NIST SP 800-72 Guidelines on PDA Forensics

NIST SP 800-72 Guidelines on PDA Forensics
Special Publication 800-72
Sponsored by the Department
of Homeland Security
Guidelines on PDA Forensics
Recommendations of the National Institute
of Standards and Technology
Wayne Jansen
Rick Ayers
NIST Special Publication 800-72
Guidelines on PDA Forensics
Recommendations of the National
Institute of Standards and Technology
Wayne Jansen
Rick Ayers
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
November 2004
U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology
Arden L. Bement, Jr., Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing
technical leadership for the Nation’s measurement and standards infrastructure. ITL
develops tests, test methods, reference data, proof of concept implementations, and
technical analysis to advance the development and productive use of information
technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective
security and privacy of sensitive unclassified information in Federal computer
systems. This Special Publication 800-series reports on ITL’s research, guidance, and
outreach efforts in computer security and its collaborative activities with industry,
government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-72
Natl. Inst. Stand. Technol. Spec. Publ. 800-72, 67 pages (2004)
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is
not intended to imply recommendation or endorsement by the National Institute of
Standards and Technology, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
The authors, Wayne Jansen and Rick Ayers from NIST wish to express their thanks to
colleagues who reviewed drafts of this document. In particular, their appreciation goes to
Murugiah Souppaya and Tim Grance from NIST, Karen Kent from Booz-Allen-Hamilton,
Barry Grundy from NASA – Office of Inspector General, Rick Mislan from Ferris State
University, Joe Grand from Grand Idea Studio, and Eoghan Casey from Knowledge Solutions
LLC for their research, technical support, and written contributions to this document. The
authors would also like to express thanks to all others who assisted with our review process,
including Susan Ballou from NIST’s Office of Law Enforcement Standards and those
individuals who contributed input during the public comment period.
This work was sponsored by the Department of Homeland Security (DHS), whose support
and guidance in this effort are greatly appreciated.
Guidelines on PDA Forensics
Table of Contents
TABLE OF CONTENTS............................................................................................................. V
LIST OF FIGURES ....................................................................................................................VII
LIST OF TABLES.................................................................................................................... VIII
EXECUTIVE SUMMARY........................................................................................................... 1
1. INTRODUCTION.................................................................................................................. 2
AUTHORITY ...................................................................................................................... 2
PURPOSE AND SCOPE ........................................................................................................ 2
AUDIENCE AND ASSUMPTIONS......................................................................................... 3
DOCUMENT STRUCTURE .................................................................................................. 3
2. BACKGROUND.................................................................................................................... 4
DEVICE CHARACTERISTICS .............................................................................................. 4
PALM OS........................................................................................................................... 6
POCKET PC ....................................................................................................................... 9
LINUX.............................................................................................................................. 12
GENERIC STATES ............................................................................................................ 14
3. FORENSIC TOOLS............................................................................................................. 16
PALM DD (PDD) ............................................................................................................... 17
PILOT-LINK ..................................................................................................................... 17
POSE .............................................................................................................................. 17
PDA SEIZURE ................................................................................................................. 18
ENCASE .......................................................................................................................... 18
DUPLICATE DISK (DD) .................................................................................................... 19
MISCELLANEOUS TOOLS ................................................................................................ 19
CUSTOM TOOLS .............................................................................................................. 20
4. PROCEDURES AND PRINCIPLES.................................................................................. 21
ROLES AND RESPONSIBILITIES ....................................................................................... 21
EVIDENTIAL PRINCIPLES ................................................................................................ 22
PROCEDURAL MODELS................................................................................................... 23
5. PRESERVATION ................................................................................................................ 26
SEARCH ........................................................................................................................... 28
RECOGNITION ................................................................................................................. 28
DOCUMENTATION........................................................................................................... 29
COLLECTION ................................................................................................................... 30
Guidelines on PDA Forensics
6. ACQUISITION..................................................................................................................... 35
UNOBSTRUCTED DEVICES .............................................................................................. 36
OBSTRUCTED DEVICES ................................................................................................... 38
TANGENTIAL EQUIPMENT .............................................................................................. 41
7. EXAMINATION AND ANALYSIS.................................................................................. 45
LOCATING EVIDENCE ..................................................................................................... 45
APPLYING TOOLS ........................................................................................................... 47
8. REPORTING ........................................................................................................................ 50
9. REFERENCES ..................................................................................................................... 52
APPENDIX A. ACRONYMS .................................................................................................... 55
APPENDIX B. GLOSSARY ...................................................................................................... 57
Guidelines on PDA Forensics
List of Figures
Figure 1: Generic Hardware Diagram ................................ 5
Figure 2: Palm OS Architecture.......................................... 8
Figure 3: Windows CE Architecture ................................ 10
Figure 4: Linux Architecture............................................. 13
Figure 5: Generic State Diagram ...................................... 15
Figure 6: ROM/RAM Storage Assignments.................... 37
Figure 7: Alternative ROM/RAM Assignments.............. 38
Guidelines on PDA Forensics
List of Tables
Table 1: An Overview of Representative PDA models..... 5
Table 2: PDA Forensic Tools............................................ 16
Table 3: Action Matrix ...................................................... 32
Table 4: Interoperability Among Palm OS Tools ............ 35
Table 5: Cross Reference of Sources and Objectives ...... 46
Guidelines on PDA Forensics
Executive Summary
Personal Digital Assistants (PDAs) are a relatively recent phenomenon, not usually covered in
classical computer forensics. This guide attempts to bridge that gap by providing an in-depth
look into PDAs and explaining the technologies involved and their relationship to forensic
procedures. It covers three families of devices – Pocket PC, Palm OS, and Linux-based PDAs
– and the characteristics of their associated operating system. This guide also discusses
procedures for the preservation, acquisition, examination, analysis, and reporting of digital
information present on PDAs, as well as available forensic tools.
The objective of the guide is twofold: to help organizations evolve appropriate policies and
procedures for dealing with PDAs, and to prepare forensic specialists to deal with new
situations involving PDAs, when they are encountered. The guide is not all-inclusive nor is it
a mandate for the law enforcement and incident response communities. However, from the
principles outlined and other information provided, organizations should nevertheless find the
guide helpful in setting policies and procedures.
The information in this guide is best applied in the context of current technology and practices.
Every situation is unique, as are the experiences of the forensic specialists and the tools and
facilities at their disposal. The judgment of the forensic specialists should be given deference
in the implementation of the procedures suggested in this guide. Circumstances of individual
cases and International, Federal, State, local laws/rules and organization-specific policies may
also require actions other than those described in this guide. As always, close and continuing
consultation with legal council is advised.
Guidelines on PDA Forensics
1. Introduction
The National Institute of Standards and Technology (NIST) developed this guide in
furtherance of its statutory responsibilities under the Federal Information Security
Management Act (FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum
requirements, for providing adequate information security for all Federal agency operations
and assets; but such standards and guidelines shall not apply to national security systems. This
guideline is consistent with the requirements of the Office of Management and Budget (OMB)
Circular A-130, Section 8b(3), “Securing Agency Information Systems,” as analyzed in A130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130,
Appendix III.
This guide has been prepared for use by Federal agencies. It may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright, though attribution is desired.
Nothing in this guide should be taken to contradict standards and guidelines made mandatory
and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor
should these guidelines be interpreted as altering or superseding the existing authorities of the
Secretary of Commerce, Director of the OMB, or any other Federal official.
Purpose and Scope
This guide provides basic information on the preservation, examination, and analysis of digital
evidence on PDAs, relevant to law enforcement, incident response, and other types of
investigations. The guide focuses mainly on the characteristics of the following families of
PDAs: Pocket PC, Palm OS, and Linux-based PDAs. It also covers provisions to be taken into
consideration during the course of an incident investigation, including evidence handling,
device identification, content acquisition, documentation, and reporting.
The guide is intended to address common circumstances that may be encountered by
organizational security staff and law enforcement investigators, involving digital electronic
data residing on PDAs and associated electronic media. It is also intended to compliment
existing guidelines and delve more deeply into issues related to PDAs and their examination
and analysis.
Procedures and techniques presented in this document are a compilation of the authors’
opinions and references taken from existing forensic guidelines. The publication is not to be
used as a step-by-step guide for executing a proper forensic investigation when dealing with
new technologies such as PDAs or construed as legal advice, its purpose is to inform readers of
various technologies and potential ways to approach them from a forensic point of view.
Readers are advised to apply the recommended practices only after consultation with
management and legal officials for compliance with laws and regulations (i.e., local, state,
federal, and international) that pertain to their situation.
Guidelines on PDA Forensics
Audience and Assumptions
The intended audience is varied and ranges from response team members handling a computer
security incident to organizational security officials investigating an employee-related situation
to forensic examiners involved in criminal investigations. The practices recommended in this
guide are designed to highlight key principles associated with the handling and examination of
electronic evidence, in general, and PDAs in particular. Readers are assumed to have a basic
grounding in classical computer forensics involving individual computer systems (e.g.,
personal computers) and network servers. Because of the constantly changing nature of
handheld devices and related forensic procedures and tools, readers are expected to take
advantage of other resources, including those listed in this guide, for more current and detailed
Document Structure
The guide is divided into the following nine sections:
Section 1 (this section) explains the authority, purpose and scope, audience and
assumptions of the document, and outlines its structure.
Section 2 is an overview on PDAs, including an overview of common operating
systems and generic operating states.
Section 3 discusses present-day PDA forensic tools and with which types of devices
they work.
Section 4 provides general information on procedures and principles that apply to
PDA forensics.
Section 5 discusses considerations for preserving digital evidence associated with
Section 6 examines the process of acquisition of digital evidence from PDAs, as well
as from common types of peripheral equipment.
Section 7 outlines common sources of evidence on PDAs and the features and
capabilities of tools for examination.
Section 8 discusses the reporting of findings.
Section 9 contains a list of references used in this guide.
Appendix A contains a list of acronyms used in this guide.
Appendix B contains a glossary defining terms used in this guide.
Guidelines on PDA Forensics
2. Background
The digital forensic community faces a constant challenge to stay on top of the latest
technologies that may be used to reveal relevant clues in an investigation. Personal Digital
Assistants (PDAs) are commonplace in today’s society, used by many individuals for both
personal and professional purposes. PDAs vary in design and are continually undergoing
change as existing technologies improve and new technologies are introduced. When a PDA
is encountered during an investigation, many questions arise: What should be done about
maintaining power? How should the PDA be handled? How should valuable or potentially
relevant data contained on the device be examined? The key to answering these questions is
an understanding of the hardware and software characteristics of PDAs.
This section gives an overview of the hardware and software capabilities of Palm OS, Pocket
PC, and Linux-based PDAs. The overview provides a summary of general characteristics and,
where useful, focuses on a particular model or software version that best illustrates key
features of such products. Developing an understanding of the components and inner
workings of these devices (e.g., memory organization and use) is a prerequisite to
understanding the criticalities involved when dealing with digital devices. PDA memory is
volatile (i.e., RAM) and requires power to maintain data unlike a personal computer’s hard
disk. Handheld device technologies are changing rapidly, with new products and features
being introduced regularly. Because of the fast pace with which handheld device technologies
are evolving, this discussion represents a snapshot of the handheld area at the present time.
Device Characteristics
Most types of PDAs have comparable features and capabilities. They house a microprocessor,
read only memory (ROM), random access memory (RAM), a variety of hardware keys and
interfaces, and a touch sensitive, liquid crystal display. The operating system (OS) of the
device is held in ROM. Several varieties of ROM are used, including Flash ROM, which can
be erased and reprogrammed electronically with OS updates or an entirely different OS.
RAM, which normally contains user data, is kept active by batteries whose failure or
exhaustion causes all information to be lost.
The latest PDAs come equipped with system-level microprocessors that reduce the number of
supporting chips required and include considerable memory capacity. Built-in Compact Flash
(CF) and combination Secure Digital (SD) 1/MultiMedia Card (MMC) 2 slots support memory
cards and peripherals, such as a digital camera or wireless communications card. Wireless
communications such as infrared (i.e., IrDA), Bluetooth, and WiFi may also be built in. Figure
1 illustrates a system-level processor chip and the generic core components of most PDAs.
The Secure Digital home page can be found at:
The MultiMediaCard home page can be found at:
Guidelines on PDA Forensics
Cradle Connector
Figure 1: Generic Hardware Diagram
Different devices have different technical and physical characteristics (e.g., size, weight,
processor speed, memory capacity). Devices may also use different types of expansion
capabilities (e.g., I/O and memory card slots, device expansion sleeves, and external hardware
interfaces) to provide additional functionality. Furthermore, PDA capabilities are sometimes
combined with those of other devices such as cell phones, global positioning systems, and
cameras to form new types of hybrid devices. Table 1 highlights the general characteristics of
selected Palm OS, Pocket PC (rebranded as Windows Mobile in 2003), and Linux PDA
models, which highlight this diversity. Characteristics of a wider range of PDAs can be found
on manufacturer and vendor Web sites, as well as product review sites. 3,4
Table 1: An Overview of Representative PDA models
Tungsten T2
iPAQ H5555
Zaurus SL-5600
Palm OS 5.2.1
Windows Mobile 2003
Linux Embedix v2.4.18,
Qtopia v1.5.0
144 MHz TI OMAP 1510
Dual core 192 Mhz DSP
enhanced ARM-based
400 MHz Intel PXA-255
400 MHz Intel PXA-250
For an online comparison of older PDA models see:
For PDA product reviews and prices of current models see
Guidelines on PDA Forensics
Tungsten T2
iPAQ H5555
Zaurus SL-5600
8 MB Flash ROM
48 MB Flash ROM (17
MB available for user
64 MB Flash ROM
(approx. 30-35 MB for
user filesystem)
4.0” x 3.0” x 0.6”
5.43" x 3.3" x .63"
5.4” x 2.9" x 0.9"
320x320, transflective
Thin Film Transistor
(TFT) LCD, 65,536 colors
240x320, transflective
TFT LCD, 65,536 colors
240x320, reflective TFT
LCD, 65,536 colors
Text Input
Handwriting recognition,
Soft keyboard
Handwriting recognition,
Soft keyboard
Touch screen,
Handwriting recognition,
Built-in QWERTY-style
IrDA, Bluetooth
Card Slots
SD/MMC slot
1 fixed, rechargeable
Lithium Ion Polymer
IrDA, CIR, Bluetooth,
SD/MMC slot
Type II CF slot
Optional expansion
sleeves for PCMCIA
cards, CF cards, and
1 removable, rechargeable
Lithium Ion Polymer
SD/MMC slot
Type II CF slot
Expansion jacket with CF
slot and battery
USB 1.1 host connector
(mini type A)
1 removable, rechargeable
Lithium Ion
Despite the PDA family, all devices support a set of basic Personal Information Management
(PIM) applications, which provide Address Book, Appointment, Mailbox, and Memo
Management capabilities. Most devices also provide the ability to communicate wirelessly,
review electronic documents, and surf the Web. PIM data residing on a PDA can be
synchronized with a desktop computer and automatically reconciled and replicated between
the two devices, using synchronization protocols such as Microsoft’s Pocket PC ActiveSync
protocol and Palm’s HotSync protocol. Synchronization protocols can also be used to
exchange other kinds of data (e.g., individual text, images, and archive file formats).
