Forensic Acquisition for Windows Mobile Pocketpc
Total Page:16
File Type:pdf, Size:1020Kb
MIAT-WM5: FORENSIC ACQUISITION FOR WINDOWS MOBILE POCKETPC Fabio Dellutri, Vittorio Ottaviani, Gianluigi Me Dip. di Informatica, Sistemi e Produzione - Universita` degli Studi di Roma “Tor Vergata” Via del Politecnico 1, 00133 Rome, Italy Email: fdellutri,ottaviani,[email protected] KEYWORDS nectors for every single mobile device. In fact, current Mobile Forensics, Data Seizure, PDA, PocketPC, Win- acquiring tools, adopted by forensic operators, extract the dows Mobile internal memory remotely (typically via USB), with pro- prietary mobile phone connectors: a forensic tool run- ning on a laptop is connected with the target device and, ABSTRACT using the OS services, it extracts the data like SMS, A PocketPC equipped with phone capabilities could be MMS, TODO list, pictures, ring tones etc. This approach seen as an advanced smartphone, providing more com- has the advantage putational power and available resources. Even though several technologies have emerged for PDAs and Smart- • to minimize the interaction with the device and phones forensic acquisition and analysis, only few tech- • to automate the procedure of the interpretation of nologies and products are capable of performing foren- the seized data. sic acquisition on PocketPC platform; moreover they rely on proprietary protocols, proprietary cable-jack and pro- However, the main disadvantage is the partial access of prietary operating systems. This paper presents the Mo- the file system, which relies on the communication pro- bile Internal Acquisition Tool for PocketPC devices. The tocol. As discussed above, since many protocols are pro- approach we propose in this paper focuses on acquir- prietary, we can not see how many effects the data ex- ing data from a mobile device’s internal storage memory, changed have on the memory status. For this reason, copying data to an external removable memory (like SD, we have developed a tool to acquire mobile phone mem- mini SD, etc.). Such task is performed without the need ory by a SD/MMC (Secure Digital / MultiMediaCard) of connecting the device to PC. Thanks to this, foren- memory inserted in the available mobile phone SD/MMC sic operators could avoid to travel with luggage plenty of slot, called MIAT (Mobile Internal Acquisition Tool) for one-on-one tools for every single mobile device. Finally, Symbian (Me et al., 2008). In the fourth quarter of we will show some experimental results, comparing this 2007, Canalys estimated that Symbian had a 65% share methodology with standard products on real world de- of worldwide converged device shipments, ahead of Mi- vices. crosoft on 12% and RIM on 11% (Canalys, 2007). In this paper we present the MIAT for the PocketPC platform INTRODUCTION running Windows Mobile (MIAT-WM5), which cannot be considered, roughly, as a porting because of the differ- The mobile phone can be considered the ultimate dis- ences between Symbian and Windows Mobile operating ruptive technology: in fact, like telephony, radio, tele- systems. For this reason, the MIAT-WM5 takes advan- vision, and the Internet, mobile phones are dramatically tage of Windows Operating system characteristics (e.g. changing nearly every aspect of daily life, both inside filesystem, memory management etc) to maximize the businesses and in the daily lives of individuals, providing outcome of the acquisition phase for Windows devices. more applications and collecting more private data. The enriched capabilities of new smartphones (118 million in 2007, Canalys), such as multi-connectivity (HDSPA, STATE OF ART Bluetooth, IR, WLAN) and multimedia recording, make The term PocketPC refers to a Microsoft specification the content of the mobile device memory very interest- that sets various hardware and software requirements for ing from a criminal investigation perspective. In par- a handheld-sized computer (PDA, Personal Digital As- ticular, the growing prominence of forensic sciences, sistant) that runs the Windows Mobile operating system in the investigation chain, led to a broad use of foren- (Wikipedia, Pocket PC definition). As reported in Ta- sic tools to acquire mobile phone memory content, to ble 1, many tools perform forensic operations on a PDA. witness the evidence of a crime. However, as rule of However, as Ayers et al. assert in (Ayers et al., 2007, thumb, the crime-scene usually offers many different mo- 2004, 2005), the only NIST certified tool on a Pock- bile phone/smartphone models, causing the forensic op- etPC is Paraben’s PDA Seizure. Such tool performs data erators to be overwhelmed by using the one-on-one con- seizure of internal memory in a remote way. Actually, the Proceedings of the 2008 High Performance Computing & Simulation Conference ©ECMS Waleed W. Smari (Ed.) ISBN: 978-0-9553018-7-2 / ISBN: 978-0-9553018-6-5 (CD) Currently, the memory is split in two section (see Fig- Table 1: PDA forensic tools Palm OS PocketPC Linux PDA ure 1): the RAM is aimed