis
Document the following during labeling:
• Case number
• A precise description of the case
• Date and time when the evidence was collected
Photograph and document all the devices connected to the PDA
Create a report documenting the state of the device during collection
Maintain a chain of custody
Preserve the documentation in a secure location
- 41.
Make the Report
A forensic report may include the following:
• Identity of the reporting agency
• Case number
• Name of investigator
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Devices and set-up used in the examination
• Brief description of examination steps
• Documentation of the evidence and other supporting items
• Details about the following findings:
• Information about the files
• Internet-related evidence
• Data and image analysis
• Techniques used for hiding and recovering the data
• Report conclusion
- 43.
PDA Forensics Tools
PDA Secure
PDA Seizure
EnCase
SIM Card Seizure
Palm dd (pdd)
Duplicate Disk
Pocket PC Forensic Software
Mobile Phone Inspector
Memory Card Data Recovery Software
- 44.
PDA Secure
PDA Secure offers the following features:
• Enhanced password protection
• Encryption
• Device locking
• Data wiping
It allows administrators to have greater control over how handheld
devices are used on networks
It allows administrators to set a time and date range to monitor
network log-in attempts, infrared transmissions, and application
usage
- 46.
Device Seizure
Device Seizure has its roots in digital forensics with such things as PDD (Palm DD
command line acquisition), deleted data recovery, full data dumps of certain cell phone
models, logical and physical acquisitions of PDAs, data cable access, and advanced
reporting
It can acquire the following data:
• SMS History (Text Messages)
• Deleted SMS (Text Messages)
• Phonebook (both stored in the memory of the phone and on the SIM card)
• Call History
• Received Calls
• Dialed Numbers
• Missed calls
• Call Dates & Durations
• Datebook
• Scheduler
- 48.
DS Lite
Paraben's DS Lite is a Device Seizure and CSI Stick file viewing and analysis
tool
- 50.
EnCase
EnCase is used for acquiring or imaging the evidence
EnCase software provides tools for the investigators to conduct complex
investigations with accuracy and efficiency
It stores evidence files on shared media for either data retention or
examination
- 52.
SIM Card Seizure
SIM Card Seizure recovers deleted SMS/text messages and performs comprehensive
analysis of SIM card data
It takes the SIM card acquisition and analysis components from Paraben's Device
Seizure and puts them into a specialized SIM card forensic acquisition and analysis tool
Data acquired from SIM cards:
• Phase ID
• SST: SIM service table
• ICCID: serial number
• LP: preferred languages variable
• SPN: service provider name
• MSISDN: subscriber phone number
• Short dial number
• FDN: fixed numbers
• LND: last dialed numbers
• EXT1, EXT2: dialing extensions
• SMSP: text message parameters
• CBMI: preferred network messages
• LOCI: location information
• BCCH: broadcast control channels
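Two of the elementary files in that list, ICCID and LOCI, are worth decoding by hand to check what a tool reports. The decoder below is an added example for this page, not code from Paraben or from this module; the field layouts follow the GSM SIM specification (3GPP TS 51.011) as understood by the author of this example, and the EF contents are constructed, not read from a real card. It decodes the swapped-nibble BCD ICCID, validates its Luhn check digit (a failing check is the first sign of misread or mis-swapped bytes), and unpacks LOCI into TMSI, MCC/MNC, LAC and the location-update status, handling both two- and three-digit MNCs.

```python
# EF_ICCID (10 bytes) and EF_LOCI (11 bytes) layouts follow 3GPP TS 51.011 as
# understood here; every sample value below is constructed, not from a real SIM.

LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def bcd_digits(raw: bytes) -> str:
    """Decode swapped-nibble BCD (low nibble holds the first digit); 0xF is padding."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                continue
            if nib > 9:
                raise ValueError(f"non-BCD nibble {nib:#x}")
            digits.append(str(nib))
    return "".join(digits)


def luhn_ok(number: str) -> bool:
    """ICCIDs end in a Luhn check digit (ITU-T E.118); a failing check means the
    bytes were misread, mis-swapped, or the field has been edited."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(raw: bytes) -> dict:
    if len(raw) != 10:
        raise ValueError("EF_ICCID is 10 bytes")
    iccid = bcd_digits(raw)
    return {"iccid": iccid, "luhn_ok": luhn_ok(iccid)}


def decode_lai(lai: bytes) -> tuple:
    """LAI = MCC/MNC (3 nibble-packed bytes) + LAC (2 bytes, big-endian).
    A two-digit MNC stores 0xF in the third-digit nibble (high nibble of byte 1)."""
    if len(lai) != 5:
        raise ValueError("LAI is 5 bytes")
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0x0F:
        mnc += str(lai[1] >> 4)
    lac = int.from_bytes(lai[3:5], "big")
    return mcc, mnc, lac


def decode_loci(raw: bytes) -> dict:
    """TMSI (4) + LAI (5) + TMSI TIME (1) + location update status (1, low 3 bits)."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI is 11 bytes")
    mcc, mnc, lac = decode_lai(raw[4:9])
    status = raw[10] & 0x07
    return {
        "tmsi": raw[0:4].hex(),
        "mcc": mcc, "mnc": mnc, "lac": lac,
        "tmsi_time": raw[9],
        "status": LOCATION_UPDATE_STATUS.get(status, "reserved"),
    }


# Constructed EF contents: ICCID 8901260123456789011 in swapped BCD, and a last
# registered location of MCC 262 / MNC 01, LAC 0x1234, TMSI 1A2B3C4D, status "updated".
SAMPLE_ICCID = bytes.fromhex("981062103254769810f1")
SAMPLE_LOCI = bytes.fromhex("1a2b3c4d62f2101234ff00")

if __name__ == "__main__":
    print(decode_iccid(SAMPLE_ICCID))
    print(decode_loci(SAMPLE_LOCI))
```

LOCI is the field that answers "where was this SIM last registered": the MCC/MNC identify the operator, the LAC the location area, and the status byte says whether that registration was still valid when the card was removed.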
- 53.
SIM Card Seizure: Screenshot
- 54.
Palm dd (pdd)
Palm dd is a Windows-based tool for Palm OS memory imaging and forensic
acquisition
Palm OS console mode is used to acquire memory card information and
create a bit-for-bit image of the selected memory region
It can retrieve all user applications and databases
- 56.
Duplicate Disk
Duplicate Disk (dd) is a UNIX-based utility which creates a bit-by-bit image of
the device
It executes directly on the PDA and can be invoked via a remote connection
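The acquisition step (slide 36), the documentation step (slide 40) and the dd utility described here share one requirement: a bit-for-bit copy whose integrity can be proven later. The routine below is an added example written for this page in Python rather than as a dd invocation so that it runs offline on a constructed file; it is not the dd source or any listed product's code. It streams the source into an image while hashing, re-reads the image to confirm the digest, appends a chain-of-custody record (case number, examiner, time, size, hashes) to a JSON-lines log, and shows a later verification catching a single changed byte. The case number and examiner name are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def image_and_verify(source: str, image: str, case_id: str, examiner: str,
                     block_size: int = 64 * 1024) -> dict:
    """Bit-for-bit copy of `source` into `image`, hashing the stream as it is read,
    then an independent re-read of the image to prove the copy matches.
    Returns the acquisition record that goes into the evidence log."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    verify = hashlib.sha256()
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            verify.update(chunk)
    if verify.hexdigest() != sha256.hexdigest():
        raise RuntimeError("image does not match the source stream; do not use it")
    record = {
        "case_id": case_id,            # placeholder values; see lead-in
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    # Append-only JSON-lines log beside the image: one entry per acquisition step.
    with open(image + ".log", "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_image(image: str, expected_sha256: str, block_size: int = 64 * 1024) -> bool:
    """Later chain-of-custody check: re-hash the image and compare with the logged digest."""
    h = hashlib.sha256()
    with open(image, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo(case_id: str = "2008-0042") -> tuple:
    """Run the acquisition against a constructed 128 KiB 'device memory' file and
    return (record, expected_sha256, verified_ok, tampered_ok)."""
    memory = bytes(range(256)) * 512          # constructed content, not a real dump
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "pda_ram.bin")
        image = os.path.join(workdir, "pda_ram.dd")
        with open(source, "wb") as f:
            f.write(memory)
        record = image_and_verify(source, image, case_id, "J. Examiner")
        verified_ok = verify_image(image, record["sha256"])
        with open(image, "r+b") as f:        # simulate one altered byte in the stored image
            f.seek(100)
            f.write(b"\xff")
        tampered_ok = verify_image(image, record["sha256"])
    return record, hashlib.sha256(memory).hexdigest(), verified_ok, tampered_ok


if __name__ == "__main__":
    rec, _, ok_before, ok_after = demo()
    print(json.dumps(rec, indent=2), ok_before, ok_after)
```

On a real Linux-based PDA the source would be a memory or flash device node read over the remote connection the slide mentions; the hashing, re-verification and log record are the parts that make the image defensible regardless of which tool produced it.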
- 57.
Pocket PC Forensic Software
Pocket PC Forensic Software is an investigator utility that allows examination of
Windows-based Pocket PC and PDA mobile devices
It extracts files, database records, operating system registry records, and
phone information
Features:
• Shows details of the software and hardware architecture of the Pocket PC, such as
OS type, version, processor architecture, memory usage, and related information
• Extracts phonebook numbers, appointments, tasks, IMEI number, SIM information,
contact details, phone model, manufacturer's details, and other related information
- 58.
Pocket PC Forensic Software: Screenshot
- 59.
Mobile Phone Inspector
Mobile Phone Inspector provides detailed information on any mobile phone's
memory and SIM memory status
Information includes the mobile manufacturer's name, mobile model number,
mobile IMEI number, SIM IMSI number, signal quality, and battery status of
any supported mobile phone
It also extracts the phonebook entries
- 60.
Mobile Phone Inspector: Screenshot
- 61.
Memory Card Data Recovery Software
Memory card data recovery software recovers and restores images,
documents, pictures, photos, audio, video files, and folders from all major
memory card storage media
Features:
• Recovers data from PC Card, Compact Flash (I, II), Smart Media,
Multimedia Card (MMC), Secure Digital card, Mini-SD card, Micro-SD
card, and xD-Picture Card
• Recovers data after formats, accidental deletion, or any other type of
logical corruption
• Data retrieval support for Compact Flash memory card, Mobile Pocket
PC, PDA, handheld computers, external mobile phone memory, pen
drive, Memory Stick, Multimedia card, and other similar devices
- 62.
Memory Card Data Recovery Software: Screenshot
- 63.
PDA Security Countermeasures
Install a firewall
Disable all HotSync and ActiveSync features when they are not in use
Use a strong password
Do not keep the passwords on the desktop PC
Install anti-virus software on the device
Encrypt the critical data on the device
Do not use untrusted Wi-Fi access points
- 64.
Summary
A PDA is a handheld device that combines computing, telephone/fax, Internet,
and networking features
PDAs can function as a cellular phone, fax sender, web browser, and a
personal organizer
PDA forensics includes examination, identification, collection, and
documentation
While investigating a PDA, it is necessary to secure, acquire, examine, present,
and maintain the evidence