Computer Forensics World :: View topic - Sony PlayStation Portable
Sony PlayStation Portable

 
dnmalott
Newbie
Joined: Dec 06, 2006
Posts: 15
Location: savannah ga

Posted: Thu Dec 07, 2006 12:33 am    Post subject: Sony PlayStation Portable

I was wondering if anyone has had the privilege to search a PSP for evidence, and if so.....was it of value. I connected the PSP to the forensic computer via USB, but (so far) it does not acknowledge it. Any suggestions?

jcw
Newbie
Joined: Dec 07, 2006
Posts: 1

Posted: Thu Dec 07, 2006 11:51 pm

Get a Memory Stick Duo reader and attach it to a FreeBSD or Linux box.
After it is attached, dmesg | tail to see what the device name is (in FreeBSD I am 99% sure that it will be "da0").

Then use dd to create your image:

dd if=/dev/da0 of=$HOME/psp.img

Once you have the device imaged, you can search through the file, attempt to mount it on any number of platforms, duplicate it, etc.

There should be a write-protection switch on the back of the card. If there is not (the stock 32 meg unit on my beloved PSP does not), examine a 3rd party card to see where the switch is and what it does. Worse comes to worse you can always use tape or elmer's white glue (which is easily removed) to simulate the write protect switch temporarily.

Make sure the card is write protected before you attempt insertion for imaging.

After the image has been produced, use md5 to hash the image and the card:

md5 /dev/da0
md5 $HOME/psp.img

The hashes should be the same.

chmod 444 the psp.img file to inhibit unwanted and potentially hash-changing writes.

EnCase, Mac Forensics Lab, and Sleuthkit should be able to handle this image.


jcw
PS: I am looking for work in the Philadelphia, Chicago, NYC, or Persian Gulf and I am willing to relocate.
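
Added example (not part of jcw's post): the image, hash, compare and chmod 444 steps described above as one POSIX shell script, using MD5 as the post does. The names acquire, verify and md5_of, the .log file and the 64k block size are assumptions of this example; the blockdev check applies only to Linux block devices.

```shell
#!/bin/sh
# Added example: the dd / md5 / chmod 444 steps from the post as one script.
# Usage on a case: sh acquire.sh /dev/da0 "$HOME/psp.img"

# Print only the MD5 digest (GNU md5sum on Linux, md5 -q on FreeBSD).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# acquire SRC IMG: image SRC, hash both sides, log the result, lock the image.
# Returns 0 only when the source and image digests match.
acquire() {
    src=$1; img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 3; fi
    # The reader may ignore the card's switch; on Linux, report a writable device.
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        [ "$(blockdev --getro "$src")" = 1 ] || echo "WARNING: $src is writable" >&2
    fi
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 4
    src_md5=$(md5_of "$src") || return 4
    img_md5=$(md5_of "$img") || return 4
    {
        echo "source=$src md5=$src_md5"
        echo "image=$img md5=$img_md5"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$img.log"
    chmod 444 "$img" "$img.log"
    # An empty digest means hashing failed, so it never counts as a match.
    [ -n "$src_md5" ] && [ "$src_md5" = "$img_md5" ]
}

# verify IMG: re-hash the image and compare it with the digest in IMG.log.
verify() {
    logged=$(sed -n 's/^image=.* md5=//p' "$1.log")
    [ -n "$logged" ] && [ "$(md5_of "$1")" = "$logged" ]
}

if [ "$#" -eq 2 ]; then
    acquire "$1" "$2" && verify "$2" && echo "image verified: $2"
fi
```

Running verify again before each analysis session shows whether the working copy still matches the digest recorded at acquisition.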

AlanOne
Newbie
Joined: Nov 19, 2005
Posts: 233
Location: Illinois

Posted: Fri Dec 08, 2006 3:10 am

I'm able to attach mine to a USB port and connect to it. The computer should read it as a flash drive. I've used FTK Imager to image it and X-Ways Forensics to analyze it. I haven't done anything extensive with it yet though. Just snoop around.

Tim, CCE

Prickaerts
Newbie
Joined: Jan 03, 2006
Posts: 255
Location: The Netherlands

Posted: Fri Dec 08, 2006 4:35 pm

Regarding the "Write protect" switch, I would advise using a USB write blocking device.

We've had instances where the write protect switch on a device does nothing (not PSP by the way).

Chris

dnmalott
Newbie
Joined: Dec 06, 2006
Posts: 15
Location: savannah ga

Posted: Fri Dec 08, 2006 10:02 pm

AlanOne wrote:
I'm able to attach mine to a USB port and connect to it. The computer should read it as a flash drive. I've used FTK Imager to image it and X-Ways Forensics to analyze it. I haven't done anything extensive with it yet though. Just snoop around.

Tim, CCE


I have FTK imager, but the device isn't recognized....Is it passworded, write protected, or what? Also, was your snooping of value? Any emails saved? I'm involved in a child molestation case (PSP is the girl's), we don't have the suspect computer.

dnmalott
Newbie
Joined: Dec 06, 2006
Posts: 15
Location: savannah ga

Posted: Fri Dec 08, 2006 10:27 pm

jcw wrote:
Get a Memory Stick Duo reader and attach it to a FreeBSD or Linux box.
After it is attached, dmesg | tail to see what the device name is (in FreeBSD I am 99% sure that it will be "da0").

Then use dd to create your image:

dd if=/dev/da0 of=$HOME/psp.img

Once you have the device imaged, you can search through the file, attempt to mount it on any number of platforms, duplicate it, etc.

There should be a write-protection switch on the back of the card. If there is not (the stock 32 meg unit on my beloved PSP does not), examine a 3rd party card to see where the switch is and what it does. Worse comes to worse you can always use tape or elmer's white glue (which is easily removed) to simulate the write protect switch temporarily.

Make sure the card is write protected before you attempt insertion for imaging.

After the image has been produced, use md5 to hash the image and the card:

md5 /dev/da0
md5 $HOME/psp.img

The hashes should be the same.

chmod 444 the psp.img file to inhibit unwanted and potentially hash-changing writes.

EnCase, Mac Forensics Lab, and Sleuthkit should be able to handle this image.


jcw
PS: I am looking for work in the Philadelphia, Chicago, NYC, or Persian Gulf and I am willing to relocate.



You sound like you know what you're talking about. I use FTK or EnCase for imaging, but the problem now is that the device isn't recognized or assigned a drive letter (needed for EnCase). FTK can see just a "USB device," but it isn't there...
PS. I believe that Digital Intelligence has an office in Chicago, and my mentor when working on EnCase Certification was in Chicago. Contact me for more info at dnmalott@yahoo.com

Prickaerts
Newbie
Joined: Jan 03, 2006
Posts: 255
Location: The Netherlands

Posted: Fri Dec 08, 2006 10:30 pm

Hi dnmalott,

My experience is that if FTK does not recognize the volume/file system you can do a DD acquire, but the resulting image will still remain a mystery for both FTK and Encase.

Regardless, it is always good to get a DD.
You can always try to carve it using a tool such as scalpel.

Cheers,

Chris

AlanOne
Newbie
Joined: Nov 19, 2005
Posts: 233
Location: Illinois

Posted: Sat Dec 09, 2006 2:10 am

dnmalott wrote:
AlanOne wrote:
I'm able to attach mine to a USB port and connect to it. The computer should read it as a flash drive. I've used FTK Imager to image it and X-Ways Forensics to analyze it. I haven't done anything extensive with it yet though. Just snoop around.

Tim, CCE


I have FTK imager, but the device isn't recognized....Is it passworded, write protected, or what? Also, was your snooping of value? Any emails saved? I'm involved in a child molestation case (PSP is the girl's), we don't have the suspect computer.


I was thinking, when you are hooking the PSP up to a PC, are you selecting the "USB connection" option under "Settings" on the PSP? When you hook a PSP up to a computer, it does not automatically connect via USB. You have to go to that menu option and select it before the computer will see it. Just an idea...

The only thing I have done with the PSP so far is look at the information it saves when used as a web browser. The PSP stores web sites visited, typed history, and bookmarks. The website cache is only stored on the 2MB internal memory. I have not found a utility that will allow the capture or examination of the 2MB internal memory. I've been keeping my eye out for a homebrew package that will allow you to get to it.

Tim, CCE

nn
Newbie
Joined: May 30, 2008
Posts: 1

Posted: Sat May 31, 2008 10:06 am    Post subject: Sony PSP

My recommendation is to look at "Pandora Battery" and something called Time Machine. It will let you put firmware on your own memory card, boot off it (by way of the special battery telling the PSP to boot from memory stick rather than internal flash). If you place a utility such as PSP filer on your memory stick in the psp/game/ folder, you will have access to the flash0 and flash1 contents, which you could retrieve via USB and analyze. Feel free to PM if you need more information. The main point, obviously: don't try to install the custom firmware onto the flash0, simply run it from Time Machine on your own MS. You should already know how to image a MS card if you're in these forums with a 5$ USB reader.

All times are GMT + 10 Hours