Information not obtainable directly from the PDA can often be retrieved from a personal
computer to which the device has been synchronized.
Palm OS
Palm established itself early in the PDA market with devices built around its operating system,
Palm OS. Early Palm OS devices use 16- and 32-bit processors based on the Motorola
DragonBall MC68328-family of microprocessors. More recent devices use StrongArm and
XScale microprocessors.5 Older Palm OS devices tend to be driven by alkaline batteries
instead of lithium-ion batteries, used in new models.
The Palm OS is stored in ROM, while applications and user data are stored in RAM. Add-on
utilities also exist to back up PIM data (e.g., Address Book, Date Book, To Do List, Memo
Pad) onto available ROM [Bob04, Pie99]. Palm OS system software logically organizes
For Palm OS and device related material see
Guidelines on PDA Forensics
ROM and RAM for a handheld device into one or more memory modules known as a card.
Each memory card can contain ROM, RAM, or both. A handheld device can have one card,
multiple cards, or no cards. The main suite of applications provided with each Palm OS
powered handheld is built into ROM. This design permits the user to replace the operating
system and the entire application suite by installing a single replacement module. Additional
or replacement applications and system extensions can be loaded into RAM.
The Palm OS divides the total available RAM store into two logical areas: dynamic RAM and
storage RAM. Dynamic RAM is used as working space for temporary allocations, and is
analogous to the RAM installed in a typical desktop system. The remainder of the available
RAM on the card is designated as storage RAM and is analogous to disk storage on a typical
desktop system. Because power is always applied to the memory system, both areas of RAM
preserve their contents when the device is turned "off" (i.e., is in low-power sleep mode). All
of the storage memory is preserved even when the device is reset explicitly (i.e., manually
pressing the reset button to perform a warm boot). As part of the warm boot sequence (i.e., a
soft reset), the system software reinitializes the dynamic area, and leaves the storage area
intact. The entire area of RAM is used to implement a single collection of free storage or heap
that provides memory for dynamic allocations such as global variables, system buffers (e.g.,
TCP/IP, IrDA communications), and application stacks. As part of the cold boot sequence
(i.e., a hard reset), in addition to reinitializing the dynamic area, the storage area is erased
Palm OS memory is arranged in chunks called “records,” which are grouped into “databases.”
The Palm OS “databases” can be thought of as files. The Palm file format (PFF) conforms to
one of the three types defined below [Hil03]:
Palm Database – A record database used to store application data, such as contact
lists, or user specific data.
Palm Resource – A database similar to the Palm Database that contains application
code and user interface objects.
Palm Query Application – A database that contains world-wide-web content for use
with Palm OS wireless devices.6
With Palm OS, because all applications share the same dynamic RAM, they can interfere with
each other’s data. Buffer overflow attacks are also easily implemented [Ket00].
The latest Palm OS PDAs offer two expansion modes providing an increase in functionality:
the Palm Universal Connector System and Palm Expansion Card Slot. The Universal
Connector System allows GPS receivers, wireless modems, keyboards, and other peripherals
to interact with the device via a USB enabled connection. The Palm Expansion Card Slot
accommodates MultiMediaCard (MMC) and Secure Digital (SD) cards. MMC card modules
are removable solid-state memory of similar size and design to SD memory Cards. Besides
memory, SD cards may also incorporate other types of peripherals such as wireless
communications or camera cards.
Support for Palm Query Application has recently been discontinued; information about its status can be found at:,Kb=PalmSupportKB,ts=Palm_External2001,case=obj(10646)#pqa
Guidelines on PDA Forensics
The architecture for Palm OS devices is organized into the following layers: Application,
Operating System, Software API and Hardware Drivers, and Hardware. Figure 2 illustrates
the relationship between layers. The software Application Programming Interface (API) gives
software developers a degree of hardware independence, allowing applications to execute
under different hardware environments by recompiling the application. Developers have the
freedom to bypass the API and directly access the processor, providing more control of the
processor and its functionality. However, this comes at the expense of increased security risks
due to malicious applications. The Palm OS does not implement permissions on code and
data. Therefore, any application can access and modify data [Kin01].
Figure 2: Palm OS Architecture
Other handheld device manufacturers have licensed the Palm OS for use in their own line of
equipment. Versions of the Palm OS can be divided into three ranges: those before version
4.0, those from version 4.0 to 5.0, and those from 5.0 onward to version 6. A number of
vulnerabilities were identified in versions before 4.0 and subsequently fixed. In particular, the
user login password was shown to be vulnerable and easily reversed [Kin01]. Version 4.0 also
introduced initial support for filesystems on removable memory cards. Versions before 5.0
execute only a single program at a time, while 5.0 and after support multiprocessing. Versions
5.0 and above switched emphasis away from the DragonBall family of microprocessors to the
StrongArm family7, with emulation support of legacy applications previously developed for
Palm OS devices offer built-in security features to provide protection for individual
entries/records and the ability to lock the device when the user turns the device off. Locking
individual records allow users to mark records as private and not be displayed unless the
proper password is provided. However, records marked private can be accessed, read, and
copied through other means [Ket00]. The ability to lock a device requires users to enter the
correct password before access is granted to the application screen. In early versions of Palm
OS, weak password encoding is easily reversed and the encoded block of data that contains the
password during a HotSync can be intercepted [Kin01]. Third party products exist that give
users the ability to encrypt sensitive data and enhance overall security [Pmd02].
Palm OS devices include an RS232-based “Palm Debugger” providing source and assembly
level debugging, entered by issuing a keystroke combination. Two interfaces exist that
monitor the serial port for communication. “Console Mode” interacts with a high-level
For Palm OS and device related material see
Guidelines on PDA Forensics
debugger and is used mostly for manipulation of databases. “Debug Mode” is typically used
for assembly and register-level debugging [Kin01].
Pocket PC
Pocket PC grew out of the success of the Palm PDA and the growing demand for similar
devices that had more processing power and networking capabilities. Microsoft entered the
handheld device market with the Windows CE (WinCE) operating system, which was later
augmented with additional functionality to produce Pocket PC (PPC).8 Windows CE supports
a multitasking, multithreaded environment, which is inherited by Pocket PC. Applications
running under Windows CE are protected from interfering with each other through memory
management [Ket00]. Windows CE and PPC have evolved in tandem from versions WinCE
2.0/PPC 2000 to WinCE 3.0/PPC 2002 to WinCE 4.1/PPC 2003 (PPC 2003 was rebranded as
Windows Mobile 2003), through a number of feature upgrades. For example, early versions
of ActiveSync were susceptible to brute force password attacks and denial of service attacks
when synchronizing over a network [Meu02] and subsequently corrected. Vulnerabilities
present on earlier devices may provide a means of bypassing security mechanisms, allowing
forensic investigators access to data.
Pocket PC runs on a number of processors, but primarily appears on devices having Xscale,
ARM, or SHx processors. Various Pocket PC devices have ROM ranging from 32 to 64MB
and RAM ranging from 32 to 128MB. PIM and other user data normally reside in RAM,
while the operating system and support applications reside in ROM. An additional filestore
can be allocated in unused ROM and made available for backing up files from RAM. One or
more card slots, such as a Compact Flash (CF) or Secure Digital (SD) card slots, are typically
supported. Additionally, some manufactures provide expansion capabilities, such as extension
sleeves or modules that allow other technologies to be incorporated. Most Pocket PC devices
use a lithium-ion battery. To prevent data loss when battery power is low, the lithium-ion
battery must be recharged via the cradle, a power cable, or removed and replaced with a
charged battery.
The architecture for Windows CE devices consists of four layers: Application, Operating
System, Original Equipment Manufacturer (OEM), and Hardware. A simplified diagram of
the architecture of Windows CE is shown in the Figure 3 below. Services are organized into
modules, which can be included or excluded when building an image for a specific target
system [Ges03]. Because most of the Windows CE operating system is written in the C
language, the kernel and other modules can be ported to different processors by recompiling
the code for a specific hardware architecture (e.g., StrongArm, XScale, etc.).
The Original Equipment Manufacturer (OEM) Layer is the layer between the Operating
System Layer and the Hardware Layer. It contains the OEM Adaptation Layer (OAL), which
consists of a set of functions related to system startup, interrupt handling, power management,
profiling, timer and clock. The OAL allows an OEM to adapt Windows CE to a specific
platform. An OEM must write the OAL for any custom hardware present.
For Windows CE/PPC device related material see
Guidelines on PDA Forensics
Figure 3: Windows CE Architecture
Within the Operating System Layer are the Windows CE kernel and device drivers, whose
purpose is to manage and interface with hardware devices. Device drivers provide the linkage
for the kernel to recognize the device and to allow communications to be established between
hardware and applications. A device driver can be either monolithic or layered. Monolithic
drivers implement their interface directly in terms of actions on the device they control.
Layered drivers separate the implementation into two layers – an upper layer, which exposes
the driver’s native or stream interface, and a lower layer that performs the hardware
The Graphics, Windowing, and Events Subsystem (GWES) is also part of the Operating
System Layer and provides the interface between the user, the application, and the operating
system. GWES is an integrated graphics device interface (GDI), window manager, and event
manager. The GWES module has two subcomponents: User and GDI. User refers to the part
of GWES that handles messages, events, and user input from keyboard and mouse or stylus.
GDI refers to the part of GWES that controls how text and graphics are displayed. GDI is used
to draw lines, curves, closed figures, text, and bitmap images.
The object store refers to three types of persistent storage supported by Windows CE within
the Operating System Layer: file system, registry, and property databases. Standard Win32
functions provide access to files and the registry, while new Windows CE-specific API
functions provide access to property databases and certain registry features. The subset of
Win32 and other Microsoft APIs implemented in Pocket PC allows a system to fulfill the
requirements of an embedded application, yet keep the programmability similar to that of
Windows PCs. The maximum size of the object store is 256MB in Windows CE. The object
store is built on an internal heap that resides in RAM, ROM, or both. The internal heap
provides a transaction model that uses logging to ensure the integrity of the object store data.
The Windows CE file system allows a file to be stored both in RAM and ROM. When a file
stored in RAM has the same name as a file stored in ROM, the actual RAM file shadows the
ROM file. A user who tries to access a shadowed file gains access to only the RAM version.
However, when the RAM version is deleted, the ROM version of the file is accessible. This
feature is useful for upgrading files that come with a device as ROM files.
Property databases are repositories of information that can be stored, searched, and retrieved
by associated applications. To reduce space, compression techniques are also applied
automatically. These databases provide a common way to manage persistent information on
the device.
Guidelines on PDA Forensics
The Windows CE registry is a database that stores information about applications, drivers,
system configuration, user preferences, and other data. The purpose of the registry is to
provide a single place for storing all the settings for the system, applications, and user. The
registry is always stored in RAM and consequently is volatile. If no registry is available in
RAM, Windows CE can regenerate a default one from a file stored in ROM.
The Windows CE operating system supports four types of memory:
RAM – RAM is allocated into two separate areas: the object store where data is kept
and program memory where programs execute. The partitioning of main memory can
be controlled by the end-user via an application level control and can be adjusted
without rebooting. A paged virtual-memory management system is used to allocate
program memory.
Expansion RAM – Expansion RAM is supported in addition to main system RAM to
provide users with extra storage. The Expansion RAM is mapped into virtual
memory after a cold boot and appears identical in the virtual memory map to the OS
as system RAM.
ROM – The ROM memory space contains miscellaneous data files like audio files,
fonts and bitmaps. These are generally compressed and decompressed when brought
into system RAM for usage. The ROM memory space also contains support for
uncompressed executables, applications, and DLLs for XIP (eXecute In Place)
operation. During the image build process, individual elements can be designated for
either XIP or paged on demand operation.
Persistent Storage – Much of the support for persistent storage is oriented around
removable storage cards. For example, files (executables, data, users files) stored in
persistent storage are memory mapped into system RAM for use.
Pocket PC devices offer users the ability to set a power-on password that can be made up of a
4-digit numeric or a stronger alphanumeric password up to 29 characters long. Additionally,
users can set a timeout that locks the device when not in use for the predefined specified
amount of time. If a password entry attempt is incorrect, the subsequent attempt is penalized
and takes longer to process, to discourage brute force attacks. If a password is forgotten, the
only way to unlock the device is by performing a hard-reset and resynching data. Some recent
models of Pocket PC devices have integrated a fingerprint biometric for additional security
that can be used in tandem with 4-digit or alphanumeric passwords.
Pocket PC permits the hardware developer, system integrator, or developer to decide which
services are incorporated in their Pocket PC version. Pocket PC devices can incorporate
trusted environments where the OS kernel verifies applications and libraries before loading
them. Three possibilities exist: the software module may be trusted without restrictions,
trusted with the restriction that no privileged function calls or registry access can be done, or
not trusted at all [Aho01].
Guidelines on PDA Forensics
Pocket PC devices can have significantly different bootloader9 functionality. The device
manufacturer determines the range of functionality with two exceptions – the bootloader must
be able to load the OS and to upgrade it to a more recent version. Some early versions of
Pocket PC devices provided documentation on specific key chord sequences (e.g.,
simultaneously pressing buttons 2 and 4, the power button, and the reset button on iPaq 38xx
models) that would boot into a specific mode known as “Parrot mode.” The device must be
connected via the serial connector and a terminal emulator is used to establish communications
with the bootloader and issue commands. Parrot mode has a rich command set that includes
the ability to set register values, display memory contents, set memory contents, display the
virtual address mapping table, backup memory to storage cards (CF/SD), and restore memory
from storage.
Linux, a popular open source operating system for servers and desktop computers, has also
appeared on several PDA devices [Fae03]. Linux is a true multitasking, 32-bit operating
system that supports multithreading. Besides commercial distributions that come preinstalled
by PDA manufacturers, Linux distributions are also available for a range of Pocket PC and
Palm OS devices. The success of Linux-based PDAs rests on the open source model and its
ability to engage the software development community to produce useful applications.
The most common Linux PDA in the U.S. is the Sharp Zaurus. The first Zaurus model, the
SL-5500, was introduced in 2002. It uses Embedix10, an embedded Linux kernel from Lineo,
and Qtopia desktop environment from Trolltech for the windowing and presentation
technology. Embedix is based on a networked kernel with built-in support for WiFi,
Bluetooth, and wireless modem technologies, as well as associated security and encryption
modules. The device has a StrongARM processor, 16 MB of ROM, 64MB of RAM, and a
3.5-inch 240x320-pixel color LCD. As with Palm OS and Pocket PC devices, the Zaurus’
power source is a lithium-ion battery. Both Compact Flash (CF) and SD slots are present (the
SD slot also accepts MMC). A small QWERTY-style keyboard is integrated into the device
and becomes visible by sliding down the thumb pad and application button panel.
Embedix Linux refers to a commercial distribution. While most Linux distributions include
the same utilities, libraries, drivers, and windowing frameworks, differences occur with what
patches, modules, and utilities are included, and how the installation, configuration and
upgrade is performed. A minimal embedded Linux system11 requires three crucial elements: a
boot utility, the Linux micro-kernel, and an initialization process. User applications based
upon personal use can be added for self-customization of the device.
