pdd: memory imaging and forensic analysis of Palm OS devices
Joseph Grand
Abstract
One goal of incident response is to preserve the entire digital
crime scene with minimal or no modification of data. This paper
introduces pdd or "Palm dd", a Windows-based tool for memory
imaging and forensic acquisition of data from the Palm operating
system (OS) family of Personal Digital Assistants (PDAs). pdd will
preserve the crime scene by obtaining a bit-for-bit image or
"snapshot" of the Palm device's memory contents. Such data can be
used by forensic investigators, incident response teams, and
criminal and civil prosecutors.
This paper also
presents the Palm OS internals (hardware, file system, and debugger
functionality), pdd details (usage, process, flowchart, and
timing), and forensic analysis results (flash memory, record
removal and deletion, retrieval of system passwords, and telephony
applications).