Abstract
Data hiding creates serious problems for digital forensic practitioners attempting to recover evidence. It is possible to conceal large amounts of sensitive data in handheld devices in a manner that prevents their recovery using standard forensic tools. This paper describes a technique for recovering data stored in the slack memory of Windows CE based devices. A case study involving data hiding in a Toshiba E740 PDA is discussed.
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Savoldi, A., Gubian, P. (2008). Data Recovery from Windows CE Based Handheld Devices. In: Ray, I., Shenoi, S. (eds) Advances in Digital Forensics IV. DigitalForensics 2008. IFIP — The International Federation for Information Processing, vol 285. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-84927-0_18
DOI: https://doi.org/10.1007/978-0-387-84927-0_18
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-84926-3
Online ISBN: 978-0-387-84927-0
eBook Packages: Computer Science (R0)