We are in the process of purchasing Paraben PDA forensics… However, I am curious if anyone has experience of using any other software or method of imaging a PDA device - Linux DD for example. Is it possible? Google isn't my friend on this occasion.
Andy
Google isn't my friend on this occasion.
Wow. I can't believe that, with all of the information I found, you had any trouble at all.
NIST provides a document that lists other tools (for a chart showing dd, see pg 6):
See also the NIST guidelines for PDA forensics:
This may be a useful SF post on the subject:
Then there's this from E-evidence.info:
All of this came from a simple "PDA + forensics" search on Google…
H. Carvey
"Windows Forensics and Incident Recovery"
Many thanks for the research, Harlan, but perhaps I should have elaborated a little more; I am looking for any ‘practical’ guidance for imaging a PDA and conducting an examination of the image, perhaps with a Linux CD distro, Knoppix, sleuth kit, or Helix. The PDA I want to image is a HP iPaq 5550 attached to my box via USB. I’ve tried using Helix, but it doesn’t appear to detect the device. Saying that, however, I am no Linux forensic expert, merely a Linux enthusiast. I may be doing something fundamentally wrong and missing the obvious. I was hoping someone may have hands-on experience with this type of problem, and could give a brief step-by-step guide.
I’ve previously read a copy of the pdf you linked to PDA Forensics, and although it’s quite good, it doesn’t provide the step-by-step instructions one hoped for.
Doesn’t really tell me anything useful regarding imaging.
Links to the same information (same thread) as the link above!
Thanks for replying anyway.
Andy
Hi Andy,
I believe the iPaq uses Pocket PC and this may be a problem when trying to use free tools as the ones I've found seem to work only with Palm OS (pdd etc).
Here is a link to a handy site that demonstrates Paraben and the author needed to jump through a few hoops even to get this to work.
I'll be very interested if you were able to find a free tool that did the job properly.
Regards
Brian C
Andy,
Thanks for providing more information. Evidently, as Brian quite correctly alludes to, there is a significant difference between PalmOS PDAs and PocketPC PDAs when it comes to forensic imaging…significant enough that knowing the operating system ahead of time will make a huge difference in the responses you receive.
I did a little more research this morning, and the only really definitive thing I found was the same link Brian provided.
Going back to the NIST tool evaluation PDF doc:
The chart on page 6 shows that none of the tools evaluated were applicable for use with PocketPC.
An option that may be useful to you is the ASRDisp utility mentioned on pg. 9 of the PDF.
Pg 10 of the PDF covers seizure, and has a section for PocketPC…which points to PDA Seizure from Paraben.
H. Carvey
"Windows Forensics and Incident Recovery"