Investigation of Blackberry, Ipod and Pda

Introduction of Ipod Investigation

iPod is actually not just for entertainment and enjoyment, because it can be more that i seem we look like . The criminal for example find that ipod can be use “alternative” ways for a seemingly harmless device, and the criminal bags of trick.

Component of Ipod

1. In disk mode, the iPod can store other types of files, such as documents or pictures. Apple’s digital music player has a capacity of up to 60GB. With this much storage space, Apple has branched out and included features like calendar and contacts ("Apple iPod - music and more", 2004).
2. The latest versions include photo viewing and a color screen. Additionally with proper configuration,
3. iPod can run Linux and even contain all the necessary information for a computer system to run effectively. This would allow an individual to carry their entire computer around with them and boot it via their iPod attached to any computer.
4. The iPod different of file system for example :uses the Apple HFS+ file system when the device is run with an Apple system and uses the FAT32 file system when used with a Windows PC. configured with a variety of capacities.
5. The iPod uses the standard vCard file format for storing contact information. Calendar entries are stored in the industry standard v Calendar format. Music is stored in a range

Type of consideration when do the investigation on Ipod

Legal Considerations of ipod

When evidence is being prepared for possible submission to court proceedings, it is important for it to be collected in a forensically under the Daubert criteria.

1. First Care must be taken to ensure that evidence collected from an iPod meets these criteria. Because of the iPod’s large capacities and increased functionality,

2. The cyber forensic and law enforcement community should treat it in a similar manner to how they treat a suspect’s hard drive.

3. Suspects could potentially store key evidence on the iPod, and thus, a proper method for handling this type of evidence must be developed. This poses an interesting challenge for the forensic examiner, especially in terms of collection and analysis.

Crime Scene Considerations

It is now necessary to search a physical crime scene and a suspect’s personal effects for iPods or other digital music devices. Some considerations when an iPod is found at a crime scene include:

• The first responder should wait for the advice of a forensics specialist before any evidence is collected.

• Documentation of where the device is in the scene should be taken by photographing its location and anything around it

• The device should be left in its current state, as it is possible that the device could be booby trapped with a delete command set to execute if the device is disconnected from a charger or computer.

Forensic tool for ipod

The tool that use should provide facilities such as acquisition, examination, or reporting

Example tool

Access Data’s Forensic Tool Kit (FTK),

EnCase Forensic Edition,

Blackbag Technologies’ Macintosh Forensic Software (MFS)

Is forensic tool exclusive to Apple Macintosh platform

Introduction of PDA investigation

A PDA is a hand held computing device that combines a multitude of functions and features. These features include things like computing, telephone, fax and Internet.PDA can and most often does contain some form of networking or other form of connectivity .Pda also have reached such a level of power, and functionality they are in essence a mini-computer.

Component of PDA

1.PDAs are oriented toward mobility, they depend on battery power, emphasize wireless connectivity, and use specialized interfaces and media.

2.PDAs typically use volatile memory versus non-volatile memory for user data, such that loss of

battery power results in an immediate loss of data.

3.PDAs normally use different operating systems from desktop computers, which accommodate

mobility aspects such as power management, specialized file systems, automatic file compression,

and execute-in-place programs.

4 .PDAs are always in an active state; when powered off or idle various degrees of hibernation occur to avoid a lengthy delay when powered on again or activity resumes

Type of consideration when do the investigation on PDA

There are four main steps when it comes to performing a forensic investigation of a PDA. These four steps are identified as follows:

Step 1: Examination
understand the potential sources of the evidence, with a PDA these sources can be the device, the device cradle, power supply and any other peripherals or media that the device being examined has came into contact with. In addition to these sources you should also investigate any device that has synchronized with the PDA you are examining.

Step 2: Identification
In the identification step of PDA forensics we start the process by identifying the type of device we are investigating. Once we have identified the device we then have to identify the operating system that the device is using

Step 3: Collection
During this part of our forensic investigation it is imperative that we collect data and potential evidence from the memory devices that are part of or suspected to be part of the PDA we are investigating.

Step 4: Documentation
As with any component in the forensic process, the collect of our information and potential evidence, we need to record all visible data. Our records must document the case number, and the date and time it was collected. Additionally the entire investigation area needs to be photographed. This includes any devices that can be connected to the PDA, or currently are connected to the PDA. Another part of the documentation process is to generate a report that consists of the detailed information that describes the entire forensic process that you are performing. Within this report you need to annotate the state and status of the device in question during your collection process. The final step of the collection process consists of all of the information and storing it in a secure and safe location.

Palm dd (pdd)

Palm dd (pdd) is a Windows-based command line tool that performs a physical acquisition of information from Palm OS devices .Pdd is designed to work with most PDAs running the Palm OS in console mode. During the acquisition stage, a bit-for-bit image of the device’s memory can be obtained. The data retrieved by pdd includes all user applications and databases .

Pilot-Link

Pilot-link is an open source software suite originally developed for the Linux community to allow information to be transferred between Linux hosts and Palm OS devices. It runs on other desktop operating systems besides Linux, including Windows and Mac OS. Unlike pdd, which uses the Palm debugger protocol for acquisition, pilot-link uses the Hotsync protocol. Pilot-link does not provide hash values of the information acquired. A separate step must be carried out with an appropriate utility to obtain them.

