Pulling criminal evidence from PDAs

From NIST:
Helping investigators gather crime evidence from PDAs

Tech-savvy criminals are just as likely as anyone else to use high-tech devices, such as personal digital assistants (PDAs), to help keep track of their activities. PDAs are relatively inexpensive and highly portable and can store documents, spreadsheets, databases and many other resources usually associated with a laptop or desktop computer. When these devices are used in a crime, law enforcement investigators need to know how to find, properly retrieve and examine the information they store, even if the criminal tried to hide or delete the data.

Researchers from the National Institute of Standards and Technology recently examined a number of software tools designed to acquire information from operating systems used in most PDAs: Palm OS, Microsoft Pocket PC and Linux. The researchers examined the tools in a range of situations commonly encountered during a forensic examination of PDAs. For example, the researchers wanted to determine if tools could find information, including deleted information, associated with applications such as calendars, contacts and task lists. The tools also were examined to see if someone could obtain the user’s password and gain access to the contents of the device.

NIST’s review of the current state of the art of forensic software, PDA Forensic Tools: An Overview and Analysis (NISTIR 7100), will help investigators better understand the capabilities and limitations of these software tools. Sponsored by the Department of Homeland Security, the study was not intended to be exhaustive or serve as a formal product evaluation but to complement the more rigorous specifications and test methods being developed as part of the Computer Forensics Tool Testing project. The CFTT is a joint effort of NIST, the National Institute of Justice, and law enforcement organizations. For more information on the CFTT, see http://www.cftt.nist.gov/. The report is available at http://csrc.nist.gov/publications/nistir/index.html#ir7100.

A companion NIST report, which provides more detailed procedures on preserving, examining, analyzing and reporting of digital evidence on PDAs, will be available soon. A draft of this publication, Guidelines on PDA Forensics, is available at http://csrc.nist.gov/publications/drafts.html#sp800-72.