Linux distributions are also available for HP’s iPAQ, Dell’s Axim, and other PDAs but require
the user to install over the existing OS. For example, iPAQ devices come preinstalled with
Microsoft's Windows for Pocket PC. Linux can replace the Microsoft OS in the unit's flash
ROM [Hal01, Zwi02]. A popular Linux distribution for the iPAQ is the Familiar Distribution
The bootloader is responsible for loading the run-time image into memory and jumping to the OS startup routine.
For more information on Embedix see
For more information on Embedded Linux Systems see
Guidelines on PDA Forensics
[Hon04].12 Familiar includes a packaging system called ipkg (Itsy package), which installs,
updates, removes, and manages packages similarly to the Redhat or Debian package facility
for desktop Linux.13 For current information about Linux-based handheld devices, related
Web sites should be monitored regularly.14
Figure 4 gives a conceptual architecture for the Linux operating system. The Linux operating
system is responsible for memory management, process and thread creation, interprocess
communication mechanisms, interrupt handling, execute-in-place (XIP) ROM filesystems,
RAM filesystems, flash management, and TCP/IP networking.
Figure 4: Linux Architecture
The Linux kernel is composed of modular components and subsystems that include device
drivers, protocols, and other component types. The kernel also includes the scheduler, the
memory manager, the virtual filesystem, and the resource allocator. Programming interfaces
provide a standard method by which the Linux kernel can be expanded. Processing proceeds
from the system call interface to request service, for example, from the file or process control
subsystem, which in turn requests service(s) from the hardware. The hardware then provides
the service to the kernel, returning results through the kernel to the system call interface.
Linux offers comprehensive support for security that has been part of the operating system
from its onset. Features include user identification and authentication, access control on files
and directories based on owner (user/group/all), logging of security-relevant activities, and
various levels of network encryption (Point-to-Point Tunneling Protocol (PPTP), Internet
Protocol Security (IPsec), Secure Shell (SSH), etc.). Processes running under Linux on the
same machine are also protected from interfering with one another [Ket00]. Linux operating
systems tailored for PDAs have on occasion been found to contain security vulnerabilities in
design and implementation that affect system security. For example, the screen-locking
passcode on the Zaurus that provides user authentication, created the same random value (i.e.,
salt value15) every time the passcode was set. This oversight weakened security by allowing
For more information on the Familiar OS see
A package is a file containing all the files needed to install an application.
For the latest on Linux devices see
Salt values are random numbers used to make password values unique.
Guidelines on PDA Forensics
an attacker to generate a passcode table and find consistent values to uncover the device
password, and required correction [Cha02]. Besides its built-in security features, third-party
security solutions also exist for Linux, to provide additional security measures for device and
file access.
The bootloader is firmware that is responsible for initializing hardware and physical memory,
and loading and transferring control to the kernel. Linux-based bootloaders on embedded
devices usually can accept kernel images transferred over one or more different interfaces,
including serial connections, Ethernet connections, and memory cards. They also may provide
a rich command set. For instance, the flash bootloader for Linux on iPAQ devices is a fullfeatured program that includes commands to read and write arbitrary RAM locations and write
arbitrary flash ROM locations.16
Generic States
The simplest view of a computing device, such as a desktop computer, is that it is in either an
“on” or “off” state. However, further amplification is needed, particularly for PDAs, whose
behavior is more complex. Figure 5 gives a high-level diagram that illustrates the various
states in which a PDA can be at any time, along with the transitions that can occur to cause a
change of state. While a more detailed state diagram is possible, the following four states
provide a simple but comprehensive generic model that applies to most PDAs:
Nascent State – Devices are in the nascent state when received from the manufacturer
– the device contains no user data and observes factory configuration settings. The
PDA must be charged to a minimum voltage level to be usable and to gain initial entry
to the nascent state, which is attained when the device is first powered on by pressing
the power button. Any user action transitions the device out of this state. This state
can be attained again by performing a hard reset or letting the battery drain, which
clears both the filesystem and dynamic working memory and restores factory settings.
Active State – Devices that are in the active state are powered on, performing tasks,
and able to be customized by the user and have their filesystems populated with data.
If a soft reset is performed, the device returns back to the active state after clearing
working memory. If user authentication mechanisms are enabled, they are asserted on
a power on or soft reset transition to this state.
Quiescent State – The quiescent state is a dormant mode that conserves battery life
while maintaining user data and performing other background functions. Context
information for the device is preserved in memory to allow a quick resumption of
processing when returning to the active state. Pressing the power button when in the
active or semi-active state (i.e., to power off the device), or having an inactivity timer
expire when in the semi-active state, causes a transition to the quiescent state.
Semi-Active State – The semi-active state is a state partway between active and
quiescent. The state is reached by a timer, which is triggered after a period of
inactivity allowing battery life to be preserved by dimming the display and taking
other appropriate actions. The semi-active state returns to the active state when a
Code is available at
Guidelines on PDA Forensics
screen-tap, button press, or soft reset occurs. Devices that do not support a semiactive state need only a single inactivity timer to transition directly from the active to
quiescent state.
Power On
Power Off
User Action
Hard Reset
Hard Reset
Soft Reset
Soft Reset/Screen tap
Power On
Power Off/Timer
Power Off
Figure 5: Generic State Diagram
Simply stated – a PDA device with sufficient battery power is never really turned off, since
processes are active even when no visible cues are present.
For simplicity, a device is said to be “off” or “powered off” if it is in the quiescent state, and
“on” or “powered on” if it is in any of the remaining states. Similarly, a device is said to be
“cleared” and devoid of data when in the nascent state. Note, however, deviations can occur
should devices utilize flash memory for purposes other than exclusively housing the operating
system. For example, applications exist for the Palm OS that allow data to be stored on flash
memory in space unused by the operating system. Similarly, some recent Pocket PC PDAs are
beginning to include a feature to backup important PIM data on flash memory, where it can be
retained and restored if a hard reset is performed on the device. Finally, Linux handheld
distributions, such as the Familiar Distribution from, often use flash memory in
lieu of RAM for user data to avoid loss when a hard reset occurs. In these situations, the
nascent state must be interpreted accordingly.
Guidelines on PDA Forensics
3. Forensic Tools
Unlike the situation with personal computers, the number and variety of toolkits for PDAs and
other handheld devices are considerably limited. Not only are there fewer specialized tools
and toolkits, but also the range of devices over which they operate is typically narrowed to
only the most popular families of PDA devices – those based on the Pocket PC and Palm OS.
Linux-based devices can be imaged with the dd utility, somewhat analogously to a Linux
desktop, and analyzed with the use of a compatible tool (e.g., EnCase). Since Palm OS
devices have been around the longest, more forensic tools are available for them than for other
device families. Table 2 lists open-source and commercially available tools known to the
authors and the facilities they provide: acquisition, examination, or reporting. The
abbreviation NA means that the tool at the left of the row is not applicable to the device at top
of the column. With one exception (i.e., versions of Palm OS prior to 4.0), these tools require
that the examiner have unobstructed access to acquire contents (i.e., no authentication
technique need be satisfied to gain access).
Table 2: PDA Forensic Tools
Palm OS
Pocket PC
Linux PDA
PDA Seizure
Forensic tools acquire data from a device in one of two ways: physical acquisition or logical
acquisition. Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a
disk drive or RAM chip), while logical acquisition implies a bit-by-bit copy of logical storage
objects (e.g., directories and files) that reside on a logical store (e.g., a filesystem partition).
The difference lies in the distinction between memory as seen by a process through the
operating system facilities (i.e., a logical view), versus memory as seen in raw form by the
processor and other related hardware components (i.e., a physical view).
Physical acquisition has advantages over logical acquisition, since it allows deleted files and
any data remnants present (e.g., unallocated RAM or unused filesystem space) to be examined,
which otherwise would go unaccounted. Physical device images are generally more easily
imported into another tool for examination and reporting. However, a logical structure has the
advantage that it is a more natural organization to understand and use during examination.
Thus, if possible, doing both types of acquisition on PDAs is preferable.
Guidelines on PDA Forensics
Tools not designed specifically for forensic purposes are questionable and should be
thoroughly evaluated before use. In some situations, they might be the only means to retrieve
information that could be relevant as evidence.
Palm dd (pdd)
Palm dd (pdd)17 is a Windows-based command line tool that performs a physical acquisition of
information from Palm OS devices [Gra02]. pdd is designed to work with most PDAs running
the Palm OS in console mode. During the acquisition stage, a bit-for-bit image of the device’s
memory can be obtained. The data retrieved by pdd includes all user applications and
databases. pdd is strictly a command line driven application without features such as graphics
libraries, report generation, search facilities, and bookmarking capabilities. Once the
information has been acquired, two files are generated: one that contains device-specific
information (e.g., OS version, processor type, sizes of RAM and ROM), and another that
contains a bit-by-bit image of the device. Examiners face the challenge of carefully examining
the output, which is in binary form, some of which happens to be ASCII characters. Files
created from pdd can be imported into a forensic tool, such as EnCase, to aid analysis;
otherwise the default tool is a hex editor. pdd does not provide hash values for the information
acquired. However, a separate procedure can be used to obtain needed hash values. As of
January 2003, pdd is no longer supported, however, version 1.11 source code is available and
should remain available for use, as defined in the included license. Paraben has integrated
elements of the pdd engine into PDA Seizure [Cas00].
Pilot-link is an open source software suite originally developed for the Linux community to
allow information to be transferred between Linux hosts and Palm OS devices.18 It runs on
other desktop operating systems besides Linux, including Windows and Mac OS. About thirty
command line programs comprise the software suite. Unlike pdd, which uses the Palm
debugger protocol for acquisition, pilot-link uses the Hotsync protocol. The two programs of
interest to forensic specialists are pi-getram and pi-getrom, which respectively retrieve the
contents of RAM and ROM from a device, similar to the physical acquisition done by pdd.
Another useful program is pilot-xfer, which allows the installation of programs and the backup
and restoration of databases. pilot-xfer provides a means to acquire the contents of a device
logically. The contents retrieved with these utilities can be manually examined with either
POSE, a compatible forensic tool such as EnCase, or a hex editor. Pilot-link does not provide
hash values of the information acquired. A separate step must be carried out to obtain needed
hash values.
POSE (Palm OS Emulator)19 is a software program that runs on a desktop computer under a
variety of operating systems, and behaves exactly as a Palm OS hardware device, once an
appropriate ROM is loaded into it. The free emulator program imitates the hardware of a
Additional information on pdd can be found at:
Additional information on pilot-link can be found at:
Additional information on POSE can be found at:
Guidelines on PDA Forensics
DragonBall processor. Built-in PIM applications (e.g., Datebook, Address Book, To Do, etc.)
run properly and the hardware buttons and display react accurately. ROM images can be
obtained from the PalmSource Web site or by copying the contents of ROM from an actual
device, using pdd, Pilot-Link, or a companion tool provided with the emulator. POSE is
limited to Palm OS versions 4.x and below.
Loading actual RAM-based databases into the emulator, extracted using pilot-link or another
tool, allows an examiner to view and operate the emulated device in a similar fashion as
having the original. Though originally developed to run, test, and debug Palm OS applications
without having to download them to an actual device, POSE also serves as a useful tool for
doing presentations or capturing screen shots of evidence found on the emulated device from
within the databases loaded from a seized device. POSE can be configured to map the Palm
OS serial port to one of the available serial ports on the desktop computer or to redirect any
TCP/IP calls to the TCP/IP stack on the desktop. With some experimentation, the HotSync
protocol can even be run between the desktop computer and device it is emulating, over a
looped back serial connection or a redirected TCP/IP connection.
PDA Seizure
Paraben’s PDA Seizure is a commercially available forensic software toolkit that allows
forensic examiners to acquire and examine information on PDAs for both the Pocket PC
(PPC) and Palm OS platforms.20 Paraben’s product currently supports Palm OS up to version
5, Pocket PC 2000-2003 (up to Windows CE 4.2), ActiveSync 3.5, and HotSync. PDA
Seizure’s features include the ability to acquire a forensic image of Palm OS and Pocket PC
devices, to perform examiner-defined searches on data contained within acquired files,
generate hash values of individual files and to generate a report of the findings. PDA Seizure
also provides book-marking capabilities to organize information, along with a graphics library
that automatically assembles found images under a single facility, based on the graphics file
extension of the acquired files.
During the acquisition stage of a PPC device, the connectivity of the device and ActiveSync is
required. A guest account must be used to create a connection. Before acquisition begins,
PDA Seizure places a small program on the device in the first available block of memory to
access unallocated regions of memory. To access the remaining information, PDA Seizure
utilizes the Remote API (RAPI) protocol, which provides a set of functions for desktop
applications to communicate with a device and logically access information. For Palm OS
devices, the PDA must first be put into a debug mode, commonly referred to as console mode,
and all active HotSync applications must be closed. Once the memory image of a Palm OS
device is acquired, the user is prompted to select the HotSync button on the device to acquire
the logical data separately. The logical data is also represented in the RAM file that was
acquired through the physical acquisition stage. Palm’s HotSync protocol is used to gain
communication with the device to perform a logical acquisition.
EnCase is a commercially available forensic software toolkit that provides acquisition of
suspect media, search and analytical tools, hash generation of individual files, data capture and
Additional information on PDA Seizure can be found at:
Guidelines on PDA Forensics
documentation features.21 Although more widely used for examining PCs, EnCase also
supports Palm OS devices. Currently, support for Pocket PC is not available, but the ability to
import a data dump of Linux-based PDAs exists. EnCase allows for the creation of a complete
physical bit-stream image of a Palm OS device. Throughout the process, the integrity of the
bit-stream image is continually verified by CRC (Cyclical Redundancy Check) values, which
are calculated concurrent to acquisition. The resulting bit-stream image, called an EnCase
evidence file, is mounted as a read-only file or “virtual drive” from which EnCase proceeds to
reconstruct the file structure using the logical data in the bit-stream image. This allows the
examiner to search and examine the contents of the device using either a logical or physical
EnCase allows for files, folders, or sections of a file to be highlighted and saved for later
reference. These marks are called bookmarks. All bookmarks are saved in case files, with
each case having its own bookmark file. Bookmarks can be viewed anytime and can be made
from anywhere data or folders exist. Reporting features allows examiners to view information
from a number of perspectives: all acquired files, single files, results of a string search, a
report, or the entire case file created.
Duplicate Disk (dd)
The duplicate disk (dd) utility is similar to pdd insofar as it allows examiners to create a bit-bybit image of the device. As one of the original Unix utilities, dd has been around in one form
or another for decades. Unlike the other tools described above, dd executes directly on the
PDA. An image of the device can be obtained by connecting to the PDA, issuing the dd
command, and dumping the contents elsewhere, for example, to auxiliary media such as a
memory card or across a network session to a forensic workstation. Caution should be
exercised, since dd may destroy parts of the filesystem (e.g., overwriting data) if used
incorrectly. As with pdd, dd produces binary data output, some of which contains ASCII
character information. Images created from dd may be imported for examination into a
forensic tool, such as EnCase, if the filesystem is supported. A dd created image may also be
mounted in loopback mode on a filesystem-compatible Linux machine for analysis. The
standard version of dd does not provide hash values for the information acquired. However, a
separate procedure can be used to obtain needed hash values. Modified versions of dd exist
that incorporate hash value computation, but would require cross compilation and installation
to use.
