digital investigation 6 (2010) 147–167
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/diin
Windows Mobile advanced forensics
C. Klaver*
Netherlands Forensic Institute, Dept. Digital Technology and Biometrics, Digital Technology Group, Postbus 24044, 2490 AA Den Haag, The Netherlands

Article history: Received 31 December 2009; Received in revised form 9 February 2010; Accepted 10 February 2010

Keywords: Windows Mobile; NAND flash; TFAT file system; Live forensics; Heap; CEDB/EDB database; Logical/physical acquisition

Abstract: Windows CE (at this moment sold as Windows Mobile) has been on the market for more than 10 years. In the third quarter of 2009, Microsoft reached a market share of 8.8% of the more than 41 million mobile phones shipped worldwide in that quarter. This makes it a relevant subject for the forensic community. Most commercially available forensic tools supporting Windows CE deliver logical acquisition, yielding active data only. The possibilities for physical acquisition are increasing as some tool vendors are starting to implement forms of physical acquisition. This paper introduces the forensic application of freely available tools and describes how known methods of physical acquisition can be applied to Windows CE devices. Furthermore it introduces a method to investigate isolated Windows CE database volume files for both active and deleted data.
© 2010 Elsevier Ltd. All rights reserved.
1. Introduction

With Windows CE on the market for more than 10 years now, Microsoft has a market share that makes it a relevant subject for the forensic community. The first versions of Windows CE were not very successful on the hand-held electronics market. However, with the release of Windows Mobile 6, based on Windows CE 5.2 (Herrera, 2009), Microsoft gained a market share of 13.6% of the nearly 40 million mobile phones shipped worldwide in the third quarter of 2008, but appears to be falling in 2009 (Canalys, 2009).

Currently most commercial forensic tools that support Windows CE (WCE) acquire data from the device through the standard Remote Application Programmers Interface (RAPI). This results in the acquisition of only the active data. Capturing deleted data is not possible using just this method. In 2005, PDA Seizure was one of the first tools that supported logical acquisition of WCE devices. Nowadays, other tools like MSAB's .XRY and Cellebrite's UFED support logical acquisition of WCE devices. In Ayers et al. (2005), a comprehensive overview of forensic tools for mobile devices is given.

MSAB is implementing physical acquisition of WCE devices in its tool XACT (MSAB). Cellebrite supports physical acquisition for Windows CE devices in the Physical-Pro version of UFED (Cellebrite). Since 2003 Hengeveld (2009) has been publishing his open source XDA tools. With this toolset, among other things, an acquisition of RAM and flash memory inside WCE devices can be done. All these tools assume a WCE device that is not locked by a handset security code. Revealing or circumventing security codes is beyond the scope of this paper, but physical acquisition methods like chip extraction, or the use of JTAG or a boot loader, work around handset security codes. More advanced protection of a smart phone would encrypt user data, imposing a new challenge to forensic examination of such a mobile device. This is also beyond the scope of this paper.
Note: The Netherlands government is authorized to reproduce and distribute reprints of this paper for governmental purposes notwithstanding any copyright notation thereon.
* Tel.: +31 (0)70 888 6423; fax: +31 (0)70 888 6559. E-mail address: c.klaver@nfi.minjus.nl
1742-2876/$ – see front matter © 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2010.02.001
This paper takes forensic examination of WCE devices beyond logical acquisition with commercial, off-the-shelf forensic tools. In section 2 relevant aspects of the typical hardware of a WCE device are described and physical locations that can contain user data are identified. Section 3 describes software components in a WCE device that are involved in storing user data or can be used in a forensic acquisition. Section 4 describes the process of acquiring a forensic duplicate of data on a WCE based device. Section 5 covers methods for performing a physical acquisition of a WCE device. Section 6 presents tools and techniques for analyzing results of a physical acquisition. Section 7 discusses results and future work is identified in section 8.

2. Typical WCE hardware

This section describes hardware elements in a typical WCE device that can be relevant for a forensic examination of such a device. Only a general overview will be given of aspects of the processor, flash memory and RAM. Description of other, more specialized hardware components falls outside the scope of this paper.

2.1. Processor

With WCE Microsoft intends to deliver an Operating System (OS) that can run on a range of hardware platforms. Currently four families of processor cores are supported: ARM, MIPS, SH4 and x86 (Microsoft 1). Of these, ARM currently is most common in consumer electronics like smart phones, PDAs and navigation devices. This paper focuses on ARM based devices.

The ARM processors used in WCE devices come from various vendors. To name some that we have come across in the last years: the Intel PXA2x0/PXA30x XScale family of processors; Intel sold its activities in this field to Marvell (Intel, 2006). Texas Instruments has its OMAP series (Texas Instruments). Another player on this market is Samsung with its S3Cxxxx range (Samsung).

One of the interesting aspects of this whole range of processors is that nearly all peripheral devices needed to build a smart phone are integrated into one chip. These processors are also referred to as System on Chip (SoC). This means that a lot of relevant information that might be needed for physical data extraction on a device powered by such a SoC must come from the datasheets of this SoC. To be able to make a copy of the NOR flash memory in the device by using the Boundary Scan technique it might be necessary to know the memory layout of a smart phone: which chip select lines are connected to which type of memory chip. Finding datasheets however is getting harder because many SoCs are designed specifically for the mobile handset builders and distribution of datasheets is strictly controlled. Where these datasheets do not become available, the necessary information can only be gained by reverse engineering an exemplar device of the same make and model as the evidence. The latest SoCs even contain the RAM and flash dies inside one package, which makes physical extraction of memory even more challenging. Besides that, SoCs might contain special secure memory for storing data like cryptographic keys.

2.2. Flash memory

Flash memory is widely used for non volatile storage of data. There are two main types of flash memory, NOR and NAND flash (Knijff). Flash has specific properties that have forensic relevance. For instance, as data cannot be updated in place in flash memory, first the data has to be copied from flash to RAM, changed and then copied back to a different, empty location in flash. The data before the change might be available after the change through physical acquisition for quite a while (Breeuwsma et al., 2007).

2.2.1. NOR flash

This type of flash memory has a RAM-like interface; it has a data bus, an address bus and control lines. NOR flash is mapped in the processor's memory map and processor code can be executed directly from it (this is called 'execute in place'; XIP). NOR flash can also be used as storage location for user data. Many older WCE devices have a single folder in the root directory that is mapped to a section in NOR flash. With a special driver, like Intel's Persistent Storage Manager (Intel, 2005), the part of the NOR flash memory that is not used for code can be used for user data. In a forensic investigation, this folder should not be overlooked. This folder is for example very suitable for storing system backups and, because it resides in flash, deleted data can persist. When a device with a completely drained battery makes a full system reset, this folder might still contain a recent backup of all user data.

2.2.2. NAND flash

NAND flash can be regarded as the solid state equivalent of a hard disk. It has an interface with an I/O bus and control lines connecting the memory chip to the processor. Over this I/O bus, commands, addresses and data are sent. As NAND flash memory is not mapped in the memory space of the processor, code stored in a NAND flash chip cannot be executed directly, but has to be loaded into RAM first, again much like a hard disk.

After reset, boot loader code is loaded into RAM through some mechanism that is dependent on the type of flash memory used. Some flash memory types are capable of presenting a boot block of flash memory through a NOR flash interface, allowing the processor to boot from this block. The code in this block will contain instructions to access the rest of the blocks, in order to load the OS into RAM. Typical behavior of WCE smart phones is that after the OS is loaded, it will detect whether it is a cold reset. In that case, it will install customization .cab files from the customization flash partition, often TFAT. After these files are installed, the device is rebooted and it is ready for use.

Flash memory must be erased to all 1s before reuse and flash can only be erased in fairly large blocks, typically between 128 and 512 kB. An erase block that mainly contains expired pages can be made fully expired by copying away the last few active pages and can subsequently be erased. This means that inactive data will be wiped beyond recovery by the system itself, even in 'quiescent' state. Flash memory is worn out by erasing. To minimize this effect, flash manufacturers supply so called Wear Leveling algorithms with their hardware. Wear leveling is the process in a flash memory manager that takes care of evenly spreading erase actions across the whole flash memory range.
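The out-of-place update and erase-block behaviour described above is what makes superseded and deleted data recoverable from a physical image and, later, unrecoverable once the device reclaims the block. The following Python program is an added example and not code from the paper: it models a toy flash translation layer (a logical-to-physical page map, expired pages, and block erase with relocation of the remaining live pages) and compares what a file-system-level view and a page-level physical view return before and after a block is reclaimed. The geometry, page contents, class and function names are constructed for the illustration.

```python
# Added example (not from the paper): a toy NAND flash translation layer that
# shows why superseded and deleted data survives in 'expired' pages until the
# erase block holding them is reclaimed. Geometry and contents are constructed.

PAGE, PAGES_PER_BLOCK, BLOCKS = 16, 4, 4      # tiny geometry chosen for illustration


class ToyNand:
    def __init__(self):
        # An erased NAND page reads as all 1s (0xFF); the FTL tracks a state per page.
        self.pages = [b"\xff" * PAGE for _ in range(PAGES_PER_BLOCK * BLOCKS)]
        self.state = ["free"] * len(self.pages)           # free | live | expired
        self.map = {}                                     # logical page -> physical page

    def write(self, logical, data):
        """Out-of-place update: program a free page, then expire the previous copy."""
        phys = self.state.index("free")                   # ValueError once the chip is full
        self.pages[phys] = data.ljust(PAGE, b"\xff")
        self.state[phys] = "live"
        old = self.map.get(logical)
        if old is not None:
            self.state[old] = "expired"                   # the old bytes stay in the chip
        self.map[logical] = phys
        return phys

    def delete(self, logical):
        """A file-system delete only expires the page; nothing is overwritten."""
        self.state[self.map.pop(logical)] = "expired"

    def logical_view(self):
        """What a logical / file-system level acquisition returns: live pages only."""
        return {l: self.pages[p].rstrip(b"\xff") for l, p in sorted(self.map.items())}

    def physical_view(self):
        """What a chip or JTAG read returns: every page, expired ones included."""
        return [(i, self.state[i], self.pages[i].rstrip(b"\xff"))
                for i in range(len(self.pages))]

    def garbage_collect(self, block):
        """Copy away the block's live pages, then erase the whole block to all 1s."""
        rng = range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK)
        for phys in rng:
            if self.state[phys] == "free":
                self.state[phys] = "expired"              # keep write() out of this block
        for phys in rng:
            if self.state[phys] == "live":
                logical = next(l for l, p in self.map.items() if p == phys)
                self.write(logical, self.pages[phys])     # relocate the last live pages
        for phys in rng:                                  # block erase: data gone for good
            self.pages[phys] = b"\xff" * PAGE
            self.state[phys] = "free"


def recoverable(nand, needle):
    """Physical page numbers (live or expired) that still contain `needle`."""
    return [i for i, state, data in nand.physical_view()
            if state != "free" and needle in data]


def demo():
    """Edit an SMS, delete a contact, then let the FTL reclaim block 0."""
    nand = ToyNand()
    nand.write(0, b"SMS: meet at 9")
    nand.write(0, b"SMS: meet at 10")         # edit -> new page, first version expired
    nand.write(1, b"contact: Bob")
    nand.delete(1)                            # deleted -> page expired, bytes still present
    before = {"logical": nand.logical_view(),
              "old_sms_pages": recoverable(nand, b"meet at 9"),
              "deleted_contact_pages": recoverable(nand, b"Bob")}
    nand.garbage_collect(0)                   # the device tidying up, e.g. while 'idle'
    after = {"logical": nand.logical_view(),
             "old_sms_pages": recoverable(nand, b"meet at 9"),
             "deleted_contact_pages": recoverable(nand, b"Bob")}
    return {"before_gc": before, "after_gc": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

Before garbage collection the logical view shows only the current SMS text, while the physical view still yields the first version of the SMS and the deleted contact in expired pages; after block 0 is reclaimed both are gone while the logical view is unchanged. A real FTL adds spare-area metadata, wear leveling and bad-block handling, but the lifetime argument for expired pages is the same.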
2.3. RAM

RAM in WCE devices can contain various types of data that can have forensic relevance. As modern devices can have hundreds of MB of RAM, it is essential to know where to look for relevant data. In WCE versions prior to 6.0 a process has a virtual¹ address space of 32 MB (Boling, 2002). Fig. 1 shows a simplified diagram of how various items are located within the 32 MB address space. From the bottom up, first the code of the process itself is loaded. From the highest address down, the dlls needed by the process are loaded. In between are the stack and the heap for the process. The stack and the heap are the locations where variables are stored during the lifetime of the process. From WCE 6.0 on, memory management has changed quite drastically. For instance the addressable Virtual Memory space for a process is no longer restricted to 32 MB (Microsoft 2).

[Fig. 1 – Simplified memory layout of a WCE process. From the top of the space (0x01FF-FFFF) down to 0x0000-0000: RAM based dlls, free space, stack, heap, code.]

2.4. Other

Besides NAND and RAM, a WCE device might have additional memory for special purposes. Inside the processor, for instance, special registers can reside that hold cryptographic data. A register holding a unique number might function as a master key for encryption of data. For instance, the Texas Instruments (2009) OMAP35x processors have a 128 bit CONTROL_DIE_ID at address 0x4830A218.

3. Typical WCE software components

This section describes software components in a WCE device that are involved in storing user data or can be used in a forensic context. An important notion when looking at WCE devices is the difference between the kernel that the WCE device is based on, and the version name of the retail OS (Herrera). For instance, all Windows Mobile 6 versions are based on WCE 5.2.

3.1. Bootloader

In some WCE devices the bootloader can be used as a tool to get a physical image of memory in a WCE device. Some bootloaders already have capabilities for this, sometimes though barred by some security mechanism like a password or insertion of a special memory card. Other devices would need an adapted bootloader to provide the needed functionality for creating a physical image.

A reset on an ARM platform forces the processor to execute the code at the reset vector. The reset vector is the (physical) address from where the first instruction is fetched. For ARM this address generally is 0x0000:0000. At the reset vector there is normally an unconditional jump to the address where the actual bootloader code is located. Bootloaders sometimes have the functionality to copy various types of memory from the device to external media, but the functionality is not always accessible. Because it could facilitate SIM unlocking or other forms of hacking, handset manufacturers make it difficult to access this functionality.

If a bootloader has accessible functionality to read memory, then this is a very safe and fast way of obtaining memory copies. If the bootloader functionality to read memory is not accessible, one can replace the bootloader (risky), patch the bootloader (risky), or find out why the functionality is not accessible, for instance a password block, and find a way around this. All of these steps are time consuming and labor intensive. When applying this method with the objective to search for deleted data, one must be sure to avoid booting into the OS. This might enable the OS to reorganize flash memory, erasing deleted data beyond recovery.

3.2. Heap

A heap is a portion of memory reserved for an application to use to allocate and free memory on a per-byte basis (Microsoft 3). The heap holds variables that are created with OS functions like 'malloc()'². Functions like this return a pointer to the memory chunk offered by the OS, if the requested amount of memory is available.

Investigating the heap of a process can yield very interesting data. Often buffers for various purposes are located on the heap. Think for instance of a buffer for receiving data from other devices like NMEA data from an external GPS receiver, a buffer to hold text that is to be printed on the screen or a scratch pad for email composition.

Once a process no longer needs the memory it has allocated, it will (when well programmed) return the memory to the OS by calling an OS function like 'free()', with a pointer to the memory it wants to return to the OS. On the heap itself however, the data is not changed just because its location is freed to the OS. The only thing that happens is that the memory region is made available to the OS

¹ See for a brief introduction of virtual memory www.windowsfordevices.com/c/a/Windows-For-Devices-Articles/What-is-virtual-memory/.
² The 'c' version of this function is used. Other high level languages might use the heap in other ways. This example is only illustrative.
again. In the heap the status of a memory block (active or free) can be detected.

The software managing the heap will try to keep the heap as clean as possible. When N bytes are requested through a call to 'malloc(N)', the heap manager will try to find a free block (or contiguous free blocks) capable of holding at least these N bytes. It might try to merge small free blocks into a bigger free block by rearranging the heap. This is comparable to the defragmentation process that can be applied to a hard disk. How well the heap manager succeeds in fitting requested blocks in free blocks and how well it defragments will influence the lifetime of data in 'free' blocks. In any case it is possible to find data on the heap, either active or deleted, that is otherwise not available to the user.

3.3. File systems

Most modern WCE devices are equipped with flash memory hosting (T)FAT partitions for user data or firmware extensions, and binary partitions with firmware and bootloader code (Rogers et al., 2005), see Fig. 2. File systems are usually not stored in NAND flash directly. The OS interfaces with a so called Flash Translation Layer (FTL), which takes care of storing file system blocks in NAND flash (Knijff, 2010, p. 390).

[Fig. 2 – Flash memory in WCE devices. On top of the Flash Translation Layer (FTL): a TFAT user data file system and a TFAT custom file system; next to them the firmware and bootloader partitions.]

When analyzing the storage devices at file system level on a WCE device, both binary partitions as well as file system partitions can be found. Under normal use, the only partition interesting for forensic analysis is the partition containing the user file system. This partition usually contains a FAT or a TFAT file system. TFAT is a Transaction Safe variant of FAT (Microsoft 4). As TFAT is transaction safe, sudden power loss, or other interruptions of changes to the file system, will not lead to a corrupt file system.

When looking at a TFAT file system image with a forensic tool like EnCase or FTK, one can notice that the root directory the user sees on the WCE device itself is often not the root directory of the file system. WCE can create a directory called '__TFAT_HIDDEN_ROOT_DIR__' and inside this directory all files and directories are stored that are seen by the user (Microsoft 5). This means that the call
CreateFile("\temp\myfile.dat")
resolves to
CreateFile("__TFAT_HIDDEN_ROOT_DIR__\temp\myfile.dat")

Another noticeable artifact is the presence of many (deleted) file entries called 'DONT_DELnnn', where nnn is a number starting at 000 and counting up. The reason for the presence of these files is not exactly clear at this moment. They might be there to make sure that flash erase blocks that contain parts of File Allocation Tables only contain FATs, and not parts of regular files. If regular files share erase blocks with FATs, changes to such a file will lead to copying that file and possible reallocation of the FATs to other erase blocks, possibly causing performance loss of the file system.

The user on a WCE device doesn't see any of these files or directories, because the file system drivers hide them from the user. When analyzing a WCE TFAT file system image with forensic tools, one can safely ignore the '__TFAT_HIDDEN_ROOT_DIR__' and the 'DONT_DELnnn' entries.

3.4. Databases

In WCE versions earlier than 4.0, all user data was stored in the so called 'object store'. The object store is a database containing the file system, the databases and the registry. The object store lived in RAM; when power failed, all user data was lost. From WCE 4.0 on, the roles are reversed; the file system now hosts the databases and the registry files. In devices where this file system is based on flash memory, user data is less dependent on battery life. Flash based file systems also allow for easier imaging of the file system, compared to RAM based storage. After a flash based file system image has been created from the WCE device, the databases containing user data can be extracted from the image. This can be done with normal forensic tools supporting TFAT; as TFAT is compatible with FAT, most tools will load TFAT images without problems. Once loaded, the two most interesting databases are cemail.vol and pim.vol, both located in the root directory of the file system as seen by the user.

4. WCE forensic investigation

When found during a criminal investigation, a WCE device has to be treated just like any other mobile phone. Mostly, the first goal is to avoid any further changes to the phone as much as possible. Phone data can be changed for instance by incoming calls, received text messages, connecting to WiFi/Bluetooth networks, recorded GPS data and depleted batteries. In order to avoid these changes, the phone should be isolated from the GSM and other networks and from reception of GPS signals, and be powered by an external power supply. A discussion on this subject can be found in Jansen et al. (2007), chapters 5.3 and 6.

Another cause of changes in phone data lies in the phone itself. While on, either in active or quiescent state, the phone's OS is active. The OS might be trying to manage the various types of memory in the phone. The flash file system might rearrange flash pages and erase flash blocks that only contain expired pages. The heap manager might be trying to rearrange the heap structure to join small free items into bigger ones. To stop these processes, the phone has to be powered down, but this is not always wanted, for instance because it might activate the handset security code, hindering logical acquisition of the phone, or activate memory rearranging or garbage collection.

Once connection to networks is properly prevented, data on the WCE device can be acquired. As mentioned already,
Table 1 – Relative risks for data during logical and physical acquisition.

Risks          Physical acquisition                                                   Logical acquisition
               Chip extraction    JTAG                         Bootloader
               (damaged chip)     (damaged PCB, 'bricking')    ('bricking')
Active data    High               High                         High                    Low
Deleted data   High               High                         High                    –
two types of acquisition can be distinguished, physical acquisition and logical acquisition. Depending on the investigation, it has to be decided which of the two has to be done first, because both acquisition types have their own advantages and disadvantages.

Physical acquisition can be a destructive operation. True physical acquisition can mean physically removing memory from the device, using hardware techniques like JTAG to extract data from the device, or using an (adapted) bootloader to gain low level access to the device. Most of the physical data extraction methods hold some risk of destroying data, the device or both.

For WCE devices there are ways to do an acquisition that is somewhere in between a physical acquisition and a logical acquisition. A copy can be made of the flash file system over an ActiveSync connection. This requires a dedicated dll to be loaded into the system under investigation, thus overwriting RAM and possibly flash memory. The result however is an image at file system level and not at flash hardware level. Because of this, only unallocated clusters that reside in active flash pages are in the image. Expired flash blocks that are no longer part of the file system but still might contain data will not be copied. In this paper, this is referred to as pseudo physical acquisition.

Logical acquisition is generally safer for active data. It does not have the risk of losing all active data that is involved in physical extraction. However, setting up an ActiveSync connection to do a logical acquisition can change data related to the ActiveSync connection itself. Another downside is that during logical acquisition deleted data that still resides in the system might be erased beyond recovery. Because logical acquisition uses the system that is being investigated, the processes in the phone that are used during acquisition are using memory, RAM and possibly flash. Another cause of permanent loss of deleted data is active Wear Leveling and Garbage Collection in a working system. Garbage Collection is a phenomenon that occurs in RAM, where blocks of data that are no longer referred to by pointers are freed by the OS and made available for reuse.

Sometimes logical acquisition is not possible, for instance when the device is broken beyond repair, or when the device does not have a standard interface to do the logical acquisition over.

In cases where active data might be enough for the investigation, doing a logical acquisition and a pseudo physical acquisition on a WCE device before doing a physical acquisition is the safest way to go. The risk of changing or destroying some deleted data due to logical acquisition is then regarded as less than the risk of losing all data in a physical acquisition. Table 1 shows relative risks for active and deleted data in physical and logical acquisition. When executed by an experienced investigator, and when a reference model is available, the absolute risks of physical extraction are acceptable.

Physical acquisition might be the only option in cases where there is an active phone lock or a non functioning phone. Physical acquisition methods generally work at a low level and are not hindered by the phone lock. The NAND flash of a broken phone might still be working, allowing physical chip extraction. There might be other situations where it is necessary to first do a physical acquisition; when there is a strong indication that the essential evidence is in deleted data, the risk of overwriting this evidence by switching on the phone and doing a logical acquisition might be considered higher than the risk of losing the evidence through a failed physical acquisition.

5. Physical acquisition

In this section, several methods for getting a forensic image from a WCE device are described. The methods are described in order of forensic soundness. One has to realize that the success of the described methods greatly depends on the experience the investigator has with applying these methods. Incorrectly applying these methods may destroy the WCE device, the data in it, or both.

5.1. Physical chip extraction

In a WCE device, the investigation of the file system residing in flash memory is best done by accessing the flash memory directly. This method ensures that the OS does not interfere with the data in memory. However, this type of acquisition might not be feasible due to lack of the necessary equipment. Section III-C of Breeuwsma et al. (2007) describes how to remove a BGA memory chip from a PCB and subsequently read the content of the memory device. Desoldering the flash memory chip from a WCE device might be an option in the following cases:
- Every risk of losing deleted data has to be eliminated.
- The device is not working anymore.
- There is no (known) possibility for access through JTAG.

This method has some downsides:
- TSOP/BGA rework equipment is required.
- Memory reader equipment is required.
- The memory reader tool might not support the target chip.
- The datasheet of the chip might not be available.

5.1.1. Case example

In an investigation the Police seized a Fiat 500 equipped with a Blue&Me multi media set. Blue&Me is an ''in-car
communication system'', based on WCE for Automotive (BusinessWeek, 2006; Microsoft 6). The investigation required the examination of the content of the device, as it could contain information on GSM handsets paired to the B&M unit, SMS messages received with the handset or MP3 files played with it. As time was limited it was decided not to look at RAM data and only focus on flash memory. Three options for accessing the flash data were identified:
- Acquisition through the USB port on the board
- Acquisition through JTAG
- Desoldering the flash chip

From a Fiat dealer several scrap units were obtained as exemplar devices. On these it was established that the flash chips were of a well known type (Samsung K9F5608U0D-JIBO) and, because of component placement, it was rather easy to do Physical Extraction as described in Breeuwsma et al. (2007). Furthermore, no information could be obtained in reasonable time on how to get access through USB, nor on the JTAG Test Access Points (TAPs) in the device. This led to the decision that desoldering and subsequently reading the memory chip with the NFI Memory Toolkit was the quickest and most sound way to obtain a copy of the flash chip.

This procedure was first tested on the exemplar. The file system of the exemplar was reconstructed from the memory copy and it appeared to contain:
- Bluetooth MAC addresses from devices connected to the B&M set
- Full pathnames of MP3 files played
- Contact lists from paired phones
- Call history

Then the exhibit was processed the same way. It appeared that none of the phones found earlier in the investigation had been paired to the Blue&Me kit, so no further investigation was necessary.

As usual, new knowledge produces new questions: is the above list complete? Probably not. For example, the device is able to read incoming SMS messages out loud, which indicates that received SMS messages will probably be stored in the B&M unit.

5.2. JTAG

In Breeuwsma (2006), a method is described on how to find and use JTAG Test Access Points to obtain copies of memory in JTAG enabled digital devices. In that paper, a WCE device, the HP iPaq h1930, is investigated. It was shown that it is possible to access SDRAM and flash memory in this device.

5.2.1. Case example

In a case we received an HP Hx2790, of which we would like to acquire an image of the internal flash memory, an M-Systems³ DiskOnChip (DoC) G3 type MD4331-d1G-V3Q18X.⁴ After having identified the JTAG pins on the device, and the configuration of the JTAG chain, we searched for tools that would be able to read the DoC. We found a tool set from a Dutch company called JTAG Technologies. Their tool set provides a mechanism to let M-Systems' own utility 'dimage', designed to make an image of a DoC hosted by a PC, communicate with a DoC in another device through the JTAG protocol, as if the DoC is on the same PC as the dimage utility itself (JTAG). In this setup a file system image of the DoC in a WCE device can be made. The Flash Translation Layer is in the tffs⁵ library. It is crucial that the right version of the tffs software is used (Fig. 3). Details of the flash translation apparently change even between minor versions. A 6.3 tffs dll is not capable of reading a 6.2 formatted DoC. As this method offers a file system level image, expired pages within the DoC are not found in the image, although these pages might contain relevant information.

[Fig. 3 – Making a file system image of an M-Systems DoC through JTAG Technologies' tools. Normal situation: dimage → Tffs.dll → DoC, all on PC hardware. JTAG situation: dimage → Tffs.dll → JTAG on PC hardware, connected over JTAG to the DoC in the WCE hardware, so that 'dimage' connects to the WCE DoC through JTAG.]

The result is shown in Fig. 4. The first 0x30 bytes show data indicating this is a dump from an M-Systems device. We also recognize the TFFS version 6.2.20 in this part. Then at offset 0x10C0 a Master Boot Record can be recognized. At offset 0x12C0 the boot sector of a TFAT16 file system is recognized. Loading the image in EnCase is still problematic; this is currently being researched further.

5.3. Bootloader

An example of bootloaders that have been reverse engineered by people at xda-developers.com is the HTC Hermes bootloader (XDA Developer, 2008). Another example is a process where the bootloader is replaced by one with capabilities to copy the TFAT file system (XDA Developer, 2007). The author claims that the command 'fat2sd 3' will copy the internal NAND based file system to SD at file system level. Supposedly the flash translation is being executed by the bootloader, judging from output lines like 'Nand2SDReorder start.'. The output presented on this site looks like a valid Windows CE TFAT root directory, including cemail.vol and pim.vol files. More research is needed to explore the possibilities of these techniques on recent WCE devices.

³ M-Systems was acquired by SanDisk in 2006, see www.sandisk.com/about-sandisk/press-room/press-releases/2006/2006-11-19-sandisk-completes-acquisition-of-msystems.
⁴ M-Systems announced this chip End Of Life (EOL) in October 2005, see www.sandisk.com.tw/Assets/File/OEM/Manuals/eol/mdoc/EOL-DOC-0505.pdf, but the chip is still found in older devices.
⁵ TrueFFS (tffs) is the flash file system developed by M-Systems.
Fig. 4 – Three sections of the image of an M-Systems DiskOnChip from an HP HX2790.
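The layout read by hand from Fig. 4 (an M-Systems text header, a Master Boot Record at 0x10C0 and the boot sector of a (T)FAT16 file system at 0x12C0) and the root-directory artifacts of section 3.3 (the '__TFAT_HIDDEN_ROOT_DIR__' directory and the 'DONT_DELnnn' entries) can both be checked programmatically. The Python program below is an added example and not code from the paper, from M-Systems or from JTAG Technologies: it builds a constructed 32 KiB dump with those two offsets, scans for the MBR, follows the partition entry to the boot sector, reads the BIOS parameter block, walks the root directory (assembling VFAT long names) and classifies the entries. The header text, the partition geometry, the 8.3 aliases and the assumption that the hidden root directory is stored as a long-name entry are constructed for the example; `analyse`, `classify` and the other names are ours.

```python
# Added example, not code from the paper or from M-Systems: find the MBR and the (T)FAT16
# boot sector in a DiskOnChip-style dump laid out like Fig. 4, then classify the root
# directory entries described in section 3.3. All data below is constructed.
import struct

SECTOR = 512
HIDDEN_ROOT = "__TFAT_HIDDEN_ROOT_DIR__"   # directory name from the paper (Microsoft 5)

def lfn_checksum(short11):
    """Checksum linking VFAT long-name entries to their 8.3 entry."""
    s = 0
    for b in short11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s

def dir_entries(long_name, short11, attr, deleted=False):
    """VFAT long-name entries followed by the 8.3 entry; 0xE5 in byte 0 marks deletion."""
    u = long_name.encode("utf-16-le") + b"\x00\x00"
    u = u.ljust(-(-len(u) // 26) * 26, b"\xff")      # 13 UCS-2 chars per long-name entry
    chunks = [u[i:i + 26] for i in range(0, len(u), 26)]
    out = b""
    for seq in range(len(chunks), 0, -1):             # stored with the last chunk first
        c = chunks[seq - 1]
        out += (bytes([seq | (0x40 if seq == len(chunks) else 0)]) + c[:10] + b"\x0f\x00"
                + bytes([lfn_checksum(short11)]) + c[10:22] + b"\x00\x00" + c[22:26])
    out += short11 + bytes([attr]) + b"\x00" * 20
    if deleted:
        out = b"".join(b"\xe5" + out[i + 1:i + 32] for i in range(0, len(out), 32))
    return out

def build_sample_image():
    """Constructed 32 KiB dump: text header, MBR at 0x10C0, boot sector at 0x12C0."""
    img = bytearray(0x8000)
    img[0:0x30] = b"TFFS 6.2.20 (constructed header)".ljust(0x30, b"\x00")
    mbr = bytearray(SECTOR)                           # one FAT16 partition starting at LBA 1
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x06, b"\0\0\0", 1, 56)
    mbr[510:] = b"\x55\xaa"
    img[0x10C0:0x10C0 + SECTOR] = mbr
    bs = bytearray(SECTOR)                            # BIOS parameter block of the file system
    bs[0:11] = b"\xeb\x3c\x90MSWIN4.1"
    struct.pack_into("<HBHBHHBH", bs, 11, SECTOR, 1, 1, 2, 16, 56, 0xF8, 1)
    bs[54:62], bs[510:] = b"FAT16   ", b"\x55\xaa"
    img[0x12C0:0x12C0 + SECTOR] = bs
    root = 0x12C0 + (1 + 2 * 1) * SECTOR             # reserved sector + two one-sector FATs
    entries = (dir_entries(HIDDEN_ROOT, b"__TFAT_~1  ", 0x12)
               + dir_entries("DONT_DEL000", b"DONT_D~1   ", 0x22, deleted=True)
               + dir_entries("DONT_DEL001", b"DONT_D~2   ", 0x22))
    img[root:root + len(entries)] = entries
    return bytes(img)

def find_mbr(img, step=16):
    """Scan for 55 AA at a sector end plus a sane partition entry; the dump's own
    header means the MBR need not be 512-byte aligned (it sits at 0x10C0 in Fig. 4)."""
    for off in range(0, len(img) - SECTOR + 1, step):
        if img[off + 510:off + 512] != b"\x55\xaa":
            continue
        status, _, ptype, _, lba, nsect = struct.unpack_from("<B3sB3sII", img, off + 446)
        if status in (0x00, 0x80) and ptype in (0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E) and nsect:
            return off, lba
    raise ValueError("no MBR found")

def parse_boot_sector(img, off):
    """Read the BPB fields needed to reach the root directory."""
    bps, _spc, reserved, nfats, root_ent, _tot, _med, spf = struct.unpack_from(
        "<HBHBHHBH", img, off + 11)
    if img[off + 510:off + 512] != b"\x55\xaa" or bps not in (512, 1024, 2048, 4096):
        raise ValueError("no boot sector at 0x%X" % off)
    return {"fs_type": img[off + 54:off + 62].decode("ascii", "replace").strip(),
            "root_dir_offset": off + (reserved + nfats * spf) * bps, "root_entries": root_ent}

def read_root_dir(img, root_off, n_entries):
    """Return (name, attr, deleted) per 8.3 entry, assembling VFAT long names."""
    items, pending = [], []
    for i in range(n_entries):
        e = img[root_off + 32 * i:root_off + 32 * (i + 1)]
        if e[0] == 0x00:
            break                                     # end of directory
        if e[11] == 0x0F:                             # long-name fragment, keep for later
            pending.append(e[1:11] + e[14:26] + e[28:32])
            continue
        if pending:
            name = b"".join(reversed(pending)).decode("utf-16-le", "replace").split("\x00")[0]
        else:
            base = e[0:8].decode("ascii", "replace").rstrip()
            ext = e[8:11].decode("ascii", "replace").rstrip()
            name = base + ("." + ext if ext else "")
        items.append((name, e[11], e[0] == 0xE5))
        pending = []
    return items

def classify(entries):
    """Split root entries into what the TFAT driver hides and what the user sees."""
    out = {"hidden_root": None, "placeholders": [], "deleted": [], "user_visible": []}
    for name, _attr, deleted in entries:
        if name == HIDDEN_ROOT:
            out["hidden_root"] = name
        elif name.startswith("DONT_DEL") and name[8:].isdigit():
            out["placeholders"].append((name, deleted))
        elif deleted:
            out["deleted"].append(name)
        else:
            out["user_visible"].append(name)
    return out

def analyse(img):
    """MBR -> partition entry -> boot sector -> root directory, as read by hand from Fig. 4."""
    mbr_off, lba = find_mbr(img)
    boot_off = mbr_off + lba * SECTOR
    bpb = parse_boot_sector(img, boot_off)
    root = read_root_dir(img, bpb["root_dir_offset"], bpb["root_entries"])
    return {"mbr_offset": mbr_off, "boot_offset": boot_off, "fs_type": bpb["fs_type"],
            **classify(root)}

if __name__ == "__main__":
    print(analyse(build_sample_image()))
```

On the constructed dump `analyse` reports the MBR at 0x10C0 and the boot sector at 0x12C0, the hidden root directory, and the two DONT_DEL placeholders (one deleted, one active) while the user-visible list stays empty, which is the picture section 3.3 describes: everything the user sees lives under the hidden root. On a real dimage output the scan step and partition-type list may need widening, and a tool that refuses the image (as EnCase did here) can be checked against these offsets first.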
5.4. Pseudo physical acquisition
There are several tools available for doing pseudo physical acquisition. In this paper, the focus is on RAPI tools. XACT is well documented and not dealt with much deeper here. The RAPI tools are not specifically designed for forensic acquisition, so the use of these tools in a forensic context requires special care.

5.4.1. XACT
As of version 3.3 XACT supports the acquisition of the WCE file system, but for this it needs to load an ‘agent’ onto the device under investigation. The user has the option to store the agent on an external storage card, avoiding unnecessary changes to the device file system. Then the agent needs to be loaded into RAM to be able to be called by the ActiveSync server, thus overwriting unallocated RAM. The result of an acquisition with XACT is a file system level copy of the device.

5.4.2. RAPI tools
Another set of tools that can be used to obtain images from a live WCE device are the so called RAPI tools, developed by Hengeveld (2009). This toolset is a collection of some 30 command line programs which can be executed on a PC and that operate on the WCE device over an ActiveSync connection. All commands communicate with the RAPI server which is running on the WCE device. Some tools only use the native API that the RAPI server provides, other tools need to have more advanced access and these use a helper library called ‘itsutils.dll’. This library will be copied onto the WCE device and loaded into memory by the RAPI server process. The tool can then access specialized functions in the helper library. Fig. 5 shows this; the RAPI server interacts with the WCE device directly through the API functions (dotted arrow), and through the helper dll (dashed arrow).

Fig. 5 – Software architecture of RAPI tools.

In early versions of the RAPI tools, the dll was always copied into the directory \Windows. As of RAPI tools version 080731, the location on the WCE device where the helper library is copied to can be changed by adding a key to the PC’s registry:

HKEY_CURRENT_USER\software\itsutils
devicedllpath = "\Storage Card\itsutils.dll"

Also, itsutils.dll can write messages to a log file. By default, logging is off and when on, the log file is written to root. Adding another key will set the log file destination and switch logging on or off:

HKEY_CURRENT_USER\Software\itsutils
devicelogpath = "\Storage Card\itsutils.log"
logtype = dword:00000002

Log type has the following meaning: 0: no logging, 1: kernel log, 2: file. The above allows for copying ‘itsutils.dll’ and writing the log file to a memory card instead of the internal flash memory of the WCE device, thus avoiding overwriting unallocated flash pages in the WCE device.

Any non-signed executable on a WCE device will only run after permission by the user. So for the helper dll to be loaded, the user has to give permission on the screen. Furthermore, a WCE device can be configured so that there are restrictions on the execution of code through RAPI calls. To change restricting policies, one value in a registry key has to be changed. For this several options are available. One option is to use the RAPI tool ‘prapi’ with the command line option -p 4097 1. This will set the registry key 0x1001 (4097d) in [HKLM\Security\Policies\Policies] to 1 (Hengeveld). Some devices do not allow this key to be set through RAPI. Then a registry editor on the WCE device itself could be used to manipulate this key. If one doesn’t want to install a full blown registry editor, a small command line program could be created that just opens the registry key ‘‘Security\Policies\Policies’’ in HKLM by calling ‘‘RegCreateKeyEx’’ and subsequently sets registry value 0x1001 = 1 by calling ‘‘RegSetValueEx’’. This program could then be loaded from an SD memory card, minimizing changes to RAM usage.

Whichever method is chosen, some data on the target device will be changed. This might be violating the rule that ‘‘No actions performed by investigators should change data contained on digital devices or storage media that may subsequently be relied upon in court’’ (ACPO). But as there often is no feasible alternative, the evidentiary implications of the changes should be evaluated first (maybe data related to the ActiveSync connection is not relied upon in court) and only after accepting the implications, the method can be applied.

The following sections discuss some useful RAPI tools.

5.4.2.1. pps. With the pps tool, all processes in the WCE device can be listed. This is particularly interesting because the native WCE Task Manager does not show all processes. As shown in Figs. 6 and 7, pps shows a complete list of all processes running on the WCE device, whereas Task Manager only shows a few.

Fig. 6 – Screen capture of WCE 5.2 Task Manager on an HTC Blackstone100.
Fig. 7 – pps executed on the same device.
Fig. 8 – Making a copy of the working memory of the tmail.exe process on a WCE device.
5.4.2.2. pmemdump. With the exact names of the processes in the listing in Fig. 7, a dump of the working memory of a process can be made. The tool has several options for this. The most straightforward way is to make a complete dump. Processes in WCE <6.0 have a process space of 32 MB. Not all of this space is actually backed by physical memory, but one can make a 32 MB dump of the processes in the pps list. Fig. 8 shows how a copy is made of the RAM used by the process tmail.exe. The copy is 32 MB in size and stored in a file tmail.exe.bin. One of the interesting parts inside a dump like this is the heap. In Section 6.1, it will be shown how to find the heap inside a memory dump and how to analyze the heap.

5.4.2.3. pdocread. pdocread can be used to make a copy of partitions on storage devices inside a WCE device. Originally it was aimed at copying the M-Systems DiskOnChip managed NAND flash chips that were found in many smart phones. The program grew into a versatile tool to make copies of managed NAND flash of manufacturers like Samsung and Qualcomm.

The first step is to find out what partitions are present at the WCE device. This can be done by running ‘pdocread -l’. In Fig. 9 this command is given to an HTC S730. In Fig. 9 one can see that there are 4 partitions in this particular device; these are the partitions pointed out in Section 3.3. We are mainly interested in the partition containing user data. The file system of the partition will be TFAT or FAT. As the file system type is stored in the boot sector of the partition, let’s look at the first 0x200 bytes of each partition. The easiest way is to use the handle references #0 through #3, listed in the four rows right below ‘STRG handles’.

In Fig. 10 we see three attempts to read the first page. The first attempt fails because in this case the tool tries to read a DiskOnChip memory, which apparently is not present on this WCE device. The second attempt fails; with the ‘-w’ option, the tool now reads through the generic Windows file system API and not the DoC API, but still, the block size isn’t specified correctly. The third attempt succeeds; here the block size is specified as 0x800 bytes, which is the correct value here and a very common value in many WCE devices. In these first 0x200 bytes, a regular boot sector can be found. Notice that the file system type here is TFAT. In the listing of the partitions in Fig. 9, we can see that the partition under handle #0 has a size of 133.00 MB, which is 0x8500000 bytes. This size will be used to make a full copy of this partition.

In Fig. 11 the next three partitions are checked. In none of these a regular file system is recognized, so they will be left alone. In Fig. 12 finally a full image of the partition under handle #0 is made. The output is sent to the file htc_wing220_h0.bin. In Fig. 13 the dump is shown. Here we have a TFAT32 partition, with a sector size of 0x800 bytes.

6. Forensic analysis of the physical image
In this section we are going to analyze the images and dumps from various sources that we have found in the previous section.
Fig. 9 – Output of pdocread, listing all partitions in a WCE device.
Fig. 10 – Output of pdocread, trying to dump the first 0x200 bytes of partition #0.
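The boot-sector check that Figs. 10 and 11 perform by eye, as an added Python example that is not part of the paper or of the RAPI tools: it takes the first 0x200 bytes of a partition dump, validates the FAT BIOS Parameter Block (jump opcode, 0x55AA signature, plausible sector size) and reports the file system label and partition size, returning None where no regular file system is recognized. The sample boot sector is constructed here and only mirrors the values the text quotes (0x800-byte sectors, 0x8500000 bytes, a TFAT label); where the TFAT label sits in a real CE boot sector is an assumption, so both standard label positions are checked.

```python
import struct
from typing import Dict, Optional

PROBE_SIZE = 0x200   # the paper inspects the first 0x200 bytes of each partition
VALID_SECTOR_SIZES = (0x200, 0x400, 0x800, 0x1000)


def parse_boot_sector(buf: bytes) -> Optional[Dict[str, object]]:
    """Decide whether a partition dump starts with a FAT-family boot sector.
    Returns the BPB fields of interest, or None when no regular file system is
    recognized (the Fig. 11 case). Offsets are those of the standard FAT BPB."""
    if len(buf) < PROBE_SIZE:
        return None
    if buf[0] not in (0xEB, 0xE9) or buf[510:512] != b"\x55\xAA":
        return None                                   # no jump opcode / no boot signature
    bytes_per_sector = struct.unpack_from("<H", buf, 11)[0]
    sectors_per_cluster = buf[13]
    if bytes_per_sector not in VALID_SECTOR_SIZES or sectors_per_cluster == 0:
        return None
    # 16-bit total at offset 19, or the 32-bit total at offset 32 when that one is zero
    total_sectors = struct.unpack_from("<H", buf, 19)[0] or struct.unpack_from("<I", buf, 32)[0]
    # File system label: offset 0x36 in FAT12/16 layouts, 0x52 in FAT32 layouts
    labels = [buf[o:o + 8].decode("ascii", "replace").strip() for o in (0x52, 0x36)]
    fs_type = next((lbl for lbl in labels if "FAT" in lbl), None)
    if fs_type is None:
        return None
    return {"oem": buf[3:11].decode("ascii", "replace").strip(), "fs_type": fs_type,
            "bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "size_bytes": total_sectors * bytes_per_sector}


def make_boot_sector(bytes_per_sector: int, total_sectors: int, label: bytes,
                     label_offset: int = 0x52) -> bytes:
    """Constructed sample boot sector (not from a real device) with the given BPB values."""
    bs = bytearray(PROBE_SIZE)
    bs[0:3] = b"\xEB\x3C\x90"                         # short jump + nop
    bs[3:11] = b"MSWIN4.1"                            # OEM name
    struct.pack_into("<H", bs, 11, bytes_per_sector)
    bs[13] = 8                                        # sectors per cluster
    struct.pack_into("<I", bs, 32, total_sectors)     # 32-bit total sector count
    bs[label_offset:label_offset + 8] = label.ljust(8)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)
```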
6.1. Flash
6.1.1. Reconstructing the file system
Breeuwsma et al. (2007), section IV-A describes how to reconstruct the file system from a physical acquisition of a NAND flash chip. This principle is also applicable to WCE devices. In the WCE devices that we have come across, the file system could be reconstructed rather easily. Data in NAND flash is organized in pages. We have come across page sizes of 0x210 and 0x840 bytes. When the page size is 0x210, usually the last 0x10 bytes are the spare area. In the spare area, bytes 0–3 indicate the Logical Block Number (LBN), and byte 6 indicates the state of the page. The state can be either: free (0xff), busy (0xf9) or expired (0xf8). With the following pseudo code the pages can be reordered to form a valid TFAT image.

- While possible:
  - Get the file offset
  - Read 0x210 bytes
  - State = byte at 0x206
  - LBN = bytes at 0x200 through 0x203
  - If state is 0xf9, store (file offset, LBN) → active pages list
  - If state is 0xf8, store (file offset, LBN) → expired pages list
  - If state is 0xff, store (file offset, LBN) → free pages list
- Sort active pages list by LBN
- While pages in active pages list:
  - Goto offset of page
  - Read 0x200 bytes
  - Gap = LBN - previous LBN
  - If gap > 1:
    - While gap > 1:
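The page-reordering pseudo code above, carried through as an added Python example that is not from the paper: pass one buckets every 0x210-byte page by its spare-area state as (file offset, LBN), pass two concatenates the data areas of the active pages in LBN order. The paper's pseudo code is cut off at the gap step, so padding each missing LBN with a 0xff-filled page, and reading the LBN little-endian, are assumptions; the sample dump is constructed.

```python
import struct
from typing import Dict, List, Tuple

# Layout as described in Section 6.1.1: 0x200 data bytes followed by a 0x10-byte spare area
PAGE_SIZE, DATA_SIZE = 0x210, 0x200
STATE_ACTIVE, STATE_EXPIRED, STATE_FREE = 0xF9, 0xF8, 0xFF
_STATE_NAMES = {STATE_ACTIVE: "active", STATE_EXPIRED: "expired", STATE_FREE: "free"}


def make_page(lbn: int, state: int, data: bytes) -> bytes:
    """Build one constructed 0x210-byte page: data, then a spare area with the LBN at
    bytes 0-3 and the state at byte 6. Little-endian LBN is an assumption; the paper
    gives the byte positions only."""
    spare = bytearray(b"\xff" * (PAGE_SIZE - DATA_SIZE))
    struct.pack_into("<I", spare, 0, lbn)
    spare[6] = state
    return data.ljust(DATA_SIZE, b"\x00")[:DATA_SIZE] + bytes(spare)


def index_pages(dump: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """Pass 1: walk the raw dump page by page and bucket each page by state."""
    idx: Dict[str, List[Tuple[int, int]]] = {"active": [], "expired": [], "free": []}
    for off in range(0, len(dump) - PAGE_SIZE + 1, PAGE_SIZE):
        lbn = struct.unpack_from("<I", dump, off + DATA_SIZE)[0]   # spare bytes 0-3
        state = dump[off + DATA_SIZE + 6]                          # spare byte 6
        name = _STATE_NAMES.get(state)
        if name is not None:            # any other state byte is left out of all lists
            idx[name].append((off, lbn))
    return idx


def rebuild_image(dump: bytes, fill: int = 0xFF) -> bytes:
    """Pass 2: concatenate the data areas of the active pages in LBN order. For every
    missing LBN a page of `fill` bytes is emitted (assumption: the paper's pseudo code
    is cut off inside this step), so file-system offsets stay correct."""
    out = bytearray()
    prev_lbn = -1
    for off, lbn in sorted(index_pages(dump)["active"], key=lambda p: p[1]):
        gap = lbn - prev_lbn
        while gap > 1:
            out += bytes([fill]) * DATA_SIZE
            gap -= 1
        out += dump[off:off + DATA_SIZE]
        prev_lbn = lbn
    return bytes(out)
```

Expired pages are indexed but never written to the image; they are where deleted content survives and are worth a separate pass.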
Fig. 11 – Output of pdocread, dumping the first 0x200 bytes of partition #1 through #3.
Fig. 12 – Making a full image of partition #0.