to hold running processes pdd Acquisition NA NA data, whereas the ROM keeps core OS code and libraries Pilot-Link Acquisition NA NA (called modules), the registry, databases and user’s files. PDA Seizure Acquisition, Acquisition, NA Such memory, also called Persistent Storage and con- Examination, Examination, Reporting Reporting tained within a flash memory chip, can be built using EnCase Acquisition, NA Examination, many different technologies (Santarini, 2005): Examination, Reporting Reporting • XIP model, based on NOR memory and volatile POSE Examination, NA NA memory, this technology enables device to store Reporting dd NA NA Acquisition modules and executables in XIP (execute-in-place) format and allows the operating system to run appli- cations directly from ROM, avoiding to copy them forensic tool is connected to a device by cradle or USB first in the RAM section. NOR memory has poor cable and, through the Microsoft’s ActiveSync protocol, write performance. it extracts data such as user’s files, call logs, SMS, MMS, TODO list, etc. This approach has the advantage to min- • Shadow model, which boots the system from NOR imize the interaction towards the device and to automate and uses a NAND for the storage. This model is the process of seized data interpretation. The main dis- power-expensive, because the volatile memory re- advantage relies on the protocol closeness: we are not quires to be constantly powered on. able to measure any memory alteration caused by data • NAND store and download model, which re- exchange. Moreover, to perform the acquisition process, duces costs replacing NOR with OTP (one-time pro- PDA seizure degrades the evidence putting a dll file in grammable) memory model. the device’s file system. • Hybrid store and download model, which mixes POCKETPC INTERNAL MEMORY AND STOR- SRAM and NAND, covering them with a NOR-like AGE ARCHITECTURE access interface (to support XIP model). In Windows Mobile 2003 PocketPC and earlier, device’s Windows Mobile 5 and above place the great part of memory was split in two sections: a ROM section, con- the applications and system data in the Persistent Stor- taining all operating system core files, and a RAM sec- age. Core OS files, user’s files, databases and registry tion aimed in keeping the user storage (Storage Mem- are seen by applications and users in the same file system ory) and the memory space for running applications and tree, which is hold and controlled by the FileSys.exe pro- their data (Program Memory). The user can choose the cess. Such process is also responsible for handling the amount of memory to be reserved to Storage Memory Object Store, which maps objects like databases, registry and then to the Program Memory. The RAM chip was and user’s files in a contiguous heap space. The Object built on a volatile memory scheme, so a backup bat- Store’s role is to manage the stack and the heap mem- tery was required to keep the RAM circuitry powered ory, to compress and to expand files, to integrate ROM- up, even if the device was just suspended. In case bat- based applications and RAM-based data. For a com- tery power supply went down, all user’s data were lost. prehensive explanation about how Windows Mobile uses Such scenario forced user to recharge battery within a the Object Store and manages linear flash memory, see time limit of 72 hours (as mandatory by Microsoft to de- (Microsoft, Linear Flash Memory Devices on Microsoft vices manufacturers). Windows CE.) and (Microsoft, The Windows CE 5.0 Ob- Since Windows Mobile 5, memory architecture was ject Store.). redesigned to implement a non-volatile user storage. The strategy for storing data is based on a transactional model, which ensures that store is never corrupted after RAM ROM a power down while data is being written. Finally, the Storage Manager manages storage devices and their file 64M 64M systems, offering a high-level layer over storage drivers, partition drivers, file system drivers and file system fil- ters. Core OS Stuff User Storage 32M 32M OUR METHODOLOGY The approach we propose in this paper focuses on acquir- Memory sizes reported could change among different PPC models. ing data from a mobile device’s internal storage memory, copying data to an external removable memory (like SD, Figure 1: Windows Moble 5.0 memory architecture. mini SD, etc.). Such task is performed without the need Remove the has been done, SIM card could be removed and analysed Start memory card with specific tools (Oxygen Software, Forensic; Casadei yes et al., 2005). Put the Is there a Make Memory device in a IMPLEMENTATION DETAILS memory card no card for seizure Faraday plugged-in? and insert it in cage We have chosen to develop the application using a native C++ approach, fulfilling the requirement of having a tool to be launched from an external memory card, without the need of a pre-installed runtime environment (like java Is the device turn it on no virtual machine), neither the need to install the tool on turned on? the device.