POSE

POSE (Palm OS Emulator) is a software program that runs on a desktop computer under a variety of operating systems, and behaves exactly as a Palm OS hardware device, once an appropriate. ROM images can be obtained from the PalmSource Web site or by copying the contents of ROM from an actual device, using pdd, Pilot-Link, or a companion tool provided with the emulator. POSE is limited to Palm OS versions 4.x and below.

PDA Seizure

Paraben’s PDA Seizure is a commercially available forensic software toolkit that allows forensic examiners to acquire and examine information on PDAs for both the Pocket PC (PPC) and Palm OS platforms. PDA Seizure’s features include the ability to acquire a forensic image of Palm OS, Pocket PC, and BlackBerry devices, to perform examiner-defined searches on data contained within acquired files, generate hash values of individual files and to generate a report of the findings. PDA Seizure also provides book-marking capabilities to organize information, along with a graphics library that automatically assembles found images under a single facility, based on the graphics file extension of the acquired files.

EnCase

EnCase is a commercially available forensic software toolkit that provides acquisition of suspect media, search and analytical tools, hash generation of individual files, data capture and documentation features. Although more widely used for examining PCs, EnCase also supports Palm OS devices. Currently, support for Pocket PC is not available, but the ability to import a data dump of Linux-based PDAs exists. EnCase allows for the creation of a complete physical bit-stream image of a Palm OS device. Throughout the process, the integrity of the bit-stream image is continually verified by CRC (Cyclical Redundancy Check) values, which are calculated concurrent to acquisition.

Introduction of BlackBerry Investigation

The BlackBerry is also known as a RIM device. It was software that implementation of proprietary wireless-oriented protocols; furthermore, the device is supported by the RIM BlackBerry Message Center. It is always-on, and participating in some form of wireless push technology. As a result of this the BlackBerry does not require some form of desktop synchronization like the PDA does. Because this unique component of the BlackBerry device adds a different dimension to the process of forensic examination.

Component of BlackBerry

1. Have a OS that numerous capabilities and features. These features include; over the air activation, ability to synchronize contracts and appointments with Microsoft Outlook, a password keeper

2. Integrated wireless modem; this allows the device to communicate over the BellSouth Intelligent Wireless Network

3. Has a couple of transport encryption options. These options are the Triple Des (Data Encryption Standard) or AES (Advanced Encryption Standard.

Type of consideration when do the investigation on BlackBerry

1. First step in preserving the information is to eliminate the ability of the device to receive this data push. If possible you could turn the radio off, or a better solution is to take the device to an area where the signal cannot be received, this possibly can be achieved by putting the device inside of" a filing cabinet drawer, but your mileage will vary here.
2. Acquisition of Information Considerations
   look at the considerations you have to make when acquiring evidence from the Blackberry (RIM) device.
3. Device is in the "off" State
   If the unit is off at the time of acquisition, the investigator needs to take the unit to a shielded location before attempting to switch the unit on. If a shielded location is not readily available, you might have success using a safe or other room that can block the signal well enough to prevent the data push.
4. Device is in the "on" State
   If the device you are examining is in the "on" state then as outlined and detailed above, you need to take the device to a secure location and disable or turnoff the radio before beginning the examination.
5. Evidence Collection
   requiring the investigator to record logs kept on the unit that will be wiped after an image is taken.
6. Unit Control Functions
   The logs are reviewed by using the unit control functions; there are several functions \
7. Imaging and Profiling
   When you are conducting a forensic examination of a BlackBerry (RIM) device we need to conduct imaging and profiling. This is accomplished by extracting the logs from a developed image; acquiring an image of a bit-by-bit

Forensic tool Forensic tool for ipod

1. SDK

The SDK is available from www.blackberry.com and is essential for the forensic examiner when investigating a Blackberry. The SDK utility dumps the contents of the Flash RAM into a file. Once the Flash RAM is dumped it can be examined and reviewed using traditional methods with your favorite hex editor or other tool. In addition to reviewing the evidence with traditional methods, you can use the Simulator from the SDK to match the network and model of the investigated unit.

Conclusion

There are three small scale device that we discussed here with is blackberry ,ipod and pda .Each of device have differnt component and function ,the advantages of this be manipulated by the criminal to stroge all criminal activities without be suspected .There are different type of rule and tool be use to do investigation on this three device that already been discuss on this take from different type of resources that i found

Resources

[1]http://searchstoragechannel.techtarget.com/feature/Introduction-to-the-BlackBerry

[2]http://searchstoragechannel.techtarget.com/tip/PDA-BlackBerry-and-iPod-Forensic-Analysis-Introduction

[3]http://www.forensics.nl/mobile-pda-forensics

[4] iPod Forensics

Christopher V. Marsico Marcus K. Rogers Purdue University Cyber Forensics Lab

Department of Computer Technology Purdue University

[5] An Overview and Analysis of PDA Forensic Tools

Wayne Jansen, Rick Ayers

National Institute of Standards and Technology