I tried using ProDiscover but unfortunately that didn't work out in the end because there is no distribution of the software that works on a Linux PDA.
We tried doing a straight-up dd of the mounted device but that does not seem to work; it only dd's like 1.2MB instead of the whole 64.
Right now I am working on building a boot SD, kinda like a live CD but with an SD, and seeing if through that I can access the internal flash and dd it. If anyone has had any luck with this I would appreciate some tips. I have like 3 or 4 guides from the internet on how to do it but they all seem to not explain some steps, so I am sometimes left with just guessing and hoping it works 😕.
I've talked to a couple of folks who have done this sort of thing, and what they've said is to take the process for putting Linux on the PDA (in this case, an iPaq) and just reverse the process. To me, this makes sense.
So check this out and see if you find the info you're looking for:
I then expanded my search a little and found:
I hope this helps…
H. Carvey
"Windows Forensics and Incident Recovery"
Yeah, that's a great suggestion for iPAQs. Thanks 😀.
But what about Linux PDAs that are natively Linux, like the Sharp Zaurus and the Yopy? I am currently still working on that boot SD for it; a lot harder in practice than in theory. 😡
Success 😀. I successfully networked the Zaurus 5000 through the USB networking protocol and was able to netcat the data through the network. I obtained the data in the following directories that I think hold the NVRAM and the RAM:
- /dev/mtdblock0
- /dev/mtdblock1
- /dev/mtdblock2
- /dev/mtdblock3
- /dev/ram0
- /dev/ram1
- /dev/ram2
- /dev/ram3
I still have to find out if one can make sense of the data 😕. If anyone else is trying to recover data from a Zaurus, I will list how I did it. You must use a Linux box to do this; I used Ubuntu. You will need netcat and the ip up/down protocol to do this, so make sure you have at least 2.6 and load these if necessary.
- Zaurus: In the Zaurus terminal enter passwd root <enter><enter>. This sets the root password to null.
- Zaurus: Configure the IP address through the network application to have a set IP of 192.168.129.201 and a netmask of 255.255.255.0.
- Zaurus: Edit /etc/securetty and add ttya1, ttya2, …, ttya7. I used the vi command to edit the file.
- Zaurus: Edit /etc/inetd.conf and uncomment all occurrences of telnet. There should be two lines with telnet in them. Use vi and just enter after the # sign on those lines to uncomment them.
- Zaurus: Put the Zaurus in the cradle and leave it powered on.
- PC: Open a terminal as root and enter the following commands.
- PC: modprobe usbserial
- PC: modprobe usbnet
- Zaurus: Press the Sync button on the cradle.
- PC: hotplug start
- PC: ifconfig usb0 192.168.129.200 netmask 255.255.255.0
- PC: route add -host 192.168.129.201 usb0
- PC: telnet 192.168.129.201
- PC: Log in as root and just hit enter for the password, and now you're in the handheld.
- PC: Open up another terminal; call it T2 and our original T1.
- PC T2: nc -l -p 9000 | dd of=<receivingfilename.dd>
- PC T1: dd if=/dev/<one of the previously listed file paths> | nc 192.168.129.200 9000
That's how I did it, but I am sure there are better methods. I actually know of one that puts the files on a CF in the Zaurus, but I don't like it as much. If anyone has any questions or comments, please post here. 8)
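The dd-over-netcat acquisition from the post above, reworked as an added Python example (not code from the thread): both ends run over loopback, each side hashes the stream as it goes, and the receiver's byte count and SHA-256 are compared with the sender's, so an image that arrives short or corrupted fails verification. The source is a constructed temp file standing in for /dev/mtdblock0; a short read at the device itself (like the 1.2MB-of-64 problem earlier in the thread) would still need the byte count checked against the expected partition size.

```python
import hashlib
import socket
import tempfile
import threading

CHUNK = 64 * 1024  # transfer block size

def stream_to_receiver(src_path, host, port):
    """Sender side (the handheld's `dd if=/dev/mtdblockN | nc PC 9000`)."""
    h, sent = hashlib.sha256(), 0
    with open(src_path, "rb") as src, socket.create_connection((host, port)) as s:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            s.sendall(chunk)
            h.update(chunk)
            sent += len(chunk)
        s.shutdown(socket.SHUT_WR)  # EOF tells the receiver the image is complete
    return sent, h.hexdigest()

def receive_image(listen_sock, dst_path):
    """Receiver side (the PC's `nc -l -p 9000 | dd of=image.dd`), hashing as it writes."""
    h, received = hashlib.sha256(), 0
    conn, _ = listen_sock.accept()
    with conn, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: conn.recv(CHUNK), b""):
            dst.write(chunk)
            h.update(chunk)
            received += len(chunk)
    return received, h.hexdigest()

def acquire_over_tcp(src_path, dst_path):
    """Run both ends over loopback; the image verifies only if size and hash agree."""
    ls = socket.create_server(("127.0.0.1", 0))
    result = {}
    t = threading.Thread(target=lambda: result.update(rx=receive_image(ls, dst_path)))
    t.start()
    sent, sha = stream_to_receiver(src_path, "127.0.0.1", ls.getsockname()[1])
    t.join()
    ls.close()
    received, rx_sha = result["rx"]
    return {"sent": sent, "received": received, "sha256": sha,
            "verified": sent == received and sha == rx_sha}

def demo(size=3 * CHUNK + 123):
    """Constructed stand-in for /dev/mtdblock0: deterministic bytes in a temp file."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = f"{d}/flash.bin", f"{d}/image.dd"
        with open(src, "wb") as f:
            f.write(bytes(i % 251 for i in range(size)))
        return acquire_over_tcp(src, dst)
```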
Randy - excellent post.
Andy