Old 03-25-2014, 07:14 PM   #1
chooko
Junior Member
Posts: 6
Karma: 10
Join Date: Mar 2014
Device: Kindle Paperwhite 2
Kindle Paperwhite Forensics

Hello Everyone,

I've been searching the web and this forum for some info on this, but haven't been able to find it anywhere! It seems like research in this area is pretty scarce, but maybe y'all can help me.

I'm an advanced IT student in the University, and I'm currently in a Mobile Forensics Class. I chose to do my 10+ page research paper on Kindle Forensics (mainly for two reasons: 1-Not a lot of research has been done in this field, and 2-I really wanted to buy a Kindle Paperwhite!)

All things aside, I have access to a lot of professional forensic software (through the school) and of course my kindle.

My main research questions are:

Does “jailbreaking” the paperwhite give access to necessary (or additional) parts of the filesystem?

Are there any artefacts from library books I have “checked out” but are now expired? How does Amazon deal with “removing” those books? (Including screenshots and explanations as to how this process works)

Does the kindle store all the wifi networks it connects to and locations/IPs? If so, where and how?


ANY help that anyone could give on this would be great. Thanks!

~B
Old 03-25-2014, 08:30 PM   #2
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by chooko View Post
Does “jailbreaking” the paperwhite give access to necessary (or additional) parts of the filesystem?

- - - - -

ANY help that anyone could give on this would be great. Thanks!

~B
The word "jailbreak" in the context of the grayscale Kindles is just the addition of a signature certificate that allows the Kindle's updater to install the Mobileread packages.

"necessary (or additional)" - as contrasted to what?

In contrast to that available over the console serial port: NO

Directly allowing additional access: NO

Allowing after market MR packages that do give such "necessary (or additional)" access: YES
(I.E: Indirectly, yes - example: install the USBnetworking package).

- - - -

Are you sharing the credit you will receive from doing your paper?
Or at least giving credit to where you are getting your answers from (when not your own effort)?

That is: "research" once meant doing the discovery work yourself, not just asking someone for the answers.

Last edited by knc1; 03-25-2014 at 08:32 PM.
Old 03-25-2014, 08:49 PM   #3
chooko
Junior Member
Posts: 6
Karma: 10
Join Date: Mar 2014
Device: Kindle Paperwhite 2
Quote:
Originally Posted by knc1 View Post
The word "jailbreak" in the context of the grayscale Kindles is just the addition of a signature certificate that allows the Kindle's updater to install the Mobileread packages.

"necessary (or additional)" - as contrasted to what?

In contrast to that available over the console serial port: NO

Directly allowing additional access: NO

Allowing after market MR packages that do give such "necessary (or additional)" access: YES
(I.E: Indirectly, yes - example: install the USBnetworking package).
All great questions here. I didn't make myself very clear. The necessary parts of the filesystem meaning areas on the Kindle where books and network information may be stored, as well as library loaned books may have been stored and deleted (or rather marked for deletion).

Does the USBnetworking package offer any particular forensic value to the Kindle?

Quote:
Originally Posted by knc1 View Post

Are you sharing the credit you will receive from doing your paper?
Or at least giving credit to where you are getting your answers from (when not your own effort)?

That is: "research" once meant doing the discovery work yourself, not just asking someone for the answers.
I will gladly share credit to anyone! I'm an honest student, not presenting anything received by others as my own. I'm not asking anyone here to write this paper for me, I'm more than happy to do it on my own. But with such a new device and not a lot of current/past research (at least that I can find) I need a little bit of help in the right direction.

So far, I've imaged my Kindle with FTK Imager and dug through it with Forensic Tool Kit 4.2. There's a lot of interesting information contained in that image, but I can't find any information relating to remembered WiFi networks, or books that I've had on it in the past. A lot of it seems encrypted (perhaps DRM?)

Again, I didn't explain myself very clearly. I don't need word for word answers here that many other students might just copy-paste into their BS paper. I'm looking for serious help on a forensic analysis of the Kindle PaperWhite.
Old 03-25-2014, 08:57 PM   #4
eschwartz
Ex-Helpdesk Junkie
Posts: 19,421
Karma: 85400180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
Jailbreaking does nothing but install one file, an additional developer certificate, allowing update.bin files signed by the MobileRead Kindle Developers' tools, to authorize them so the Kindle will run them. Those updates however, will typically modify all sorts of things.

Expired library loans are treated as regular books, except that Amazon's servers will silently delete them, and report a message that the book is a loan and has expired, if you try to download them again. Without WiFi/3G, it will simply tell you to connect, leading me to believe the info is not stored locally. They will also send a personal document "letter" to notify you that the loan has expired. All this I know from day-to-day use, so there may be other traces left in the filesystem, I do not know.

I know the Kindle stores the WiFi info, since it remembers networks and automatically connects (with passwords saved) but I have no idea where.
Old 03-26-2014, 02:36 AM   #5
dsmid
Linux devotee
Posts: 598
Karma: 2069047
Join Date: Feb 2011
Device: Kindle 3, Kindle 4B, Kindle PW2
Wi-Fi networks are stored in an encrypted file /var/local/system/wifid.conf .
Old 03-26-2014, 09:27 AM   #6
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by chooko View Post
All great questions here. I didn't make myself very clear. The necessary parts of the filesystem meaning areas on the Kindle where books and network information may be stored, as well as library loaned books may have been stored and deleted (or rather marked for deletion).
Books are stored in the USB accessible storage area (a small sub-set of the file system tree).

The supporting data you mention may be stored there also.
AND/OR:
There is another sub-set of the file system tree, /var/local, where device and application specific data is stored. This area is NOT visible in "USB storage mode".

Quote:
Originally Posted by chooko View Post
Does the USBnetworking package offer any particular forensic value to the Kindle?
It is one that allows command line access to the entire installed file system, rather than just the sub-set of the file system tree seen over the USB cable.

But so does using the operator's console serial port.

So here "forensic value" is subjective -

If avoiding opening the kindle and connecting to the SMT serial port connector is considered a challenge (mechanically - it is);
then having an equivalent access via a software install might be considered of "forensic value".

Once the kindle has completed its entire boot sequence, then there is little or no difference between serial port access and software command line access.

PRIOR TO the kindle completing its entire boot sequence, the serial port connection is about the only thing available with any forensic value.
(The Kindles are multiple boot sequence devices, and the serial port access gives you access to the early parts of the boot sequence - before the final run-time Kernel is loaded and run.)

Quote:
Originally Posted by chooko View Post
I will gladly share credit to anyone! I'm an honest student, not presenting anything received by others as my own. I'm not asking anyone here to write this paper for me, I'm more than happy to do it on my own. But with such a new device and not a lot of current/past research (at least that I can find) I need a little bit of help in the right direction.
No insult intended.
But such requests do show up here (and on IRC).

Quote:
Originally Posted by chooko View Post
So far, I've imaged my Kindle with FTK Imager and dug through it with Forensic Tool Kit 4.2. There's a lot of interesting information contained in that image, but I can't find any information relating to remembered WiFi networks, or books that I've had on it in the past. A lot of it seems encrypted (perhaps DRM?)
There is very little of the Kindle's internals that are encrypted.

But there are a lot of file system image files used and several database systems files.
If your forensic tool does not detect that a file contains these types of structured data, then they will certainly look encrypted.

Quote:
Originally Posted by chooko View Post
Again, I didn't explain myself very clearly. I don't need word for word answers here that many other students might just copy-paste into their BS paper. I'm looking for serious help on a forensic analysis of the Kindle PaperWhite.
Give us some details of your background, we could help you better.

What is your general *nix (or Linux) system background?
Have you done *nix (or Linux) system forensics before?

Do you have a Kindle Paperwhite available?
Do you have serial port access to it?
knc1 is offline   Reply With Quote
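An added illustration of the point made in the post above, that file system images and database files look encrypted to a tool that does not recognise them (this is example code, not from the thread or from any forensic product). It checks a blob for well-known format headers before falling back to an entropy estimate; the signature list is a generic selection and the sample bytes are constructed, not taken from a Kindle.

```python
import math
from collections import Counter

# (label, offset from start of file/partition, magic bytes). Generic, well-known
# formats picked for illustration; not a list of what a Kindle actually contains.
SIGNATURES = [
    ("SQLite 3 database", 0, b"SQLite format 3\x00"),
    ("SquashFS image", 0, b"hsqs"),
    ("gzip stream", 0, b"\x1f\x8b\x08"),
    ("FAT32 volume", 82, b"FAT32   "),
    ("ext2/3/4 file system", 1080, b"\x53\xef"),  # superblock magic 0xEF53
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def identify(data: bytes, base: int = 0) -> list:
    """Labels of every signature that matches at `base`."""
    return [label for label, off, magic in SIGNATURES
            if data[base + off:base + off + len(magic)] == magic]

def classify(data: bytes, sample: int = 65536, threshold: float = 7.5):
    """Header check first, entropy second; returns (verdict, entropy)."""
    hits = identify(data)
    h = shannon_entropy(data[:sample])
    if hits:
        verdict = "structured: " + ", ".join(hits)
    elif h >= threshold:
        verdict = "high entropy, no known header: compressed or encrypted"
    else:
        verdict = "unrecognised, low entropy: plain or undocumented structure"
    return verdict, round(h, 2)

def scan_image(image: bytes, step: int = 512) -> list:
    """Walk a raw dump sector by sector and report embedded headers.
    Short magics (ext's two bytes) give false hits on real data, so each
    result is a lead to verify by mounting or parsing, not a conclusion."""
    return [(base, label)
            for base in range(0, len(image), step)
            for label in identify(image, base)]

# Constructed samples (synthetic bytes, not taken from any device).
SQLITE_SAMPLE = b"SQLite format 3\x00" + bytes(4080)
EXT_SAMPLE = bytes(1080) + b"\x53\xef" + bytes(966)
UNIFORM_SAMPLE = bytes(range(256)) * 256          # stand-in for ciphertext
TEXT_SAMPLE = b"key=value\n" * 200
IMAGE_SAMPLE = bytes(1024) + SQLITE_SAMPLE + EXT_SAMPLE

if __name__ == "__main__":
    for name, blob in [("sqlite", SQLITE_SAMPLE), ("ext", EXT_SAMPLE),
                       ("uniform", UNIFORM_SAMPLE), ("text", TEXT_SAMPLE)]:
        print(name, classify(blob))
    for offset, label in scan_image(IMAGE_SAMPLE):
        print(f"offset {offset:#x}: {label}")
```

A blob that lands in the "high entropy" bucket is still only a candidate for encryption, since compressed archives and media score the same way.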
Old 03-26-2014, 09:38 AM   #7
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
An added note -
You are in the right place for these sorts of questions -

Every time a new model is introduced, the developers here that support the after-market add-ons we publish must do a lot of forensic investigation.
At least of those parts of the system that affect their modification add-ons.

I don't think any one developer has "done it all", from power-on to end-user run-time.
But there are many very well examined "pockets of information" that are known.

We specifically try to avoid publishing all that we know about the system -
because that would reveal to Amazon/Lab126 those areas we are weak in.

In the battle between Amazon/Lab126 to keep the device "closed" and ourselves to keep the device "open" -
We try not to give Lab126 too many lessons in what they have over-looked or screwed up.

Last edited by knc1; 03-26-2014 at 09:41 AM.
Old 03-26-2014, 09:41 AM   #8
NiLuJe
BLAM!
Posts: 13,506
Karma: 26047190
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Which leads to my next question: what exactly have you "imaged"? After knc1's explanation of the partition layout, you should be able to answer that.

On a sidenote, official updates > 5.3.x contain a full rootfs image so you don't even technically need a device to start looking at stuff.
Old 03-26-2014, 09:56 AM   #9
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
oops -
thanks for the credit.

but I forgot to mention the device and owner specific information stored outside of the file systems.
for that, the O.P. needs a device and some study of Geekmaster's backup procedures.

and probably the warning:
if you get the Kindle into "Diags mode" **DO NOT** try the "erase all" option - it works.
and without having done a "Geekmaster backup" your data outside of the file systems is then gone.
Old 03-26-2014, 07:46 PM   #10
chooko
Junior Member
Posts: 6
Karma: 10
Join Date: Mar 2014
Device: Kindle Paperwhite 2
Wow! There's tons of great information here. Thanks to ALL, especially knc1!

Anything anyone else has will still be appreciated. Slowly I'm getting through this paper.
Old 03-26-2014, 08:04 PM   #11
chooko
Junior Member
Posts: 6
Karma: 10
Join Date: Mar 2014
Device: Kindle Paperwhite 2
Quote:
Give us some details of your background, we could help you better.

What is your general *nix (or Linux) system background?
Have you done *nix (or Linux) system forensics before?

Do you have a Kindle Paperwhite available?
Do you have serial port access to it?
I'm a Senior in my IT department at the University. I'd say I have moderate to advanced understanding/experience in Linux system concepts. I'm not scared of a terminal shell.

I have moderate theoretical forensic experience, but not a lot of practical experience. We just got these awesome forensic computers at the school, so they're excited to start incorporating them into the curriculum.

I rooted my Android cell phone, and haven't ever been scared of doing technical things with my devices.

I have my personal Paperwhite, which I am willing to play around with, as long as I can keep functionality on it.

By serial port access, I'm not sure what you mean exactly. I can plug the USB cord into it, but I assume there's a serial port on the inside that you are referring to. I haven't cracked that open yet for access, nor am I sure if I have a cable for it.

Edit: I do have access to tools to take it apart if I need to.

Last edited by chooko; 03-26-2014 at 08:05 PM. Reason: Quick added thought.
Old 03-26-2014, 08:08 PM   #12
chooko
Junior Member
Posts: 6
Karma: 10
Join Date: Mar 2014
Device: Kindle Paperwhite 2
Quote:
Originally Posted by NiLuJe View Post
Which leads to my next question: what exactly have you "imaged"?
I've done a simple physical acquisition of my Paperwhite through the USB port, using FTK Imager. I think it basically runs a -dd command on it and takes everything bit for bit.
Old 03-26-2014, 09:01 PM   #13
NiLuJe
BLAM!
Posts: 13,506
Karma: 26047190
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
Meaning the userstore, so, yeah, (nearly) nothing interesting there.
Old 03-26-2014, 09:09 PM   #14
knc1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
Originally Posted by chooko View Post
Edit: I do have access to tools to take it apart if I need to.
Yes, there is a serial port on the inside.
The teardown of a PW2 is the same as the original Paperwhite.

npoland was the first to jailbreak the PW2 (over the serial port).
you can find a photo of the serial port connector on the mainboard here: https://www.mobileread.com/forums/sho...=222229&page=2

Those are very small contacts - matching parts:
https://www.mobileread.com/forums/sho...d.php?t=228044

I think the few people who have used the PW(1/2) serial port just used a tiny amount of solder paste and hot air to directly connect 30 gauge wire extensions to the pads.

There is one thread here with a neat example of bringing the serial port connection out a connector on the lower edge of the PW2.

You can probably find someone with access to a hardware lab to help. Those almost microscopic pads are best dealt with using the proper tools, which any University electronics lab will have.

The adapter to use should be a 1.8v to USB serial port adapter.
(all Kindles use the same 1.8v to USB serial port adapter - connectors differ among the models.)

Check the master index for more information links:
https://wiki.mobileread.com/wiki/Prefix_Index
(We never added a PW/PW2 specific page, so look under: "K5")
Old 04-21-2014, 07:57 PM   #15
chooko
Junior Member
Posts: 6
Karma: 10
Join Date: Mar 2014
Device: Kindle Paperwhite 2
Well everyone, I finished my paper and submitted it!

Thank you all for ALL your help.

I think I gave good credit where credit was due.

Just FYI.

https://www.dropbox.com/s/weoar0khn1...FinalDraft.pdf