PDA imaging software

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
 
  

Andy
Senior Member
 

PDA imaging software

Post Posted: May 16, 05 19:17

We are in the process of purchasing Paraben PDA forensics... However, I am curious if anyone has experience of using any other software or method of imaging a PDA device, Linux DD for example. Is it possible? Google isn't my friend on this occasion.

Andy  
 
  

keydet89
Senior Member
 

Re: PDA imaging software

Post Posted: May 17, 05 11:07

Google isn't my friend on this occasion.

Wow. I can't believe that with all of the information I found, that you had any trouble at all.

NIST provides a document that lists other tools (for a chart showing dd, see pg 6):
csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf

See also the NIST guidelines for PDA forensics:
csrc.nist.gov/publicat...800-72.pdf

This may be a useful SF post on the subject:
www.securityfocus.com/...03-08-27/0

Then there's this from E-evidence.info:
www.e-evidence.info/sp...html#other

All of this came from a simple "PDA + forensics" search on Google...

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

Andy
Senior Member
 

Re: PDA imaging software

Post Posted: May 17, 05 15:41

Many thanks for the research Harlan, but perhaps I should have elaborated a little more; I am looking for any ‘practical’ guidance for imaging a PDA and conducting an examination of the image, perhaps with a Linux CD distro, Knoppix, sleuth kit, or Helix. The PDA I want to image is an HP iPaq 5550 attached to my box via USB. I’ve tried using Helix, but it doesn’t appear to detect the device. Saying that, however, I am no Linux forensic expert, merely a Linux enthusiast. I may be doing something fundamentally wrong and missing the obvious. I was hoping someone may have hands-on experience with this type of problem, and could give a brief step-by-step guide.

I’ve previously read a copy of the PDF you linked to, PDA Forensics, and although it’s quite good, it doesn’t provide the step-by-step instructions one hoped for.

www.securityfocus.com/...03-08-27/0

Doesn’t really tell me anything useful regarding imaging.

www.e-evidence.info/sp...html#other

Links to the same information (same thread) as the link above!

Thanks for replying anyway.

Andy  
 
  

Brian
Newbie
 

Re: PDA imaging software

Post Posted: May 18, 05 10:27

Hi Andy,
I believe the iPaq uses Pocket PC and this may be a problem when trying to use free tools as the ones I've found seem to work only with Palm OS (pdd etc).

Here is a link to a handy site that demonstrates Paraben and the author needed to jump through a few hoops even to get this to work.
www.informit.com/guide...6&rl=1

I'll be very interested if you were able to find a free tool that did the job properly.

Regards
Brian C  
 
  

keydet89
Senior Member
 

Re: PDA imaging software

Post Posted: May 18, 05 13:52

Andy,

Thanks for providing more information. Evidently, as Brian quite correctly alludes to, there is a significant difference between PalmOS PDAs and PocketPC PDAs when it comes to forensic imaging...significant enough that knowing the operating system ahead of time will make a huge difference in the responses you receive.

I did a little more research this morning, and the only really definitive thing I found was the same link Brian provided.

Going back to the NIST tool evaluation PDF doc:
csrc.nist.gov/publicat...ensics.pdf

The chart on page 6 shows that none of the tools evaluated were applicable for use with PocketPC.

An option that may be useful to you is the ASRDisp utility mentioned on pg. 9 of the PDF.

Pg 10 of the PDF covers seizure, and has a section for PocketPC...which points to PDA Seizure from Paraben.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
