Difference between pages "Palm" and "Cell Phone Forensics"

From ForensicsWiki
(added information to Palm Pilot Section and table)
 
(External Links)
 
Line 1: Line 1:
__TOC__
+
== Guidelines ==
  
=Overview=
+
# If on, switch it off. If off, leave off.
  
A "Palm" is a commonly referred to as a small-scale (hand-held) computer that runs Palm's PalmOS software.
+
#* Note only under exceptional circumstances should the handset be left switched on and in any case every precaution to prevent the handset connecting with the Communication Service Provider should be made. Consider use of one of many [[wireless preservation]] or [[RF isolation]] techniques. Note that the slightest signal leakage will allow an overwriting text message through even if a phone call can't get through.
  
The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:<br><br>
+
#* Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off.  You may wish to avoid having this part of the program run.
* The reference hardware design<br>
+
* The device operating system called the Palm OS software<br>
+
* The HotSync conduit data synchronization technology<br>
+
* The platform component tools including an applications programming interface (API) that enables developers to write applications<br>
+
* The software interface capabilities to support hardware add-ons<br>
+
  
(http://www.palm.com/us/company/pr/2000/092000.html, 2000)
+
#* Note that removing the battery or powering off a mobile phone may introduce a handset unlock code upon powering the device on.
  
 +
# Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time. When it dies, much of the data on the device may go too!
 +
 +
# Plug the phone in, preferably in the evidence room, as soon as possible.
 +
# Retain [[search warrant]] (if necessary - [[LE]]).
 +
# Return device to forensic lab if able.
 +
# Use [[forensically sound]] tools for processing. However, also remember ACPO Principle 2 says: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
  
== History ==
+
== Notes ==
  
Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed Colligan.  The original purpose of the company was to create handwriting recognition software for other devices (Graffiti).  The initial idea for the devices came from Hawkins' habit of carrying a block of wood in his pocket.
+
Expand on as to what to collect:
  
The initial Palm device released in 1996 was called the Pilot.  Because Pilot Pen Corporation brought forth a trademark infrigement case, the second generation device released in 1997 was named the PalmPilot.
+
* [[ESN]],
 +
* [[IMEI]],
 +
* [[Carrier]],
 +
* Manufacturer,
 +
* Model Number,
 +
* Color, and
 +
* Other information related to [[Cell Phone]] and [[SIM Card]]...
  
The Palm was not the original PDA device released, but benefited from the failure of Apple's Newton.
+
Process:
 +
# Photograph the [[Cell Phone]] screen during power up.
 +
# Research the [[Cell Phone]] for technical specifications.  
 +
# Research the [[Cell Phone]] for forensic information.
 +
# Based on phone type [[GSM]], [[CDMA]], [[iDEN]], or [[Pay As You Go]] determine acquisition tools
  
The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks.  As later versions were released, more features were added.  Here is a list of various Palm OS releases:
+
GSM:
 +
# Phone and SIM Card
 +
# SIM Card
  
*  Version 3.1, 3.3, 3.5
+
CDMA:
Added support for color, multiple expansion ports, new processors, etc.
+
# Phone
  
*  Version 4.0
+
iDEN:
Added a standard interface for external FS access
+
# Three major tools exist for iDEN Phones:
 +
* iDEN Companion Pro
 +
* iDEN Media Downloader
 +
* iDEN Phonebook Manager
  
*  Version 5.0
+
Pay As You Go:
First version to support Acorn Risc Machine (ARM) devices. Later versions which included OS 5.2, featured Graffiti 2. It began the separation of Palm OS and Palm One.
+
# Phone
  
Presently, version 6.1 of the Palm OS is under development (Cobalt).  Cobalt features a Linux-based kernel.  There are presently no devices released using Palm OS 6.
+
== External Links ==
  
=Features=
+
Articles and Reference Materials
<table>
+
*[http://www.e-evidence.info/cellarticles.html E-Evidence.Info Articles, Papers, Presentations, etc.]
<tr>
+
*[http://esm.cis.unisa.edu.au/new_esml/resources/publications/forensic%20analysis%20of%20mobile%20phones.pdf Forensic Analysis of Mobile Phones]
<td>'''Address Book''': Allows the user to keep track of their contacts. Synchronized via HotSync manager</td>
+
*[http://www.ijde.org/docs/03_spring_art1.pdf Forensics and the GSM Mobile Telephone System]
</tr>
+
*[http://www.cl.cam.ac.uk/~fms27/persec-2006/goodies/2006-Naccache-forensic.pdf Law Enforcement, Forensics and Mobile Communications]
<tr>
+
*[http://www.forensics.nl/mobile-pda-forensics Mobile Phone Forensics & PDA Forensics Links]
<td>'''Calculator''': Basic 4 function calculator</td>
+
*[http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm Netherlands Forensic Institute: Mobile Phone Forensics Examination - Basic Workflow and Preservation]
</tr>
+
*[http://csrc.nist.gov/mobilesecurity/publications.html#MF U.S. National Institute of Standards and Technology Documents]
<tr>
+
<td>'''Datebook''': Track appointments, birthdates and other important times during the year. Synchronized via HotSync manager</td>
+
</tr>
+
<tr>
+
<td>'''Expenses''': Keep track of your spending habits.</td>
+
</tr>
+
<tr>
+
<td>'''HotSync''': Application that ran on your desktop or portable PC or Mac to allow for calendars and contacts to easily be synchronized with Palm device.</td>
+
</tr>
+
<tr>
+
<td>'''Memo Pad''': Write short notes.</td>
+
</tr>
+
<tr>
+
<td>'''Note Pad''': Scribble notes in your natural writing language.</td>
+
</tr>
+
<tr>
+
<td>'''To Do List''': Create a check list of items to accomplish.   Synchronized via HotSync manager.</td>
+
</tr>
+
<tr>
+
<td>'''Palm Photos''': Photo manager that allows sharing of photos between multiple palm devices.</td>
+
</tr>
+
</table>
+
  
==Palm Pilot==
+
Conferences
The original creators of the Palm Pilot were Jeff Hawkins, Donna Dubinsky, and Ed Colligan. The idea of the palm pilot was established by Jeff Hawkins from a block of wood with writing on it.
+
*[http://www.MobileForensicsWorld.com/ Mobile Forensics World]
  
<table>
+
Investigative Support
<tr>
+
*[http://www.search.org/files/pdf/CellphoneInvestToolkit-0806.pdf Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications]
  <th>
+
*[http://www.e-evidence.info/cellular.html E-Evidence.Info Mobile Forensic Tools]
  Palm Pilot 1000
+
*[http://www.forensicfocus.com ForensicFocus.com(Practitioners Forum)]
  </th>
+
*[http://www.hex-dump.com Hex-Dump.com(Advanced Forum for Hex Dump and Memory Analysis)]
  <th>
+
*[http://www.Mobile-Examiner.com Mobile-Examiner.com (Forum for Practitioners)]
  Palm Pilot 5000
+
*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
  </th>
+
*[http://www.mfi-training.com Mobile Forensics Training Forum (Mobile Device Investigative Support and Training)]
  <th>
+
*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
  Palm Pilot Personal
+
*[http://www.Phone-Forensics.com Phone-Forensics.com (Advanced Forum for Practitioners)]
  </th>
+
*[http://trewmte.blogspot.com TREW Mobile Telephone Evidence (Mobile Telephone Evidence Practitioner Site)]
  <th>
+
  Palm Pilot Professional
+
  </th>
+
</tr>
+
<tr>
+
  <th>Features</th>
+
  <td>
+
      <ul>Motorola 68328 processor</ul>
+
      <ul>128 KB memory</ul>
+
      <ul>Palm OS 1.0</ul>
+
  </td>
+
  <td>
+
      <ul>Dragonball processor</ul>
+
      <ul>512 KB memory</ul>
+
      <ul>Palm OS 1.0</ul>
+
  </td>
+
  <td>
+
      <ul>Dragonball processor</ul>
+
      <ul>512 KB memory</ul>
+
      <ul>Palm OS 2.0</ul>
+
  </td>
+
  <td>
+
      <ul>Dragonball processor</ul>
+
      <ul>1 MB memory</ul>
+
      <ul>Palm OS 2.0</ul>
+
  </td>
+
</tr>
+
<tr>
+
  <th>Dimensions & Weight</th>
+
</tr>
+
  
==3Com Audrey==
+
Phone Research
 +
*[http://www.GSMArena.com GSMArena.com (Technical information regarding GSM Cell Phones)]
 +
*[http://www.MobileForensicsCentral.com MobileForensicsCentral.com (Information regarding Cell Phone Forensic Applications)]
 +
*[http://www.PhoneScoop.com PhoneScoop.com (Technical information regarding all Cell Phones)]
 +
*[http://www.ssddforensics.com/ Small Scale Digital Device Forensics Information]
  
The 3Com Audrey was created to be a kitchen computer in 2000-2001.  It was a mainly a used to access the Internet.  Cisco then bought out 3Com and the Audrey was no more.  One noticeable aspect of the Audrey is how people can hack it.  They have turned it into anything from a web server to a chatting client.  It runs QNX with PalmOS extensions.  This allows it to be hacked extremely easily.
+
Training
 
+
*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
It runs on the Intel-compatible Cyrix-MediaGX processor. It uses Palm's HotSync technology to update the address book and date book with up to two Palms simultaneously.  It uses a USB Ethernet controller to connect to the Internet.  It also has built-in stereo speakers to play digital and streaming music.  You can either use the clear pen to input data, or pull out the wireless keyboard.  No graffiti is used. 
+
*[http://www.MobileForensicsWorld.com/Training.aspx Mobile Forensics World Training]
 
+
*[http://www.mobileforensicstraining.com Mobile Forensics Training (Mobile Forensics Inc. Training Class site)]
It was discontinued on March 21, 2001.  However, there is still an Audrey frenzy going on today.
+
*[http://www.paraben-training.com/training.html Paraben-Forensics.com (Paraben's Handheld Forensic Training Classes)]
 
+
*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
==Fossil==
+
*[http://www.msab.com/training/schedule Micro Systemation Training (Mobile Forensics Training)]
 
+
==Garmin==
+
 
+
==Kyocera==
+
 
+
Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. An agreement with Palm Inc. to license the Palm OS platform was reached by Kyocera and Palm after QUALCOMM's acquisition. It is the foundation for a suite of smartphones.
+
 
+
==QualComm==
+
 
+
In September 1998, QUALCOMM introduced the pdQ smartphone which was the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM’s CDMA handset business was later bought by Kyocera in February 2000.
+
 
+
==Samsung==
+
 
+
==Sony Cli&Egrave;==
+
 
+
==Symbol==
+
 
+
==TapWave==
+
 
+
==TRG==
+
 
+
==Handspring Visor==
+
 
+
The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky, and Ed Colligan, left Palm Computing after desputes with the parent company 3com. As a result, the trio founded Handspring in 1998. The first product released in 1999 was called the Handspring Visor, a clone of the original PalmPilot with minor additions, that used the newly created Palm OS. One of it's most prominent features was USB support and an expansion slot for memory cards, both of which were not yet popular at the time.
+
 
+
The Visor line includes:
+
<ul>
+
<li>Visor and Visor Deluxe</li>
+
<li>Visor Prism</li>
+
<li>Visor Platinum</li>
+
<li>Visor Edge</li>
+
<li>Visor Neo</li>
+
<li>Visor Pro</li>
+
</ul>
+
 
+
==Treo==
+
Treo manufacturers a variety of devices, including the LifeDrive, Treo 650 and 700w, Palm Z22 and Tx, and the Tungsten E2. Each of these devices is marketed at a different segment of the market.  For example, the LifeDrive contains a 4GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s.  The LifeDrive Also includes integrated WiFi and Bluetooth capabilities.  The Treo 650 and 700w are the company's Smartphones.  The Treo 650 runs Palm OS, while the 700w runs on Windows Mobile.  The Z22, Tx, and Tungsten E2 are primarily designed to be personal organizers.
+
 
+
=Forensics=
+
Forensics for Palm devices is a nascent field. There are several tools available for the image acquisition and analysis of Palm devices.
+
 
+
==EnCase==
+
EnCase, published by Guidance Software, is a complete cyber forensics software package that handles all steps of the investigative process, from the acquisition to the report creation.  The software includes built-in capabilities for performing MD5 hashing, data carving, deleted file recovery, and many other functions.
+
 
+
Although traditionally relegated to the realm of desktop computer forensics investigations, EnCase does support the acquisition and analysis of a limited number of Palm devices.
+
 
+
==Paraben==
+
Paraben has a software application that is specifically designed for PDA forensics,PDA Seizure.  This comprehensive tool allows PDA data to be acquired, viewed, and reported on, all within a Windows environment.  The software comes equiped with quite a few key features.  These features include the ability to encrypt saved case files, Blackberry OS support, built-in recovery of Palm passwords, enhanced viewing on file data, complete physical and logical acquisition for Palm PDA devices, and many more.  It has a few draw backs, in that some of the material acquired from the PDAs is hard to interpret by a person that is not computer savi. Although, on the other hand it has features like a search portion that allows you to enter a search term and PDA Seizure will bring up all files that have that term in them.  This allows the investigator to look for case specific information easily and quickly.
+
 
+
=References=
+
http://www.answers.com/topic/palm-os
+
 
+
http://www.palm.com/us/
+
 
+
http://www.encase.com
+
 
+
http://www.paraben.com
+
 
+
http://en.wikipedia.org/wiki/Palm_(PDA)
+
 
+
http://www.etech4sale.com/products/partinfo-id-116929.html
+
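Review bot: The blank lines left between the `#` items in the new Guidelines section (after the three `#*` notes, and again after "# Collect and preserve ...") end the numbered list each time, so MediaWiki restarts the numbering at 1 instead of running 1 to 6; removing those blank lines keeps the steps in one list. The same applies under "iDEN:", where the three tool names are top-level `*` items after a one-item `#` list; `#*` would nest them under the item that introduces them. The "Training" links also repeat entries already listed under "Conferences" and "Investigative Support" (Mobile-Forensics.com, SmartPhoneForensics.com, Mobile Forensics World), which could be consolidated.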

Latest revision as of 08:27, 11 May 2011

Guidelines

  1. If on, switch it off. If off, leave off.
    • Note only under exceptional circumstances should the handset be left switched on and in any case every precaution to prevent the handset connecting with the Communication Service Provider should be made. Consider use of one of many wireless preservation or RF isolation techniques. Note that the slightest signal leakage will allow an overwriting text message through even if a phone call can't get through.
    • Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off. You may wish to avoid having this part of the program run.
    • Note that removing the battery or powering off a mobile phone may introduce a handset unlock code upon powering the device on.
  2. Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time. When it dies, much of the data on the device may go too!
  3. Plug the phone in, preferably in the evidence room, as soon as possible.
  4. Retain search warrant (if necessary - LE).
  5. Return device to forensic lab if able.
  6. Use forensically sound tools for processing. However, also remember ACPO Principle 2 says: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Notes

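Expand on as to what to collect:

  • ESN,
  • IMEI,
  • Carrier,
  • Manufacturer,
  • Model Number,
  • Color, and
  • Other information related to Cell Phone and SIM Card...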
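As an added example (not part of the wiki page): Python that checks the ESN and IMEI named in the collection list as they are transcribed into an intake record, so a misread label is flagged at the scene rather than in the lab. The record layout, function names and sample values are assumptions constructed for illustration; it relies on a 15-digit IMEI ending in a Luhn check digit and a 32-bit ESN being written as 8 hex or 11 decimal digits.

```python
import re

def luhn_ok(digits):
    """Luhn checksum over a decimal string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_imei(raw):
    """Normalise a transcribed 15-digit IMEI and split it into its fields."""
    digits = re.sub(r"[\s/-]", "", raw)
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError(f"IMEI must be 15 digits: {raw!r}")
    return {"imei": digits, "tac": digits[:8], "serial": digits[8:14],
            "check_ok": luhn_ok(digits)}

def parse_esn(raw):
    """Accept a 32-bit ESN as 8 hex or 11 decimal digits; return both forms."""
    s = re.sub(r"\s", "", raw)
    if re.fullmatch(r"[0-9A-Fa-f]{8}", s):
        value = int(s, 16)
    elif re.fullmatch(r"\d{11}", s):        # 3-digit manufacturer + 8-digit serial
        mfr, serial = int(s[:3]), int(s[3:])
        if mfr > 0xFF or serial > 0xFFFFFF:
            raise ValueError(f"decimal ESN out of range: {raw!r}")
        value = (mfr << 24) | serial
    else:
        raise ValueError(f"unrecognised ESN format: {raw!r}")
    mfr, serial = value >> 24, value & 0xFFFFFF
    return {"hex": f"{value:08X}", "dec": f"{mfr:03d}{serial:08d}",
            "manufacturer_code": mfr}

def intake_record(imei=None, esn=None, **details):
    """Build one record; identifiers that fail validation are flagged, not dropped."""
    record = dict(details, problems=[])
    for name, raw, parser in (("imei", imei, parse_imei), ("esn", esn, parse_esn)):
        if raw is None:
            continue
        try:
            record[name] = parser(raw)
            if name == "imei" and not record[name]["check_ok"]:
                record["problems"].append("imei: check digit mismatch, re-read the label")
        except ValueError as exc:
            record[name] = {"as_written": raw}   # keep what was seen on the device
            record["problems"].append(f"{name}: {exc}")
    return record
```
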

Process:

  1. Photograph the Cell Phone screen during power up.
  2. Research the Cell Phone for technical specifications.
  3. Research the Cell Phone for forensic information.
  4. Based on phone type (GSM, CDMA, iDEN, or Pay As You Go), determine acquisition tools.

GSM:

  1. Phone and SIM Card
  2. SIM Card

CDMA:

  1. Phone

iDEN:

  1. Three major tools exist for iDEN Phones:
    • iDEN Companion Pro
    • iDEN Media Downloader
    • iDEN Phonebook Manager

Pay As You Go:

  1. Phone

External Links

Articles and Reference Materials

Conferences

Investigative Support

Phone Research

Training