Wednesday, September 26, 2007


Carrier: Verizon
I was unable to make a download the contents of the handset using the following products ENCASE, BITPIM, PARABEN or DD so I made backup copy of the internal contents in the most forensically sound manner possible using VERIZON WIRELESS SOFTWARE INSTALLATION DISC (A/N 185-10134-01).
I installed PALM DESKTOP SOFTWARE and used HOTSYNC to make back-up files of the TREO 360 file system. I then extracted and converted the recovered information in the following ways:
1. CALENDER: I used PALM DESKTOP to export the entire calendar to a Datebook Archive (dba) file named “datebook archive.dba”. I then used an empty calendar at YAHOO.COM to import “datebook archive.dba” and exported the contents to a file called “calender.csv”.
2. CONTACTS and TASKS: I used the SEND to > MS Excel in the PALM DESKTOP.
3. MEMOS: I used the SEND TO > MS WORD in the PALM DESKTOP.
4. CALLS: I took a copy of the file from “\XXXXXXXX\Backup\PhoneCallDB.PDB created during the “XXXXXXXX” HOTSYNC and converted it with a program called “CH”. (Download here – The program converted the input into a MICROSOFT EXCEL SPREADSHEET. The program “CH”, and the source code is included in the “Working Directory” in the forensic archive.
5. PHOTOS, IMAGES sand VIDEOS: Images were transferred from the handset during HOTSYNC and placed into the “XXXXXXXX” Folder. Using a hex editor on the file “Saved_prefrences.PRC “ I discovered the Phone Number of owner
The following is addition information regarding the forensic examination:
Computer connection using Cable 180-10017-00 REV B 0516 with HOT SYNC Button.
• The HOTSYNC automatically created the user file name of “XXXXXXXX” for the contents of the seized item.
• Consol Mode was achieved using the following key inputs:
 Option Button and Shift–find Button
 Input “s” and push ALT Button
 Scroll to bottom and choose “ dotted looped l”
 Enter “.”
 Enter 1

No comments: