Difference between pages "FAT" and "Palm"

From Forensics Wiki
(Difference between pages)
(added formula for determining clusters in partitions)
 
(I added information about Paraben's PDA Seizure)
 
Line 1: Line 1:
=Technical Overview=
+
__TOC__
  
FAT, or file allocation table, is a file system that is designed to keep track of allocation status of clusters on a hard drive.  Developed in 1977 by Microsoft Corporation, FAT was originally intended to be a file system for the Microsoft Disk BASIC interpreter.  FAT was quickly incorporated into an early version of Tim Patterson's QDOS, which was a moniker for "Quick and Dirty Operating System". Microsoft later purchased the rights to QDOS and released it under Microsoft branding as PC-DOS and later, MS-DOS. 
+
=Overview=
  
==File Allocation Table Structure==
+
A "Palm" is a commonly referred to as a small-scale (hand-held) computer that runs Palm's PalmOS software.
  
[[Image:Yale fat16 diagram.jpg|frame|Basic layout of the FAT16 file system.]]
+
The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:<br><br>
The FAT file system is composed of several areas:
+
* The reference hardware design<br>
 +
* The device operating system called the Palm OS software<br>
 +
* The HotSync conduit data synchronization technology<br>
 +
* The platform component tools including an applications programming interface (API) that enables developers to write applications<br>
 +
* The software interface capabilities to support hardware add-ons<br>
  
*  Boot Record or Boot Sector
+
(http://www.palm.com/us/company/pr/2000/092000.html, 2000)
*  FATs
+
*  Root Directory or Root Folder
+
*  Data Area
+
*  Clusters
+
*  Wasted Sectors
+
  
'''Boot Record'''
 
  
When a computer is powered on, a POST (power-on self test) is performed, and control is then transferred to the MBR (Master Boot Record).  The MBR is present no matter what file system is in use, and contains information about how the storage device is logically partitioned.  When using a FAT file system, the MBR hands off control of the computer to the Boot Record, which is the first sector on the partition.  The Boot Record, which occupies a reserved area on the partition, contains executable code, in addition to information such as an OEM identifier, number of FATs, media descriptor (type of storage device), and information about the operating system to be booted.  Once the Boot Record code executes, control is handed off to the operating system installed on that partition.
+
== History ==
  
'''FATs'''
+
Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed Colligan.  The original purpose of the company was to create handwriting recognition software for other devices (Graffiti).  The initial idea for the devices came from Hawkins' habit of carrying a block of wood in his pocket.
  
The primary task of the FATs is to keep track of the allocation status of clusters, or logical groupings of sectors, on the disk driveThere are four different possible FAT entries: allocated (along with the address of the next cluster associated with the file), unallocated, end of file, and bad sector.  
+
The initial Palm device released in 1996 was called the PilotBecause Pilot Pen Corporation brought forth a trademark infrigement case, the second generation device released in 1997 was named the PalmPilot.
  
In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system. FAT2 is a typically a duplicate of FAT1. However, FAT mirroring can be disabled on a FAT32 drive, thus enabling any of the FATs to become the Primary FAT. This possibly leaves FAT1 empty, which can be deceiving.
+
The Palm was not the original PDA device released, but benefited from the failure of Apple's Newton.
  
'''Root Directory'''
+
The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks.  As later versions were released, more features were added.  Here is a list of various Palm OS releases:
  
The Root Directory, sometimes referred to as the Root Folder, contains an entry for each file and directory stored in the file system.  This information includes the file name, starting cluster number, and file size.  This information is changed whenever a file is created or subsequently modified. Root directory has a fixed size of 512 entries on a hard disk and the size on a floppy disk depends.  With FAT32 it can be stored anywhere within the partition, although in previous versions it is always located immediately following the FAT region.
+
*  Version 3.1, 3.3, 3.5
 +
Added support for color, multiple expansion ports, new processors, etc.
  
'''Data Area'''
+
*  Version 4.0
 +
Added a standard interface for external FS access
  
The Boot Record, FATs, and Root Directory are collectively referred to as the System Area. The remaining space on the logical drive is called the Data Area, which is where files are actually stored. It should be noted that when a file is deleted by the operating system, the data stored in the Data Area remains intact until it is overwritten.
+
*  Version 5.0
 +
First version to support Acorn Risc Machine (ARM) devices. Later versions which included OS 5.2, featured Graffiti 2. It began the separation of Palm OS and Palm One.  
  
'''Clusters'''
+
Presently, version 6.1 of the Palm OS is under development (Cobalt).  Cobalt features a Linux-based kernel.  There are presently no devices released using Palm OS 6.
 
+
In order for FAT to manage files with satisfactory efficiency, it groups sectors into larger blocks referred to as clusters. A cluster is the smallest unit of disk space that can be allocated to a file, which is why clusters are often called allocation units. Only the "data area" is divided into clusters, the rest of the partition is simply sectors. Cluster size is determined by the size of the disk volume and every file must be allocated an even number of clusters. Cluster sizing has a significant impact on performance and disk utilization. Larger cluster sizes result in more wasted space because files are less likely to fill up an even number of clusters.
+
 
+
The size of one cluster is specified in the Boot Record and can range from a single sector (512 bytes) to 128 sectors (65536 bytes). The sectors in a cluster are continuous, therefore each cluster is a continuous block of space on the diskNote that only one file can be allocated to a cluster.  Therefore if a 1KB file is placed within a 32KB cluster there are 31KB of wasted space. The formula for determining clusters in a partition is (# of Sectors in Partition) - (# of Sectors per Fat * 2) - (# of Reserved Sectors) ) /  (# of Sectors per Cluster).
+
 
+
'''Wasted Sectors'''
+
 
+
Wasted Sectors are a result of the number of data sectors not being evenly distributed by the cluster size. It's made up of unused bytes left at the end of a file. Also if the partition as declared in the partition table is larger than what is claimed in the Boot Record the volume can be said to have wasted sectors. Small files on a hard drive are the reason for wasted space and the bigger the hard drive the more wasted space there is.
+
 
+
'''FAT Entry Values'''
+
<br>
+
FAT12<br>
+
<br>
+
0x000          (Free Cluster)<br>   
+
0x001          (Reserved Cluster)<br>
+
0x002 - 0xFEF (Used cluster; value points to next cluster)<br>
+
0xFF0 - 0xFF6  (Reserved values)<br>
+
0xFF7          (Bad cluster)<br>
+
0xFF8 - 0xFFF  (Last cluster in file)<br>
+
<br>
+
FAT16<br>
+
<br>
+
0x0000          (Free Cluster)<br>
+
0x0001          (Reserved Cluster)<br>
+
0x0002 - 0xFFEF  (Used cluster; value points to next cluster)<br>
+
0xFFF0 - 0xFFF6  (Reserved values)<br>
+
0xFFF7          (Bad cluster)<br>
+
0xFFF8 - 0xFFFF  (Last cluster in file)<br>
+
<br>
+
FAT32<br>
+
<br>
+
0x?0000000              (Free Cluster)<br>
+
0x?0000001              (Reserved Cluster)<br>
+
0x?0000002 - 0x?FFFFFEF  (Used cluster; value points to next cluster)<br>
+
0x?FFFFFF0 - 0x?FFFFFF6  (Reserved values)<br>
+
0x?FFFFFF7              (Bad cluster)<br>
+
0x?FFFFFF8 - 0x?FFFFFFF  (Last cluster in file)
+
<br><br>
+
 
+
Note: FAT32 uses only 28 of 32 possible bits, the upper 4 bits should be left alone. Typically these bits are zero, and are represented above by a question mark (?).
+
 
+
==Versions==
+
 
+
There are three variants of FAT in existence: FAT12, FAT16, and FAT32.
+
 
+
'''FAT12'''
+
<br />
+
*  FAT12 is the oldest type of FAT that uses a 12 bit file allocation table entry. 
+
*  FAT12 can hold a max of 4,086 clusters (which is 2<sup>12</sup> clusters minus a few values that are reserved for values used in  the FAT). 
+
*  It is used for floppy disks and hard drive partitions that are smaller than 16 MB. 
+
*  All 1.44 MB 3.5" floppy disks are formatted using FAT12.
+
*  Cluster size that is used is between 0.5 KB to 4 KB.
+
 
+
'''FAT16'''
+
<br/>
+
*  It is called FAT16 because all entries are 16 bit.
+
*  FAT16 can hold a max of 65,536 addressable units (2 <sub>26</sub>
+
*  It is used for small and moderate sized hard disk volumes.
+
*  The actual capacity is 65,525 due to some reserved values
+
 
+
'''FAT32'''
+
<br />
+
FAT32 is the enhanced version of the FAT system implemented beginning with Windows 95 OSR2, Windows 98, and Windows Me.
+
Features include:
+
*  Drives of up to 2 terabytes are supported (Windows 2000 only supports up to 32 gigabytes)
+
*  Since FAT32 uses smaller clusters (of 4 kilobytes each), it uses hard drive space more efficiently. This is a 10 to 15 percent improvement over FAT or FAT16.
+
*  The limitations of FAT or FAT 16 on the number of root folder entries have been eliminated. In FAT32, the root folder is an ordinary cluster chain, and can be located anywhere on the drive.
+
*  File allocation mirroring can be disabled in FAT32. This allows a different copy of the file allocation table then the default to be active.
+
<br />
+
'''Comparison of FAT Versions'''
+
 
+
Table adapted from:
+
http://en.wikipedia.org/wiki/File_Allocation_Table
+
 
+
 
+
<table cellpadding="2" border="1">
+
<tr bgcolor="lightgreen" align="center">
+
<td bgcolor="white"></td>
+
<td><b>FAT12</b></td>
+
<td><b>FAT16</b></td>
+
<td><b>FAT32</b></td>
+
  
 +
=Features=
 +
<table>
 +
<tr>
 +
<td>'''Address Book''': Allows the user to keep track of their contacts.  Synchronized via HotSync manager</td>
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<th bgcolor="lightgrey">Developer</th>
+
<td>'''Calculator''': Basic 4 function calculator</td>
<td colspan="3">Microsoft</td>
+
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<th bgcolor="lightgrey" rowspan="2">Full Name</th>
+
<td>'''Datebook''': Track appointments, birthdates and other important times during the year.  Synchronized via HotSync manager</td>
<td colspan="3">File Allocation Table</td>
+
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<td>(12-bit version)</td>
+
<td>'''Expenses''': Keep track of your spending habits.</td>
<td>(16-bit version)</td>
+
 
+
<td>(32-bit version)</td>
+
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<th bgcolor="lightgrey">Introduced</th>
+
<td>'''HotSync''': Application that ran on your desktop or portable PC or Mac to allow for calendars and contacts to easily be synchronized with Palm device.</td>
<td>1977 (Microsoft Disk BASIC)</td>
+
<td>July 1988 (MS-DOS 4.0)</td>
+
 
+
<td>August 1996 (Windows 95 OSR2)</td>
+
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<th bgcolor="lightgrey">Partition identifier</th>
+
<td>'''Memo Pad''': Write short notes.</td>
<td>0x01 (MBR)</td>
+
<td>0x04, 0x06, 0x0E (MBR)</td>
+
 
+
<td>0x0B, 0x0C (MBR)<br />
+
<small>EBD0A0A2-B9E5-4433<br />
+
-87C0-68B6B72699C7</small> (GPT)</td>
+
 
</tr>
 
</tr>
<tr bgcolor="lightgreen" align="center">
+
<tr>
<th>Structures</th>
+
<td>'''Note Pad''': Scribble notes in your natural writing language.</td>
<th><b>FAT12</b></th>
+
 
+
<th><b>FAT16</b></th>
+
<th><b>FAT32</b></th>
+
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<th bgcolor="lightgrey">Directory contents</th>
+
<td>'''To Do List''': Create a check list of items to accomplish.  Synchronized via HotSync manager.</td>
<td colspan="3">Table</td>
+
 
</tr>
 
</tr>
<tr align="center">
+
<tr>
<th bgcolor="lightgrey">File allocation</th>
+
<td>'''Palm Photos''': Photo manager that allows sharing of photos between multiple palm devices.</td>
<td colspan="3">Linked List</td>
+
 
</tr>
 
</tr>
 +
</table>
  
<tr align="center">
+
==Palm Pilot==
<th bgcolor="lightgrey">Bad blocks</th>
+
<td colspan="3">Linked List</td>
+
</tr>
+
<tr bgcolor="lightgreen" align="center">
+
<th>Limits</th>
+
<th><b>FAT12</b></th>
+
<th><b>FAT16</b></th>
+
<th><b>FAT32</b></th>
+
</tr>
+
<tr align="center">
+
  
<th bgcolor="lightgrey">Max file size</th>
+
==3Com Audrey==
<td>32 MiB</td>
+
<td>2 GiB </td>
+
<td>4 GiB</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Max number of files</th>
+
<td>4,077</td>
+
<td>65,517</td>
+
<td>268,435,437</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Max filename size</th>
+
<td colspan="3">8.3 or 255 characters when using LFNs</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Max volume size</th>
+
<td>16 MiB</td>
+
<td>2 GiB for all (4 GiB for some)</td>
+
<td>32 GiB for all OS (2 TiB for some)</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Max clusters</th>
+
<td>4080</td>
+
<td>65520</td>
+
<td>4177918</td>
+
</tr>
+
<tr bgcolor="lightgreen" align="center">
+
<th>Features</th>
+
<th><b>FAT12</b></th>
+
<th><b>FAT16</b></th>
+
<th><b>FAT32</b></th>
+
</tr>
+
  
<tr align="center">
+
The 3Com Audrey was created to be a kitchen computer in 2000-2001.  It was a mainly a used to access the Internet.  Cisco then bought out 3Com and the Audrey was no more.  One noticeable aspect of the Audrey is how people can hack it.  They have turned it into anything from a web server to a chatting client.  It runs QNX with PalmOS extensions.  This allows it to be hacked extremely easily.
<th bgcolor="lightgrey">Dates recorded</th>
+
<td colspan="3">Creation, modified, access</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Date range</th>
+
<td colspan="3">January 1, 1980 - December 31, 2107</td>
+
  
</tr>
+
It runs on the Intel-compatible Cyrix-MediaGX processor. It uses Palm's HotSync technology to update the address book and date book with up to two Palms simultaneously.  It uses a USB Ethernet controller to connect to the Internet.  It also has built-in stereo speakers to play digital and streaming music.  You can either use the clear pen to input data, or pull out the wireless keyboard.  No graffiti is used. 
<tr align="center">
+
<th bgcolor="lightgrey">Forks</th>
+
<td colspan="3">Not natively</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Unicode File Names</th>
+
<td colspan="3">System Character Set</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Attributes</th>
+
<td colspan="3">Read-only, hidden, system, volume label, subdirectory, archive</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Permissions</th>
+
<td colspan="3">No</td>
+
  
</tr>
+
It was discontinued on March 21, 2001.  However, there is still an Audrey frenzy going on today.
<tr align="center">
+
<th bgcolor="lightgrey">Transparent compression</th>
+
<td colspan="2">Per-volume, Stacker, DoubleSpace, DriveSpace</td>
+
<td>No</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Transparent encryption</th>
+
  
<td colspan="2">Per-volume only with DR-DOS</td>
+
==Fossil==
<td>No</td>
+
</tr>
+
<tr bgcolor="lightgreen" align="center">
+
<th>Overall Performance</th>
+
<th><b>FAT12</b></th>
+
<th><b>FAT16</b></th>
+
<th><b>FAT32</b></th>
+
</tr>
+
  
<tr align="center">
+
==Garmin==
<th bgcolor="lightgrey">Fault Tolerance</th>
+
<td>Minimal</td>
+
<td colspan="2">Average</td>
+
</tr>
+
<tr align="center">
+
<th bgcolor="lightgrey">Disk Space Economy</th>
+
<td>Average</td>
+
<td>Minimal on large volumes</td>
+
<td>Max</td>
+
</tr>
+
</table>
+
<br/>
+
==Applications of FAT==
+
  
Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the choice medium for storing and transferring data in consumer electronic devices. The majority of flash memory storage is formatted using the FAT file system.  In addition, FAT is also frequently used in electronic devices with miniature hard drives.
+
==Kyocera==
  
Examples of devices in which FAT is utilized include:
+
Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. An agreement with Palm Inc. to license the Palm OS platform was reached by Kyocera and Palm after QUALCOMM's acquisition. It is the foundation for a suite of smartphones.
  
* USB thumb drives
+
==QualComm==
* Digital cameras
+
* Digital camcorders
+
* Portable audio and video players
+
* Multifunction printers
+
* Electronic photo frames
+
* Electronic musical instruments
+
* Standard televisions
+
* PDAs
+
  
=Forensics Issues=
+
In September 1998, QUALCOMM introduced the pdQ smartphone which was the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM’s CDMA handset business was later bought by Kyocera in February 2000.
==Data Recovery==
+
Recovering directory entries from FAT filesystems as part of [[recovering deleted data]] can be accomplished by looking for entries that begin with a sigma 0xe5. When a file or directory is deleted under a FAT filesystem, the first character of its name is changed to sigma. The remainder of the directory entry information remains intact.
+
  
The pointers are also changed to zero for each cluster used by the file.  Recovery tools look at the FAT to find the entry for the file.  The location of the starting cluster will still be there.  It is not deleted or modified.  The tool will go straight to that cluster and try to recover the file using the file size as a determinant.  Some tools will go to the starting cluster and recover the next "X" number of clusters needed for the specific file size.  However, this tool is not ideal.  An ideal tool will locate "X" number of available clusters.  Since files are most often fragmented, this will be a more precise way to recover the file.
+
==Samsung==
 
+
An issue arises when two files in the same row of clusters are deleted.  If the clusters are not in sequential order, the tool will automatically receive "X" number of clusters.  However, because the file was fragmented, it's most likely that all the clusters obtained will not all contain data for that file.  If these two deleted files are in the same row of clusters, it is highly unlikely the file can be recovered.
+
 
+
==File Slack==
+
File slack is data that starts from the end of the file written and continues to the end of the sectors designated to the file.    There are two types of file slack, RAM slack, and Residual slack.  RAM slack starts from the end of the file and goes to the end of that sector.  Residual slack then starts at the next sector and goes to the end of the cluster allocated for the file.  File slack is a helpful tool when analyzing a hard drive because the old data that is not overwritten by the new file is still in tact. Go to http://www.pcguide.com/ref/hdd/file/partSizes-c.html for examples.
+
 
+
<br/>
+
 
+
<table border="1" cellspacing="2" bordercolor="#000000" cellpadding="4" width="468" bordercolorlight="#C0C0C0">
+
  <tr>
+
    <td width="101" bgcolor="#808080"><font size="2"><b><center>Cluster</center></b></font></td>
+
    <td width="177" bgcolor="#808080"><font size="2"><b><center>Sample Slack Space,
+
    50% Cluster Slack Per File</center></b></font></td>
+
    <td width="178" bgcolor="#808080"><font size="2"><b><center>Sample Slack Space,
+
    67% Cluster Slack Per File</center></b></font></td>
+
  </tr>
+
  <tr>
+
    <td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>2 kiB</center></b></font></td>
+
    <td width="177"><font size="2"><center>17 MB</center></font></td>
+
    <td width="178"><font size="2"><center>22 MB</center></font></td>
+
  </tr>
+
  <tr>
+
    <td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>4 kiB</center></b></font></td>
+
    <td width="177"><font size="2"><center>33 MB</center></font></td>
+
    <td width="178"><font size="2"><center>44 MB</center></font></td>
+
  </tr>
+
  <tr>
+
    <td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>8 kiB</center></b></font></td>
+
    <td width="177"><font size="2"><center>66 MB</center></font></td>
+
    <td width="178"><font size="2"><center>89 MB</center></font></td>
+
  </tr>
+
  <tr>
+
    <td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>16 kiB</center></b></font></td>
+
    <td width="177"><font size="2"><center>133 MB</center></font></td>
+
    <td width="178"><font size="2"><center>177 MB</center></font></td>
+
  </tr>
+
  <tr>
+
    <td width="101" bgcolor="#C0C0C0"><font size="2"><b><center>32 kiB</center></b></font></td>
+
    <td width="177"><font size="2"><center>265 MB</center></font></td>
+
    <td width="178"><font size="2"><center>354 MB</center></font></td>
+
  </tr>
+
</table>
+
  
 +
==Sony Cli&Egrave;==
  
The diagram above demonstrates the larger the cluster size used, the more disk space is wasted due to slack. This suggests it is better to use smaller cluster sizes whenever possible.
+
==Symbol==
  
<br/>
+
==TapWave==
  
'''References:'''
+
==TRG==
----
+
  
http://en.wikipedia.org/wiki/File_Allocation_Table
+
==Handspring Visor==
  
http://www.microsoft.com
+
The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky, and Ed Colligan, left Palm Computing after desputes with the parent company 3com. As a result, the trio founded Handspring in 1998. The first product released in 1999 was called the Handspring Visor, a clone of the original PalmPilot with minor additions, that used the newly created Palm OS. One of it's most prominent features was USB support and an expansion slot for memory cards, both of which were not yet popular at the time.
  
http://www.ntfs.com
+
The Visor line includes:
 +
<ul>
 +
<li>Visor and Visor Deluxe</li>
 +
<li>Visor Prism</li>
 +
<li>Visor Platinum</li>
 +
<li>Visor Edge</li>
 +
<li>Visor Neo</li>
 +
<li>Visor Pro</li>
 +
</ul>
  
http://www.ntfs.com/ntfs_vs_fat.htm
+
==Treo==
 +
Treo manufacturers a variety of devices, including the LifeDrive, Treo 650 and 700w, Palm Z22 and Tx, and the Tungsten E2. Each of these devices is marketed at a different segment of the market. For example, the LifeDrive contains a 4GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s.  The LifeDrive Also includes integrated WiFi and Bluetooth capabilities.  The Treo 650 and 700w are the company's Smartphones.  The Treo 650 runs Palm OS, while the 700w runs on Windows Mobile.  The Z22, Tx, and Tungsten E2 are primarily designed to be personal organizers.
  
http://support.microsoft.com/kb/q154997/#XSLTH3126121123120121120120
+
=Forensics=
 +
Forensics for Palm devices is a nascent field. There are several tools available for the image acquisition and analysis of Palm devices.
  
http://www.dewassoc.com/kbase/hard_drives/boot_sector.htm
+
==EnCase==
 +
EnCase, published by Guidance Software, is a complete cyber forensics software package that handles all steps of the investigative process, from the acquisition to the report creation. The software includes built-in capabilities for performing MD5 hashing, data carving, deleted file recovery, and many other functions.
  
http://home.teleport.com/~brainy/fat32.htm
+
Although traditionally relegated to the realm of desktop computer forensics investigations, EnCase does support the acquisition and analysis of a limited number of Palm devices.  
  
http://www2.tech.purdue.edu/cpt/courses/cpt499s/
+
==Paraben==
 +
Paraben has a software application that is specifically designed for PDA forensics,PDA Seizure. This comprehensive tool allows PDA data to be acquired, viewed, and reported on, all within a Windows environment. The software comes equiped with quite a few key features.  These features include the ability to encrypt saved case files, Blackberry OS support, built-in recovery of Palm passwords, enhanced viewing on file data, complete physical and logical acquisition for Palm PDA devices, and many more.  It has a few draw backs, in that some of the material acquired from the PDAs is hard to interpret by a person that is not computer savi. Although, on the other hand it has features like a search portion that allows you to enter a search term and PDA Seizure will bring up all files that have that term in them.  This allows the investigator to look for case specific information easily and quickly.
  
http://home.no.net/tkos/info/fat.html
+
=References=
 +
http://www.answers.com/topic/palm-os
  
http://www.ntfs.com/fat-systems.htm
+
http://www.palm.com/us/
  
http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx
+
http://www.encase.com
  
http://support.microsoft.com/kb/q140418
+
http://www.paraben.com
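Review bot: In the ==Paraben== paragraph, the PDA Seizure feature list (encrypted case files, Blackberry OS support, "built-in recovery of Palm passwords", "complete physical and logical acquisition for Palm PDA devices") carries no citation, and the only supporting entry under =References= is the bare http://www.paraben.com home page. Point the reference at the product documentation, or attribute the list as the vendor's description, so an examiner can check the acquisition claims. The same paragraph needs a space in "forensics,PDA Seizure" and corrected spellings for "equiped" and "computer savi". Separately, the ==Palm Pilot==, ==Fossil==, ==Garmin==, ==Samsung==, ==Symbol==, ==TapWave== and ==TRG== headings are added with no body text and should either get content or be held back until there is some.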

Revision as of 18:53, 23 February 2006


Overview

The term "Palm" commonly refers to a small-scale (hand-held) computer that runs Palm's PalmOS software.

The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:

  • The reference hardware design
  • The device operating system called the Palm OS software
  • The HotSync conduit data synchronization technology
  • The platform component tools including an applications programming interface (API) that enables developers to write applications
  • The software interface capabilities to support hardware add-ons

(http://www.palm.com/us/company/pr/2000/092000.html, 2000)


History

Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed Colligan. The original purpose of the company was to create handwriting recognition software for other devices (Graffiti). The initial idea for the devices came from Hawkins' habit of carrying a block of wood in his pocket.

The initial Palm device, released in 1996, was called the Pilot. Because Pilot Pen Corporation brought forth a trademark infringement case, the second generation device released in 1997 was named the PalmPilot.

The Palm was not the original PDA device released, but benefited from the failure of Apple's Newton.

The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks. As later versions were released, more features were added. Here is a list of various Palm OS releases:

  • Version 3.1, 3.3, 3.5: Added support for color, multiple expansion ports, new processors, etc.
  • Version 4.0: Added a standard interface for external FS access.
  • Version 5.0: First version to support Acorn RISC Machine (ARM) devices. Later versions, including OS 5.2, featured Graffiti 2. It began the separation of Palm OS and Palm One.

Presently, version 6.1 of the Palm OS is under development (Cobalt). Cobalt features a Linux-based kernel. There are presently no devices released using Palm OS 6.

Features

Address Book: Allows the user to keep track of their contacts. Synchronized via HotSync manager
Calculator: Basic 4 function calculator
Datebook: Track appointments, birthdates and other important times during the year. Synchronized via HotSync manager
Expenses: Keep track of your spending habits.
HotSync: Application that ran on your desktop or portable PC or Mac to allow calendars and contacts to be easily synchronized with a Palm device.
Memo Pad: Write short notes.
Note Pad: Scribble notes in your natural writing language.
To Do List: Create a check list of items to accomplish. Synchronized via HotSync manager.
Palm Photos: Photo manager that allows sharing of photos between multiple Palm devices.

Palm Pilot

3Com Audrey

The 3Com Audrey was created to be a kitchen computer in 2000-2001. It was mainly used to access the Internet. Cisco then bought out 3Com and the Audrey was no more. One noticeable aspect of the Audrey is how people can hack it. They have turned it into anything from a web server to a chat client. It runs QNX with PalmOS extensions. This allows it to be hacked extremely easily.

It runs on the Intel-compatible Cyrix MediaGX processor. It uses Palm's HotSync technology to update the address book and date book with up to two Palms simultaneously. It uses a USB Ethernet controller to connect to the Internet. It also has built-in stereo speakers to play digital and streaming music. You can either use the clear pen to input data, or pull out the wireless keyboard. Graffiti is not used.

It was discontinued on March 21, 2001. However, there is still an Audrey frenzy going on today.

Fossil

Garmin

Kyocera

Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. An agreement with Palm Inc. to license the Palm OS platform was reached by Kyocera and Palm after QUALCOMM's acquisition. It is the foundation for a suite of smartphones.

QUALCOMM

In September 1998, QUALCOMM introduced the pdQ smartphone which was the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM’s CDMA handset business was later bought by Kyocera in February 2000.

Samsung

Sony CLIÉ

Symbol

TapWave

TRG

Handspring Visor

The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky, and Ed Colligan, left Palm Computing after disputes with the parent company 3Com. As a result, the trio founded Handspring in 1998. The first product, released in 1999, was called the Handspring Visor, a clone of the original PalmPilot with minor additions, that used the newly created Palm OS. Among its most prominent features were USB support and an expansion slot for memory cards, both of which were not yet popular at the time.

The Visor line includes:

  • Visor and Visor Deluxe
  • Visor Prism
  • Visor Platinum
  • Visor Edge
  • Visor Neo
  • Visor Pro

Treo

Treo manufactures a variety of devices, including the LifeDrive, Treo 650 and 700w, Palm Z22 and Tx, and the Tungsten E2. Each of these devices is marketed to a different segment of the market. For example, the LifeDrive contains a 4 GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s. The LifeDrive also includes integrated WiFi and Bluetooth capabilities. The Treo 650 and 700w are the company's smartphones. The Treo 650 runs Palm OS, while the 700w runs on Windows Mobile. The Z22, Tx, and Tungsten E2 are primarily designed to be personal organizers.

Forensics

Forensics for Palm devices is a nascent field. There are several tools available for the image acquisition and analysis of Palm devices.

EnCase

EnCase, published by Guidance Software, is a complete cyber forensics software package that handles all steps of the investigative process, from the acquisition to the report creation. The software includes built-in capabilities for performing MD5 hashing, data carving, deleted file recovery, and many other functions.

Although traditionally relegated to the realm of desktop computer forensics investigations, EnCase does support the acquisition and analysis of a limited number of Palm devices.

Paraben

Paraben has a software application that is specifically designed for PDA forensics, PDA Seizure. This comprehensive tool allows PDA data to be acquired, viewed, and reported on, all within a Windows environment. The software comes equipped with quite a few key features. These features include the ability to encrypt saved case files, BlackBerry OS support, built-in recovery of Palm passwords, enhanced viewing of file data, complete physical and logical acquisition for Palm PDA devices, and many more. It has a few drawbacks, in that some of the material acquired from the PDAs is hard to interpret for a person who is not computer savvy. On the other hand, it has features such as a search function that lets you enter a search term, and PDA Seizure will bring up all files that contain that term. This allows the investigator to look for case-specific information easily and quickly.

References

http://www.answers.com/topic/palm-os

http://www.palm.com/us/

http://www.encase.com

http://www.paraben.com