Abstract
The Amazon Kindle eBook reader supports a wide range of capabilities beyond reading books. This functionality includes an inbuilt cellular data connection known as Whispernet. The Kindle provides web browsing, an application framework, eBook delivery and other services over this connection. The historic data left by user interaction with this device may be of forensic interest. Analysis of the Amazon Kindle device has resulted in a method to reliably extract and interpret data from these devices in a forensically complete manner.
Keywords: forensics, digital forensics, kindle, mobile, embedded, ebook, ereader
1. INTRODUCTION
The Amazon Kindle eBook reader provides significant functionality beyond simply reading eBooks. Because the Kindle is an embedded computing platform built on general computing hardware (see Table 1 for details), a wide range of functionality can be deployed on it. The Kindle platform has grown to include a web browser, which utilizes an inbuilt cellular data connection, an application framework, a music player, an image viewer, AGPS and numerous other capabilities. Given the potential for nefarious use of such features, the ability to perform forensic analysis of these devices would be quite desirable.
The 2GB of flash storage is divided into four file systems (see Figure 1). The last of these is mapped to act as a USB mass storage device and is the only file system that can be accessed, viewed or in any other way interacted with when the Kindle is in its secure state. The other three partitions contain the root Linux file system, configuration files and a debug file system respectively.
Existing digital forensics software packages have implemented limited support for Kindle devices; however, there is currently no support for examination of the flash memory other than the FAT32 partition (MacForensicsLab, 2010). In the same vein, research has been performed by a number of individuals in an attempt to derive forensic methodology for the Kindle, but this research has also focused only on the FAT32 partition exposed as a USB mass storage device (Huber, 2010b; Hughes, 2010; newinforensics, 2010).
2. SECURITY
The Kindle utilizes a firmware update mechanism that allows for over the air (OTA) or manual updates. In both cases the update file is placed in the root of the mass storage portion of the file system. The update is then applied once the user activates this functionality from the system menu of the device.
The update files themselves are essentially signed TAR archives. These are extracted and a shell script contained within is executed to carry out the update. The signing mechanism relies on RSA encryption, in which the update is signed with Amazon's private key and verified with Amazon's public key, which is pre-installed on the Kindle device (Hannay, 2010).
The security functionality can, however, be defeated because the tar archive is extracted prior to signature verification. The most commonly employed exploit sets an absolute path to the public key store inside the tar archive, so that a new public key is added to the store before signature validation takes place. The result of this exploit is that the ability to sign arbitrary updates is gained. The jailbreak process described here is illustrated below in Figure 2.
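The ordering flaw described above is closed by authenticating the raw archive bytes before anything is parsed or unpacked, and by refusing members that resolve outside the staging directory. The following Python is an added example, not Amazon's updater and not code from the original paper; the function names, key and member names are hypothetical, and HMAC-SHA256 stands in for the RSA signature check so that the block runs with the standard library alone.

```python
import hashlib, hmac, io, os, tarfile

def escaping_members(archive, dest):
    """Names of members that would be written outside dest, or are links."""
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            inside = target == root or target.startswith(root + os.sep)
            if os.path.isabs(m.name) or not inside or m.issym() or m.islnk():
                bad.append(m.name)
    return bad

def install_update(archive, signature, dest, verify):
    """Authenticate the raw bytes first; only then parse and unpack them."""
    if not verify(archive, signature):
        raise ValueError("signature check failed, nothing extracted")
    bad = escaping_members(archive, dest)
    if bad:  # a valid signature does not excuse writes outside dest
        raise ValueError("members escape the staging directory: %r" % bad)
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            if m.isfile():
                path = os.path.join(dest, m.name)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as out:
                    out.write(tar.extractfile(m).read())
    return sorted(os.listdir(dest))

# Constructed demo material: HMAC-SHA256 is a stand-in for the RSA check.
KEY = b"constructed-demo-key"
def sign(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()
def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)

def build_tar(names):
    """Build an in-memory tar of 4-byte files with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"demo"))
    return buf.getvalue()
```

Because the member check runs even on a correctly signed archive, a signed update still cannot write into the key store or anywhere else outside the staging directory.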
3. ACQUISITION METHODOLOGY
Prior to commencement of this section it is important to note that knowledge of best practice in terms of hashing, evidence preservation and documentation is assumed and as such is out of scope of this paper. The investigator should ensure that he/she understands the impact that writing data to a device can have and the implications for forensic integrity.
In order to accomplish the acquisition and analysis of the Kindle we must first gain access to the device beyond what is available by default. This access is achieved through use of the exploit identified in the previous section. The implementation we will be using in this example is the Kindle Jailbreak (based on AVNard's earlier work); this utility includes a standard public/private key pair, which is known publicly, as well as an installation framework (NiLuJe, 2010). At this stage in the process we have the ability to install custom software via the update system.
In order to gain complete access to the device it is necessary to install some form of remote access software on the device. In our case a telnet and SSH server will be installed alongside scripts which allow the USB port to be remapped as a USB Ethernet Gadget. The package commonly used to achieve this is the "USBNetwork" package, so named as it restores the USB networking functionality that was originally present in early versions of the Kindle firmware (NiLuJe, 2010). Once this has been accomplished it is possible to start the USBNetwork service by issuing the ";debugOn" and "usbNetwork" commands on the device (without quotes) as shown in Figure 3.
Once the USBNetwork package is installed and enabled it is possible to start acquisition. This is accomplished through the use of telnet, dd and netcat, a methodology that has been commonly implemented in live system acquisitions (Burdach, 2005). In this configuration the host system is configured to listen for the data transmission, piping the output to dd. A telnet connection is then established to the Kindle and data transfer initiated; this process is shown in Figure 4 below.
Once this acquisition is complete it may be desirable to split this file into the four file systems that are contained within. The details of these can be extracted using fdisk as shown in Figure 1. Once these partition boundaries are known we can extract the individual partitions into their own files for subsequent analysis as shown in Figure 5.
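The splitting step can also be scripted so that every carved partition is hashed as it is produced. The following Python is an added example, not code from the original paper; it assumes the image carries a DOS/MBR partition table of the kind fdisk reports and 512-byte sectors, the function names are hypothetical, and the sample image, its sizes and its type bytes are constructed.

```python
import hashlib
import struct

SECTOR = 512  # assumed sector size

def read_mbr(image):
    """Parse the four primary entries of a DOS/MBR partition table."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]  # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if ptype and count:
            parts.append({"index": i + 1, "type": ptype,
                          "start": start, "sectors": count})
    return parts

def carve(image, parts):
    """Slice each partition out of the image and hash it for the case notes."""
    out = []
    for p in parts:
        begin = p["start"] * SECTOR
        end = begin + p["sectors"] * SECTOR
        if end > len(image):
            raise ValueError("partition %d runs past end of image" % p["index"])
        blob = image[begin:end]
        out.append((p["index"], blob, hashlib.sha256(blob).hexdigest()))
    return out

def build_sample_image():
    """Constructed four-partition image; layout values are made up."""
    layout = [(0x83, 1, 4), (0x83, 5, 2), (0x83, 7, 2), (0x0B, 9, 8)]
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    body = b"".join(bytes([i + 1]) * (c * SECTOR)
                    for i, (_, _, c) in enumerate(layout))
    return bytes(mbr) + body
```

For a full-size acquisition, pass a read-only mmap of the image file instead of a bytes object; slicing and len() behave the same way.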
The completion of this splitting leads us to the point where these images can be analysed using traditional computer forensics methodologies. The next section includes information on the various file systems and location of data that has been deemed to be of forensic interest.
4. DATA OF INTEREST
5. CONCLUSION
eBook devices such as the Kindle are gathering increased interest from the forensic community as they become increasingly popular. The included cellular data capability of the Kindle specifically may make it a candidate for nefarious purposes, as there is no data cost associated with the global data service (Hannay, 2010). In addition to data functionality, the inclusion of an application framework and development kit in beta release will only lead to increased use of the product for purposes that were once met by the traditional computing paradigm.
The initial efforts of the forensic community have focused on acquisition of only a portion of the internal storage of the device, as this area is readily accessible as a USB mass storage device (Huber, 2010a, 2010b; Hughes, 2010; MacForensicsLab, 2010; newinforensics, 2010). This paper has gone beyond the existing methodologies and provided a mechanism for the acquisition of the complete internal NAND memory and analysis of same. In order for this result to be achieved, however, some data must be written to the device, and in doing so there is the possibility of data being overwritten. Aside from invasive hardware based acquisition, there are no current known techniques that would allow for complete acquisition without this approach.
Research into small and embedded device forensics is ongoing, with increased focus on complete acquisition of all relevant data from these systems, including flash storage, memory and data stored on individual microcontrollers.
6. REFERENCES
Amazon. (2010). Kindle Wireless Reading Device, Wi-Fi, Graphite, 6" Display with New E Ink Pearl Technology. Retrieved January 7th, 2011, from http://www.amazon.com/gp/product/B002Y27P3M?ie=UTF8&tag=10inchlaptop20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B002Y27P3M
Burdach, M. (2005). Digital forensics of the physical memory. Warsaw University.
Hannay, P. (2010). Hooray for Reading: Hacking the Kindle. Retrieved January 3rd, 2011, from http://openduck.com/2010/11/27/hooray-for-reading-hacking-the-kindle/
Huber, E. (2010a). Additional Thoughts on Kindle Forensics. Retrieved January 19th, 2011, from http://ericjhuber.blogspot.com/2010/04/additional-thoughts-on-kindleforensics.html
Huber, E. (2010b). A Cursory Look at Kindle Forensics. Retrieved January 19th, 2011, from http://ericjhuber.blogspot.com/2010/04/cursory-look-at-kindle-forensics.html
Hughes, A. (2010). Forensics Beyond the Hard Drive: Kindle 2 Logging. Retrieved February 6th, 2011, from http://inforensics.vidocrazor.com/2009/06/26/forensics-beyond-the-hard-drivekindle-2-logging/
MacForensicsLab. (2010). Forensic Imaging of the Amazon Kindle. Retrieved January 12th, 2011, from http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=document_general_info&cPath=5_18&products_id=338&zenid=be461f672b245e5f78e3800158c920e5
newinforensics. (2010). Kindle 3G Wireless Reading Device - forensically speaking. Retrieved January 9th, 2011, from http://newinforensics.blogspot.com/2010/10/kindle-3g-wireless-readingdevice.html
NiLuJe. (2010). Fonts & ScreenSavers hacks for Kindles. Retrieved January 2nd, 2011, from http://www.mobileread.com/forums/showthread.php?t=88004
Peter Hannay
SECAU
School of Computer and Security Science
Edith Cowan University
Perth, Australia
Copyright Association of Digital Forensics, Security and Law 2011