MOBILedit!

From ForensicsWiki

'''MOBILedit!''' is an application that provides an interface between a cell phone and a personal computer. It is designed to improve productivity and communication by letting data entered on the computer be downloaded into the phone. It is used to send photos, SMS messages, documents, and other important data to and from a cell phone.

[[Image:Mobileditscreen.jpg|thumb|right|MOBILedit! Phone Copier Screen.]]

== Versions ==

MOBILedit! Lite is designed for the casual user, while MOBILedit! Forensic is designed to aid forensic investigations. MOBILedit! Lite is available as an evaluation version and can be purchased at MOBILedit!'s website. It supports more makes and models than any other program of its type. It allows edits to anything from the time on the phone to the contacts in the phonebook, all from a computer. It can also back up all the information on the phone to a computer in case the phone is lost, which makes it easy to get everything back onto a new phone.

This application communicates with phones via Bluetooth, infrared, or cable, depending on the model of phone. The basic drivers for each phone are installed with the program. If another driver is needed, it can be downloaded from the website, assuming the phone is supported.

== Features ==

As a cell phone forensics software tool, MOBILedit! has the ability to:

*send SMS messages and make phone calls directly from a computer connected to a cell phone
*monitor a cell phone's battery life, signal quality, and the current network operator
*display everything on a phone on the screen of a computer, allowing easier use of the phone
*allow the user to control a phone from a personal computer
*synchronize e-mail onto a cell phone with Microsoft Outlook
*configure multiple devices to connect to MOBILedit!
*generate secure reports in any language
*create specific templates for specific functions and insert gathered data into a template

All functions of the program are located on the main screen. It is also fully compatible with Microsoft Outlook, allowing the user to synchronize e-mail onto his or her phone with Outlook. Multiple devices can be configured to connect to MOBILedit!.

MOBILedit! collects all the data from the mobile phone and generates an extensive report on a PC that can be saved or printed. MOBILedit! Forensic allows the output from the cell phone to be customized, which makes the data adaptable to the needs of each judicial system. MOBILedit! Forensic also has frequent updates and upgrades.

====Report Generation====

MOBILedit! Forensic has the ability to generate reports in any language. It can also use specific templates for specific functions. These template files can be created in tools such as MS Word and many other text editors. MOBILedit! Forensic reads the template and inserts all data gathered from the device. This means that there is no need to import or export stubs of data from SIM cards or phones.

The reports that MOBILedit! Forensic generates are secure, as the final report document is created automatically. MOBILedit! Forensic is read-only, thereby preventing changes to the device and avoiding potentially damaging losses of evidence. All items are also protected against later modification by a hash code of the kind used in digital signatures. All blocks of data, such as the phonebook, are protected by the MD5 hash algorithm. Each item has its own MD5 code, which helps quickly locate the place of a possible modification.
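The per-item hash scheme described above, as an added example that is not MOBILedit!'s code or report format: one MD5 digest per item and one per block, plus a verifier that reports exactly which item changed rather than only that the report changed. The block names, field names and the sample phone data are constructed for the illustration.

```python
# Per-item hash manifest, illustrating the tamper-evidence scheme described above.
# Added example: NOT MOBILedit!'s report format. Block layout, field names and
# sample phone data are constructed for illustration.
import hashlib
import json


def item_digest(block: str, index: int, item: dict) -> str:
    """MD5 of one item, bound to its block name and slot so an item cannot be
    silently moved to another position or block without detection."""
    canonical = json.dumps(item, sort_keys=True, separators=(",", ":"))
    return hashlib.md5(f"{block}:{index}:{canonical}".encode()).hexdigest()


def build_manifest(report: dict) -> dict:
    """Return {block: {"items": [md5, ...], "block": md5}} for every block."""
    manifest = {}
    for block, items in report.items():
        digests = [item_digest(block, i, it) for i, it in enumerate(items)]
        block_md5 = hashlib.md5("".join(digests).encode()).hexdigest()
        manifest[block] = {"items": digests, "block": block_md5}
    return manifest


def verify(report: dict, manifest: dict) -> list:
    """Return (block, index) pairs whose content no longer matches the manifest.
    An index of None means the block's item count changed (or it is missing)."""
    bad = []
    for block, entry in manifest.items():
        items = report.get(block, [])
        if len(items) != len(entry["items"]):
            bad.append((block, None))
            continue
        for i, it in enumerate(items):
            if item_digest(block, i, it) != entry["items"][i]:
                bad.append((block, i))
    return bad


# Constructed sample extraction (not real data).
SAMPLE_REPORT = {
    "phonebook": [
        {"name": "Alice Example", "number": "+15555550100"},
        {"name": "Bob Example", "number": "+15555550101"},
    ],
    "sms": [
        {"from": "+15555550101", "text": "meet at 5", "status": "read"},
    ],
}


def demo() -> list:
    """Hash the sample, alter one phonebook entry, and locate the change."""
    manifest = build_manifest(SAMPLE_REPORT)
    tampered = json.loads(json.dumps(SAMPLE_REPORT))  # deep copy
    tampered["phonebook"][1]["number"] = "+15555550199"
    return verify(tampered, manifest)


if __name__ == "__main__":
    print(demo())  # [('phonebook', 1)]
```

Two caveats a practitioner should keep in mind. The manifest only proves anything if it is stored, or signed, separately from the report it covers; whoever can edit the report can recompute unsigned MD5 values. And MD5 collisions are practical today, so a scheme like this detects accidental or careless edits but not an adversary who prepares colliding items; for new work, use SHA-256 and sign the manifest.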

MOBILedit! can also generate reports from devices currently connected to the computer, as well as from phones that were connected in the past, using a backup file.

====Applications and Drivers====

MOBILedit! is designed with an architecture similar to that of an operating system. The result is that new applications and drivers can be added, and in the same way that Windows or Linux resolves the complexity of computer hardware, MOBILedit! reconciles the differences between mobile phones.

MOBILedit! supports adding applications to enhance its functionality for future phones and new features. For example, if a phone supports MMS, one can add an MMS application to MOBILedit!; one can likewise add the ability to edit, upload, or download pictures, control a camera, and view movies.

In addition to applications, drivers can also be added; these cover the differences between mobile phones at a low level, so that any mobile phone can be supported. The driver interface is open, and COMPELSON Labs offers the source code of its drivers.

==Links==

[http://www.mobiledit.com/ Official web site]

T-Mobile Sidekick II

From ForensicsWiki

Revision as of 13:27, 24 April 2006

Work In Progress

h1. Disclaimer

This paper assumes that the investigator has secured appropriate authorization to intercept or access the files and information contained on or received by the electronic device in question, and that the implementation of any of the techniques and procedures set forth herein is being done under circumstances and restrictions that are in full compliance with The Electronic Communications Privacy Act of 1986 and other potentially applicable federal and state laws. No representation is made or intended that any specific application of the techniques and procedures set forth herein may be lawfully performed in any particular factual circumstance. Each investigator should secure appropriate legal advice with respect to each such application.

h1. Introduction

This document is meant to familiarize investigators with the Danger Hiptop 2, also known as the T-Mobile Sidekick II (Sidekick herein). The procedures and tools presented here are by no means exhaustive of the technology surrounding the Sidekick, but are intended to prompt the design of custom tools to gather forensic data from the device. All testing for this paper was conducted using an original T-Mobile Sidekick II device along with a T-Mobile To-Go account. Since T-Mobile's Sidekick service includes Internet access to the data on the device, it is important to cover what can and cannot be gathered with an account's password.

h1. Relevance of Sidekick Forensics

Like other devices in the smartphone category, the T-Mobile Sidekick contains personal information such as calendars and contacts. Similar to RIM's Blackberry, the Sidekick does not require desktop synchronization to get any new data from the device. Instead, all data is synchronized over the air with T-Mobile and Danger's servers. This was best explained by Michael Burnette in his examination of the Blackberry in June of 2002.

bq. The more time a PDA spends with its owner, the greater the chance is that it will more accurately reflect and tell a story about that person. Thus, the ... unsurpassed portability is the examiner’s greatest ally.

h1. The Hardware

The Sidekick comes in two versions: PV-100 and PV-108. The PV-100 model is a GSM 900/1800/1900 device; the PV-108 model has GSM 850 rather than GSM 900. Both versions of the Sidekick have 16 MB of built-in Flash shared memory as well as 32 MB of RAM. The Flash memory stores photos, applications, ringtones and other personal data, while the RAM holds open applications, as on a PC. A VGA camera with flash is also built into the device.

The Sidekick has a QWERTY keyboard underneath the TFT screen for easy e-mail and SMS messaging. To expose the keyboard, the screen needs to be rotated upward.

h1. Tools Used

To test the methods presented in this paper, the following tools were used on a Windows XP machine running Service Pack 2:

  • Danger Developer SDK, free at http://danger.developer.com
  • Hex editor
  • Text editor
  • USB SIM card reader

h1. Acquisition

From my research, I have discovered that the T-Mobile Sidekick device is incapable of having forensic data extracted. According to Danger, the USB port found on the device is a _dumb_ terminal: it can only transfer files to the device, but not retrieve any data from the device. Attempts at connecting to the device via Windows XP and Mac OS X were unsuccessful.

Danger's reason for not allowing the extraction of data from the device is to protect its intellectual property. The Sidekick has a proprietary file system and operating system that the company is not interested in exposing more than they already are. To get data from the device, Danger's attorneys suggested submitting a subpoena to their legal office. They could not offer a definite turnaround time for getting the data into an investigator's hands.

h1. Evidence Collection

_Extended System Information_

Even though transferring data from the device to a third-party computer does not seem to be possible, an investigator can still get useful information from the device itself. The system information screen contains the user's login name for the Danger servers and the phone number. With the login name, an investigator can subpoena the account's data from Danger's servers. Basic system information can be accessed via the following key sequence:

bq. Jump -> Menu -> Settings -> System Info

One feature that can be accessed is extended system info. This shows the following information:

  • hiptop OS (firmware) build number, build date & time
  • Long-format Radio Firmware version (v0.4.1 becomes 5.041.6)
  • 'Dress Barn (unknown)'
  • Recovery ROM filename and write-date & time
  • System Library build number, build date & time
  • 'Partner ID 101'
  • build number, build date & time of all installed applications.

It is unclear what the 'Dress Barn (unknown)' and 'Partner ID 101' entries mean, but they do not seem relevant to a forensic analysis of the device.

To get to the extended system info, enter this key sequence:

bq. Jump -> Menu -> Settings -> System Info -> Menu + M

_System Log_

An important feature that was removed in later versions of the Sidekick is the ability to view the syslog. This only works with firmware versions prior to 2.3. The functionality was removed because a bug was found that allowed someone to bypass the three-digit security lock the device may have had enabled. The log contained information on data transmitted to and from the Danger servers.

The syslog can be accessed by entering this key sequence.

bq. Jump -> Menu -> Settings -> System Info -> Menu + Shift + S

_Network Status_

The basic network status panel gives the following information:

  • Service status (connected or not)
  • Connection time
  • Signal strength
  • GSM Registration
  • GPRS status
  • Radio version

This can be accessed via following key sequence:

bq. Jump -> Network Status

Like the System Info screen, network status has an extended information feature as well. It can similarly be accessed by keying _Jump + M_ while still in the network status screen. The extended network status gives the following relevant information:

  • IP Address
  • Packets Transmitted
  • Packets Received
  • Bytes Transmitted
  • Bytes Received
  • Current Cell Tower
  • Bit Error Rate

_Battery Status_

Battery status can be accessed via the following command:

bq. Jump -> Menu -> Settings -> Battery & Display

_Resetting_

To perform a soft reset of the device, the following key command is used:

bq. @ + 1 + 0

Be advised that there is no confirmation dialog: if you press this combination, the device resets immediately. It is unknown what file-system cleanup is performed during a soft reset; Danger was not cooperative in answering such questions.

h1. Sim Card Analysis

The only feasible way to extract data from a T-Mobile Sidekick is via the SIM card. While there does not seem to be a way to export contacts from the Sidekick onto the SIM card, the device can import contacts from a SIM card. The main purpose of the card for a device like the Sidekick is network authorization. Unless data is specifically added to the card, all data is stored on the Danger servers.

The SIM card's stored SMS messages are also displayed on the device by default. It's unknown at this time if those messages are then transferred to the Danger servers.

SIM Card analysis was done using SIMCon.
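What a SIM card reader actually returns is a set of fixed-size binary records, and the forensic value lies in decoding them directly rather than trusting the phone's view of the card. The following is an added example, not SIMCon's code or output: it decodes EF_SMS records (the SIM file that holds stored SMS) per GSM 11.11 and 3GPP TS 23.040, and shows why a "deleted" SMS is usually recoverable: deleting a message only clears the record's status byte, and the message body stays in the slot until it is reused. The sample records are constructed, not captured from a real card, and the two-digit year is assumed to be 20xx.

```python
# Decode raw EF_SMS records read from a GSM SIM (GSM 11.11 / 3GPP TS 51.011).
# Added example, not SIMCon's code; the sample records below are constructed.

# GSM 7-bit default alphabet (3GPP TS 23.038), indexed by septet value.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
# Status byte of a record; 0x00 marks the slot free, but the body is left in place.
SMS_STATUS = {0x00: "free/deleted", 0x01: "read", 0x03: "unread",
              0x05: "sent", 0x07: "unsent"}


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed user data into text."""
    bits, nbits, out = 0, 0, []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(out)


def bcd_digits(raw: bytes, ndigits: int) -> str:
    """Swapped-nibble BCD digits; an 0xF nibble is padding."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        if b >> 4 != 0xF:
            out.append(str(b >> 4))
    return "".join(out)[:ndigits]


def decode_address(buf: bytes, pos: int, length_in_digits: bool):
    """Return (number, next_pos) for the address field at buf[pos]. The SMSC
    length counts bytes after the length byte; the TP-OA length counts digits."""
    ln = buf[pos]
    if ln == 0:
        return "", pos + 1
    nbytes = (ln + 1) // 2 if length_in_digits else ln - 1
    ndigits = ln if length_in_digits else 2 * nbytes
    intl = (buf[pos + 1] & 0x70) == 0x10          # type-of-number: international
    digits = bcd_digits(buf[pos + 2:pos + 2 + nbytes], ndigits)
    return ("+" if intl else "") + digits, pos + 2 + nbytes


def decode_scts(raw: bytes) -> str:
    """TP-SCTS: six swapped-BCD fields plus a signed quarter-hour time zone.
    The two-digit year is assumed to be 20xx."""
    swap = lambda b: (b & 0x0F) * 10 + (b >> 4)
    yy, mo, dd, hh, mi, ss = (swap(b) for b in raw[:6])
    quarters = (raw[6] & 0x07) * 10 + (raw[6] >> 4)
    sign = "-" if raw[6] & 0x08 else "+"
    return (f"20{yy:02d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d} "
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def decode_ef_sms_record(rec: bytes):
    """Decode one 176-byte EF_SMS record; None if the slot was never written."""
    status, body = rec[0], rec[1:]
    if body[0] == 0xFF:
        return None
    smsc, pos = decode_address(body, 0, length_in_digits=False)
    msg = {"status": SMS_STATUS.get(status, f"0x{status:02x}"), "smsc": smsc}
    if body[pos] & 0x03:                  # only SMS-DELIVER (MTI 00) is parsed
        return {**msg, "tpdu": body[pos:].rstrip(b"\xff").hex()}
    msg["sender"], pos = decode_address(body, pos + 1, length_in_digits=True)
    dcs = body[pos + 1]                   # body[pos] is TP-PID
    msg["timestamp"] = decode_scts(body[pos + 2:pos + 9])
    udl, pos = body[pos + 9], pos + 10
    if (dcs & 0x0C) == 0x00:              # GSM 7-bit; udl counts septets
        msg["text"] = unpack_7bit(body[pos:pos + (udl * 7 + 7) // 8], udl)
    else:                                 # UCS-2 / 8-bit: keep raw hex
        msg["text"] = body[pos:pos + udl].hex()
    return msg


def recover_sms(records) -> list:
    """Decode every slot, keeping 'free' slots whose body still holds a TPDU:
    those are deleted messages the phone has not yet overwritten."""
    found = []
    for slot, rec in enumerate(records, start=1):
        msg = decode_ef_sms_record(rec)
        if msg is not None:
            msg["slot"] = slot
            found.append(msg)
    return found


def _record(status: int, body_hex: str) -> bytes:
    body = bytes.fromhex(body_hex)        # status byte, body, 0xFF padding
    return bytes([status]) + body + b"\xff" * (175 - len(body))


# Constructed SMS-DELIVER: SMSC +15555550000, sender +15555550101,
# 2006-04-24 13:27:00 UTC, 7-bit text "Hello".
_DELIVER = ("07915155550500F0" "04" "0B915155550501F1" "0000"
            "60404231720000" "05" "C8329BFD06")
SAMPLE_EF_SMS = [
    _record(0x01, _DELIVER),   # slot 1: read
    _record(0x00, _DELIVER),   # slot 2: deleted, status cleared but body intact
    _record(0x00, ""),         # slot 3: genuinely empty
]

if __name__ == "__main__":
    for m in recover_sms(SAMPLE_EF_SMS):
        print(m)
```

On a real card, EF_SMS sits at 3F00/7F10/6F3C and each slot is fetched with READ RECORD in absolute mode; a slot whose status byte is 0x00 but whose body is not all 0xFF is what SIM forensic tools report as a deleted message. Only SMS-DELIVER in the 7-bit default alphabet is decoded here; SMS-SUBMIT records and UCS-2 or 8-bit payloads are returned as raw hex so that nothing is silently dropped.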

h1. Conclusions & Future Research

This paper has presented a starting point for the analysis of forensic data of a T-Mobile Sidekick device. Because of a lack of an active T-Mobile Sidekick account, I was incapable of performing any sort of analysis or research on the backend servers provided by T-Mobile and Danger. The main focus of this paper was trying to gather information from the Sidekick device itself. In short, there isn't much.

Until Danger develops drivers and becomes willing to provide information on the file system and other information surrounding the Sidekick, creating software to extract data from a device will be almost impossible.

h1. Selected Bibliography

This paper compiles information and/or concepts presented in the following works:

1. Wikipedia: http://en.wikipedia.org/wiki/T-Mobile_Sidekick