SANS Digital Forensics and Incident Response Blog: Category - Mobile Device Forensics

Examining Windows Mobile Devices Using File System Forensic Tools

Windows Mobile file systems have similarities with other Microsoft operating systems that make for an easy transition into mobile device forensics for anyone who has performed forensic examinations of Windows computer systems. As with a desktop or laptop computer, Windows Mobile devices retain substantial information about user activities that can be relevant in a digital investigation involving Web browsing, user created files, and Windows registry entries.

Windows Mobile uses a variation of the FAT file system called the Transaction-safe FAT (TFAT) file system, which has some recovery features in the event of a sudden device shutdown. Here is the volume information of a memory dump from a Windows Mobile device, showing that it is FAT.

$ fsstat SamsungBlackjack.bin

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16
OEM Name:

... Continue reading Examining Windows Mobile Devices Using File System Forensic Tools


SANS Mobile Device Forensics

sec563_8_785x90

The debut of SANS SEC563 Mobile Device Forensics course in Baltimore this month was very well-received. Attendees included information security professionals from private sector organizations, as well as forensic practitioners and government and law enforcement. Reactions from attendees demonstrate the value and practical usefulness of this course.

- CFE Graham Boyanich, #9996

...


Acquiring Data from Windows Mobile Devices

During the debut of SEC563 Mobile Device Forensics last week, Eugene Libster from ManTech brought to my attention the open sourceitsutils package for extracting from Windows Mobile devices. Components of this package, psdread and pdocread, can acquire more data from Windows Mobile devices than many commercial forensic tools, but there are several issues that forensic practitioners need to understand before using these utilities on an evidentiary device.

First, acquiring data using these utilities creates files on the device, necessarily overwriting data. Specifically, an executable file named "itsutils.dll" is copied onto the device, and an error log"itsutils.log"is created on the device. Second, these tools acquire data through a hardware

...


MIAT for Symbian & Windows Mobile Forensics

I recently became interested in mobile device forensics. This area covers a lot of ground, but a particularly interesting subfield is the forensics of Windows Mobile. As far as I was able to discover, not much has been written about this, which makes it perfect for a blog posting.

After a significant amount of Google research, I found a paper presented at the 2008 DFRWS conference. In it, the authors discuss a Mobile Internal Acquisition Tool, MIAT. They created this tool for extracting files from Smartphones running Symbian or Windows Mobile, and saving them to removable media. Another reference to the same work is presented here.

I was unable to locate a download site for the tool, so I contacted one of the presenters, Alessandro Distefano, as

...


Dealing with PC Guardian's Encryption Plus Hard Drive (EPHD)

Dealing with EPHD, or PC Guardian's Encryption Plus is not too bad provided it has been setup correctly. By being setup correctly, I mean that the PC administrators have created an account that anyone can use to get past the hard drive encryption. This account and password needs to be treated just like the admin account. Only those people who need to know it, should have the userid and password.

On a side note: If your corporation has not implemented for your laptops and mobile devices, I have to ask why not? Hard drive encryption is much cheaper to implement then letting your corporate secrets and customer data out into the public.

Before We Begin

Before doing anything talk with your management and legal with regard to how they want you to proceed with imaging the encrypted devices. They may feel that this methodology is not right for them. The other aspect to be aware of is do you image the drive in its encrypted state and then use the

... Continue reading Dealing with PC Guardian's Encryption Plus Hard Drive (EPHD)