August 02, 2004 (technical)
PDD Day 3
The third day (Day 1, Day 2) of analysing pdd focuses on modifying pdd so that it does not soft-reset the device after an acquisition, followed by a look at PDA Seizure from Paraben Computer Forensic Software.
Modifying the pdd source to offer the option of NOT soft-resetting the Palm after a successful acquisition - Process - 040802 10am
The three files I had to modify were main.c, pdd.h and pdd.c
Idea
The modification adds one more argument to pdd.exe, giving the option of NOT soft-resetting the Palm device at the end of the acquisition. The argument is passed in the same operand=value form as the existing arguments; running pdd -h prints:
Joe Grand [jgrand@mindspring.com], June 2002 v1.11
NAME
pdd - Memory imaging tool for forensic analysis of Palm OS
platform devices
USAGE
pdd [ operand=value ... ]
Place the Palm device in the cradle or attach to a HotSync
cable connected to a serial port on the desktop PC. The Palm
OS Console Mode must be enabled.
OPERANDS
if=value : name of serial communications port [default = COM1]
of=value : name of output file [default = standard output]
card=n : Palm card number [default = 0 for built-in card]
type=value : Palm card memory type; RAM or ROM [default = RAM]
-? or -h : help [you're reading it]
So the new argument takes the form reset=value, where value is either yes or no (the default being yes, matching the behaviour of the unmodified program).
File: main.c
The first change to main.c is a variable declaration at the beginning of the main() function, mirroring the existing of[] buffer (the value only ever needs to hold yes or no, but using the same size keeps it consistent with the other operand buffers).
After unsigned char of[FILENAME_MAX]; a new line was added:
unsigned char reset[FILENAME_MAX];
The second change sets the default for the reset variable.
After the line type = RAM; a new line was added:
strcpy (reset, "");
This leaves reset empty, which pdd() later treats as the default (reset the device).
The third change extends the check that prints usage() when the first argument is not a recognised operand, so that reset=value is accepted as a first (or only) argument.
After strstr (argv[1], "type=") == NULL && a new line was added:
strstr (argv[1], "reset=") == NULL &&
This check still sends pdd.exe to usage() when it is given no recognised arguments; without the added line, running pdd.exe with reset=value as its only argument would also have ended in usage() instead of being accepted.
The fourth change has pdd.exe recognise the argument and store its value.
After the else if ((delim = strstr(argv[c], "type=")) != NULL) /* memory type */ block of code, a new else if block was added:
else if ((delim = strstr(argv[c], "reset=")) != NULL) /* soft reset */
{
param = delim + 6;
if (*param)
{
strncpy (reset, param, FILENAME_MAX-1);
reset[FILENAME_MAX-1] = '\0'; /* strncpy writes no terminator if the value fills the buffer */
}
else
usage(argv[0]);
}
This new block looks for a reset= argument (ie: strstr() != NULL), copies the value into the reset variable (which is later passed to the pdd() call) and falls back to usage() if the value is empty. The explicit terminator is added as a safety measure: strncpy stops after FILENAME_MAX-1 bytes without writing a NUL, so an over-long value would otherwise leave reset unterminated.
The 5th change was to add the new reset variable to the pdd() call
pdd (port, of, card, type);
Was changed to:
pdd (port, of, card, type, reset);
The sixth and final modification to main.c was in the function that prints the help text, to add a line describing the new argument.
After the fprintf(stderr, "\n\ttype=value : Palm card memory type; RAM or ROM [default = RAM]"); line, the following line was added:
fprintf(stderr, "\n\treset=value : Soft-reset the palm; yes or no [default = yes]");
File: pdd.c
The 1st modification to pdd.c was to change the function definition of the pdd() function from:
void pdd (char* port, char* of, unsigned short cardNo, MemoryType memtype)
To:
void pdd (char* port, char* of, unsigned short cardNo, MemoryType memtype, char* reset)
The second and final change to pdd.c wraps the pdd_SysReset() call in an if block that tests the reset parameter: when it is exactly "no", pdd_SysReset() is skipped. Note that the comparison is case-sensitive and only "no" disables the reset; any other value (including "No", "NO" or a typo) falls through to the pdd_SysReset() branch, which is the destructive one on an evidence device, so it is worth rejecting unrecognised values in main.c rather than relying on this fall-through. The (*reset) test is redundant, since strcmp("", "no") is already non-zero, but harmless.
Instead of:
pdd_SysReset();
The code was changed to:
if ((*reset) && (!strcmp(reset,"no")))
{
fprintf(stderr, "\nNOT Resetting Palm OS Device.\n");
} else {
pdd_SysReset();
}
File: pdd.h
The only change to this file was adding the reset parameter to the pdd() function prototype, so:
void pdd (char* port, char* filename, unsigned short cardNo, MemoryType memtype);
Was changed to:
void pdd (char* port, char* filename, unsigned short cardNo, MemoryType memtype, char* reset);
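The three-file change above adds the operand by hand to pdd's existing argument handling. As an added example (not pdd's own code, and not the author's patch), the stand-alone program below parses the same operand=value command line, including reset=, the way a forensic tool should: every value is NUL-terminated, reset= accepts only "yes" or "no", and an unknown operand or value makes parsing fail instead of silently falling back to the default, which for reset= is the destructive soft-reset. The names pdd_opts, parse_pdd_args and parsed_reset and the buffer sizes are assumptions made for this example.

```c
/* Added example, not pdd's own code: a stand-alone parser for pdd-style
 * operand=value arguments including the reset= operand. Unlike the in-place
 * patch it always NUL-terminates values, accepts only "yes" or "no" for
 * reset=, and rejects unknown operands or values instead of falling back to
 * the default. pdd_opts, parse_pdd_args and parsed_reset are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { PDD_RAM = 0, PDD_ROM = 1 } pdd_memtype;

typedef struct {
    char port[32];        /* if=    serial port, default COM1                */
    char of[256];         /* of=    output file, empty means standard output */
    unsigned short card;  /* card=  Palm card number, default 0              */
    pdd_memtype type;     /* type=  RAM or ROM, default RAM                  */
    int reset;            /* reset= 1 (yes, pdd's default) or 0 (no)         */
} pdd_opts;

/* Copy src into dst with a guaranteed terminator; fail rather than truncate. */
static int copy_value(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* True if the bytes before '=' in arg are exactly key. */
static int key_is(const char *arg, size_t keylen, const char *key)
{
    return strlen(key) == keylen && strncmp(arg, key, keylen) == 0;
}

/* Parse argv[1..argc-1]. Returns 1 on success, 0 if any argument is not
 * key=value, has an empty key or value, names an unknown operand, or
 * carries a value outside the accepted set (e.g. reset=n0 or type=FLASH). */
int parse_pdd_args(int argc, char **argv, pdd_opts *o)
{
    int c;
    strcpy(o->port, "COM1");
    o->of[0] = '\0';
    o->card = 0;
    o->type = PDD_RAM;
    o->reset = 1;

    for (c = 1; c < argc; c++) {
        const char *eq = strchr(argv[c], '=');
        const char *val = eq ? eq + 1 : "";
        size_t keylen = eq ? (size_t)(eq - argv[c]) : 0;

        if (keylen == 0 || *val == '\0')
            return 0;
        if (key_is(argv[c], keylen, "if")) {
            if (!copy_value(o->port, sizeof o->port, val)) return 0;
        } else if (key_is(argv[c], keylen, "of")) {
            if (!copy_value(o->of, sizeof o->of, val)) return 0;
        } else if (key_is(argv[c], keylen, "card")) {
            char *end;
            long n = strtol(val, &end, 10);
            if (*end != '\0' || n < 0 || n > 65535) return 0;
            o->card = (unsigned short)n;
        } else if (key_is(argv[c], keylen, "type")) {
            if (strcmp(val, "RAM") == 0) o->type = PDD_RAM;
            else if (strcmp(val, "ROM") == 0) o->type = PDD_ROM;
            else return 0;
        } else if (key_is(argv[c], keylen, "reset")) {
            if (strcmp(val, "yes") == 0) o->reset = 1;
            else if (strcmp(val, "no") == 0) o->reset = 0;
            else return 0;
        } else {
            return 0;   /* unknown operand */
        }
    }
    return 1;
}

/* Reset decision (1 or 0) for an argument list, or -1 if it was rejected. */
int parsed_reset(int argc, char **argv)
{
    pdd_opts o;
    return parse_pdd_args(argc, argv, &o) ? o.reset : -1;
}

int main(int argc, char **argv)
{
    pdd_opts o;
    if (!parse_pdd_args(argc, argv, &o)) {
        fprintf(stderr, "usage: %s [if=port] [of=file] [card=n] [type=RAM|ROM] [reset=yes|no]\n", argv[0]);
        return 1;
    }
    printf("port=%s of=%s card=%u type=%s reset=%s\n", o.port, o.of[0] ? o.of : "(stdout)",
           o.card, o.type == PDD_RAM ? "RAM" : "ROM", o.reset ? "yes" : "no");
    return 0;
}
```

Run with the same operands the post uses (of=040803-01.out reset=no) and the parser returns reset=0; run with reset=n0 and it refuses rather than resetting the device. The strict matching is the point: on an evidence device the safe failure is to stop and ask, never to guess.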
Using the modified pdd to perform 2 acquisitions, one after the other, without having to perform any activity on the palm in between - Process - 040803 12pm
Firstly, the Palm was soft-reset (by pressing the reset button on the back with a paperclip), then placed in the cradle and turned on. The "Stay on in Cradle" option was verified to be enabled. On the desktop a new folder called pdd2 was created containing the modified version of pdd.exe; in a cmd.exe window we ran "cd pdd2" and then "pdd of=040803-01.out reset=no", which resulted in:
Enter console debug mode [<shortcut> .. 2]
I performed the shortcut on the palm, then the desktop responded:
pdd process beginning.
This process completed successfully, the desktop returning:
NOT Resetting Palm OS Device.
pdd successful. Exiting.
After this I immediately typed into the desktop "pdd of=040803-02.out reset=no", which started the pdd acquisition again:
Enter console debug mode [<shortcut> .. 2]
pdd process beginning.
This acquisition also completed successfully:
NOT Resetting Palm OS Device.
pdd successful. Exiting.
The two files, 040803-01.out and 040803-02.out are compared below:
040803-01.out ; size = 8,388,608 bytes ; md5 = 7d3b5880559db8712cbd870a9ffc12c2
040803-02.out ; size = 8,388,608 bytes ; md5 = 2dc8e755df721ef4d383e39c702919a6
From this we can see that even though pdd no longer soft-resets the Palm, the two images still differ. This is most likely because the device cannot be placed in a read-only or halted state while in console mode: at a minimum, some clock-related state keeps changing in RAM between the two runs. An MD5 mismatch alone says nothing about how much changed or where; comparing the two images byte by byte and recording the differing offsets would narrow the changes to specific regions.
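To go from "the hashes differ" to "these regions differ", the program below (an added example, not part of the original post) walks two equal-sized images and reports each run of differing bytes as an offset range. The function and file names (diff_ranges, load_file) are assumptions, and the two 64-byte sample "images" are constructed for the demonstration rather than taken from a real Palm; when given two file names on the command line it compares those instead, so it can be pointed at the two .out files from the test above.

```c
/* Added example, not from the original post: record the byte ranges where
 * two acquisitions of the same device differ, so each change can be tied to
 * a region of the image rather than just a mismatching MD5. diff_ranges and
 * load_file are hypothetical names; the 64-byte sample "images" below are
 * constructed for the demonstration and are not real Palm dumps. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t start;   /* offset of the first differing byte in the run */
    size_t len;     /* number of consecutive differing bytes          */
} diff_range;

/* Walk two n-byte images and record each maximal run of differing bytes.
 * At most max runs are stored in out; the return value is the total number
 * of runs found, so the caller can tell when out was too small. */
size_t diff_ranges(const unsigned char *a, const unsigned char *b, size_t n,
                   diff_range *out, size_t max)
{
    size_t i = 0, count = 0;

    while (i < n) {
        size_t start;
        if (a[i] == b[i]) {
            i++;
            continue;
        }
        start = i;
        while (i < n && a[i] != b[i])
            i++;
        if (count < max) {
            out[count].start = start;
            out[count].len = i - start;
        }
        count++;
    }
    return count;
}

/* Constructed samples: img_b is img_a with a 4-byte counter at offset 16
 * rewritten and one flag bit at offset 40 flipped. */
#define IMG_SIZE 64
unsigned char img_a[IMG_SIZE];
unsigned char img_b[IMG_SIZE];

void build_samples(void)
{
    size_t i;
    for (i = 0; i < IMG_SIZE; i++)
        img_a[i] = (unsigned char)(i * 7);
    memcpy(img_b, img_a, IMG_SIZE);
    img_b[16] = 0x00; img_b[17] = 0x01; img_b[18] = 0x02; img_b[19] = 0x03;
    img_b[40] ^= 0x80;
}

/* Read a whole file into a malloc'd buffer; NULL on any error. */
static unsigned char *load_file(const char *path, size_t *n)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL;
    long sz = -1;
    if (f && fseek(f, 0, SEEK_END) == 0 && (sz = ftell(f)) > 0 && (buf = malloc((size_t)sz))) {
        rewind(f);
        if (fread(buf, 1, (size_t)sz, f) == (size_t)sz)
            *n = (size_t)sz;
        else { free(buf); buf = NULL; }
    }
    if (f) fclose(f);
    return buf;
}

/* Usage: pdddiff 040803-01.out 040803-02.out; with no arguments the
 * constructed samples are compared instead. */
int main(int argc, char **argv)
{
    diff_range r[64];
    const unsigned char *a = img_a, *b = img_b;
    unsigned char *fa = NULL, *fb = NULL;
    size_t n = IMG_SIZE, na = 0, nb = 0, runs, i;

    if (argc == 3) {
        fa = load_file(argv[1], &na);
        fb = load_file(argv[2], &nb);
        if (!fa || !fb || na != nb) {
            fprintf(stderr, "could not read both images, or their sizes differ\n");
            return 1;
        }
        a = fa; b = fb; n = na;
    } else {
        build_samples();
    }
    runs = diff_ranges(a, b, n, r, 64);
    for (i = 0; i < runs && i < 64; i++)
        printf("0x%08lx-0x%08lx (%lu bytes)\n", (unsigned long)r[i].start,
               (unsigned long)(r[i].start + r[i].len - 1), (unsigned long)r[i].len);
    printf("%lu differing run(s)%s\n", (unsigned long)runs, runs > 64 ? " (first 64 listed)" : "");
    free(fa);
    free(fb);
    return 0;
}
```

On the constructed samples this prints two runs, 0x10-0x13 and 0x28-0x28. On real back-to-back acquisitions the same listing shows whether the differences are a few small runs (consistent with a clock or counter being updated) or spread across the image, and the offsets can be checked against the database layout of the RAM dump.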
A quick look at PDA Seizure (Demo) - Process - 040803 2.30pm
PDA Seizure, version 3.0.0.15, was installed on the desktop with no problems. Once the program was started it reported that it was running as a DEMO version, limited in the following ways:
- Generate Report is disabled
- Load is disabled
- Memory acquisition is limited to 4,000,000 bytes
- File acquisition is limited to 75 files
To perform an acquisition you simply click on the "Acquire" button, which opens up the "PDA Seizure Acquisition" Wizard dialogue. You have a choice of:
- Palm OS Devices
- Windows CE/Pocket PC Devices
- RIM Blackberry Devices
The options for Palm acquisition are quite extensive, including options to Acquire Memory or just Acquire Files, an option to disable the soft-reset and an option to decode the password (for Palm OS < 4.0) (Screengrab)
Unfortunately, because this version was only a demo it could only acquire images smaller than 4,000,000 bytes, which meant that less than half of our Palm's 8 MB of RAM could be acquired properly. To see what files and images were acquired, PDA Seizure was set to Acquire Memory and Acquire Files.
The next screen advises the user on how to place the Palm device into console mode; this is followed by a screen showing options for which memory (and cards) to acquire from. For this demonstration I only selected the RAM image.
The software provided a nice clear progress dialog (Screengrab)
After the acquisition had been completed, the device reset itself and the desktop waited for me to press the sync button on the cradle; after I did, PDA Seizure began downloading the individual databases from the Palm to the software (Screengrab)
At the end of the file acquisition process PDA Seizure crashed and wouldn't restart again. After a restart of the desktop, the software restarted successfully.
The process was started as above and, as before, crashed, though this time at the end of the memory acquisition rather than during the collection of files.
The process was tried one more time, this time just an acquisition of the files, not the RAM (as this works successfully using pdd) - but once again the software crashed.
This issue could be because the software was running as a demo, and further testing will be required using a fully licensed copy.
Posted by xntrik at August 2, 2004 11:40 AM