dc.description.abstract | Every year thousands of new digital consumer device models come on
the market. These devices include video cameras, photo cameras, computers,
mobile phones and a multitude of different combinations. Most
of these devices have the ability to store information in one form or another.
This is a problem for law enforcement agencies as they need access
to all these new kinds of devices and the information on them in investigations.
Forensic analysis of electronic and digital equipment has become
much more complex lately because of the sheer number of new devices
and their increasing internal technological sophistication. This thesis tries
to help the situation by reverse engineering a Qtek S110 device. More
specifically we analyze how the storage system of this device, called the
object store, is implemented on the device's operating system, Windows
Mobile. We hope to figure out how the device stores user data and what
happens to this data when it is "deleted". We further try to define a generalized
methodology for such forensic analysis of unknown digital devices.
The methodology takes into account that such analysis will have to
be performed by teams of reverse-engineers more than single individuals.
Based on prior external research we constructed and tested the methodology
successfully. We were able to figure out more or less entirely the object
store's internal workings and constructed a software tool called BlobExtractor
that can extract data, including "deleted" data, from the device without
using the operating system API. The main reverse engineering strategies
utilized were black box testing and disassembly. We believe our results can
be the basis for future advanced recovery tools for Windows Mobile devices
and that our generalized reverse engineering methodology can be
utilized on many kinds of unknown digital devices.