Re: Forensics on Palm Devices

From: Eoghan Casey (eoghan.caseyat_private)
Date: Tue Oct 02 2001 - 07:34:59 PDT

    Shue,
    
    The PalmOS does not have a file system as such. It uses "databases" as
    described at:
    
    http://oasis.palm.com/dev/kb/faq/FileFormat/PDB+PRCFormat.cfm
    
    Don't get too excited about the time stamps. You can fabricate a
    database with any date stamp and load it into a device (the modified
    time will be updated but the creation and backup times will remain
    forged).
    
    To become more familiar with the inner workings of the PalmOS, I
    recommend obtaining the Palm Debugger and Emulator from the Palm
    developers site (http://oasis.palm.com/dev/kb/). Also, spend some time
    looking through the Knowledge Base articles. Another useful toolset is
    pilot-link on Unix.
    
    In some instances it may be necessary to access the hardware directly
    to capture all evidence. Extending this thought, has anyone come across
    tools that access the DragonBall processor directly to reach into Flash
    memory beyond what is accessible via the Palm API?
    
    Eoghan Casey
    Information Security Office
    Yale University
    
    Shue David R Contr AFRL/IFGB wrote:
    > 
    > Hello,
    > I stumbled upon this address doing research. I am looking for Palm
    > information (specifically Windows CE and Palm) to get a better understanding
    > of the forensic part of them.  I am looking for directory structure, and
    > what makes them work internally.  Dealing with their storage mediums, slack
    > space, and pretty much anything forensic wise dealing with their memory
    > storage.  If you could direct or help me in any way that would be much
    > appreciated.  Thanks for your time.
    > 
    > David
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 07:38:32 PDT
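
Added example, not part of the original message: a Python sketch that reads the creation, modification and backup dates from a PDB header and flags inconsistent ones, illustrating why the message says not to rely on them. The field layout follows the standard 78-byte PDB header; the epoch heuristic, the 1996 cutoff, the helper names and both sample headers are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# 78-byte big-endian PDB/PRC header: name[32], attributes, version,
# creation, modification, lastBackup, modNumber, appInfoID, sortInfoID,
# type[4], creator[4], uniqueIDSeed, nextRecordListID, numRecords
HEADER = struct.Struct(">32sHHIIIIII4s4sIIH")
PALM_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def palm_time(raw):
    """Convert a header timestamp to UTC; 0 means the field was never set."""
    if raw == 0:
        return None
    # Assumption: top bit set => seconds since 1904 (Palm OS convention),
    # otherwise Unix time as written by some desktop tools.
    base = PALM_EPOCH if raw & 0x80000000 else UNIX_EPOCH
    return base + timedelta(seconds=raw)

def parse_header(data):
    if len(data) < HEADER.size:
        raise ValueError("truncated PDB header")
    f = HEADER.unpack_from(data)
    return {"name": f[0].split(b"\0", 1)[0].decode("latin-1"),
            "created": palm_time(f[3]), "modified": palm_time(f[4]),
            "backed_up": palm_time(f[5]), "type": f[9], "creator": f[10]}

def timestamp_anomalies(h, earliest=datetime(1996, 1, 1, tzinfo=timezone.utc)):
    """Flag header dates that contradict each other or the platform's age."""
    notes = []
    c, m, b = h["created"], h["modified"], h["backed_up"]
    if c and m and c > m:
        notes.append("created after modified")
    if c and b and b < c:
        notes.append("backed up before created")
    for label, t in (("created", c), ("modified", m), ("backed_up", b)):
        if t and t < earliest:  # cutoff is an assumption; adjust per case
            notes.append(label + " predates platform")
    return notes

def build_header(name, created, modified, backed_up):
    """Constructed sample input: pack a header with caller-chosen dates."""
    secs = lambda t: int((t - PALM_EPOCH).total_seconds())
    return HEADER.pack(name.encode(), 0, 0, secs(created), secs(modified),
                       secs(backed_up), 0, 0, 0, b"DATA", b"test", 0, 0, 0)

def utc(y, mo, d):
    return datetime(y, mo, d, tzinfo=timezone.utc)

FORGED = build_header("ForgedDB", utc(1990, 1, 1), utc(2001, 10, 2), utc(1990, 1, 2))
PLAUSIBLE = build_header("MemoDB", utc(2001, 9, 1), utc(2001, 10, 2), utc(2001, 9, 15))
```

The second sample passes every check even though its dates were chosen by hand, so a clean result here is not evidence that the header dates are genuine; corroborate them against record contents and desktop-side backup copies.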