03-26-2014, 09:27 AM   #6
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by chooko
All great questions here. I didn't make myself very clear. The necessary parts of the filesystem meaning areas on the Kindle where books and network information may be stored, as well as library loaned books may have been stored and deleted (or rather marked for deletion).
Books are stored in the USB accessible storage area (a small sub-set of the file system tree).

The supporting data you mention may be stored there also.
AND/OR:
There is another sub-set of the file system tree, /var/local, where device and application specific data is stored. This area is NOT visible in "USB storage mode".

Quote:
Originally Posted by chooko
Does the USBnetworking package offer any particular forensic value to the Kindle?
It is one that allows command line access to the entire installed file system, rather than just the sub-set of the file system tree seen over the USB cable.

But so does using the operator's console serial port.

So here "forensic value" is subjective -

If avoiding opening the kindle and connecting to the SMT serial port connector is considered a challenge (mechanically - it is);
then having an equivalent access via a software install might be considered of "forensic value".

Once the kindle has completed its entire boot sequence, then there is little or no difference between serial port access and software command line access.

PRIOR TO the kindle completing its entire boot sequence, the serial port connection is about the only thing available with any forensic value.
(The Kindles are multiple boot sequence devices, and the serial port access gives you access to the early parts of the boot sequence - before the final run-time Kernel is loaded and run.)

Quote:
Originally Posted by chooko
I will gladly share credit to anyone! I'm an honest student, not presenting anything received by others as my own. I'm not asking anyone here to write this paper for me, I'm more than happy to do it on my own. But with such a new device and not a lot of current/past research (at least that I can find) I need a little bit of help in the right direction.
No insult intended.
But such requests do show up here (and on IRC).

Quote:
Originally Posted by chooko
So far, I've imaged my Kindle with FTK Imager and dug through it with Forensic Tool Kit 4.2. There's a lot of interesting information contained in that image, but I can't find any information relating to remembered WiFi networks, or books that I've had on it in the past. A lot of it seems encrypted (perhaps DRM?)
There is very little of the Kindle's internals that are encrypted.

But there are a lot of file system image files used and several database systems files.
If your forensic tool does not detect that a file contains these types of structured data, then they will certainly look encrypted.

Quote:
Originally Posted by chooko
Again, I didn't explain myself very clearly. I don't need word for word answers here that many other students might just copy-paste into their BS paper. I'm looking for serious help on a forensic analysis of the Kindle PaperWhite.
Give us some details of your background, we could help you better.

What is your general *nix (or Linux) system background?
Have you done *nix (or Linux) system forensics before?

Do you have a Kindle Paperwhite available?
Do you have serial port access to it?
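An added example, not part of knc1's post: a signature-first triage of files carved from an image, illustrating the point above that file system images and database files look encrypted to a tool that does not recognize them. The formats in the table (SQLite, SquashFS, cramfs, gzip, ext2/3/4) and the 7.5 bits/byte threshold are assumptions chosen for the example; the post does not name specific formats.

```python
import math
from collections import Counter

# (offset, magic, label). Formats chosen for this example, not listed in the post.
SIGNATURES = [
    (0, b"SQLite format 3\x00", "SQLite 3 database"),
    (0, b"hsqs", "SquashFS image"),
    (0, b"\x45\x3d\xcd\x28", "cramfs image"),
    (0, b"\x1f\x8b", "gzip stream"),
    (1080, b"\x53\xef", "ext2/3/4 file system image"),  # superblock s_magic
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 are typical of encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Check container signatures first; use entropy only when none match."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    h = shannon_entropy(data[:65536])
    verdict = "possibly encrypted or compressed" if h > 7.5 else "unrecognized plain data"
    return f"unknown ({verdict}, {h:.2f} bits/byte)"

# Constructed samples (not taken from a real Kindle image).
FLAT = bytes(range(256)) * 16                      # flat histogram, stands in for ciphertext
SAMPLES = {
    "db": b"SQLite format 3\x00" + bytes(4080),
    "ext": bytes(1080) + b"\x53\xef" + bytes(966),
    "squashfs": b"hsqs" + FLAT,                    # high-entropy payload, yet identifiable
    "blob": FLAT,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} {classify(data)}")
```

The "squashfs" sample is the case the post describes: its payload has the same entropy as the unidentified blob, and only the signature check tells the two apart.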