Forensic analysis of an unknown embedded device
Abstract
Every year thousands of new digital consumer device models come onthe market. These devices include video cameras, photo cameras, computers,mobile phones and a multitude of different combinations. Mostof these devices have the ability to store information in one form or another.This is a problem for law enforcement agencies as they need accessto all these new kinds of devices and the information on them in investigations.Forensic analysis of electronic and digital equipment has becomemuch more complex lately because of the sheer number of new devicesand their increasing internal technological sophistication. This thesis triesto help the situation by reverse engineering a Qtek S110 device. Morespecifically we analyze how the storage system of this device, called theobject store, is implemented on the device?s operating system, WindowsMobile. We hope to figure out how the device stores user data and whathappens to this data when it is "deleted". We further try to define a generalizedmethodology for such forensic analysis of unknown digital devices.The methodology takes into account that such analysis will have tobe performed by teams of reverse-engineers more than single individuals.Based on prior external research we constructed and tested the methodologysuccessfully. We were able to figure our more or less entirely the objectstore?s internal workings and constructed a software tool called BlobExtractorthat can extract data, including "deleted", from the device withoutusing the operating system API. The main reverse engineering strategiesutilized was black box testing and disassembly. We believe our results canbe the basis for future advanced recovery tools for Windows Mobile devicesand that our generalized reverse engineering methodology can beutilized on many kinds of unknown digital devices.