Miscellaneous Tools
Other tools available from a hardware or software manufacturer to backup data or develop
software for a device or device family may aid an investigation. For example, Microsoft has
developed a tool called ActiveSync Remote Display (ASRDisp) that allows ActiveSync to
connect to a Pocket PC device and display its full functionality in a virtual device window on
the desktop, as if one were performing actions on the physical device itself. After data has
been acquired from the target device, a full backup via ActiveSync could be done to restore the
Additional information on EnCase can be found at:
Guidelines on PDA Forensics
backed up data on an identical device, which is used with ASRDisp for presentation purposes.
The ASRDisp utility is part of the Windows Mobile Developer Power Toys suite.22
Another means of presenting data is to use a Pocket PC emulator and the shared folder
functionality available. Again, after device acquisition has taken place, examiners can export
out individual files gleaned from the device to a specific folder present on the forensic
workstation. The shared folder allows information to be imported and displayed via the
emulator, giving examiners the ability to present relevant information virtually. Emulators for
all versions of the Pocket PC operating system are available for downloading at the Microsoft
Custom Tools
Where possible, established procedures should guide the technical process of acquisition, as
well as the examination of evidence. However, some situations demand that specialized
procedures and methods be applied. Procedures must be tested to ensure that the results
obtained are valid and independently reproducible. The development and validation of the
procedures should be documented and include the following steps [DOJ04]:
Identifying the task or problem
Proposing possible solutions
Testing each solution on an identical test device and under known control conditions
Evaluating the results of the test
Finalizing the procedure
The Windows Mobile Developer Power Toys suite can be downloaded at:
The Pocket PC 2003 Emulator can be downloaded at:
Guidelines on PDA Forensics
4. Procedures and Principles
Investigations and incidents are handled in various ways depending upon the circumstances of
the incident, the gravity of the incident, and the preparation and experience of the investigation
team. Digital investigations are comparable to crime scenes where investigative techniques
used by law enforcement have been applied as a foundation for the creation of procedures used
when dealing with digital evidence. This section provides an overview of various procedural
models and principles that have been proposed.
Roles and Responsibilities
Whatever the type of incident, the various types of roles involved are similar. Planning for
incidents should address how existing personnel fulfill these roles when responding and
conducting an investigation. A generic set of roles and associated responsibilities can be
identified. They include First Responders, Investigators, Technicians, Forensic Examiners,
and Forensic Analysts. In a given situation, a single individual may perform more than one
role. Nevertheless, distinguishing distinct roles and their associated responsibilities is useful.
First Responders are trained personnel who arrive first on the scene of an incident, provide an
initial assessment, and begin the appropriate level of response. The responsibilities of First
Responders are to secure the incident scene, call for the appropriate support needed, and assist
with evidence collection.
Investigators plan and manage preservation, acquisition, examination, analysis, and reporting
of electronic evidence. The Lead Investigator is in charge of making sure that activities at the
scene of an incident are executed in the right order and at the right time. The Lead Investigator
may be responsible for developing the evidence, preparing a case report, and briefing any
findings and determinations to senior officials.
Technicians carry out actions at the direction of the Lead Investigator. Technicians are
responsible for identifying and collecting evidence and documenting the incident scene. They
are specially trained personnel who seize electronic equipment and acquire digital images
resident within memory. More than one technician is typically involved in an incident,
because different skills and knowledge are needed. Sufficient expertise should be available at
the scene to address all distinct digital apparatus involved in the incident.
Evidence Custodians protect all evidence gathered that is stored in a central location. They
accept evidence collected by Technicians, ensure it is properly tagged, check it into and out of
protective custody, and maintain a strict chain of custody.
Forensic Examiners are specially trained personnel who reproduce images acquired from
seized equipment and recover digital data. Examiners make the information on the device
visible. Examiners may also acquire more elusive data using highly specialized equipment,
intensive reverse engineering, or other appropriate means unavailable to Forensic Technicians.
Forensic Analysts evaluate the product of the Forensic Examiner for its significance and
probative value to the case.
Guidelines on PDA Forensics
Evidential Principles
As a backdrop to any investigation basic principals have been proposed for dealing with digital
evidence. Digital evidence has both physical and logical aspects. The physical side of it
involves hardware components, peripherals, and media, which may contain data or the means
to access it, while the logical side deals with the raw data extracted from a relevant information
source. The Good Practice Guide for Computer based Electronic Evidence [ACPO2] suggests
four principles when dealing with digital evidence.
No actions performed by investigators should change data contained on digital
devices or storage media.
Individuals accessing original data must be competent to do so and have the ability to
explain their actions.
An audit trail or other record of applied processes, suitable for independent third-party
review, must be created and preserved, accurately documenting each investigative
The person in charge of the investigation has overall responsibility for ensuring the
above-mentioned procedures are followed and in compliance with governing laws.
The Proposed Standards for the Exchange of Digital Evidence [IOCE], suggest a similar set of
principals for the standardized recovery of computer-based evidence:
Upon seizing digital evidence, actions taken should not change that evidence.
When it is necessary for a person to access original digital evidence, that person must
be forensically competent.
All activity relating to the seizure, access, storage, or transfer of digital evidence must
be fully documented, preserved, and available for review.
An individual is responsible for all actions taken with respect to digital evidence while
the digital evidence is in their possession.
Any agency that is responsible for seizing, accessing, storing, or transferring digital
evidence is responsible for compliance with these principles.
The above sets of principles aim to ensure the integrity and accountability of digital evidence
through its entire life cycle. Proper handling of evidence is always vital for it to be admissible
in judicial proceedings. However, different standards may apply to different types of
investigations. The degree of training and expertise required to execute a forensic task largely
depends on the level of evidence required in the case [Pur].
The Daubert method, a set of standards that serve as a guide when dealing with evidence in a
court of law, proposes several reliability factors, which should be kept in mind when applying
and reporting on a scientific technique being used in a forensic examination [Oco04]:
Guidelines on PDA Forensics
Testability – Has the scientific theory or technique been empirically tested?
According to K. Popper (1989) in The Growth of Scientific Knowledge, "the criterion
on the scientific status of a theory is its falsifiability, refutability, and testability."
Acceptance – Has the scientific theory or technique been subjected to peer review
and publication? This ensures that flaws in the methodology would have been
detected and that the technique is finding its way into use via the literature.
Error Rate – What is the known or potential error rate? Scientific measures
generally have associated error rates, which can be estimated with a fair amount of
precision. Known threats exist against the validity and reliability in any test
(experimental and quasi-experimental) of a theory.
Credibility – What is the expert's qualifications and stature in the scientific
community? Does the technique rely upon the special skills and equipment of one
expert, or can it be replicated by other experts elsewhere?
Clarity – Can the technique and its results be explained with sufficient clarity and
simplicity so that the court and the jury can understand its plain meaning? This
criterion is assumed to be incorporated in Daubert implicitly.
In general, even outside of law enforcement investigations, evidence should be collected in a
manner that makes it likely the evidence could be admissible in court. It may not be obvious
when an investigation is initiated, for example, when a computer security incident is first
detected, that a court action will ensue. Important evidence might be overlooked, improperly
handled, or accidentally destroyed before the seriousness of the incident is realized.
Procedural Models
The Electronic Crime Scene Investigation – A Guide for First Responders, produced by the
U.S. Department of Justice [DOJ01], offers the following suggestions when approaching a
digital crime scene.
Securing and Evaluating the Scene – Steps should be taken to ensure the safety of
individuals and to identify and protect the integrity of potential evidence.
Documenting the Scene – Create a permanent record of the scene, accurately
recording both digital-related and conventional evidence.
Evidence Collection – Collect traditional and digital evidence in a manner that
preserves their evidentiary value.
Packaging, Transportation, and Storage – Take adequate precautions when
packaging, transporting, and storing evidence, maintaining chain of custody.
Incident Response [Man01], an “Incident Response Methodology” proposes the following
phases when encountering an incident or performing a digital investigation.
Pre-incident preparation – Through training and education, gain an understanding
on how to respond to an incident.
Guidelines on PDA Forensics
Detection of incidents – Develop techniques on how to detect suspect activities.
Initial Response – Confirm that an incident has occurred and obtain volatile
Response strategy formulation – Respond to incident based upon knowledge of all
known facts collected from the Initial Response phase.
Duplication (forensic backups) – Based upon the scenario, either create a physical
forensic image or do a live retrieval of evidence.
Investigation – Determine what happened, who did it and how the incident can be
prevented in the future.
Security measure implementation – Apply security measures to isolate and contain
infected systems.
Network monitoring – Monitor network traffic for ongoing or additional attacks.
Recovery – Restore the affected system to a secure, operational state.
Reporting – Document all of the details and investigative steps taken throughout the
Follow-up – Learn from the incident by reviewing how and why it happened and
make necessary adjustments.
Research conducted at the U.S. Air Force proposes the following steps when dealing with a
forensic investigation [Rei02].
Identification – Recognize and determine the type of incident.
Preparation – Prepare tools, techniques, search warrants, authorizations, and
management approval.
Approach Strategy – Maximize untainted evidence collection while minimizing the
impact upon the victim.
Preservation – Isolate, secure, and preserve the state of physical and digital evidence.
Collection – Record the physical scene and duplicate digital evidence.
Examination – Search for evidence relating to the suspected crime.
Analysis – Determine significance, reconstruct fragments of data, and draw
conclusions based on the evidence found. The Analysis phase may go through
numerous iterations until a theory has been supported.
Presentation – Summarize and provide an explanation of conclusions.
Guidelines on PDA Forensics
Return Evidence – Ensure physical and digital property is returned to the proper
Each of the above procedural models and evidential principals contains key points that should
be considered when dealing with digital evidence. Because every incident investigation is
distinct with its own unique set of circumstances, a single definitive procedural approach is
difficult to prescribe. Nevertheless, most models touch on the same key areas, though
stressing different aspects. The remaining sections follow a simple framework of four topical
areas: obtaining an exhibit, making a forensic copy of its contents, obtaining evidence from the
forensic copy, and reporting on the evidence obtained and process used. They are respectively
referred to within this document as preservation, acquisition, examination and analysis, and
Guidelines on PDA Forensics
5. Preservation
Evidence preservation is the process of seizing suspect property without altering or changing
the contents of data that reside on devices and removable media. It is the first step in digital
evidence recovery. The section begins with a generic introduction to preservation then
provides a more in-depth look at PDA-specific guidance.
Preservation involves the search, recognition, documentation, and collection of electronicbased evidence. In order to use evidence successfully, whether in a court of law or a less
formal proceeding, it must be preserved. Failure to preserve evidence in its original state could
jeopardize an entire investigation, potentially losing valuable information about an incident
The DOJ’s Electronic Crime Scene Investigation report covers this subject in detail [DOJ01].
The guide offers principles, policies, and procedures to follow when encountering a digital
evidence scene. The reader is directed to that report for additional information. The following
is a summary of the key points to observe.
Securing and Evaluating the Scene
Ensure the safety of all individuals at the scene.
Protect the integrity of traditional and electronic evidence.
Evaluate the scene and formulate a search plan.
Identify potential evidence.
All potential evidence should be secured, documented, and/or photographed.
Conduct interviews.
Documenting the Scene
Create a permanent historical record of the scene.
Accurately record the location and condition of computers, storage media, other
digital devices, and conventional evidence.
Document the condition and location of the computer system, including power
status of the computer (on, off, or in sleep mode).
Identify and document related electronic components that will not be collected.
Photograph the entire scene to create a visual record as noted by the first
Guidelines on PDA Forensics
Collecting Evidence
Handle computer evidence, whether physical or digital, in a manner that preserves
its evidentiary value.
Recover non-electronic evidence (e.g., written passwords, handwritten notes,
blank pads of paper with indented writing, hardware and software manuals,
calendars, literature, text or graphical computer printouts, and photographs).
Packaging, Transporting, and Storing Evidence
Take no actions to add, modify, or destroy data stored on a computer or other
Avoid high temperatures and humidity, physical shock, static electricity, and
magnetic sources.
Maintain chain of custody of electronic evidence, documenting its packaging,
transportation and storage.
Packaging Procedure
Properly document, label, and inventory evidence before packaging.
Pack magnetic media in antistatic packaging (paper or antistatic plastic
Avoid folding, bending, or scratching computer media such as diskettes,
CD-ROMs, removable media, etc.
Properly label evidence containers.
Transportation Procedure
Avoid magnetic sources (e.g., radio transmitters, speaker magnets).
Avoid conditions of excessive heat, cold, or humidity while in transit.
Avoid shock and excessive vibrations.
Storage Procedures
Ensure evidence is inventoried in accordance with authoritative policies.
Store evidence material in a secure area away from temperature and
humidity extremes.
Protect evidence material from magnetic sources, moisture, dust, and
other harmful particles or contaminants.
Guidelines on PDA Forensics
The remaining subsections provide supplemental information related to PDAs, following the
paradigm of search, recognition, documentation, and collection.
When an investigative team arrives at the scene with the appropriate authorization to examine
a suspect’s surroundings (e.g., a search warrant, consent from the owner), they should proceed
cautiously and follow the necessary steps to ensure that the device arrives at the forensics
laboratory without data depletion. Incorrect procedures during the seizure can cause critical
information to be lost. Awareness of device specific issues and an understanding of various
families of devices and their characteristics and accessories (e.g., power consumption, battery
type, cradles, and power supplies) are essential.
For PDAs, evidence sources include the device, device cradle, power supply, and associated
peripherals, media, and accessories. Removable media varies from the size of a stamp to a
stick of gum, which can be hidden and extremely difficult to find. Most often removable
media can be identified through the number and placement of pins or pin receptacles located
on the media that establish an interface with the device. The surrounding area and rooms other
than where the device was found should be searched to ensure related evidence is not
overlooked. Equipment associated with the PDA, such as memory cards or personal
computers synched with the PDA, may be more valuable than the PDA itself.
By accident or deliberate action, electronic equipment may be found in a damaged state.
Devices or media with visible external damage do not necessarily prevent data from being
extracted from them. Damaged equipment should be taken back to the lab for further
investigation. Repairing damaged components on a device and restoring it to working order
for examination and analysis may be possible. The memory components may also be
repaired/examined locally, or removed and examined by a specially trained examiner.
Legal advisors should be contacted for assistance, if needed, with the following two critical
legal considerations [DOJ04]:
Determining the extent of the authority to search and what additional legal process
may be necessary to continue the search (e.g., warrant, amended consent form), if
evidence is located that was not authorized in the original search authority.
Identifying possible concerns related to applicable local policies and laws, and
International, Federal, or State statutes, such as the Electronic Communications
Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA).
To proceed effectively, the exact type of device must be identified. Individuals may attempt to
thwart specialists by altering the device to conceal its true identity. Device alteration could
range from removing manufacturer labels to filing off logos. In addition, the operating system
may be modified or completely replaced and appear differently, as well as behave differently
than before.
