Linux PDA Super Question

Randy-P
(@randy-p)
Posts: 6
Active Member
Topic starter
 

Ok guys and gals, I got a very techy question but I am desperate for some help. The main problem is that I need to develop a way to get images, exact copies of all the data, of the ROM and ESPECIALLY the RAM on Linux PDAs. If anyone here is familiar with digital forensics then they understand the complications that can quickly arise. For those who don't, here are the catches:

1) It must NOT destroy the original data in any way.
2) It must accurately gather the data from the device.
3) I am not entirely sure what happens to the RAM when you throw the device into boot loader so I am trying to avoid that.
4) I would really like to have the solution work from a secure box and not require the device to execute commands.
5) The solution CAN NOT use commands from the device…the devices commands may not be secure so I can not use them.

If anyone out there has any helpful advice, please post here. No one can probably solve this in one try so just helpful bits of the solution would be greatly appreciated. Again thank you for your time. 😀

 
Posted : 07/06/2005 2:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Not sure why this is such a big deal, but here goes:

This article mentions pdd, "originally" from GrandIdea…
http://www.informit.com/guides/content.asp?g=security&seqNum=105&rl=1

Paraben
http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=107

Hope that helps…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 07/06/2005 6:45 pm
Randy-P
(@randy-p)
Posts: 6
Active Member
Topic starter
 

Thanks for the reply but unfortunately neither of those solutions will work. pdd is only for Palm PDAs, which is why it's (p)alm dd. Also Paraben's software can only acquire and examine Palm and PPC (Windows-based) handhelds. That is why this is such a tough problem. 😈 Thanks for the reply though. More help would be nice. 😆

 
Posted : 07/06/2005 9:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well, it seems to me that you're not doing much searching yourself.

For example, go see NIST SP800-72:
csrc.nist.gov/publications/nistpubs/800-72/sp800-72.pdf

Specifically, see:
- table 2, section 3 (Forensics Tools)
- section 3.2
- section 3.5, on pg 18 of the document (pg 26 of 67 pages).

These items in the document pretty clearly list tools you can use, which I understand from "to develop a way to get images, exact copies of all the data, of the ROM and ESPECIALLY the RAM on Linux PDA's" as what you're looking for.

If this doesn't help, maybe you could rephrase the question.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 07/06/2005 11:30 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Well, it seems to me that you're not doing much searching yourself.

Not called for, Harlan. By all means think it but there's no need to include it in your post. There is, of course, an obvious frustration if people post questions in forums which others may view as easily answered by a little searching elsewhere but let's not make a big deal out of it (either here or elsewhere). In the grand scheme of things it's probably better to make a new member feel welcome, if at all possible.

We've been here before, you know what I'm saying.

Jamie

 
Posted : 08/06/2005 9:31 am
Randy-P
(@randy-p)
Posts: 6
Active Member
Topic starter
 

Thank you, site Admin. Harlan, 😈, if you kindly refer to that same document, which I have read several times, I would like to point out why this document helps but in fact does not have the answer to my question.

1) That table shows that dd is the only way to acquire data from a Linux PDA. Neither Pilot-Link nor EnCase can acquire data from a Linux handheld, which you pointed out.

2) Pilot-Link is a tool for Linux hosts to communicate with Palm handhelds. Not Linux handhelds. This is an old tool from a time when Linux did not natively work well with Palm.

3) EnCase is a good tool, I like FTK and iLook more, but it can not acquire data from Linux PDAs either. It can however examine them IF you can get an image of the Linux handheld's ROM and RAM.

That IF is the major problem: there is no good way to do this WITHOUT using the handheld's native terminal, which is forensically unsound.

So basically I need to come up with a way to attach a Linux PDA to a computer and mount the RAM and ROM as read-only and dd them, OR make something like a boot CD but in CF form and execute the dd that way.

Sorry if I seemed a little blunt at the beginning, but the problem is frustrating and being told that I have not done my research is not what I want to read. My research is sound; the problem really lies in that I am not a Linux Jedi and I do not have the ability to make Linux magic happen. That is why I have posted this question on Linux boards as well.

Thank you for your time and may the force be with you 8)

 
Posted : 08/06/2005 2:00 pm
(@jonathan)
Posts: 878
Prominent Member
 

Ok guys and gals, I got a very techy question but I am desperate for some help. The main problem is that I need to develop a way to get images, exact copies of all the data, of the ROM and ESPECIALLY the RAM on Linux PDAs. If anyone here is familiar with digital forensics then they understand the complications that can quickly arise. For those who don't, here are the catches:

1) It must NOT destroy the original data in any way.
2) It must accurately gather the data from the device.
3) I am not entirely sure what happens to the RAM when you throw the device into boot loader so I am trying to avoid that.
4) I would really like to have the solution work from a secure box and not require the device to execute commands.
5) The solution CAN NOT use commands from the device…the devices commands may not be secure so I can not use them.

If anyone out there has any helpful advice, please post here. No one can probably solve this in one try so just helpful bits of the solution would be greatly appreciated. Again thank you for your time. 😀

Sounds like an exam question to me!

 
Posted : 08/06/2005 2:00 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Note to self: seek easier position than forum moderator.

Cat herder, perhaps.

😆

Jamie

 
Posted : 08/06/2005 3:23 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Sorry if I seemed a little blunt at the beginning, but the problem is frustrating and being told that I have not done my research is not what I want to read. My research is sound the problem…

I apologize if my comments offended you, as that was not my intention. However, I would like to point out that from the beginning, you made no reference whatsoever to having done any research. You never mentioned having seen/read the NIST document…nor did you mention having read any other documents or done anything else to support your own question.

For what it's worth, I have a license for ProDiscover, which can acquire images using either the PD-proprietary format, or dd. I've plugged devices into a system using USB that don't show up as hard drives (even though they are, in fact, hard drives) but rather as physical devices, and are then imaged that way.

I don't think that one has to be a Linux Jedi to solve the issue at hand…but I do think that in doing research and experimentation, finding out what works and what doesn't, one will be on their Way…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 08/06/2005 3:48 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I've thought about this a little more…when you connect a Linux PDA to a Linux system, doesn't it "appear" as a /dev?

I'm not sure which distro you're using but shouldn't you be able to access it via /dev/serial for serial connection, or /dev/usb for a USB connection?

If that's the case, couldn't you use that as a parameter for dd?

Just thinking out loud…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 10/06/2005 12:39 pm
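The procedure Randy-P describes (attach the PDA, treat its storage as read-only, dd it from the host) and Harlan's question about it appearing as a /dev node both come down to the same host-side acquisition step. The script below is an added example, not code posted by anyone in this thread, showing that step done from the examiner's box only, so nothing is executed on the handheld. It assumes the host kernel exposes the device's storage as a block device (the path /dev/sdb in the usage comment is a hypothetical illustration) and that GNU dd, sha256sum and blockdev (util-linux) are installed. One caveat a practitioner would want: a serial or USB character device such as /dev/ttyS0 is a communication endpoint, not storage, and dd'ing it will not produce a memory image; the read-only trick only applies if the kernel actually enumerates the PDA's flash or RAM as a block device.

```shell
#!/bin/sh
# Added example (not from the original thread): host-side dd acquisition of a
# block device with the source forced read-only and a hash check of the result.
# Hypothetical usage:  acquire_image /dev/sdb /cases/pda-rom.dd
set -u

# acquire_image SRC DST
# Reads SRC with dd (no write ever goes to SRC), writes a raw image to DST,
# hashes both, and returns 0 only when the hashes match.
acquire_image() {
    src="$1"
    dst="$2"

    # For a real block device, ask the kernel to reject writes before anything
    # else touches it. Skipped for a plain file (e.g. a constructed test fixture).
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 2
    fi

    # Never clobber an existing image; refuse the run instead.
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing image $dst" >&2
        return 3
    fi

    # conv=noerror,sync: keep reading past bad sectors and pad them with zeros so
    # offsets in the image stay aligned with the source. bs=512 matches the
    # sector size of most flash media; for a plain file that is not a multiple of
    # 512 bytes, sync pads the final block (so the test fixture is sized accordingly).
    dd if="$src" of="$dst" bs=512 conv=noerror,sync status=none || return 4

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)

    # Record both hashes in sha256sum's own format so they can be re-checked later.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image IMG EXPECTED_HASH
# Re-hashes a previously acquired image and compares it to the recorded value.
verify_image() {
    img="$1"
    expected="$2"
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}
```

The read-only flag set by `blockdev --setro` is enforced by the kernel for every process on the host, which is stronger than relying on a `mount -o ro` that only covers filesystem writes; it does nothing, of course, if the device is not a block device in the first place. Keeping the source hash taken at acquisition time alongside the image is what lets `verify_image` show later that the copy is unchanged.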