8/9/2019 IFIP-WG-11-savoldi
1/15
Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics, 27-30 January 2008, Kyoto, Japan
Antonio Savoldi, Department of Electronics for Automation, University of Brescia, Italy
DATA HIDING AND RECOVERY ON WINCE-BASED HANDHELD
2/15
WinCE-based handheld devices
WinCE OS characteristics
How to collect the whole memory content
Hardware and software approaches
Imaging tools have been used
Data Hiding and Recovery in ROM/RAM
27-30/01/2008 IFIP WG 11.9 Digital Forensic Conference
3/15
Portable Digital Assistant
Different types of media: e-mails, users' contacts, pictures, videos
Different hardware capabilities: 128-256 Mb of RAM; 64-128 Mb of ROM (NAND, NOR)
Many wireless built-in capabilities: WiFi, Bluetooth, HSDPA, UMTS, GPS
4/15
Steganographic techniques applied at the
  Within images, audio files
  By using the slack space
  RAM (by addressing arbitrary blocks, stealth malware techniques)
Covert channels creation
  Covert storage channels
  Covert timing channels
5/15
Supported by different embedded processors: Xscale, MIPS, ARM, Hitachi SH
Used for small scale factor devices
Real-time OS, multitasking, multithreaded, deterministic interrupt latency
Different WinCE flavors: AutoPC, PocketPC 2000/2002, Mobile 2003, 5.0-6.0
RAM is divided in two blocks:
  Object store: … virtual …
  Program memory: heap and stack for program in execution
6/15
WinCE deals at most with 32 processes, each one …
User space
7/15
How to access the memory content?
Common interface to access a WinCE device from …
Manipulation of the file system, mounted volumes
Direct access to the memory content (RAM/ROM)
8/15
Physical acquisition: JTAG interface, …
  The whole raw content can be recovered
  Expensive, time consuming
Logical acquisition:
  Embedded OSes provide interfaces to access directly the memory (Palm, WinCE, Symbian)
  Integrity problem: Locard's exchange principle
9/15
How to collect the whole ROM and RAM
…, 2002
Open source bundle of tools provided by xda
Pmemdump.exe virtual_address block_size
Virtual_address for the ROM = 0x80000000
10/15
Pmemmap.exe (virtual to physical mapping): each block is mapped to the corresponding physical block
  v80000000-80400000 pa0100000-a0500000 4096 Kbytes
  v80400000-82000000 pa0400000-02000000 28672 Kbytes
The entire ROM, 32 Mbytes, can be gathered
11/15
  v90500000-94000000 pa0500000-a4000000 60 Mbytes
  v98000000-9c000000 p2c000000-30000000 64 Mbytes
  v9c000000-a0000000 p3c000000-40000000 64 Mbytes
  vb0500000-b4000000 pa0500000-a4000000 60 Mbytes
  vbc000000-c0000000 p3c000000-40000000 64 Mbytes
Experimentally only the 60 Mbytes block can be recovered (we can address only the virtual memory)
It is possible to carve out all the known data
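The mapping table above is what drives the logical acquisition. As an added example (not the author's code, nor part of the xda tool bundle), this Python parses a constructed pmemmap-style listing, checks each row's virtual span against its physical span and declared size, reports physical blocks that are aliased under two virtual ranges (the 60 and 64 Mbyte blocks above each appear twice), and derives the virtual_address/block_size pairs Pmemdump.exe takes. The '-' range separators and column layout are assumptions about the listing format.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the pmemmap.exe listing on the slides
# (virtual range, physical range, size); '-' separators are an assumption.
PMEMMAP_OUTPUT = """\
v90500000-94000000 pa0500000-a4000000 60 Mbytes
v98000000-9c000000 p2c000000-30000000 64 Mbytes
v9c000000-a0000000 p3c000000-40000000 64 Mbytes
vb0500000-b4000000 pa0500000-a4000000 60 Mbytes
vbc000000-c0000000 p3c000000-40000000 64 Mbytes
"""

LINE = re.compile(r"^v([0-9a-f]{8})-([0-9a-f]{8})\s+p([0-9a-f]{8})-([0-9a-f]{8})"
                  r"\s+(\d+)\s+([KM])bytes$")
UNIT = {"K": 1024, "M": 1024 * 1024}

def parse_map(text):
    """Return one (vstart, vend, pstart, pend, declared_bytes) tuple per line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable mapping line: {line!r}")
        vs, ve, ps, pe = (int(x, 16) for x in m.groups()[:4])
        rows.append((vs, ve, ps, pe, int(m.group(5)) * UNIT[m.group(6)]))
    return rows

def check_ranges(rows):
    """Virtual starts whose virtual span, physical span and declared size
    disagree (the size column is rounded, so 1 Mbyte of slack is tolerated)."""
    return [vs for vs, ve, ps, pe, declared in rows
            if (ve - vs) != (pe - ps) or abs((ve - vs) - declared) > UNIT["M"]]

def physical_aliases(rows):
    """Physical blocks reachable through more than one virtual range: dump each
    once, then compare the aliased reads as an acquisition consistency check."""
    by_phys = defaultdict(list)
    for vs, ve, ps, pe, _ in rows:
        by_phys[(ps, pe)].append((vs, ve))
    return {k: v for k, v in by_phys.items() if len(v) > 1}

def dump_plan(rows):
    """(virtual_address, block_size) per distinct physical block, as Pmemdump.exe
    takes them on the slides; the first virtual alias of each block is used."""
    first = {}
    for vs, ve, ps, pe, _ in rows:
        first.setdefault((ps, pe), (vs, ve - vs))
    return list(first.values())
```

For the listing above the plan collapses five mapped ranges into three distinct physical blocks (about 187 Mbytes), and the two aliased blocks give a second read to compare against the first.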
12/15
Experimentally, it can be shown that about …0% of the binary firmware is empty
The slack part, about 40% of the total capacity, can be used as covert channel
Utilities for re-flashing have checksum control
Reverse Engineering -> bypass the control
Quite easy to implement
Toshiba PDA E740 has a sort of back door: reflash by means of the standard procedure of soft reset
Starting the device in reflash mode
13/15
Different strategies to allocate arbitrary data in the slack part of the original firmware.
$k$ blocks of slack space, $p$ blocks to allocate.
$S_{tot} = \{(n_1, s_1, e_1), (n_2, s_2, e_2), \ldots, (n_k, s_k, e_k)\}$
We can allocate a certain file, split in $p$ blocks, according to different scrambling policies
$k!$ = …
$F_1 = \{(n_1, s_1, e_1), (n_2, s_2, e_2), \ldots, (n_p, s_p, e_p)\}$
$\mathrm{Dim}(F) = \mathrm{Dim}(F_1) = \ldots = \mathrm{Dim}(F_p)$
14/15
Detection of a modified ROM image
… one has been gathered
Data carving techniques to sort out data types
Steganalysis methodology: descrambling techniques, data hiding scheme detection
15/15
Collection at logical level is possible with the mentioned tools
Entire ROM and most of the RAM can be recovered
Data hiding is possible at the level of the ROM by using the slack space: about 12 Mb over 32 Mb of firmware
…, Symbian OS, to deny the possibility of …