
Computer Forensics Principles and Practices



Presentation Transcript


  1. Computer Forensics: Principles and Practices, by Volonino, Anzaldua, and Godwin. Chapter 5: Data, PDA, and Cell Phone Forensics

  2. Objectives • Recognize and identify types of drives and media storage devices • Describe PDA and cellular phone technologies • Explain techniques for acquiring and analyzing data from hard drives and other storage media © Pearson Education Computer Forensics: Principles and Practices

  3. Objectives (Cont.) • Describe techniques for acquiring and analyzing data from PDAs and cellular phones • List and describe tools that can be used to analyze disk images, PDA data, and cellular phone data

  4. Introduction It is important to understand how the technology works in order to properly gather evidence from the different media devices. This chapter gives you the requisite understanding and then the tools to help in gathering the evidence from those devices.

  5. Basic Hard Drive Technology • Composition of hard drives • Platters • Heads • Cylinders • Sectors • Locating hard drive geometry information • The label on the hard drive contains the drive geometry

  6. Basic Hard Drive Technology (Cont.) • Hard drive standards • ATA (advanced technology attachment) • ATAPI (advanced technology attachment programmable interface) • EIDE • IDE (integrated drive electronics) • PIO (programmable input/output) • UDMA (ultra direct memory access) • ATA speed rating • SATA (serial advanced technology attachment)

  7. Other Storage Technologies • Floppy disks • Tape drive technologies • QIC, DAT, DLT • ZIP and other high-capacity drives • Optical media structures • Single session vs. multisession CDs • DVDs • USB Flash drives

  8. Personal Digital Assistant Devices (PDAs) • Five major PDA operating systems: • BlackBerry • Open Embedded (Linux) • PalmSource (Palm OS) • Symbian (Psion) • Windows Mobile (Pocket PC)

  9. Cellular Phones • New phones are low-end computers with the following capabilities: • PDA functionality • Text messaging (SMS, EMS, MMS, IM) • Single photo and/or movie video capable • Phonebook • Call logs • Subscriber identity module • Global positioning systems • Video streaming • Audio players

  10. Drive and Media Analysis • Acquiring data from hard drives • Bit-stream transfer • Disk-to-disk imaging

  11. Drive and Media Analysis (Cont.) • Acquiring data from removable media • Document the scene • Use a static-proof container and label the container with • Type of media • Where the media was found • Type of reader required for the media • Transport directly to the lab • Do not leave any media in a hot vehicle or environment • Store media in a secure and organized area

  12. Drive and Media Analysis (Cont.) • Acquiring data from removable media (cont.) • Once at the lab, make a working copy of the drive • Make sure the media is write-protected • Make a hash of the original drive and the duplicate • Make a copy of the duplicate to work from • Store the original media in a secure location
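The lab-side steps on slides 10 and 12 (bit-stream copy, hash original and duplicate, work from a copy of the duplicate) can be demonstrated end to end. The following is an added example and is not code from the textbook or its authors; the file names `evidence.dd` and `working.dd`, the 64 KiB chunk size, and the 192 KiB of constructed sample bytes standing in for seized media are all assumptions made for the illustration.

```python
# Added example (not the textbook's code): the lab-side acquisition steps
# from slides 10 and 12 as a bit-stream copy with hash verification.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16                 # 64 KiB per read/write (assumed chunk size)
ALGORITHMS = ("md5", "sha256")  # hash the image with more than one algorithm


def hash_file(path):
    """Return {algorithm: hexdigest} for a file, computed in one streaming pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(src, dst):
    """Copy every byte of src to dst, hashing the bytes as they are read.
    Returns the hashes of what was read from src."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            fout.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(original, lab_dir):
    """Slide 12 workflow: duplicate the original, hash original and duplicate,
    make a working copy of the duplicate, and confirm all three agree.
    Returns (hashes, verified)."""
    lab_dir = Path(lab_dir)
    duplicate = lab_dir / "evidence.dd"   # assumed file names
    working = lab_dir / "working.dd"
    read_hashes = bitstream_copy(original, duplicate)
    # Re-hash the duplicate from disk: trust what was written, not what was buffered
    dup_hashes = hash_file(duplicate)
    bitstream_copy(duplicate, working)
    work_hashes = hash_file(working)
    os.chmod(duplicate, 0o444)  # the duplicate is never written again
    verified = read_hashes == dup_hashes == work_hashes == hash_file(original)
    return read_hashes, verified


def make_sample_media(path):
    """Constructed stand-in for seized media: 192 KiB of deterministic bytes."""
    data = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(6144))
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def demo():
    """Run the workflow on the constructed media, then show that a one-byte
    change to the working copy is caught by re-hashing."""
    lab = Path(tempfile.mkdtemp(prefix="lab-"))
    original = lab / "media.bin"
    data = make_sample_media(original)
    hashes, verified = acquire(original, lab)
    working = lab / "working.dd"
    with open(working, "r+b") as fh:       # simulate an accidental modification
        fh.seek(4096)
        byte = fh.read(1)
        fh.seek(4096)
        fh.write(bytes([byte[0] ^ 0xFF]))  # flip the byte so it always differs
    tamper_detected = hash_file(working)["sha256"] != hashes["sha256"]
    return {
        "verified": verified,
        "sha256": hashes["sha256"],
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of hashing the duplicate from disk rather than reusing the digest computed while copying is that the hash then vouches for the bytes actually stored, which is what will be compared against the original when the image is later challenged; the write-protection step on the slide is modelled here only by marking the duplicate read-only, whereas on real media it is done with a hardware write blocker before anything is read.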

  13. Drive and Media Analysis (Cont.) • Acquiring data from USB flash drives • Write protect the drive • Software may be needed to write protect • Essentially recognized much like a regular hard drive by the operating system

  14. In Practice: PDA-Configured iPod Reveals Employee Theft • Review of bank fees revealed that Joe had been skimming money • Suspicion fell on the iPod that Joe had on his desk every day • The iPod had been partitioned to hold both data and music

  15. PDA Analysis • Guidelines for seizing PDAs: • If already off, do not turn it on • Seal in an envelope before putting it in an evidence bag to restrict access • Attach the power adapter through the evidence bag to maintain the charge • Keep the active state if the PDA is on when found

  16. PDA Analysis (Cont.) • Guidelines for seizing PDAs (cont.): • A search should be conducted for associated memory devices • Any power leads, cables, or cradles relating to the PDA should also be seized, as well as manuals • Anyone handling PDAs before their examination should treat them in a manner that gives the best opportunity for any recovered data to be admissible as evidence in any later proceedings

  17. PDA Chain of Custody • Documentation of the chain of custody should answer the following: • Who collected the device, media, and associated peripherals? • How was the e-evidence collected and where was it located? • Who took possession of it? • How was it stored and protected while in storage? • Who took it out of storage and why?
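The five questions on slide 17 map naturally onto a custody log in which every entry records who, what, where, how and when, and in which each entry also commits to the hash of the evidence image and to the previous entry, so that a later edit or a deleted hand-over is detectable. The following is an added example, not code or a form from the textbook; the item identifier, the officer and examiner names, the timestamps and the placeholder evidence hash are all constructed for the illustration.

```python
# Added example (not the textbook's code): a tamper-evident chain-of-custody
# log whose entries answer the five questions on slide 17.
import hashlib
import json

GENESIS = "0" * 64  # "previous entry" value for the first record


class CustodyLog:
    """Append-only custody record. Each entry commits to the evidence hash
    and to the previous entry's hash, so edits or deletions are detectable."""

    def __init__(self, evidence_id, evidence_sha256):
        self.evidence_id = evidence_id
        self.evidence_sha256 = evidence_sha256
        self.entries = []

    @staticmethod
    def _digest(fields):
        # Canonical JSON so identical fields always hash identically
        blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(blob).hexdigest()

    def record(self, who, action, where, how, when):
        """Who handled it, what they did, where, how, and when (ISO 8601 string)."""
        fields = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "who": who, "action": action, "where": where, "how": how, "when": when,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(fields, entry_hash=self._digest(fields))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or self._digest(fields) != entry["entry_hash"]):
                return i
            prev = entry["entry_hash"]
        return None


def demo():
    """Constructed custody history for a seized PDA, then two tamper attempts."""
    # Placeholder evidence hash; a real log stores the hash of the acquired image
    log = CustodyLog("ITEM-0001-PDA", "f" * 64)
    log.record("Officer A", "collected", "suspect's desk, office 214",
               "powered off, sealed in envelope, evidence bag #17", "2024-01-05T09:12:00Z")
    log.record("Officer A", "transported", "evidence vehicle",
               "direct to lab", "2024-01-05T09:40:00Z")
    log.record("Examiner B", "received", "lab intake",
               "seal intact, bag #17", "2024-01-05T10:05:00Z")
    log.record("Examiner B", "stored", "evidence locker 3",
               "locked, access logged", "2024-01-05T10:10:00Z")
    log.record("Examiner C", "checked out", "evidence locker 3",
               "for imaging, case 42", "2024-01-06T08:00:00Z")
    intact = log.verify()

    # Tamper 1: rewrite who checked the item out, then restore it
    log.entries[4]["who"] = "Examiner B"
    edited = log.verify()
    log.entries[4]["who"] = "Examiner C"

    # Tamper 2: delete the transport step so there is a gap in the history
    del log.entries[1]
    deleted = log.verify()
    return {"intact": intact, "edited_detected_at": edited, "deleted_detected_at": deleted}


if __name__ == "__main__":
    print(demo())
```

The chain links are what make a deleted hand-over visible: removing entry 1 leaves entry 2 claiming a `prev` hash that no longer precedes it and a `seq` that no longer matches its position, so `verify()` stops at index 1. A paper form cannot offer that check, but the same five fields are what an examiner is expected to be able to answer on the stand.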

  18. Secured PDA Device • Ask the suspect what the password is • Contact the manufacturer for backdoors or other useful information • Search the Internet for known exploits for either a password crack or an exploit that goes around the password • Call in a PDA professional who specializes in data recovery

  19. Cellular Phone Analysis • Determine which forensic software package will work with the suspect cellular phone • Ascertain the connection method • Some devices need to have certain protocols in place before acquisition begins • Physically connect the cellular phone and the forensic workstation using the appropriate interface

  20. Cellular Phone Analysis (Cont.) • Before proceeding, make sure all equipment and basic data are in place • Most software packages are GUI based and provide a wizard • Once connected, follow the procedures to obtain a bit-stream copy • Search for evidence and generate reports detailing findings

  21. Disk Image Forensic Tools • Guidance Software • Paraben® software • FTK™ • Logicube

  22. PDA/Cellular Phone Forensic Software • Tools for examining PDAs • EnCase and Palm OS software • PDA Seizure • Palm dd (pdd) • POSE (Palm OS Emulator) • PDA memory cards

  23. PDA/Cellular Phone Forensic Software (Cont.) • Tools for examining cellular phones • Bit PM • Cell Seizure • Oxygen PM • Pilot-link • Forensic SIM • SIMCon • SIMIS

  24. PDA/Cellular Phone Forensic Software (Cont.) • Tools for examining both PDAs and cellular phones • Paraben software • Logicube

  25. Summary • You are most likely to encounter media devices such as: • Hard drives • Optical media (CDs) • USB drives • PDAs • Cellular phones

  26. Summary (Cont.) • You learned how data is stored on these devices and methods for acquiring the data • General guidelines for data acquisition are the same for most devices • There are also specific guidelines depending on the type of device

  27. Summary (Cont.) • Guidance, Paraben, AccessData, and Logicube are suppliers of forensic software • Some software is specific to PDAs • Some can be used for several different types of data