If digital devices such as PDAs are in the “on” state the type of device can be identified by the
operating system, which is more consistent in device identity rather than a logo. Though the
Guidelines on PDA Forensics
two dominant operating systems are Pocket PC and Palm OS, PDAs manufactured to run one
operating system can frequently run an alternative operating system. For example,
distributions of Linux available from can be loaded and run on a variety of
Pocket PC devices.24 Similarly, versions of Linux, such as Linux DA, exist for Palm OS
Each operating system has particular applications intertwined within the main graphical user
interface (i.e., icons such as Word, Explorer, Memo Pad, Terminal, etc.). Other clues that
allow identification of a device are the following: the cradle interface, manufacturer serial
number, the cradle type, power supply, etc. Any synchronization software discovered on an
associated PC also helps to differentiate among operating system families.
Evidence must be accurately accounted for and identified. The labeling process should
document the case number, a brief description, signature, and the date and time the evidence
was collected. Additionally, the crime scene should be photographed alongside a report
documenting the state of each digital device/personal computer (personal computers may
contain useful data that has not been synchronized with the owner’s PDA). This is helpful if
questioned about the environment later [Kru01].
A record of all visible data should be created. All digital devices (PDAs) that may possibly
store data should be photographed with all peripherals cables, cradles, power connectors,
removable media, and connections. If the device is in an active or semi-active state, the
screen’s contents should be photographed and, if necessary, recorded manually. Other
characteristics such as any LED activity (e.g., blinking) or physical connectivity should also be
noted. Having an individual in charge to perform evidence custodian duties at the scene,
alongside a partner responsible for documentation of evidence, is desirable during the
collection phase [Kru01].
Actions taken on the system to view and record other volatile data not displayed at the time
affect the remaining evidence. For example, running an application to view memory
allocation or running processes will overwrite parts of memory. Moreover, it risks activating
Trojan horse code hidden within the application.
The chain of custody procedure is a simple yet effective process of documenting the complete
journey of evidence through the lifecycle of the case. Carefully maintaining the chain of
custody not only protects the integrity of evidence, but also makes if difficult for someone to
argue that the evidence was tampered with [Kru01]. The documentation should answer the
following questions:
Who collected it? (i.e., devices, media, associated peripherals, etc.)
How and where? (i.e., how was the evidence collected and where it was located)
Additional information on current projects can be found at:
Additional information on Linux DA can be found at:
Guidelines on PDA Forensics
Who took possession of it? (i.e., individual in charge of seizing evidence)
How was it stored and protected in storage? (i.e., evidence-custodian procedures)
Who took it out of storage and why? (i.e., on-going documentation of individual’s
name and purpose for checking-out evidence)
Documentation to all of the above questions must be maintained and filed in a secure location
for current and future reference.
Where PDAs are concerned, the collection process normally involves dynamic and volatile
information that may be lost unless precautions are taken at the scene of the incident or crime.
The “Good Practice Guide for Computer Based Electronic Evidence” [ACPO] suggests the
following procedures when dealing with PDAs:
On seizure, the PDA should not be switched on, if already off.
The PDA should be placed in an envelope then sealed before being put into an
evidence bag, to restrict physical access while it is still sealed in the evidence bag.
Where the PDA is fitted with only a single rechargeable battery, the appropriate
power adaptor should be connected to the device with the cable passing through the
evidence bag so that it can be kept on charge.
If the PDA is switched on when found, the device should be kept in an active running
mode (e.g., by tapping on a blank section of the screen) and supplied with power until
an expert can examine it, to avoid the consequences of activating security mechanisms
such as user authentication and content encryption. If sufficient power cannot be
supplied, consideration should be given to switching off the PDA to preserve battery
life, documenting the current device state and noting the time and date of the
A search should be conducted for associated memory devices, such as SD, MMC, or
CF semiconductor cards, microdrives, and USB tokens.
Any power leads, cables, or cradles relating to the PDA should also be seized, as well
as manuals.
Anyone handling PDAs before their examination should treat them in such a manner
that gives the best opportunity for any recovered data to be admissible as evidence in
any later proceedings.
PDAs maintain user data in a volatile state powered by either an alkaline or lithium ion battery
source. The device design determines the type of battery source provided; batteries may be
rechargeable or replaceable. If devices lose power for too long a time, the chance of
recovering all data from the seized device is unlikely. Before a technician can bag and tag a
PDA, the present power state must be considered. For example, the device may be receiving
power from a cradle plugged into an outlet and fully charged, the batteries may have recently
Guidelines on PDA Forensics
removed from the device to clear memory, or the device may be extremely low on battery
In cases where devices are powered by alkaline batteries, fresh batteries should be inserted as
soon as possible to lessen the chance of data loss before evidence can be acquired. Installing
fresh batteries is a normal activity for PDAs, especially those that run alkaline-based devices.
However, pulling the batteries out and installing replacement batteries changes the state of the
device; therefore, the technician should take note of the current state of the device beforehand,
along with any needed photographs.
Devices powered by a lithium-ion battery source should either be plugged into a compatible
cradle with a power source, or have a fully charged replacement battery inserted. If a cradle
found at the scene is occupied with the device, the cradle should first be disconnected from any
computer to which it is attached. During battery replacement, PDAs keep a small capacitance
charge to the device to maintain volatile data for a short amount of time. Thus, batteries must
be replaced quickly to prevent loss of data.
To conserve power, PDAs are normally configured to shut themselves off after a short period
of inactivity. Therefore, they are mostly likely to be powered off when found. If a PDA is
powered on when found, maintaining a device in an active running mode causes it to consume
more power than if it were powered off and inactive, making battery replacement and charging
considerations even more important. Anecdotal evidence suggests that built-in user
authentication and content encryption capabilities are not employed for the vast majority of
PDAs seized. Therefore, if additional power cannot be supplied to a device, and it is turned off
to conserve power and preserve memory contents, the risk of activating such security
mechanisms when the device is turned on again should be low. Keeping a device in the active
state is also troublesome. Moreover, authentication mechanisms, such as passwords, typically
cannot be turned off without first satisfying the mechanism (e.g., supplying the correct
password). For these reasons, procedures for some organizations may recommend turning off
certain classes of PDAs or letting them turn off automatically, if found powered on.
Exacerbating Conditions
Besides the battery level, other factors can influence the actions a technician takes in a given
situation to preserve evidence when the device is found in the on state. For example, some
devices can receive data through wireless networks that might provide new evidence, but
might overwrite existing data. Therefore, a calculated decision must be made whether to
prevent or allow further wireless communications [Cas00]. Other factors include whether the
device is cradled, is synchronizing with or communicating through a host computer, or has a
memory card inserted. Table 3 provides a list of common conditions and associated actions
for the forensic technician to consider in meeting the identified goal.
Guidelines on PDA Forensics
Table 3: Action Matrix
▪ Leave the device on and keep active
▪ If the power level is low, immediately replace
batteries with fresh ones or charge with the proper
device power adaptor, as appropriate26
▪ Maintain an adequate power level with the device
power adaptor or periodic replacement of batteries
▪ Create an image of the device, when
circumstances permit
▪ Leave the device off
▪ Immediately replace batteries with fresh ones,
periodically renewing them, or charge with the proper
device power adaptor, as appropriate
▪ Create an image of the device, when
circumstances permit
▪ Pull the USB/serial interface connection from the PC
▪ If the device is on, see condition 1
▪ If the device is off, see condition 2
▪ Seize the cradle and cords
Device on
▪ Maintain device in active
state and with an adequate
power level
▪ Acquire image at earliest
Device off
▪ Maintain an adequate
power level for the device
▪ Acquire image at earliest
Device in cradle27
▪ Eliminate the possibility of
further communication
Device out of cradle27
▪ If the device is on, see condition 1
▪ If the device is off, see condition 2
▪ Seize the cradle and cords
▪ Collect related evidence
Wireless (WiFi, Bluetooth,
etc.) on
▪ See condition 1
▪ Properly package the device in an envelope, antistatic bag, and a radio frequency isolation container,
eliminating the possibility of connectivity from
another machine/device 28
▪ Eliminate the possibility of
further communication
Wireless (WiFi, Bluetooth,
etc.) off
▪ See condition 1
▪ Properly package the device to eliminate wireless
activity from occurring
▪ Collect related evidence
Card in expansion card
▪ Avoid removing any peripheral/media cards (e.g., CF,
▪ Avoid triggering further
activity within the device
Card not in expansion card
▪ Seize any associated peripheral/media cards (e.g., CF,
As mentioned in section 5.4, if additional power cannot be supplied, consideration should be given to switching off
the device.
Some devices connect to a PC through the cradle connector, but without a cradle per se, and also fall under this
This action normally causes the battery to deplete more quickly as the device continually tries to reestablish
communications. Alternatively, consideration may be given to turning off communications through the device
configuration settings, to preserve battery life.
Guidelines on PDA Forensics
▪ Collect related evidence
Expansion sleeve attached
▪ Avoid triggering further
activity within the device
▪ Avoid removing the expansion sleeve
▪ Avoid removing any peripheral/media cards (e.g., CF,
SD, MMC) from the sleeve
▪ If wireless/networked connectivity is occurring see
condition 5
▪ Seize the expansion sleeve
▪ Seize any associated peripherals/media cards (e.g.,
Expansion sleeve removed
▪ Collect related evidence
Modified Devices
A number of considerations need to be made when handling a device. For example, pressing
the power button, synchronization button, or the PIM-related contacts, calendar, to-do list, and
tasks buttons on the device could potentially trigger an alteration of state. More interesting,
however, are modifications to the software applications and operating system that may have
been made to the device, which could be triggered from these actions. The following is a list
of common classes of modifications that can occur:
Key Remapping – It is relatively straightforward to remap a hardware key to perform
a different function than the default. Overall, a key press or combination of key
presses can be made to launch an arbitrary program.
Malicious Programs – Common utilities or functions can be replaced with versions
that contain a Trojan horse designed to alter or damage data present on the device.
For example, tools exist that allow users to capture, update, and replace ROM images
with preferred applications, such as improved Web browsers. Trojan-bearing
programs could conditionally be activated or suppressed based on conditions such as
input parameters or hardware key interrupts. Watchdog applications could also be
written to listen for specific key chord events and carry out actions such as wiping the
device clean.
Security Enhancements – Many organizations and individuals enhance their
handheld devices with add-on security mechanisms. A variety of visual login,
biometric, and token-based authentication mechanisms are available for use as
replacements or supplements to password mechanisms. Improper interaction with a
mechanism could cause the device to lock down and even destroy its contents. This is
particularly a concern with security tokens whose presence is constantly monitored
and whose removal from a card slot or other device interface is immediately acted
Transport and Storage
Once the device is ready to be seized, the forensic specialists should seal the device in a static
proof bag and tag it. The individual who seizes the device must sign and date the tag to initiate
a chain of custody. A hard case, in which the internal padding can conform to various device
shapes, would be preferable to using an envelop within the evidence bag to prevent keys from
being pressed accidentally. Radio frequency isolation bags exist for cutting off a device’s
Guidelines on PDA Forensics
radio transmission and reception and should be used where appropriate with PDAs having
wireless capabilities. An independent external power charger may be connected and placed in
the bag with the device to keep the power level full during transit. The device may also be
packaged to allow a power adaptor to be connected to the device through a hole in the bag, as a
means for keeping the power level high. Lithium-ion devices can usually be powered through
a compatible cigarette-lighter cable to keep charge to the device while in transit. If a cable is
used with a radio frequency isolation bag, the cable must be properly shielded to prevent it
from serving as an antenna and nullifying the effect of the isolation bag.
Digital devices are fragile and easily damaged. When a device is transported, it should be
handled carefully and adequately protected from shock, breakage, and extreme temperature.
Due to the volatile state of PDAs, they should immediately be checked into a forensic
laboratory to be processed and the evidence custodian be made aware of the situation
regarding power requirements. Battery powered devices held in storage for more than a few
days risk power depletion and data loss, unless a process is in place to avoid this outcome.
Storage facilities that hold evidence should provide a cool, dry environment appropriate for
valuable electronic equipment. All evidence should be in sealed containers, in a secure area
with controlled access.
Guidelines on PDA Forensics
6. Acquisition
Acquisition is the process of imaging or otherwise obtaining information from a digital device
and its peripheral equipment and media. Acquisition should occur at a forensics laboratory
once the seized information has been safely checked in. The advantage of performing
acquisition at the scene is that loss of information due to battery depletion, damage, etc. is
avoided. However, finding a controlled setting in which to work, having the appropriate
equipment, and satisfying other prerequisites may not occur at the scene, but instead be
available within a laboratory setting. For the purpose of discussion, in this section a laboratory
environment is assumed.
Once the device has arrived at the forensic laboratory, the forensic examiner begins the
acquisition with identification of the device. The type of device and operating system present
on the device determines the route to take for the creation of a sound bit-for-bit image or
otherwise acquiring the contents of the device. Only a few different forensic software tools
that image PDAs currently exist and no one application presently handles the full range of
devices on the market [Aye04]. The type of PDA and operating system, therefore, generally
dictates which application to use in an investigation.
Normally, the forensic toolkit used for acquisition is also the one used for examination and
analysis. Where there is a choice among several tools, such as with Palm OS devices,
interoperability among acquisition and examination facilities may exist, as shown in Table 4.
The entries therein show the results of data acquired with one tool, indicated by the row
header, analyzed by another, indicated by the column header. Interoperability is an important
aspect for consideration, since some tools may be limited to specific operating system versions
or may not support certain device models. Moreover, occasionally one forensic tool may fail
to acquire information from a specific device, while another tool works without problems.
Table 4: Interoperability Among Palm OS Tools
PDA Seizure
PDA Seizure
Accepts ROM image,
but pdd does not output
individual databases
Accepts ROM image
and individual
databases created
respectively with pi-get
rom and pilot-xfer
Built-in version of
POSE accepts
acquisition output
Accepts individual
databases produced
Accepts ROM and
RAM images
produced, with only
partial functionality
Accepts ROM, RAM
and individual
databases created
respectively with pigetrom, pi-getram and
Works implicitly
Accepts ROM and
RAM images
Accepts ROM and
RAM images
produced, with only
partial functionality
Works implicitly
Accepts ROM, RAM
and individual
databases created
respectively with pigetrom, pi-getram and
Accepts ROM and
RAM images
Guidelines on PDA Forensics
Forensic examiners are advised to experiment with various toolkits on test devices to find out
which acquisition tools work efficiently with particular device types, and to determine the
degree of interoperability among different acquisition and examination tools for a device
family. Besides gaining familiarity with the capabilities of the tool, experimentation allows
special purpose search filters and custom configurations to be set up before use in an actual
case. In addition, software updates from the manufacturer can be installed.
No matter whether the device is Pocket PC, Palm OS, or Linux-based, to acquire data from it,
a connection must be established from the specialist’s forensic workstation to the device.
Before performing an acquisition, the version of the tool being used should be documented,
along with any applicable patches or errata from the manufacturer applied to the tool. Once
the connection has been established, the forensic software suite can proceed to acquire data
from the device properly.
