13.4 Related Sources of Digital Evidence



Data relating to a handheld device can often be found on associated desktop computers and memory modules. For example, when a Palm OS device is synchronized with a desktop computer, data is stored in primary backup files (*.dat, *.bak) and archive files (*.dba, *.tda, *.ada). Items that have been erased from the device, including e-mail messages and private data, may still exist on the desktop. These files are Microsoft Foundation Class (MFC) objects and their format varies depending on the MFC version used. For this reason, tools that are designed to interpret Palm databases may not be able to read these files. To complicate matters, the format of data in Palm memory is not identical to the format of these backup files. Therefore, it may be necessary to meticulously interpret and piece together the data in these backup files on the desktop.

13.4.1 Removable Media

Memory modules are usually formatted with the FAT file system and can be treated like any other piece of removable media. For example, some memory cards have a write-protection switch, which should be enabled before the digital evidence acquisition process. Also, like other forms of storage media, some form of drive or adapter is required to provide an interface between the memory module and the digital evidence collection system. Adapters for more types of memory modules are available for desktop and laptop computers (see Figure 13.6).

Figure 13.6: A memory module for a Palm OS device along with a PCMCIA interface card. This type of adapter is useful for acquiring digital evidence from memory modules using Windows- and Unix-based tools such as EnCase and dd.

One complication that can arise with some memory modules is copy protection. This can usually be bypassed using dd on UNIX. Another complication arises when dealing with modules such as GSM SIMs and other smart cards that cannot be accessed using previously mentioned evidence acquisition tools. For instance, Cards4Labs is a tool specifically designed for accessing smart cards of various kinds (Van der Knijff 2001).

13.4.2 Neighborhood Data

Handheld devices often contain remnants of network activity such as e-mail messages and Web clippings obtained using Palm Query Application (PQA). This information can be used to locate related digital evidence on other systems.[11]

For instance, the following portion of a RAM dump of a Kyocera device (combination Palm PDA and mobile telephone) contains the number of the telephone and the name of the POP server used to check e-mail. The telephone company may have call records associated with this telephone number and the POP server may have associated logs and e-mail messages.


Mobile telephones and Blackberry devices are specifically designed to access wireless networks and may have a substantial amount of neighborhood data.
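One way to pull such leads out of a raw memory dump, added here as an example and not taken from the book: it carves printable ASCII strings and reports telephone numbers and mail-server hostnames together with their byte offsets in the image. The sample dump, the North American number format and the list of hostname prefixes are constructed assumptions.

```python
import re

# Runs of 4+ printable ASCII bytes, as the classic `strings` utility reports.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Hostname whose first label suggests a mail server (assumed prefixes).
MAIL_HOST = re.compile(r"\b(?:pop3?|imap|smtp|mail)\.(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# 10- or 11-digit North American style number with optional separators (assumption).
PHONE = re.compile(r"(?<!\d)(?:1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")


def carve_strings(dump: bytes):
    """Yield (offset, text) for each printable ASCII run in the dump."""
    for m in PRINTABLE.finditer(dump):
        yield m.start(), m.group().decode("ascii")


def find_leads(dump: bytes):
    """Return sorted (offset, kind, value) leads that point at other systems."""
    leads = []
    for base, text in carve_strings(dump):
        for m in MAIL_HOST.finditer(text):
            leads.append((base + m.start(), "mail_server", m.group().lower()))
        for m in PHONE.finditer(text):
            # Normalise to digits only so the value can be matched against call records.
            leads.append((base + m.start(), "phone", re.sub(r"\D", "", m.group())))
    return sorted(leads)


# Constructed sample standing in for a fragment of a device RAM dump.
SAMPLE_DUMP = (
    b"\x00\x01\xff\xfe" + b"MyNumber\x00" + b"303-555-0142\x00\x00"
    + b"\x8a\x10\x00" + b"POPServer=pop.example.net\x00"
    + b"\x07\x07" + b"user\x00" + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for offset, kind, value in find_leads(SAMPLE_DUMP):
        print(f"0x{offset:06x}  {kind:<11}  {value}")
```

Recording the offset of each hit lets the examiner return to the surrounding bytes in the acquired image and document exactly where the value was found.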

[11]E-mail messages and other information downloaded from the Internet can be transferred onto handheld devices via a desktop computer. Therefore, the presence of such information on a device does not necessarily indicate that the device could access the Internet directly.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
