Difference between pages "Applied Cellphone Forensics" and "Microsoft PocketPC"

From ForensicsWiki
(Wrote PocketPC 2000 section)
 
Line 1: Line 1:
===Applied Cellphone Forensics===
+
__TOC__
  
• Defining processes of the acquisition, preservation, analysis of evidence
+
=Overview=
 +
A PocketPC is commonly referred to as a handheld computer that runs a version of Microsoft’s proprietary mobile operating systems.
  
• Presentation of physical and digital cellular phone evidence in the investigation process
+
[[Image:Pocketpc.jpg|thumb|Acer PocketPC]]
  
• Evidence regulation and its impacts in the investigation process
+
Microsoft PocketPC, sometimes referred to as P/PC or PPC, is based upon the Windows CE framework.  Variants of this operating system include versions such as PocketPC 2000, PocketPC 2002, Windows Mobile 2003/2003 SE, and Windows Mobile 5.0.  Variants also exist for [[SmartPhones]], such as Windows Mobile 2003 Smartphone edition. 
  
• Applications: practical forensic cases related to cellular phones
+
One of the key benefits of Microsoft's Windows Mobile platform is file format compatibility with the desktop versions of the company's productivity software.  Mobile versions of Microsoft software, such as Pocket Word, Pocket Excel, and Pocket PowerPoint, allow individuals to view and edit these files outside of the home and office.
  
====Introduction====
+
Another benefit is integration with Microsoft's cross-platform solution, the .NET Framework.  The .NET Framework and its associated class libraries handle things such as memory management, file I/O, and many other functions. The .NET Framework allows programmers to develop code in one of several .NET languages, such as C# and VB.NET.  PocketPCs run a simplified version of the framework called the .NET Compact Framework.
Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main reasons are the lack of awareness and training of law enforcement agencies. This paper is an effort to change this deficiency.
+
  
====Processes of the Acquisition, Preservation, Analysis of Evidence ====
+
In order to maintain synchronization and connectivity with desktop computers, Microsft developed the ActiveSync program. The user merely has to connect the PocketPC to the desktop computer in order to synchronize items such as appointments, contact lists, and even multimedia files.
Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.
+
<br><br>
+
Usually, a visit to one of the phone carriers’ outlet location can provide you with the information detailing the specifics of the phone. However, in a worst case scenario, removing the battery out from its compartment usually will provide you with the manufacturer name and specific model number.
+
<br><br>
+
Once the phone is identified, either through known identification or through other aforementioned means, more information can be gleaned about the phones technical specifications and capabilities by visiting the PhoneScoop (www.phonescoop.com) website.
+
<br><br>
+
Once identified, the phone is ready for the next step of the virtual acquisition.
+
<br><br>
+
'''''Off Network'''''
+
<br><br>
+
'''''Powered up'''''
+
<br><br>
+
To ensure a good evidence acquisition
+
<br><br>
+
'''''Cables'''''
+
<br><br>
+
It can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various specific manufacturers’ data cables.
+
<br><br>
+
Specifically, at the time of this writing, Paraben’s Cell Seizure Version 3.0 will acquire many phones from Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung.
+
<br><br>
+
Susteen SecureView Version 1 will acquire phones from LG, Motorola, Samsung, Sony-Ericsson, Sanyo, and Nokia. With Secure View, Susteen has included its cables from it’s popular Data Pilot system.
+
<br><br>
+
BITPim, Version 8.08 will acquire phones from LG, Samsung, Audiovox, Sanyo, Toshiba
+
<br><br>
+
Other products include: Nokia’s Oxygen PM Forensics Edition Verision 2.8.7 provides support for most Nokia phones as well as some Samsung and Mobiado phones
+
<br><br>
+
Float’s Mobile Agent
+
<br><br>
+
iDEN Media Downloader
+
<br><br>
+
iDEN Phoenbook Manager
+
<br><br>
+
SmartMoto
+
<br><br>
+
GSM .XRY
+
<br><br>
+
SuperAgent RSS
+
<br><br>
+
MobilEdit
+
<br><br>
+
Tulp2G<br>
+
Access Data’s FTK<br>
+
Guidance Software’s EnCase<br>
+
  
SIM Card software applications:<br>
+
In 2001, PDAs running Palm OS variants held a market share of about 72%, while PocketPC held a meager 15% of the market.  However, by the fourth quarter of 2004, Microsoft PocketPC and Palm OS were practically tied with regards to market share -- PocketPC-based devices had a market share of 40.2% while Palm OS claimed 40.7% of the market.  This upward trend clearly illustrates the growing popularity of PocketPC-based devices, and thus the increased likelihood that one will encounter such a device in the field.
SIM Seizure<br>
+
SIMCon<br>
+
Tulp2G<br>
+
  
  
Overly simplified…<br>
+
== History ==
  
Is there a method for determining which application to use based on the phone?
+
The PocketPC operating system began as Windows CE in November of 1996.  The NEC MobilePro 200 and the Casio A-10 were the first two PDA-type devices available with this early version of the operating system.  From here, Windows CE continued in development through versions 2 (with such devices as the MD Elan SC400, DEC SA1100, Hitachi SuperH 3, NEC VR4101, Philips DR 31500, and the Toshiba TX3912).
Can this be built from a database of knowledge
+
  
Process of Cellphone Acquisition.<br>
+
=PocketPC Variants=
1. Take phone off network via faraday technology<br>
+
As previously noted, there exist many variants of the PocketPC operating system. Below are a summary of each.
2. Connect power source and ensure at least 50% charge<br>
+
3. Connect the data synchronization cable to the phone<br>
+
4. Launch the software application for acquisition and analysis<br>
+
5. Acquire the phones image<br>
+
  
Process of SIM Card Acquisition.<br>
+
==PocketPC 2000==
1. Connect SIM Card to Computer through a compliant card reader<br>
+
2. Launch the software application for acquisition and analysis<br>
+
3. Acquire and Analyze the SIM Card<br>
+
  
Process of Cellphone Analysis.<br>
+
PocketPC 2000, based on Micrsoft's Windows CE 3.0 platform, was a first step towards the familiar appearance and functionality that is offered by Windows Mobile 5.0.  Devices running PocketPC 2000 ranged from the Askey PC010, which had a 16-color grayscale screen with no expansion slots, to the Casio EM-500, which had a 64k color screen and provisions for upgraded pheripherals such as cameras.  PocketPC 2000 launched with versions of Pocket Word, Pocket Excel, and Microsoft Reader bundled.  ActiveSync 3.1, which provided an easier way to install applications onto the PocketPC, was required to synchronize with host desktop machines.
What are we looking for:<br>
+
GSM: IMEI<br>
+
CDMA: ESN<br>
+
Short Dial Numbers<br>
+
SMS Messages<br>
+
Phone Settings (language, date/time, tone/volume etc)<br>
+
Stored Audio Recordings<br>
+
Stored Computer Files<br>
+
Logged incoming calls and dialed numbers<br>
+
Stored Executable Programs<br>
+
GPRS, WAP and Internet settings<br>
+
Calendar and Contacts<br>
+
Calls Made, Received, and Missed<br>
+
Ring Tones, Games, Pictures, Videos and other Downloaded information<br>
+
  
 +
==PocketPC 2002==
 +
Codenamed "Merlin," PocketPC 2002 was Microsoft's Windows CE 3.0-based upgrade to PocketPC 200.  PocketPC 2002 offered many improvements over the previous operating system, including a Terminal Service Client, a new mail Inbox, Windows Media Player 8.0, improved versions of Pocket Word and MS Reader, and many other features. 
  
Process of SIM Card Analysis.<br>
+
There were three service packs (EUUU1/2/3) released which addressed bugs and other issues in the original release.
What are we looking for:<br>
+
Location Information<br>
+
SMS Messages<br>
+
Abbreviated Dialing Numbers<br>
+
Last Numbers Dialed<br>
+
  
 +
==Windows Mobile 2003/SE==
 +
Based on the Windows CE.Net operating system, Windows Mobile 2003 for Pocket PC includes a Windows-like graphical user interface (GUI), tools and helper apps, and several companion applications, including Pocket Word and Pocket Excel. It's the third major release of the platform, which debuted in April 2000 and was last updated in October 2001
  
====Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process ====
+
Here's a list of Windows Mobile 2003 for Pocket PC's new features:
Cellular Phone<br>
+
Forensic Evidence Folder Organization<br>
+
Analog – Screenshots of phones<br>
+
Digital – Reports from applications<br>
+
Word Document for binding information together<br>
+
  
 +
-- Enhanced Connection Manager user interface
 +
 +
-- Zero Configuration connections
 +
 +
-- Improved animated connectivity status icons
 +
 +
-- Improved connectivity bubbles
  
====Evidence Regulation and its Impacts in the Investigation Process ====
+
-- Always-on Bluetooth discoverability
Cellphones are not hard drives<br>
+
Live versus dead animals<br>
+
-- Use of Bluetooth modems
  
Hard Drives are coming tho: http://itvibe.com/news/3934/
+
-- Bluetooth beaming
  
SIM cards are getting bigger too: http://www.vnunet.com/2150531
+
-- Auto-correct spelling
====Applications: Practical Forensic Cases Related to Cellular Phones ====
+
Examples???
+
-- Auto-suggest in Inbox
 +
 
 +
-- One-touch turn all radios off
 +
 +
-- 802.1x support
 +
 
 +
-- Certificate Management UI
 +
 
 +
-- IPSec/L2TP
 +
 
 +
-- Support for Multiple VPNs
 +
 +
-- IPv6 support
 +
 +
-- New Today screen
 +
 +
-- Smart Lookup in Contacts
 +
 +
-- Windows CE 4.2 operating systems
 +
 +
-- .NET Compact Framework
 +
 +
-- Enhanced developer support
 +
 +
-- 128-bit encryption strength for Crypto API
 +
 +
-- Improved power management
 +
 +
-- Windows Media Player 9 Series for Pocket PC 2003
 +
 +
-- Plus! Sync & Go
 +
 
 +
-- Support for Plus! Photo Story
 +
 +
-- Windows Movie Maker 2
 +
 
 +
-- Pictures
 +
 
 +
-- New version of Pocket Internet Explorer
 +
 +
-- "Jawbreaker" game
 +
 +
-- vCard and vCal support
 +
 
 +
-- Inbox signature support
 +
 +
-- New user notifications
 +
 
 +
==Windows Mobile 5.0==
 +
Windows Mobile 5.0, based off of Windows CE 5.0, was released on May 10, 2005.  Windows Mobile 5.0 brought many changes to the PocketPC landscape.  For one, with this release, the phone and PDA versions of the OS have merged into one encompassing OS, instead of two separate versions of the same one.  Additionally, while past versions of PocketPC software utilized the RAM of a PDA for program and data storage, Windows Mobile 5.0 uses a PDA's hardware more like a traditional computer.  The operating system and user data is stored in the more persistent ROM of the device, and RAM is used in a way more similar to that of a desktop PC.  This has implications for forensics, as data stored on these devices is now less volatile.
 +
 
 +
=Pocket PC Devices=
 +
In recent years, a number of manufacturers have elected to produce PocketPC devices.  Some of these makers include companies such as:
 +
 
 +
*  Acer
 +
*  Asus
 +
*  Audiovox
 +
*  Dell
 +
*  HP
 +
*  Mitac
 +
*  Motorola
 +
*  Samsung
 +
*  Siemens
 +
*  Symbol
 +
*  Treo
 +
 
 +
Because different manufacturers are targeted at different segments of the market, such as business and consumers, the features and functionality of these devices sometimes differ greatly.  For example, some devices have built-in capability for taking images and videos, while other devices have tools such as biometric fingerprint readers and barcode scanners.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
'''References:'''
 +
----
 +
 
 +
[http://www.hpcfactor.com/support/windowsce/ The History of Microsoft Windows CE]
 +
 
 +
[http://palmtops.about.com/cs/pdafacts/a/Palm_Pocket_PC.htm Palm vs. Pocket PC-The Great Debate]
 +
 
 +
[http://www.windowsfordevices.com/news/NS8063885791.html Gartner: Windows CE ties Palm]
 +
 
 +
[http://en.wikipedia.org/wiki/Pocket_PC PocketPC]
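
Review bot: several misspellings in the added PocketPC text should be corrected before this revision is kept: "Microsft" in the ActiveSync paragraph, "Micrsoft's" and "pheripherals" in the PocketPC 2000 section, and "upgrade to PocketPC 200" in the PocketPC 2002 section, where the context points to PocketPC 2000. "Below are a summary of each" under PocketPC Variants should read "Below is a summary of each", and the Windows Mobile 2003/SE paragraph ends without a period after "October 2001". The market-share percentages in the Overview are not tied to any entry under References, so an inline citation next to those figures would let a reader verify them.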

Revision as of 03:34, 22 February 2006

Overview

The term PocketPC commonly refers to a handheld computer that runs a version of one of Microsoft’s proprietary mobile operating systems.

Acer PocketPC

Microsoft PocketPC, sometimes referred to as P/PC or PPC, is based upon the Windows CE framework. Variants of this operating system include versions such as PocketPC 2000, PocketPC 2002, Windows Mobile 2003/2003 SE, and Windows Mobile 5.0. Variants also exist for SmartPhones, such as Windows Mobile 2003 Smartphone edition.

One of the key benefits of Microsoft's Windows Mobile platform is file format compatibility with the desktop versions of the company's productivity software. Mobile versions of Microsoft software, such as Pocket Word, Pocket Excel, and Pocket PowerPoint, allow individuals to view and edit these files outside of the home and office.

Another benefit is integration with Microsoft's cross-platform solution, the .NET Framework. The .NET Framework and its associated class libraries handle things such as memory management, file I/O, and many other functions. The .NET Framework allows programmers to develop code in one of several .NET languages, such as C# and VB.NET. PocketPCs run a simplified version of the framework called the .NET Compact Framework.

To maintain synchronization and connectivity with desktop computers, Microsoft developed the ActiveSync program. The user merely has to connect the PocketPC to the desktop computer to synchronize items such as appointments, contact lists, and even multimedia files.

In 2001, PDAs running Palm OS variants held a market share of about 72%, while PocketPC held a meager 15% of the market. However, by the fourth quarter of 2004, Microsoft PocketPC and Palm OS were practically tied with regard to market share: PocketPC-based devices had a market share of 40.2% while Palm OS claimed 40.7% of the market. This upward trend clearly illustrates the growing popularity of PocketPC-based devices, and thus the increased likelihood that one will encounter such a device in the field.


History

The PocketPC operating system began as Windows CE in November of 1996. The NEC MobilePro 200 and the Casio A-10 were the first two PDA-type devices available with this early version of the operating system. From here, Windows CE continued in development through versions 2 (with such devices as the MD Elan SC400, DEC SA1100, Hitachi SuperH 3, NEC VR4101, Philips DR 31500, and the Toshiba TX3912).

PocketPC Variants

As previously noted, there exist many variants of the PocketPC operating system. Below is a summary of each.

PocketPC 2000

PocketPC 2000, based on Microsoft's Windows CE 3.0 platform, was a first step towards the familiar appearance and functionality that is offered by Windows Mobile 5.0. Devices running PocketPC 2000 ranged from the Askey PC010, which had a 16-color grayscale screen with no expansion slots, to the Casio EM-500, which had a 64k color screen and provisions for upgraded peripherals such as cameras. PocketPC 2000 launched with versions of Pocket Word, Pocket Excel, and Microsoft Reader bundled. ActiveSync 3.1, which provided an easier way to install applications onto the PocketPC, was required to synchronize with host desktop machines.

PocketPC 2002

Codenamed "Merlin," PocketPC 2002 was Microsoft's Windows CE 3.0-based upgrade to PocketPC 2000. PocketPC 2002 offered many improvements over the previous operating system, including a Terminal Service Client, a new mail Inbox, Windows Media Player 8.0, improved versions of Pocket Word and MS Reader, and many other features.

There were three service packs (EUUU1/2/3) released which addressed bugs and other issues in the original release.

Windows Mobile 2003/SE

Based on the Windows CE.Net operating system, Windows Mobile 2003 for Pocket PC includes a Windows-like graphical user interface (GUI), tools and helper apps, and several companion applications, including Pocket Word and Pocket Excel. It's the third major release of the platform, which debuted in April 2000 and was last updated in October 2001.

Here's a list of Windows Mobile 2003 for Pocket PC's new features:

-- Enhanced Connection Manager user interface

-- Zero Configuration connections

-- Improved animated connectivity status icons

-- Improved connectivity bubbles

-- Always-on Bluetooth discoverability

-- Use of Bluetooth modems

-- Bluetooth beaming

-- Auto-correct spelling

-- Auto-suggest in Inbox

-- One-touch turn all radios off

-- 802.1x support

-- Certificate Management UI

-- IPSec/L2TP

-- Support for Multiple VPNs

-- IPv6 support

-- New Today screen

-- Smart Lookup in Contacts

-- Windows CE 4.2 operating systems

-- .NET Compact Framework

-- Enhanced developer support

-- 128-bit encryption strength for Crypto API

-- Improved power management

-- Windows Media Player 9 Series for Pocket PC 2003

-- Plus! Sync & Go

-- Support for Plus! Photo Story

-- Windows Movie Maker 2

-- Pictures

-- New version of Pocket Internet Explorer

-- "Jawbreaker" game

-- vCard and vCal support

-- Inbox signature support

-- New user notifications

Windows Mobile 5.0

Windows Mobile 5.0, based on Windows CE 5.0, was released on May 10, 2005. Windows Mobile 5.0 brought many changes to the PocketPC landscape. For one, with this release, the phone and PDA versions of the OS merged into one encompassing OS, instead of two separate versions of the same one. Additionally, while past versions of PocketPC software utilized the RAM of a PDA for program and data storage, Windows Mobile 5.0 uses a PDA's hardware more like a traditional computer. The operating system and user data are stored in the more persistent ROM of the device, and RAM is used in a way more similar to that of a desktop PC. This has implications for forensics, as data stored on these devices is now less volatile.

Pocket PC Devices

In recent years, a number of manufacturers have elected to produce PocketPC devices. These makers include companies such as:

  • Acer
  • Asus
  • Audiovox
  • Dell
  • HP
  • Mitac
  • Motorola
  • Samsung
  • Siemens
  • Symbol
  • Treo

Because different manufacturers target different segments of the market, such as business and consumers, the features and functionality of these devices sometimes differ greatly. For example, some devices have built-in capability for taking images and videos, while other devices have tools such as biometric fingerprint readers and barcode scanners.