Unlike desktop machines or network servers, present day PDAs have no hard disk and rely
instead completely on semiconductor memory. Specialized software exists for producing an
image of the device, as well as performing a logical acquisition of PIM data. However, the
contents of a PDA are dynamic and continually changing, even when switched off (i.e., in the
quiescent state). Two back-to-back acquisitions of a device using the same tool produce
different results overall, though the majority of information, such as PIM data, remains
unchanged. To image a PDA device’s memory, the device has to be switched on, which is a
major difference from personal computers. This effectively means that the first evidentiary
principle mentioned in section 4 – actions taken should not modify data contained on the
device – cannot be complied with, strictly speaking. Therefore, the goal with PDA acquisition
is to affect memory contents as little as possible and then only in the knowledge of what is
happening internally, placing more importance on ensuring adherence to the second and third
evidentiary principles, which stress the competence of the specialist and the generation of a
detailed audit trail [ACPO].
After an acquisition is finished, the forensic specialist should always confirm that the entire
contents of a device were captured correctly (i.e., verify RAM/ROM size ensuring consistency
with the device). On occasion, a tool may fail its task without any error notification and
require the specialist to reattempt it with either the same tool or another tool. Similarly, some
tools do not work well with certain devices as others do, and may fail with an error
notification. Thus, when possible, it is advisable to have multiple tools available.
Unobstructed Devices
An unobstructed device is a device that does not require a password or other authentication
technique to be satisfied to be granted access to the device. From anecdotal information, most
devices seized in investigations appear to fall into this category. As mentioned earlier, when
seizing an “Unobstructed Device” caution should be utilized to avoid, for example, altering the
state of the device by pressing key chord sequences that have the potential to corrupt or erase
valuable evidence.
In general, a PDA has four main categories of storage to consider: the operating system code,
including the kernel, device drivers, and system libraries; dynamically allocated memory for
executing operating system applications and storing and executing additional user applications
loaded onto the device, user storage for various types of data files, including text, images, and
Guidelines on PDA Forensics
sounds; and critical data backup of important PIM application information and data files. The
characteristics of these four categories range from highly stable to extremely volatile. These
differences combined with the characteristics of a specific operating system, determine how
ROM and RAM are used to support each storage category.
Figure 6 illustrates the most typical arrangement. Flash ROM is used mainly to hold the
operating system code and optionally, any PIM data or files backed up by the user into the
remaining space. Flash memory has a limited life of approximately 100,000 erase cycles.
RAM is used for dynamic storage and user file storage. A soft reset (i.e., warm boot) typically
reinitializes the dynamic storage in RAM, but leaves user file storage untouched, while a hard
reset (i.e., cold boot) reinitializes both. Completely draining power from the PDA has the
same effect as a hard reset. ROM is unaffected by either a soft or hard reset.
Figure 6: ROM/RAM Storage Assignments
A common alternative memory arrangement is shown in Figure 7. Here user file storage
resides in Flash ROM with the operating system code, which avoids the need for backup
utilities, since the storage is persistent and unaffected by resets and power drainage. The
relative sizes of ROM and RAM are normally sized differently (i.e., more ROM and less
RAM) when compared with the earlier arrangement to provide commensurate capacity. To
keep user file storage in ROM versus RAM, a specialized filesystem is required to avoid
quickly reaching the lifetime of that media. File systems such as JFFS2 (The Journaling Flash
File System, version 2) are designed specifically to manage flash memory usage carefully
[Woo01]. For example, JFFS2 prevents the rewrite of an entire sector to erase a single byte
and ensures that different areas of memory are used in rotation to manage wear.
Because a limited number of forensic tools exist for acquisition of ROM and RAM contents
from a PDA, the choice is often simple. One main consideration is to maintain compatibility
with the toolkit eventually used in examination and analysis, since interoperability among
different PDA tools, especially commercial case file formats, is not guaranteed.
Guidelines on PDA Forensics
Figure 7: Alternative ROM/RAM Assignments
In order to preserve the integrity of the data, examiners should handle the original evidence as
little as possible. Generally, it is recommended to create a “master” forensic copy of the
device first, which is kept completely pristine. The master copy is then used to create
additional mirror images needed for analysis and examination of evidence [Gas03]. A strong
one-way cryptographic hash (e.g., SHA1) should be performed to ensure that the additional
images created from the master copy are identical.
Obstructed Devices
Obstructed devices typically refer to devices that are shut off (i.e., in the quiescent state) and
require successful authentication using a password or some other means to gain access.
Password protected devices normally require the expertise of a specially trained forensic
specialist to gain access to the device contents, while maintaining integrity of the information
and avoiding damage to the device. A number of ways exist to extract data from obstructed
devices. They fall into three classes: investigative, software-based and hardware-based
Software and hardware-based methods are often developed specifically for a particular device
or narrow class of device. In developing a method, the following actions should be considered
for determining possible approaches:
Contacting the device manufacturer for information on known backdoors and
vulnerabilities that might be exploited.
Reviewing manufacturer specifications and other documentation when formulating
plausible exploits.
Contacting commercial evidence recovery professionals that specialize in handheld
Searching Internet sites for developer, hacker, and security information.
Guidelines on PDA Forensics
Contacting device maintenance and repair companies, as well as commercial
organizations that provide architecture information on handheld device products.29
Investigative Methods
Investigative methods are procedures the investigative team can apply, which require no
forensic software or hardware tools. The most obvious methods are the following:
Ask the suspect – If a device is protected with password, PIN, token, or other
authentication mechanism involving knowledge-based authentication, the suspect can
be queried for this information during the initial interview.
Review seized material – Passwords are frequently written down on a slip of paper
and kept with or near the device, at a desktop computer used to synchronize with the
device, or on the suspect’s person, such as within a wallet, and may be recovered
through visual inspection.
Manually supply commonly used input – Users may weaken a mechanism by the
way in which it is used. For example, if a device requires a 4-digit PIN, an examiner
may wish to try the combination 1-2-3-4, as one of the three guesses allowed before
the device is completely locked down [Kni02].
Software-based Methods
Software-based methods involve software techniques used to break or bypass authentication
mechanisms. While some general-purpose software techniques and tools may apply to a class
of PDA devices, most of the techniques are specialized for a specific model within a class.
When a specialized technique is developed, it is normally programmed and tested on an
identical test device. Software-based methods include the following:
Exploit known weaknesses in authentication – If an authentication mechanism is
weak, exploiting the weaknesses to defeat it may be possible. For example, early
password protection schemes on Palm OS PDAs obfuscated the password using a
reversible algorithm [Kin01], allowing it to be recovered easily from devices running
version 4.0 or earlier, using a utility. Similarly, early versions of the Pocket PC
Active Sync protocol allow unlimited authentication attempts to be made without
penalty, allowing a dictionary attack of commonly used passwords to be attempted.
In addition, some systems may have a reserve password or master password built into
the authentication mechanism, which allows unfettered access when entered [Kni02].
Gain access through a backdoor – Manufacturers often build in test facilities or
other backdoors that an examiner can exploit to obtain information. For example, the
bootloaders on some PDA devices support functions that among other things allow
device memory to be read and copied or transmitted. For instance, the iPAQ 3900
and other models in that product series support the parrot bootloader, an unadvertised
utility so named because of the bird that appears on the display [Log01]. When
triggered by a specific combination key chord and provided appropriate commands
For handheld device architecture information see
Guidelines on PDA Forensics
via the serial port, the bootloader returns the contents of memory or copies it to a
memory card. Similarly, the penguin bootloader for Linux handheld devices allows
memory to be copied to a memory card.
Exploit known system vulnerabilities – Mobile systems may possess system
vulnerabilities within a standard interface protocol that an examiner can exploit to
bypass authentication and gain access to information. For example, access to the
device may be possible via a misconfigured network service [Cha02], a flaw in a
standard networking protocol supported by the device, or an error in the protocol’s
implementation making it susceptible to an attack method such as buffer overflow.
Possible communications interfaces for exploitation include the serial, USB, IrDA,
Bluetooth, WiFi, and GSM/GPRS facilities.
Hardware-based Methods
Hardware-based methods involve a combination of software and hardware to break or bypass
authentication mechanisms. Few general-purpose hardware-based methods apply to a general
class of PDA devices. Most of the techniques are specialized for a specific model within a
class. As with software-based methods, when a specialized technique is developed, it is
normally developed using a test device identical to the one under examination. The device
manufacturer may also provide useful information and tools for extracting data. Hardwarebased methods include the following:
Gain access through a hardware backdoor – Hardware backdoors, such as
interfaces for debugging, production testing, or maintenance, may be used to gain
access to memory. For example, some devices have active hardware test points on the
circuit board that can be used to probe the device. Many manufacturers now support
the JTAG (Joint Test Action Group) standard, which defines a common test interface
for processor, memory, and other semiconductor chips, on their devices [Int96].
Forensic examiners can communicate with a JTAG-compliant component by utilizing
software and an add-in hardware controller in a personal computer card slot or a
special purpose stand-alone programmer device to probe defined test points. The
JTAG testing unit can send commands and data to the JTAG-compliant component
and return the results to the unit for storage and rendition [Xjt03]. JTAG gives
specialists another avenue for imaging devices that are locked or devices that may
have minor damage and cannot be properly interfaced otherwise.
Examine memory independently of the device – An experienced examiner may be
able to examine memory chips directly on the device and extract information from
them. For example, the Netherlands Forensic Institute has developed a generalpurpose tool for examining a wide range of memory chips. Once physically
connected via a memory clip, the tool is able not only to read and store memory
contents, but also to overwrite them [Kni02].
Reverse engineer the device to find and exploit a vulnerability – Reverse
engineering involves retrieving the operating system code from the ROM of a PDA
identical to the one under examination and analyzing the code to understand its use of
the device hardware. With the understanding gained, any plausible vulnerabilities
noted can be systematically tested to determine a useful exploit technique. For
example, for a password authentication mechanism, it may be possible using memory
Guidelines on PDA Forensics
injection to overwrite the password with a known value or replace the authentication
program with a version that always authenticates successfully [Kni02]. Similarly,
flipping two bits in a data structure, which determine whether the start-up password is
active and configured, may turn off the mechanism completely, as reported for the
XDA PDA/phone hybrid device [Its].
Infer information by monitoring physical device characteristics – Techniques that
monitor power consumption or other device characteristics have been effective in
systematically determining the password or PIN. For example, forensic specialists
report that the passwords of some electronic organizers have been uncovered by
determining the address area of the password and, as characters are entered,
systematically monitoring the data and address bus of those memory locations to
reveal the value one character at a time [Kni02]. Differential power analysis, which
has been shown to be effective in gaining information from smart cards, is another
technique that could be applied [Aig].
Use automated brute force – If a password mechanism has no restrictions on the
number of manual attempts made and the examiner had time to spare, a brute force
dictionary attack could be attempted. Normally, this approach would be out of the
question. However, with automated keystroke entry, it is plausible. For example, the
Netherlands Forensic Institute developed, an automated password entry system for
devices with a keyboard and screen. Equipped with a robot arm and video camera the
unit can systematically enter passwords until the correct entry is detected or, in the
worst case, the keys become damaged [Kni02].
Tangential Equipment
Tangential equipment includes devices that contain memory and are associated with a PDA.
The two main categories are memory cards and host computers to which a PDA has
synchronized its contents. Surprisingly, USB memory drives, which are a common peripheral
for host computers, are generally not a factor for PDAs because of interface issues.
PDAs, especially higher end models, typically support Compact Flash (CF), Secure Digital
(SD), Multi-Media Cards (MMC), and other types of removable media designed specifically
for handheld devices, which can contain a significant amount of data. Like RAM and ROM,
memory cards are typically semiconductor memory. They are normally used as auxiliary user
file storage, backup of important PDA content, or a means to convey files to and from the
device. The physical sizes of memory cards supported by handheld devices are noteworthy
insofar as they are quite small, about the size of a coin, and easy to overlook. Therefore,
investigators should take their time and thoroughly search the premises, when seizing material.
Data can be acquired from removable media with the use of a media reader and a forensic
application used to image hard drives.
The data contained on a PDA is often present on a personal computer, due to the capability of
a PDA to synchronize or otherwise share information among one or more host computers.
Such personal computers or workstations are referred to as synched devices. Because of
synchronization, a significant amount of valuable evidence on a PDA, if not all, may also be
present on the suspect’s laptop or personal computer, and recovered using a conventional
computer forensic tool for hard drive acquisition and examination.
Guidelines on PDA Forensics
USB drives, sometimes referred to as thumb drives, are chewing-gum-pack size hardware
components with a USB connector at one end, and built as a printed circuit board within a
plastic housing that encases a processor and memory. USB memory drives can be treated
similarly to a removable disk drive, and imaged and analyzed using conventional forensic
Synched Devices
Synchronization refers to the process of resolving differences in certain classes of information,
such as e-mail, residing on two devices (i.e., a PDA and PC), such that both retain most current
versions, which reflect any actions taken by the user (e.g., deletions) on one device or the
other. Depending on how the suspect’s device is configured, a significant amount of
informative data may reside locally on the personal computer. When a connection is
established between the device and the PC, the user may communicate through the following
types of account:
Guest Account – No data is automatically synchronized between the device and the
PC, unless explicitly initiated by the user.
User Account – Upon connection, data is synchronized automatically between the
device and PC. The user predefines what data is synched and which device takes
precedence. Most handheld devices are configured to synchronize new data, such as
messages, address book entries, and agenda information.
Synchronization of information may occur at either the record level or the file level. When
done at the file level, any discrepancies from the last synchronization date and time result in
the latest version automatically replacing the older version. Occasionally manual intervention
may be needed if both versions were modified independently since the last synchronization
occurred. Record level synchronization is done similarly, but with more granularity whereby
only out-of-date parts of a file are resolved and replaced.
With Palm OS devices, record level synchronization is the norm. The core PIM databases that
can be synchronized include the following: Address Book, Date Book, Memo Pad, Note Pad,
and To Do List. With Pocket PC devices, file level synchronization is the norm. The core
PIM application files that can be synchronized include the following: Calendar, Contacts,
Inbox, Pocket Access, Tasks, and Favorites. Synchronization software other than that built
into the operating system also exists and may provide a more extensive or different set of
capabilities. Because the synchronized contents of a PDA and personal computer tend to
diverge quickly over time, additional information may be found in one device or the other.
Digital devices are typically populated with data from the PC during the synchronization
process. Data from the PDA can also be synchronized to the PC, through user-defined
preferences in the synchronization software. The synchronization software and the device type
determine where PDA files may be stored on the PC. Each synchronization protocol has a
default installation directory, but the locale can be user specified. Palm’s HotSync manager
keeps a log of data transfers containing: dates, location of the data, and what information was
Guidelines on PDA Forensics
Memory Cards
A wide array of memory cards exists on the market today, ranging from the size of a stamp to
that of a matchbook. Removable media storage capacity ranges from 8MB to beyond 2GB.
As technological advances are made, such media becomes smaller and offers larger storage
densities. Removable media extends the storage capacity of PDAs, allowing individuals to
store additional files beyond the device’s built-in capacity. Memory cards provide another
avenue for sharing data between multiple users that have compatible hardware.
