forensic profiling of an ebook reader - a practical example


Upload: piccimario

Post on 12-May-2015


TRANSCRIPT

Page 1: Forensic Profiling of an eBook Reader - a practical example

Introduction Ebook reader forensics Building the timeline

Forensic Profiling of an eBook Reader
A practical example

Mario Piccinelli [email protected]

University of Brescia
Dept. of Information Engineering

Brescia, Italy

Mario Piccinelli [email protected] Forensic Profiling of an eBook Reader

Page 2: Forensic Profiling of an eBook Reader - a practical example

Outline

1 Introduction

2 Ebook reader forensics
  Ebook readers
  Our example reader: Sony PRS-650
  Accessing the data
  Exploring the data

3 Building the timeline
  Collected data
  Sony Ebook Reader Time Profiler

Page 3: Forensic Profiling of an eBook Reader - a practical example

Forensics Research

Aims to support investigatory and judicial processes by finding traces in otherwise apparently unpromising raw material from which it is possible to build a picture of events and activities.

Page 4: Forensic Profiling of an eBook Reader - a practical example

Forensics Profiling

The study and exploitation of traces in order to draw a profile relevant to the investigation about criminal or litigious activities.

While traces may not be strictly dedicated to court use, they may increase knowledge of the subject under investigation.

So, in this context every trace can be precious.


Page 6: Forensic Profiling of an eBook Reader - a practical example

Ebook readers

Ebook readers are portable electronic devices designed primarily for the purpose of reading digital books.

Page 7: Forensic Profiling of an eBook Reader - a practical example

Ebook reader forensics

Ebook readers are often ignored by forensics examiners because of:

Lack of interest (not as interesting as smartphones, of course).

Lack of knowledge (which kind of data could I find in this device?).

Lack of instruments and protocols (each device is different from the others, and there is no standard procedure for examination).

Page 8: Forensic Profiling of an eBook Reader - a practical example

Ebook reader forensics

As stated before, ANY kind of information can be useful during an investigation. So, why ignore an ebook reader found on a crime scene or in possession of a suspected offender?

Each ebook reader is different from the others, so at this stage we can't build a standard analysis protocol. In this presentation we will work with a widely available modern ebook reader, the Sony PRS-650.

Page 9: Forensic Profiling of an eBook Reader - a practical example

Just to be clear...

I don't work for Sony.

And surely this work is not endorsed in any way by Sony. It's just that I own this ebook reader, so I worked on it. Most of the following results could be achieved with other ebook readers from other vendors.

Page 10: Forensic Profiling of an eBook Reader - a practical example


Sony PRS-650

The PRS-650 is a modern ebook reader manufactured by Sony.

E-paper display (6 inches, 800x600 pixels).

Main input: resistive touch screen.

Secondary input: 5 buttons.

OS: MontaVista Linux.

Storage: 2GB of internal flash memory.

Other: removable SDHC and MemoryStick PRO duo.


Page 11: Forensic Profiling of an eBook Reader - a practical example

Sony PRS-650

Sony PRS-650 supported data:

Electronic books. Supported formats: EPUB, Adobe PDF, Microsoft Word, TXT, RTF, BBeB.

Audio files. Supported formats: MP3 and AAC without DRM.

Pictures. Supported formats: JPEG, GIF, PNG, BMP.

Page 12: Forensic Profiling of an eBook Reader - a practical example

Sony PRS-650

Sony PRS-650 OTHER data:

Bookmarks.

Word highlighting.

Hands-free notes on books.

Hands-free and typed memos.

Book access and use.

Built-in dictionaries use.

Page 13: Forensic Profiling of an eBook Reader - a practical example

Sony PRS-650

Sony PRS-650 OTHER data:

Bookmarks. ⇐ Timestamps

Word highlighting. ⇐ Timestamps

Hands-free notes on books. ⇐ Timestamps

Hands-free and typed memos. ⇐ Timestamps

Book access and use. ⇐ Timestamps

Built-in dictionaries use. ⇐ Timestamps

Timestamps help us draw a profile of the user.

Page 14: Forensic Profiling of an eBook Reader - a practical example

Accessing the data

The PRS-650 provides a USB interface to connect with a host computer. Sony provides software to manage ebooks, pictures, audio, notes and so on (there are also open source alternatives, such as Calibre). But...

Page 15: Forensic Profiling of an eBook Reader - a practical example

Accessing the data

The USB connection with the device is seen as a simple mass storage, and can be treated with standard forensics procedures.

The reader is seen as four mass storage devices:

One for the main storage area (FAT32).

Two for the removable cards.

One for the installation files area (FAT16).

Page 16: Forensic Profiling of an eBook Reader - a practical example

Accessing the data

The data we are looking for is stored in the main storage area and in the removable cards (if used). The structure is replicated on each of these, and starts from the "database" folder.

Page 17: Forensic Profiling of an eBook Reader - a practical example

Media content

The folder "media" contains the multimedia elements described before: audio, pictures, books and notes.

Page 18: Forensic Profiling of an eBook Reader - a practical example

Notes

The device can be used to produce "notes". Notes can be written on a virtual keyboard or drawn on the touchscreen. In both cases they are stored in files with extension ".note", in the "notepads" directory seen before.

Page 19: Forensic Profiling of an eBook Reader - a practical example

Notes

The files with extension ".note" are XML files. They can contain drawn or typewritten notes.

Note the "createDate" field. 1280660410000.000 in Unix time (milliseconds) is Sun, 01 Aug 2010 11:00:10 GMT.

Page 20: Forensic Profiling of an eBook Reader - a practical example

Markup folder

The folder "markup" contains a reproduction of the portion of the filesystem in which the ebooks are stored, starting from the root dir. The root element, i.e. the book itself, is represented here by a directory containing graphical files for hands-free notes drawn on the book.

Page 21: Forensic Profiling of an eBook Reader - a practical example

Markups

For each note drawn on a book, two files are stored: a low-resolution JPEG picture of the page with the note, and a vectorial SVG description of the note itself.

Page 22: Forensic Profiling of an eBook Reader - a practical example

Thumbnails folder

The folder "thumbnails" has the same structure as the "markup" folder previously described. For each multimedia element on the device (not just books) a black-and-white thumbnail is stored here.

The creation date of the thumbnail is the date of the first use of the reader after the multimedia element has been loaded on the device.

Page 23: Forensic Profiling of an eBook Reader - a practical example

Cache folder

The "cache" folder contains data related to the multimedia files hosted on the device (or on the removable media). The data is stored in XML files, created/updated when there could have been a change in the multimedia content (removable media inserted, device disconnected from host computer).

The cache folder in the removable media is slightly different, but the file contents are almost the same.

Page 24: Forensic Profiling of an eBook Reader - a practical example

Media.xml

The file "media.xml" contains a record for each multimedia element with element-specific information. Note the "date" string, with the creation date of the file, and the bookmark date.

Page 25: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml

The file "cacheExt.xml" contains a record for each multimedia element in the device. For the ebook records, the most interesting sections are:

Current position.

History.

Markups.

Preferences.

Page 26: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml: current position

The "current position" field describes the last position of the document which was shown on the device. Note the timestamp data.

Page 27: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml: history

The "history" field contains a record for each time a page was turned (max 100 elements), along with timestamp data.

This is one of our major sources of forensics data.

Page 28: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml: markups

The "markups" field contains a record for each markup in the book, each with its creation timestamp. The different kinds of markups are:

Annotation (highlighted words).

Freehand (freehand drawings).

Bookmark (bookmarked pages).

There is also a field named "deletedMarkups", with data about the deleted markups. In these markups the date field holds the date in which the markup was deleted (the creation date is lost).

Page 29: Forensic Profiling of an eBook Reader - a practical example


cacheExt.xml: markups

The following is the record for the highlighting of a word.


Page 30: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml: markups

The start and end position for the aforementioned markup are filetype-specific and encoded in base64. After being decoded, they appear like:

T1BTL0hldHR5X0ZlYXRoZXJfMDEwX2NoYXB0ZXIwMS5odG1
sI3BvaW50KC8xLzQvMi8yOC8xOjYpAA==

⇓ Base64 Decoder

OPS/Hetty_Feather_010_chapter01.html
#point(/1/4/2/28/1:6)

This form is EPUB specific.

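As an added example (not code from the presentation, nor from the author's tool), the Python below decodes a position value of this kind and splits it into the content file and the point fragment. It joins the two base64 lines shown on the slide, which are one value wrapped for display (the first line alone is not a multiple of four characters), and strips the trailing NUL byte that the decoded bytes carry (the "AA==" tail). Splitting the `point(...)` fragment into a step list and a character offset is this example's own reading of the format; the slide only states that the form is EPUB specific.

```python
import base64
import re

# The two base64 lines from the slide, joined: they are one value that was
# wrapped for display.
SLIDE_POSITION_B64 = (
    "T1BTL0hldHR5X0ZlYXRoZXJfMDEwX2NoYXB0ZXIwMS5odG1"
    "sI3BvaW50KC8xLzQvMi8yOC8xOjYpAA=="
)

# "point(/1/4/2/28/1:6)": a slash-separated step path and a ':'-separated
# character offset. This split is the example's own interpretation; what
# each step denotes depends on the book's content file.
POINT_RE = re.compile(r"^point\((?P<steps>/[\d/]+):(?P<offset>\d+)\)$")


def decode_markup_position(b64_text):
    """Decode an EPUB markup position as stored in cacheExt.xml.

    Returns (content_file, steps, char_offset). The decoded bytes end with a
    NUL terminator, which is stripped before parsing. A value without a '#'
    fragment, or whose fragment is not a point(...) expression, is not an
    EPUB position (the format is filetype-specific) and raises ValueError
    instead of being guessed at.
    """
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    text = raw.rstrip(b"\x00").decode("utf-8")
    content_file, sep, fragment = text.partition("#")
    if not sep:
        raise ValueError("no fragment, not an EPUB position: %r" % text)
    m = POINT_RE.match(fragment)
    if m is None:
        raise ValueError("unrecognised fragment: %r" % fragment)
    steps = [int(s) for s in m.group("steps").strip("/").split("/")]
    return content_file, steps, int(m.group("offset"))


def is_epub_position(b64_text):
    """True when the value decodes as an EPUB point position.

    binascii.Error (bad base64) and UnicodeDecodeError are both
    subclasses of ValueError, so one except clause covers them.
    """
    try:
        decode_markup_position(b64_text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(decode_markup_position(SLIDE_POSITION_B64))
    # ('OPS/Hetty_Feather_010_chapter01.html', [1, 4, 2, 28, 1], 6)
```

Positions for other file types (PDF, TXT, ...) will fail the fragment check rather than produce a wrong tuple, which is the behaviour an examiner wants when the encoding for those types has not been confirmed.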

Page 31: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml: markups

The following is the record for a freehand drawing on the book. Note the names of the two files shown before.

Page 32: Forensic Profiling of an eBook Reader - a practical example

cacheExt.xml: preferences

The node "preferences" contains user-defined preferences about the reading of the book (brightness, contrast, ...). The interesting thing is that this node also stores information about the access to the built-in dictionaries.


Page 34: Forensic Profiling of an eBook Reader - a practical example

Building the timeline

In our analysis we collected a lot of timestamps, giving a clear picture of how the owner used the device, when he did it and how often.

For example, we found the timestamps for the following operations:

last reading of a document;

creation date of a document;

creation date of a note;

reading of a page of a document;

creation and deletion of markups;

lookup of words in the built-in dictionaries.

Page 35: Forensic Profiling of an eBook Reader - a practical example

Building the timeline

To analyze this data, we built a Python script to collect these timestamps from the relevant files, order them and plot the resulting timeline.

The script, which we named "Sony Ebook Reader Time Profiler", is available for download at: http://github.com/PicciMario/Sony-Ebook-Reader-Time-Profiler

The bundle is made of a Python script which scans a directory searching for "cache.xml", "media.xml" and "cacheExt.xml" files and builds a data file, and a GnuPlot script to create a plot from this data file.

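As an added example (not the author's Sony Ebook Reader Time Profiler and not code from the presentation), the Python below walks through the steps the script performs, on constructed inputs: it converts the millisecond timestamps (including the note "createDate" value from the Notes slide), collects note creations, page turns from "history", markup creations from "markups" and deletions from "deletedMarkups" into one event list, sorts it, and writes tab-separated rows that GnuPlot can plot with one y value per item, as in the sample graphs. The element and attribute names of the sample XML are assumptions made for this example; the slides name only the fields, not the files' full layout.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample inputs. The element/attribute layout is an assumption
# for this example; the slides only name the fields "createDate", "history",
# "markups", "deletedMarkups" and "date".
SAMPLE_NOTE_XML = """<?xml version="1.0"?>
<note createDate="1280660410000.000" title="memo1"/>
"""

SAMPLE_CACHEEXT_XML = """<?xml version="1.0"?>
<cache>
  <text path="Hetty_Feather.epub">
    <history>
      <page date="1280663000000.000" page="12"/>
      <page date="1280662000000.000" page="11"/>
    </history>
    <markups>
      <markup type="bookmark" date="1280664000000.000"/>
    </markups>
    <deletedMarkups>
      <markup type="annotation" date="1280665000000.000"/>
    </deletedMarkups>
  </text>
</cache>
"""


def ms_to_utc(value):
    """Turn a timestamp string such as "1280660410000.000" (Unix time in
    milliseconds, written as a float) into a UTC datetime. The value is the
    device's own clock; check its offset against a reference clock at
    acquisition before relying on it."""
    return datetime.fromtimestamp(float(value) / 1000.0, tz=timezone.utc)


def note_events(xml_text, label):
    """Events from one .note file: its creation time."""
    root = ET.fromstring(xml_text)
    return [(ms_to_utc(root.get("createDate")), label, "note created")]


def cacheext_events(xml_text):
    """Events from a cacheExt.xml-style file: page turns, markup creations
    and markup deletions, per book."""
    events = []
    for book in ET.fromstring(xml_text).findall("text"):
        name = book.get("path")
        # history: one record per page turn. The device keeps at most 100,
        # so older page turns are no longer present once the list is full.
        for page in book.findall("./history/page"):
            events.append((ms_to_utc(page.get("date")), name,
                           "page %s read" % page.get("page")))
        for mk in book.findall("./markups/markup"):
            events.append((ms_to_utc(mk.get("date")), name,
                           "%s created" % mk.get("type")))
        # deletedMarkups: only the deletion time survives; the creation
        # date of a deleted markup is lost.
        for mk in book.findall("./deletedMarkups/markup"):
            events.append((ms_to_utc(mk.get("date")), name,
                           "%s deleted" % mk.get("type")))
    return events


def build_timeline(notes, cacheexts):
    """Merge all events and sort them by time (ties broken by item, label).
    notes: iterable of (label, xml_text); cacheexts: iterable of xml_text."""
    events = []
    for label, xml_text in notes:
        events.extend(note_events(xml_text, label))
    for xml_text in cacheexts:
        events.extend(cacheext_events(xml_text))
    return sorted(events)


def gnuplot_rows(events):
    """Tab-separated rows: ISO timestamp, series number, item, event.
    Each book or note gets its own series number, which serves as the
    y value of the plot (x: time, y: item involved in the event)."""
    series = {}
    rows = []
    for ts, item, what in events:
        idx = series.setdefault(item, len(series) + 1)
        rows.append("\t".join([ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                               str(idx), item, what]))
    return rows


if __name__ == "__main__":
    timeline = build_timeline([("memo1.note", SAMPLE_NOTE_XML)],
                              [SAMPLE_CACHEEXT_XML])
    for row in gnuplot_rows(timeline):
        print(row)
```

Because the history list holds at most 100 page turns per book, a gap in the plotted page-turn events for a heavily read book is expected behaviour of the device, not evidence that the device was idle; the note and markup timestamps are not subject to that limit.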

Page 36: Forensic Profiling of an eBook Reader - a practical example


Sample results

Sample graph: usage of the reader in a 2 months span.

X axis: time.

Y axis: book involved in the event.


Page 37: Forensic Profiling of an eBook Reader - a practical example

Sample results

Sample graph: usage of the reader in a ten-minute span, for a single book.

X axis: time.

Page 38: Forensic Profiling of an eBook Reader - a practical example

Conclusions

Virtually each action performed on the device is logged.

It is possible to build a forensically sound timeline.

The evidence gathered this way could be used in court to:

draw a behavioural profile of a suspected offender;

support or deny an alibi;

provide additional useful information about the owner.

Page 39: Forensic Profiling of an eBook Reader - a practical example

Conclusions

Thanks for listening!

Mario Piccinelli

Graduate Student in Computer Sciences
Digital Forensics Practitioner

Dept. of Computer Sciences
University of Brescia, Italy

[email protected]