Digital Evidence and Computer Crime, Second Edition
13.4 Related Sources of Digital Evidence
Data relating to a handheld device can often be found on associated desktop computers and memory modules. For example, when a Palm OS device is synchronized with a desktop computer, data is stored in primary backup files (.dat, *.bak) and archive files (*.dba, *.tda, *.ada). Items that have been erased from the device may still exist on the desktop including e-mail messages and private data. These files are Microsoft Foundation Class (MFC) objects and their format varies depending on the MFC version used. For this reason, tools that are designed to interpret Palm databases may not be able to read these files. To complicate matters, the format of data in Palm memory is not identical to the format of these backup files. Therefore, it may be necessary to interpret meticulously and piece together data in these backup files on the desktop.
13.4.1 Removable Media
Memory modules are usually formatted with FAT file system and can be treated like any other piece of removable media. For example, some memory cards have a write-protection switch, which should be enabled before the digital evidence acquisition process. Also, like other forms of storage media, some form of drive or adapter is required to provide an interface between the memory module and the digital evidence collection system. Adapters for more types of memory modules are available for desktop and laptop computers (see Figure 13.6).
One complication that can arise with some memory modules is copy protection. This can usually be bypassed using dd on UNIX. Another complication arises when dealing with modules such as GSM SIMs and other smart cards that cannot be accessed using previously mentioned evidence acquisition tools. For instance, Cards4Labs is a tool specifically designed for accessing smart cards of various kinds (Van der Knijff 2001).
13.4.2 Neighborhood Data
Handheld devices often contain remnants of network activity such as e-mail messages and Web clippings obtained using Palm Query Application (PQA). This information can be used to locate related digital evidence on other systems.[11]
For instance, the following portion of RAM dump of a Kyocera device (combination Palm PDA and mobile telephone) contains the number of the telephone and the name of the POP server used to check e-mail. The telephone company may have call records associate with this telephone number and the POP server may have associated logs and e-mail messages.
Mobile telephones and Blackberry devices are specifically designed to access wireless networks and may have a substantial amount of neighborhood data.
[11]E-mail messages and other information downloaded from the Internet can be transferred onto handheld devices via a desktop computer. Therefore, the presence of such information on a device does not necessarily indicate that the device could access the Internet directly.
Категории