Unlike RAM within a device, removable media is non-volatile storage and requires no battery
to retain data. Fortunately, such media can be treated similarly to a removable disk drive, and
imaged and analyzed using conventional forensic tools with the use of an external media
reader. Memory card adapters exist that support an Integrated Development Environment
(IDE) interface. Such adapters allow removable media to be treated as a hard disk and used
with write blocker software, which ensures that the removable media remains unaltered. Data
contained on the media can be imaged, searched, and deleted files can be recovered providing
possibilities of uncovering evidence. Below is a brief overview of several common storage
media in use today that may contain significant information related to an investigation.
Compact Flash Cards (CF) - Compact Flash memory is a solid-state disk card with
a 50-pin connector, consisting of two parallel rows of 25 pins on one edge of the card.
Compact Flash cards are designed for PCMCIA-ATA functionality and compatibility,
have a 16-bit data bus, and are used more as a hard drive than as RAM. They use
flash memory technology, a non-volatile storage solution that retains its information
once power is removed from the card. Compact Flash cards are about the size of a
matchbook (length-36.4 mm, width-42.8 mm, thickness-3.3 mm for Type I and 5mm
for Type II) and consume a minimal amount of power.
Microdrives - The Hitachi Microdrive digital media is a high-capacity, rotating mass
storage device that is in a Compact Flash Type II package with a 16-bit data bus. A
tiny glass disk serves as the storage media, which is more fragile than solid-state
memory and requires energy to spin. Similar in function to the solid-state Flash
memory cards, the 4GB Microdrive storage card is preformatted with a FAT32 file
system. FAT32 is required to allow for storage over 2GB. By moving to FAT32,
more storage space can be accessed, but cameras and other devices must support the
newer file system. Many digital cameras and most PDAs support FAT32.
Multi-Media Cards (MMC) - A Multi-Media Card (MMC) is a solid-state disk card
with a 7-pin connector. MMC cards have a 1-bit data bus. As with CF cards, they are
designed with flash technology, a non-volatile storage solution that retains
information once power is removed from the card. The cards contain no moving parts
and provide greater protection of data than conventional magnetic disk drives. MultiMedia Cards are about the size of a postage stamp (length-32 mm, width-24 mm, and
thickness-1.4 mm). Reduced Size Multi-Media cards (RS-MMC) also exist. They
are approximately one-half the size of the standard MMC card (length-18mm, width24mm, and thickness-1.4mm). Though they were designed specifically for mobile
phones, they can potentially be used with PDAs. An RS-MMC can be used in a full
size MMC slot with a mechanical adapter. A regular MMC card can be also used in
RS-MMC card slot, though part of it will stick out from the slot. MMCplus and
Guidelines on PDA Forensics
MMCmobile are higher performance variants of MMC and RS-MMC cards
respectively that have a 13-pin connector and an 8-bit data bus.
Secure Digital (SD) Cards - Secure Digital (SD) memory cards (length-32 mm,
width-24 mm, and thickness-2.1mm) are comparable to the size and solid-state design
of MMC cards. In fact, SD card slots can often accommodate MMC cards as well.
However, SD cards have a 9-pin connector and a 4-bit data bus, which afford a higher
transfer rate. SD memory cards feature an erasure-prevention switch. Keeping the
switch in the locked position protects data from accidental deletion. They also offer
security controls for content protection (i.e., Content Protection Rights Management).
MiniSD cards are an electrically compatible extension of the existing SD card
standard in a more compact format (length-21.5 mm, width-20 mm, and thickness-1.4
mm). They run on the same hardware bus and use the same interface as an SD card,
and also include content protection security features, but have a smaller maximum
capacity potential due to size limitations. For backward compatibility, an adapter
allows a MiniSD Card to work with existing SD card slots.
Memory Sticks - Memory sticks provide solid-state memory in a size similar to, but
smaller than, a stick of gum (length-50mm, width-21.45mm, thickness-2.8mm). They
have a 10-pin connector and a 1-bit data bus. As with SD cards, Memory Sticks also
have a built-in erasure-prevention switch, to protect the contents of the card. Memory
Stick PRO cards offer higher capacity and transfer rates than standard Memory Sticks,
using a 10-pin connector, but with a 4-bit data bus. Memory Stick Duo and Memory
Stick PRO Duo, smaller versions of the Memory Stick and Memory Stick PRO, are
about two-thirds the size of the standard memory stick (length-31mm, width-20mm,
thickness-1.6mm). An adapter is required for a Memory Stick Duo or Memory Stick
PRO Duo to work with standard Memory Stick slots.
Extended Memory Cards - Memory cards may support extensions for additional
functionality. For example, the X-Mobile Card from Renesas is a MultiMedia card
that contains both a smart card and a memory chip and able to function in either
USB Memory Drives
Many manufacturers produce USB memory drives of various capacities. Currently, however,
very few PDA devices support host USB ports, which are needed to interface with these
peripherals. Moreover, few if any USB drive manufacturers provide the necessary drivers for
PDA operating systems. This situation is understandable giving that host USB specifications
intend for an interface to be capable of supporting multiple devices sharing the port, which if
permitted would place a significant power drain on the battery of the device. Other factors
include the restrictions in mobility imposed by a USB drive sticking out of the side of a PDA
compared to the benefits of providing one or more memory card slots that completely contain
a card when inserted.
As with memory card extensions, USB drives may offer additional capabilities such as a
wireless interface. Access to memory contents may also be protected through a built-in
fingerprint reader or some other mechanism such as a smart card, which complicates the
acquisition process. However, for the reasons mentioned above these peripherals are not
normally associated with PDA devices.
Guidelines on PDA Forensics
7. Examination and Analysis
The examination process gives light to probative data. The results, gained through applying
established scientifically based methods, should describe the content and state of the data
completely. Such documentation allows all parties to discover what is contained, including
information that may have been hidden or obscured. Once all the information is exposed, data
reduction can begin, thereby separating relevant from irrelevant information. The analysis
process differs from examination in that it looks at the product of the examination for its
significance and probative value to the case [ACPO]. Examination is a technical process that
is the province of the forensic specialist. However, analysis may be done by roles other than
the forensic analyst, such as the investigator or the forensic examiner. One individual may
perform all the roles involved.
The examination process begins after a forensic workstation has been set up with the
appropriate tools and a copy of the evidence acquired from the device. If available, the
examiner should have studied the case and become familiar with the parameters of the offence,
the parties involved, and potential evidence that might be found. Conducting the examination
in a partnership with the forensic analyst or the investigator guiding the case construction is
advisable for the examiner. The investigator or analyst provides insight into the types of things
sought, while the forensic examiner provides the means to find relevant information that might
be on the system [Wol03].
If the forensic examiner performs the analysis independently, without conferring with the
forensic analyst or investigator, the knowledge gained by studying the case should provide
ideas about the specific keywords or phrases to use when searching the image acquired from
the device. Fortunately, compared with classical examination of individual workstations or
network servers, the amount of acquired data, in terms of raw image size, is many times
smaller (i.e., Mbytes vs. Gbytes).
Depending on the type of case, the strategy varies. A case about child pornography may begin
with browsing all of the graphic images on the system, while a case about an Internet-related
offence might begin with browsing the Internet history files [Wol03]. Examination often
reveals not only potentially incriminating data but also useful information such as passwords,
network logon names, and Internet activity. In addition to evidence directly related to an
incident, information can be uncovered about the lifestyle of a suspect, their associates, and the
types of activities in which they are involved.
Locating Evidence
Standard PDAs typically offer similar information handling features and capabilities, including
Personal Information Management (PIM) applications, support for e-mail, and Web browsing.
Hybrid devices that incorporate both PDA and cell phone functionality also exist. Potential
evidence on these devices includes [DOJ01]:
Address book
Guidelines on PDA Forensics
Text messages
Phone book
Voice messages
Generally, two types of computer forensic investigations take place. The first is where some
incident has occurred, but the identity of the offender is unknown (e.g., malicious code attack,
hacking incident, etc.). The second is where the offender and the incident are both known
(e.g., a child-porn investigation). Armed with the knowledge of the circumstances of the
incident, the forensic examiner and analyst can proceed toward accomplishing the following
Gather information about the individual(s) involved {who}.
Determine the exact nature of the events that occurred {what}.
Construct a timeline of events {when}.
Discover what tools or exploits were used {how}.
Uncover information that explains the motivation for the offense {why}.
Table 5 below provides a cross reference of generic evidence sources found on PDAs and their
likely contribution toward satisfying the above objectives. Most of the source information
comes from PIM data, and Internet related information. Other support applications that run on
the device potentially provide other evidence sources. User files placed on the device for
rendition, viewing, or editing are also another important evidence source. Besides graphic
files, other relevant file content includes spreadsheets, presentation slides, and similar items.
For hybrid devices, such as PDA phones or GPS PDAs, additional evidence sources exist, for
example, the last dialed number or coordinates to some destination.
Table 5: Cross Reference of Sources and Objectives
Owner Info
To Do List
E-mail Contact
Web URLs/Content
Graphic Files
Other File Content
Knowledge and experience with multiple tools for acquiring and examining the contents of
PDAs is extremely valuable. For instance, one tool may perform better than another in
Guidelines on PDA Forensics
specific areas such as file identification or search facilities; tools may report, acquire, and
examine the contents of acquired data differently; and some tools may be platform specific.
Therefore, using a toolkit that offers the best set of features for recovering and analyzing
evidence from a specific device is advantageous.
Applying Tools
Once the acquired image has been copied, the next step is to begin searching the data, creating
bookmarks, and developing the contents of a final report. Forensic examination tools are a
crucial component in this process as they translate data from raw bit images to a format and
structure that is understandable by the examiner and can be effectively used to identify and
recover evidence. It is important to note that tools have the possibility to contain some degree
of error. For example, the implementation of the tool may have a programming error; the
specification of a file structure used by the tool to translate bits into data comprehensible by the
examiner may be inaccurate or out of date; or the file structure generated by another program
as input may be incorrect, causing the tool to function improperly [Car02]. Therefore, having
a high degree of trust and understanding of the tool’s ability to perform its function properly is
essential. In addition, a knowledgeable suspect may tamper with device information, such as
purposefully misnaming a file extension to foil the workings of a tool or apply a wiping tool to
remove or eliminate data. Over time, experience with a tool provides an understanding of its
limitations, allowing an examiner to compensate for them and avoid error.
Forensic Examination of Digital Evidence – A Guide for Law Enforcement, produced by the
U.S. Department of Justice [DOJ04], offers the following suggestions for the analysis of
extracted data:
Timeframe analysis – Determine when events occurred on the system to associate
usage with an individual by reviewing any logs present and the date/time stamps in
the filesystem, such as the last modified time.
Data hiding analysis – Detect and recover hidden data that may indicate knowledge,
ownership, or intent by correlating file headers to file extensions to show intentional
obfuscation; gaining access to password-protected, encrypted, and compressed files;
gaining access to steganographic information detected in images; and gaining access
to reserved areas of data storage outside the normal filesystem.
Application and file analysis – Identify information relevant to the investigation by
examining file content, correlating files to installed applications, identifying
relationships between files (e.g., e-mail files to e-mail attachments), determining the
significance of unknown file types, examining system configuration settings, and
examining file metadata (e.g., documents containing authorship identification).
Ownership and possession – Identify the individuals who created, modified, or
accessed a file, and the ownership and possession of questioned data by placing the
subject with the device at a particular time and date, locating files of interest in nondefault locations, recovering passwords that indicate possession or ownership, and
identifying contents of files that are specific to a user.
The capabilities of the tools, the richness of features, and the operating system (e.g., Windows
CE, Palm OS, Linux) and type of device under examination determines what information can
Guidelines on PDA Forensics
be found, recovered, and reported, and the amount of effort needed. Areas of variability
include the search and recovery of deleted information, information on reset devices, or
information within compressed file archives or files with misnamed extensions [Aye04]. For
example, some tools used to search for evidence may identify files by file extension where
others use a file signature database. The latter feature is preferable since it eliminates the
possibility of masking data based upon an inconsistent file extension. This is especially true
for graphics files of various types, since by their very nature they generally are shrouded from
textual searches.
The search engine plays a significant role in the discovery of information used for the creation
of bookmarks and final reporting. Searching data for positive results on incriminating
evidence takes patience and can be time consuming. Some tools have a simple search engine
that matches an input text string exactly, allowing only for elementary searches to be
performed. Other tools house more intelligent and feature rich search engines, allowing for
grep (generalized regular expression patterns) type searches, including wildcard matches;
filtering of files by extension, directory, etc.; and batch scripts that search for specific types of
content (i.e., e-mail addresses, URLs, etc.). Similarly, the ability to find and gather images
automatically into a common graphics library facility can differ among tools. The greater the
tool’s capabilities, the more the experience with and knowledge of the tool become valuable
for the forensic examiner.
To uncover evidence, specialists must first gain a background of the suspect and offense and
determine a set of terms for the examination. Search expressions should be developed in a
systematic fashion, such as using contact names that may be relevant. By doing this, the
specialist creates a profile for potential leads that may unveil valuable findings. To eliminate
all possibility of omitting valuable evidence, the data should be thoroughly looked through
from beginning to end in a memory window provided by either the tool or a hex editor.
Additionally, specialists should have a database of file signatures to locate the headers and
footers of specific files that may lead to further evidence such as: graphics files, avi files, etc.
Once the data has been thoroughly searched and relevant items bookmarked, it is time to create
a report. Many forensic applications come with a built-in reporting facility that imports
bookmarked data, allowing the specialist to organize the report, choose its style, and customize
other aspects of the report. Reports may include the following: Specialists Name, Case
Number, Date, Title, Suspect Name, Categories for evidence, and relevant evidence found.
The software-generated report is only a small part of the overall final report. The final report
contains the software-generated report alongside the documentation accumulated throughout
the entire cycle, which summarizes the actions of the forensic examination and presents the
results of the analysis, including any evidence uncovered.
The following criteria have been suggested as a fundamental set of requirements for forensic
tools [Car02], and should be considered when a choice of tools is available:
Usability – the ability to present data in a form that is useful to an investigator.
Comprehensive – the ability to present all data to an investigator so that both
inculpatory and exculpatory evidence can be identified.
Accuracy – the quality that the output of the tool has been verified and a margin of
error ascertained.
Guidelines on PDA Forensics
Deterministic – the ability for the tool to produce the same output when given the
same set of instructions and input data.
Verifiable – the ability to ensure accuracy of the output by having access to
intermediate translation and presentation results.
Other factors in choosing among software tools include the Daubert considerations mentioned
earlier in section 4.2 (particularly Acceptance) and the following items:
Quality – technical support, reliability, and upgrade version path
Capability – supported feature set, performance, and richness of features with regard
to flexibility and customization
Affordability – cost versus benefits in productivity
Guidelines on PDA Forensics
8. Reporting
Reporting is the process of preparing a detailed summary of all the steps taken and conclusions
reached in the investigation of a case. Reporting depends on all participants carefully
maintaining a record of their actions and observations, reporting the results of tests, and
explaining the inferences drawn from the evidence. The basis of a good report is solid
documentation, notes, sketches, photographs, and tool-generated reports.
