PDA imaging software

 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

We are in the process of purchasing Paraben PDA forensics… However, I am curious if anyone has experience of using any other software or method of imaging a PDA device - Linux DD for example. Is it possible? Google isn't my friend on this occasion.

Andy

 
Posted : 16/05/2005 7:17 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Google isn't my friend on this occasion.

Wow. I can't believe that with all of the information I found, that you had any trouble at all.

NIST provides a document that lists other tools (for a chart showing dd, see pg 6):
http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf

See also the NIST guidelines for PDA forensics:
http://csrc.nist.gov/publications/nistpubs/800-72/sp800-72.pdf

This may be a useful SF post on the subject:
http://www.securityfocus.com/archive/104/335363/2003-08-21/2003-08-27/0

Then there's this from E-evidence.info:
http://www.e-evidence.info/specific.html#other

All of this came from a simple "PDA + forensics" search on Google…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 17/05/2005 11:07 am
 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

Many thanks for the research Harlan, but perhaps I should have elaborated a little more; I am looking for any ‘practical’ guidance for imaging a PDA and conducting an examination of the image, perhaps with a Linux CD distro, Knoppix, sleuth kit, or Helix. The PDA I want to image is an HP iPaq 5550 attached to my box via USB. I’ve tried using Helix, but it doesn’t appear to detect the device. Saying that, however, I am no Linux forensic expert, merely a Linux enthusiast. I may be doing something fundamentally wrong and missing the obvious. I was hoping someone may have hands-on experience with this type of problem, and could give a brief step-by-step guide.

I’ve previously read a copy of the pdf you linked to PDA Forensics, and although it’s quite good, it doesn’t provide the step by step instructions one hoped for.

http://www.securityfocus.com/archive/104/335363/2003-08-21/2003-08-27/0

Doesn’t really tell me anything useful regarding imaging.

http://www.e-evidence.info/specific.html#other

Links to the same information (same thread) as the link above!

Thanks for replying anyway.

Andy

 
Posted : 17/05/2005 3:41 pm
Brian
(@brian)
Posts: 9
Active Member
 

Hi Andy,
I believe the iPaq uses Pocket PC and this may be a problem when trying to use free tools as the ones I've found seem to work only with Palm OS (pdd etc).

Here is a link to a handy site that demonstrates Paraben and the author needed to jump through a few hoops even to get this to work.
http://www.informit.com/guides/content.asp?g=security&seqNum=106&rl=1

I'll be very interested if you were able to find a free tool that did the job properly.

Regards
Brian C

 
Posted : 18/05/2005 10:27 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Andy,

Thanks for providing more information. Evidently, as Brian quite correctly alludes to, there is a significant difference between PalmOS PDAs and PocketPC PDAs when it comes to forensic imaging…significant enough that knowing the operating system ahead of time will make a huge difference in the responses you receive.

I did a little more research this morning, and the only really definitive thing I found was the same link Brian provided.

Going back to the NIST tool evaluation PDF doc:
http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf

The chart on page 6 shows that none of the tools evaluated were applicable for use with PocketPC.

An option that may be useful to you is the ASRDisp utility mentioned on pg. 9 of the PDF.

Pg 10 of the PDF covers seizure, and has a section for PocketPC…which points to PDA Seizure from Paraben.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 18/05/2005 1:52 pm