Digital Evidence and Computer Crime, Second Edition

13.3 Dealing with Password Protection and Encryption

Palm OS permits users to password protect their device and stores the associated password in encoded form in two places: in the "Unsaved Preferences" database on the device and in a file named "users.dat" file on computers that are used to HotSync the device. Also, if a Palm OS device is on, digital evidence examiners can obtain an encoded version of the password via the InfraRed port using the notsync^[10] utility on another Palm OS device. Prior to Palm OS 4, these passwords were weakly encoded and could be recovered using palmcrypt as shown here.

D:\>palmcrypt -d B8791D707A2359435082DA4E599FBE4BEE675CCE541B346C04186C55AE81CDF PalmOS Password Codec kingpin@atstake.com @stake Research Labs http://www.atstake.com/research August 2000 0x62 0x69 0x72 0x74 0x68 0x64 0x61 0x79 [birthday]

It is more difficult to recover data from a Palm OS device that is protected with strong encryption using applications like Secret! and CryptoPad. In such cases, it may be possible to recover data in unencrypted form in the device memory or on the computer used to HotSync the device. Alternatively, it may be possible to obtain or guess the password used to encrypt the data. More advanced tools and techniques for obtaining or guessing passwords from PDAs and mobile telephones are described in the Handbook of Computer Crime Investigation, Chapter 11 (Van der Knijff 2001).

^[10]http://www.atstake.com/research/tools/password_auditing/