Reporting of the results of a forensic examination tend to follow predefined templates,
customized as required by the specific circumstances of each investigation. Reports of
forensic examination results should include all the information necessary to identify the case
and its source, outline the test results and findings, and bear the signature of the individual
responsible for its contents. In general, the report may include the following information
Identity of the reporting agency
Case identifier or submission number
Case investigator
Identity of the submitter
Date of receipt
Date of report
Descriptive list of items submitted for examination, including serial number, make,
and model
Identity and signature of the examiner
The equipment and set up used in the examination
Brief description of steps taken during examination, such as string searches, graphics
image searches, and recovering erased files.
Supporting materials such as printouts of particular items of evidence, digital copies of
evidence, and chain of custody documentation
Details of findings:
Specific files related to the request
Other files, including deleted files, that support the findings
String searches, keyword searches, and text string searches
Internet-related evidence, such as Web site traffic analysis, chat logs, cache
files, e-mail, and news group activity
Guidelines on PDA Forensics
Graphic image analysis
Indicators of ownership, which could include program registration data
Data analysis
Description of relevant programs on the examined items
Techniques used to hide or mask data, such as encryption, steganography,
hidden attributes, hidden partitions, and file name anomalies
Report Conclusions
Many forensic software applications have reporting facilities built-in. Examiners should
include only relevant findings in the report to minimize size and confusion among those
reviewing it. Automated reports typically contain the following key components: Case
Number, Date, Examiner Name, Suspect Name, and Files Acquired (showing hash, ASCII
data, graphical representation of data, etc.).
Digital evidence, as well as the tools, techniques and methodologies used in an examination, is
subject to being challenged in a court of law or other formal proceedings. Proper
documentation is essential in providing individuals the ability to re-create the process from
beginning to end. As part of the reporting process, making a copy of the software used and
including it with the output produced is advisable. This is especially pertinent for custom
tools, since confusion about the version of the software used to create the output is eliminated,
should it become necessary to reproduce forensic processing results at a later time. The same
practice applies to commercial software tools, which could be upgraded after an examination is
completed [NTI].
Guidelines on PDA Forensics
9. References
[ACPO] Good Practice Guide for Computer-based Electronic Evidence, Association of
Chief Police Officers, <URL:>.
[Aho01] Jukka Ahonen, PDA OS Security: Application Execution, Helsinki University of
Technology, Seminar on Network Security, Fall 2001, <URL:>.
Manfred Aigner, Elisabeth Oswald, Power Analysis Tutorial, Seminar Paper,
Institute for Applied Information Processing and Communication, <URL:>.
[Aye04] Rick Ayers, Wayne Jansen, PDA Software Tools: Overview and Analysis, NIST
Interagency Report (IR) 7100, August 2004, <URL:>.
[Bob04] Tanker Bob, JackSprat and JackFlash for Palm OS, PDA Buyer’s Guide, May
2004, <URL:>.
[Cha02] Steve Chapin, Douglas F. Calvert, David Walter, K. Reid Wightman, Niranjan
Sivakumar, Multiple Security Vulnerabilities in Sharp Zaurus, Beyond Security Ltd,
November 2002, <URL:>.
Brian Carrier, Defining Digital Forensic Examination and Analysis Tools, Digital
Forensics Research Workshop II, August 2002, <URL:>.
Eoghan Casey, Chapter 13: Forensic Examination of Handheld Devices, Digital
Evidence and Computer Crime, Academic Press, March 2000.
[DOJ01] Electronic Crime Scene Investigation: A Guide for First Responders, U.S.
Department of Justice, NCJ 187736, July 2001, <URL:>.
[DOJ04] Forensic Examination of Digital Evidence: A Guide for Law Enforcement, U.S.
Department of Justice, NCJ 199408, April 2004, <URL:>.
Nils Faerber, You Sexy Thing: Compaq iPaq on test, Linux Magazine, Issue 3,
December 2000, <URL:>.
Nils Faerber, Pocket Power: Three new Linux PDAs in test, Linux Magazine, Issue
36, November 2003, <URL:>.
Guidelines on PDA Forensics
Ty Gast, Forensic Data Handling, Security Assurance Group, White Paper, 2003,
Windows CE Embedded PC: Developer’s Documentation, Version 3.0, Gesytec
GmbH, August 2003, <URL:>.
Joe Grand, pdd: Memory Imaging and Forensic Analysis of Palm OS Devices,
Proceedings of the 14th Annual FIRST Conference on Computer Security
Incident Handling and Response, June, 2002, <URL:>.
Chris Halsall, Linux on an iPAQ, Linux DevCenter, O’Reilly Media, Inc., June
2001, <URL:>.
Gary Hillerson, Palm OS File Format Specification, PalmSource Inc., Document
Number 3008-005, April 2003, <URL:>.
[Hon04] Martyn Honeyford, Running Linux on an iPAQ: Put a penguin in your pocket, IBM
developerWorks, September 2004, <URL:>.
Designing for On-Board Programming Using the IEEE 1149.1 (JTAG) Access
Port, Intel, Application Note, AP-630, November 1996, <URL:>.
XDA Bootloader, ITSX, <URL:>
Arto Kettula, Security Comparison of Mobile OSes, Helsinki University of
Technology, Seminar on Network Security, Fall 2000, <URL:>.
Joe Grand (Kingpin) and Mudge, Security Analysis of the Palm Operating System
and its Weaknesses Against Malicious Code Threats, August 2001, pp. 135-152,
Proceedings of the 10th Usenix Security Symposium, <URL:>.
Ronald van der Knijff, Chapter 11: Embedded Systems Analysis, Handbook of
Computer Crime Investigation, Edited by Eoghan Casey, Academic Press, 2002.
Warren G. Kruse II, Jay G. Heiser, Computer Forensics – Incident Response
Essentials, Pearson Education, September 26, 2001.
[Log01] Brett Logsdon, Compaq iPAQ Parrot Talks: How to flash your ROM by the
backdoor, Pocket PC Passion, February 2001, <URL:>.
Guidelines on PDA Forensics
[Man01] Kevin Mandia, Chris Prosise, Incident Response: Investigating Computer Crime,
McGrawHill Osborne Media, 2001.
[Meu02] Pascal Meunier, Sofie Nystrom, Seny Kamara, Scott Yost, Kyle Alexander, Dan
Noland, Jared Crane, ActiveSync, TCP/IP and 802.11b Wireless Vulnerabilities of
WinCE-based PDAs, Proceedings of the Eleventh IEEE International Workshops
on Enabling Technologies: Infrastructure for Collaborative Enterprises
(WETICE’02), June 2002, <URL: or>.
Computer Evidence Processing Steps, New Technologies Inc., <URL:>.
[Oco04] Thomas R. O'connor, Admissibility of Scientific Evidence Under Daubert, North
Carolina Wesleyan College, March 2004, <URL:>.
Claire Pieterek, How to get an extra 824K using FlashPro, PalmPower Magazine,
May 1999, <URL:>.
[Pmd02] Palm Security, How-To Guide,, 2002, <URL:>.
[PPC04] Palm OS Programmer's Companion, Volume I, PalmSource, Inc., May 2004,
Mark Reith, Clint Carr, and Gregg Gunsch, An Examination of Digital Forensic
Models, International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3
[Wie02] Officer Fred J.Wiechmann, Processing Flash Memory Media, New Technologies
Inc., November 2002, <URL:>.
[Wol03] Henry B.Wolfe, Evidence Analysis, Computers and Security, May 2003, Volume
22, Issue 4, pp. 289-291, <URL:>.
[Woo01] David Woodhouse, JFFS : The Journalling Flash File System, Ottawa Linux
Symposium, July 2001, <URL:>.
JTAG testing with XJTAG, Version 0.1, XJTAG, March 2003, <URL:>.
[Zwi02] Thomas Zwinger, Leif Laaksonen, Linux on an iPAQ PDA, @CSC, CSC - Finnish
IT Center for Science, Issue 3, 2002 <URL:>.
Guidelines on PDA Forensics
Appendix A. Acronyms
API – Application Programming Interface
ASCII – American Standard Code for Information Interchange
CF – Compact Flash
Codec – Coder-Decoder
CIR – Consumer Infrared
CRC – Cyclical Redundancy Check
dd – duplicate disk/data dump
DLL – Dynamically Linked Library
GDI – Graphics Device Interface
GPS – Global Positioning System
GPRS – General Packet Radio Service
GSM – Global System for Mobile Communications
GWES – Graphics, Windowing, and Events Subsystem
IDE – Integrated Drive Electronics
IPsec – Internet Protocol Security
IrDA - Infra Red Data Association
JFFS2 – Journaling Flash File System, Version 2
JTAG – Joint Test Action Group
LCD – Liquid Crystal Display
LED – Light Emitting Diode
MMC – Multi-Media Card
OAL – Original Equipment Manufacture Adaptation Layer
OEM – Original Equipment Manufacture
OS – Operating System
Guidelines on PDA Forensics
PC – Personal Computer
PDA – Personal Digital Assistant
pdd – Palm data dump/duplicate disk
PFF – Palm File Format
PIM – Personal Information Management
PIN – Personal Identification Number
POSE – Palm Operating System Emulator
PPC – Pocket PC
PPTP – Point-to-Point Tunneling Protocol
RAM – Random Access Memory
RAPI – Remote Application Programming Interface
ROM – Read Only Memory
SD – Secure Digital
SHA1 – Secure Hash Algorithm, version 1
SSH – Secure Shell
TCP/IP – Transmission Control Protocol/Internet Protocol
TFT – Thin Film Transistor
UART – Universal Asynchronous Receiver/Transmitter
URL – Uniform Resource Locator
USB – Universal Serial Bus
WiFi – Wireless Fidelity
WinCE – Windows CE
XIP – eXecute In Place
Guidelines on PDA Forensics
Appendix B. Glossary
Acquisition – A process by which digital evidence is duplicated, copied, or imaged.
Analysis – The examination of acquired data for its significance and probative value to the
Authentication Mechanism – Hardware or software-based mechanisms that force users to
prove their identity before accessing data on a device.
Bluetooth – A wireless protocol that allows two Bluetooth enabled devices to communicate
with each other within a short distance (e.g., 30 ft.).
Brute Force Password Attack – A method of accessing an obstructed device through
attempting multiple combinations of numeric/alphanumeric passwords.
Buffer Overflow Attack – A method of overloading a predefined amount of space in a buffer,
which can potentially overwrite and corrupt memory in data.
Chain of Custody – A process that tracks the movement of evidence through its collection,
safeguarding, and analysis lifecycle by documenting each person who handled the evidence,
the date/time it was collected or transferred, and the purpose for the transfer.
Compressed File – A file reduced in size through the application of a compression algorithm,
commonly performed to save disk space. The act of compressing a file will make it
unreadable to most programs until the file is uncompressed. Most common compression
utilities are PKZIP and WinZip with an extension of .zip.
Cradle – A docking station, which creates an interface between a user’s PC and PDA, and
enables communication and battery recharging.
Cyclical Redundancy Check – A method to ensure data has not been altered after being sent
through a communication channel.
Deleted File – A file that has been logically, but not necessarily physically, erased from the
operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does
not always necessarily eliminate the possibility of recovering all or part of the original data.
Digital Evidence – Electronic information stored or transmitted in binary form.
Duplicate Digital Evidence – A duplicate is an accurate digital reproduction of all data
objects contained on the original physical item and associated media (e.g., flash memory,
Electromagnetic Interference – An electromagnetic disturbance that interrupts, obstructs, or
otherwise degrades or limits the effective performance of electronics/electrical equipment.
Electronic Evidence – Information and data of investigative value that is stored on or
transmitted by an electronic device.
Guidelines on PDA Forensics
Encryption – Any procedure used in cryptography to convert plain text into cipher text to
prevent anyone but the intended recipient from reading that data.
Examination – A technical review that makes the evidence visible and suitable for analysis;
tests performed on the evidence to determine the presence or absence of specific data.
Exculpatory Evidence – Evidence that tends to decrease the likelihood of fault or guilt.
eXecute in Place – A facility that allows code to be executed directly from flash memory
without loading the code into RAM.
File Name Anomaly – A mismatch between the internal file header and it external extension;
a file name inconsistent with the content of the file (e.g., renaming a graphics file with a nongraphics extension).
File Slack – Space between the logical end of the file and the end of the last allocation unit for
that file.
Filesystem – A software mechanism that defines the way that files are named, stored,
organized, and accessed on logical volumes of partitioned memory.
Flash ROM – non-volatile memory that is writable.
Forensic Copy – An accurate bit-for-bit reproduction of the information contained on an
electronic device or associated media, whose validity and integrity has been verified using an
accepted algorithm.
Forensic Specialist – Locates, identifies, collects, analyzes and examines data while
preserving the integrity and maintaining a strict chain of custody of information discovered.
Global Positioning System – A system for determining position by comparing radio signals
from several satellites.
Hardware Driver – Applications responsible for establishing communication between
hardware and software programs.
Hashing – The process of using a mathematical algorithm against data to produce a numeric
value that is representative of that data.
Heap – A software data structure used for dynamic allocation of memory.
Image – An exact bit-stream copy of all electronic data on a device, performed in a manner
that ensures the information is not altered.
Inculpatory Evidence – Evidence that tends to increase the likelihood of fault or guilt.
Loop-Back Mode – An operating system facility that allows a device to be mounted via a
loopback address and viewed logically on the PC.
Guidelines on PDA Forensics
Misnamed Files – A technique used to disguise a file’s content by changing the file’s name to
something innocuous or altering its extension to a different type of file, forcing the examiner to
identify the files by file signature versus file extension.
Password Protected – The ability to protect a file using a password access control, protecting
the data contents from being viewed with the appropriate viewer unless the proper password is
Personal Digital Assistant (PDA) – A handheld computer that serves as a tool for reading and
conveying documents, electronic mail, and other electronic media over a communications link,
and for organizing personal information, such as a name-and-address database, a to-do list, and
an appointment calendar.
Personal Information Management (PIM) Applications – A core set of applications that
provide the electronic equivalents of an agenda, address book, notepad, and business card
Probative Data – Information that reveals the truth of an allegation.
Steganography – The art and science of communicating in a way that hides the existence of
the communication. For example, a child pornography image can be hidden inside another
graphic image file, audio file, or other file format.
Synchronization Protocols – Protocols that allow users to view, modify, and transfer/update
PDA data from the PC or vice-versa. The two most common synchronization protocols are:
Microsoft’s ActiveSync and Palm’s HotSync.
Thread– A defined group of instructions executing apart from other similarly defined groups,
but sharing memory and resources of the process to which they belong.
Universal Serial Bus (USB) – A hardware interface for low-speed peripherals such as the
keyboard, mouse, joystick, scanner, printer, and telephony devices.
Volatile Memory – Memory that loses its content when power is turned off or lost.
Write-Blocker – A device that allows investigators to examine media while preventing data
writes from occurring on the subject media.
Write Protection – Hardware or software methods of preventing data from being written to a
disk or other medium.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF