Joined: Dec 06, 2006 Posts: 13 Location: savannah ga
Posted: Thu Dec 07, 2006 12:33 am Post subject: Sony PlayStation Portable
I was wondering if anyone has had the privilege to search a PSP for evidence, and if so... was it of value? I connected the PSP to the forensic computer via USB, but (so far) it does not acknowledge it. Any suggestions?
Get a Memory Stick Duo reader and attach it to a FreeBSD or Linux box.
After it is attached, dmesg | tail to see what the device name is (in FreeBSD I am 99% sure that it will be "da0").
Then use dd to create your image:
dd if=/dev/da0 of=$HOME/psp.img
Once you have the device imaged, you can search through the file, attempt to mount it on any number of platforms, duplicate it, etc.
There should be a write-protection switch on the back of the card. If there is not (the stock 32 meg unit on my beloved PSP does not), examine a 3rd party card to see where the switch is and what it does. Worse comes to worse you can always use tape or elmer's white glue (which is easily removed) to simulate the write protect switch temporarily.
Make sure the card is write protected before you attempt insertion for imaging.
After the image has been produced, use md5 to hash the image and the card:
md5 /dev/da0
md5 $HOME/psp.img
The hashes should be the same.
chmod 444 the psp.img file to inhibit unwanted and potentially hash-changing writes.
EnCase, Mac Forensics Lab, and Sleuthkit should be able to handle this image.
jcw
PS: I am looking for work in the Philadelphia, Chicago, NYC, or Persian Gulf and I am willing to relocate.
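The acquire-and-verify sequence from the post above as a POSIX shell function (an added example, not part of the original post). It goes one step beyond the post by hashing the source both before and after the copy, so a card that was not actually write protected shows up as a mismatch; `hash_of` and `acquire_image` are hypothetical names, and the source path is whatever dmesg reported.

```shell
#!/bin/sh
# Added example; hash_of and acquire_image are hypothetical helper names.

# Print the MD5 of a file or device node (md5sum on Linux, md5 on FreeBSD).
hash_of() {
    if command -v md5sum >/dev/null 2>&1; then
        out=$(md5sum "$1") || return 1
        printf '%s\n' "${out%% *}"
    else
        md5 -q "$1"
    fi
}

# acquire_image SOURCE IMAGE
# Returns 0 only if the source was unchanged and the image hash matches it.
acquire_image() {
    src=$1
    img=$2
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    before=$(hash_of "$src") || return 1
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 1
    after=$(hash_of "$src") || return 1
    img_hash=$(hash_of "$img") || return 1
    # Keep the hashes beside the image for the case notes.
    printf '%s  %s\n%s  %s\n' "$after" "$src" "$img_hash" "$img" > "$img.md5"
    chmod 444 "$img" "$img.md5"
    if [ "$before" != "$after" ]; then
        echo "source changed during imaging (write protection failed?)" >&2
        return 1
    fi
    [ "$after" = "$img_hash" ]
}

# Usage: sh acquire.sh /dev/da0 "$HOME/psp.img"
if [ "$#" -eq 2 ]; then
    acquire_image "$1" "$2"
fi
```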
Joined: Nov 19, 2005 Posts: 233 Location: Illinois
Posted: Fri Dec 08, 2006 3:10 am Post subject:
I'm able to attach mine to a USB port and connect to it. The computer should read it as a flash drive. I've used FTK Imager to image it and X-Ways Forensics to analyze it. I haven't done anything extensive with it yet though. Just snoop around.
Joined: Dec 06, 2006 Posts: 13 Location: savannah ga
Posted: Fri Dec 08, 2006 10:02 pm Post subject:
AlanOne wrote:
I'm able to attach mine to a USB port and connect to it. The computer should read it as a flash drive. I've used FTK Imager to image it and X-Ways Forensics to analyze it. I haven't done anything extensive with it yet though. Just snoop around.
Tim, CCE
I have FTK Imager, but the device isn't recognized... Is it passworded, write protected, or what? Also, was your snooping of value? Any emails saved? I'm involved in a child molestation case (PSP is the girl's), we don't have the suspect computer.
Joined: Dec 06, 2006 Posts: 13 Location: savannah ga
Posted: Fri Dec 08, 2006 10:27 pm Post subject:
jcw wrote:
Get a Memory Stick Duo reader and attach it to a FreeBSD or Linux box.
After it is attached, dmesg | tail to see what the device name is (in FreeBSD I am 99% sure that it will be "da0").
Then use dd to create your image:
dd if=/dev/da0 of=$HOME/psp.img
Once you have the device imaged, you can search through the file, attempt to mount it on any number of platforms, duplicate it, etc.
There should be a write-protection switch on the back of the card. If there is not (the stock 32 meg unit on my beloved PSP does not), examine a 3rd party card to see where the switch is and what it does. Worse comes to worse you can always use tape or elmer's white glue (which is easily removed) to simulate the write protect switch temporarily.
Make sure the card is write protected before you attempt insertion for imaging.
After the image has been produced, use md5 to hash the image and the card:
md5 /dev/da0
md5 $HOME/psp.img
The hashes should be the same.
chmod 444 the psp.img file to inhibit unwanted and potentially hash-changing writes.
EnCase, Mac Forensics Lab, and Sleuthkit should be able to handle this image.
jcw
PS: I am looking for work in the Philadelphia, Chicago, NYC, or Persian Gulf and I am willing to relocate.
You sound like you know what you're talking about. I use FTK or EnCase for imaging, but the problem now is that the device isn't recognized or assigned a drive letter (needed for EnCase). FTK can see just a "USB device," but it isn't there...
PS. I believe that Digital Intelligence has an office in Chicago, and my mentor when working on EnCase Certification was in Chicago. Contact me for more info at dnmalott@yahoo.com
Joined: Jan 03, 2006 Posts: 255 Location: The Netherlands
Posted: Fri Dec 08, 2006 10:30 pm Post subject:
Hi dnmalott,
My experience is that if FTK does not recognize the volume/file system you can do a DD acquire, but the resulting image will still remain a mystery for both FTK and EnCase.
Regardless, it is always good to get a DD.
You can always try to carve it using a tool such as scalpel.
Joined: Nov 19, 2005 Posts: 233 Location: Illinois
Posted: Sat Dec 09, 2006 2:10 am Post subject:
dnmalott wrote:
AlanOne wrote:
I'm able to attach mine to a USB port and connect to it. The computer should read it as a flash drive. I've used FTK Imager to image it and X-Ways Forensics to analyze it. I haven't done anything extensive with it yet though. Just snoop around.
Tim, CCE
I have FTK Imager, but the device isn't recognized... Is it passworded, write protected, or what? Also, was your snooping of value? Any emails saved? I'm involved in a child molestation case (PSP is the girl's), we don't have the suspect computer.
I was thinking, when you are hooking the PSP up to a PC, are you selecting the "USB connection" option under "Settings" on the PSP? When you hook a PSP up to a computer, it does not automatically connect via USB. You have to go to that menu option and select it before the computer will see it. Just an idea...
The only thing I have done with the PSP so far is look at the information it saves when used as a web browser. The PSP stores web sites visited, typed history, and bookmarks. The website cache is only stored on the 2MB internal memory. I have not found a utility that will allow the capture or examination of the 2MB internal memory. I've been keeping my eye out for a homebrew package that will allow you to get to it.
Posted: Sat May 31, 2008 10:06 am Post subject: Sony PSP
My recommendation is to look at "Pandora Battery" and something called Time Machine. It will let you put firmware on your own memory card and boot off it (by way of the special battery telling the PSP to boot from the memory stick rather than internal flash). If you place a utility such as PSP filer on your memory stick in the psp/game/ folder, you will have access to the flash0 and flash1 contents, which you could retrieve via USB and analyze. Feel free to PM if you need more information. The main point, obviously: don't try to install the custom firmware onto the flash0, simply run it from Time Machine on your own MS. You should already know how to image an MS card if you're in these forums with a $5 USB reader.