pdd (Palm dd)
pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or “snapshot” of the Palm device’s memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.
pdd was integrated into Paraben’s Device Seizure (formerly PDA Seizure) through version 3.2. The legacy release of pdd is available here.
Version: 1.11 (26 June 2002)
Platforms: Win 95/98/NT/2K (tested with Palm OS v1.0 to v4.0)
Win32: pdd_v1_11.zip
Source: pdd_v1_11_src.zip
This paper introduces pdd and presents the Palm OS internals (hardware, file system, and debugger functionality), pdd details (usage, process, flowchart, and timing), and forensic analysis results (flash memory, record removal and deletion, retrieval of system passwords, and telephony applications). Describes security issues and forensic acquisition and analysis techniques for Palm OS handhelds.
Paper: pdd: Memory Imaging and Forensic Analysis of Palm OS Devices
Published by the Forum of Incident Response and Security Teams (FIRST) in the Proceedings of the 14th Annual Computer Security Incident Handling Conference, Waikoloa, Hawaii, June 24-28, 2002.