Forensic Profiling of an eBook Reader - a practical example

Introduction Ebook reader forensics Building the timeline
Forensic Proﬁling of an eBook Reader
A practical example
Mario Piccinelli
mario.piccinelli@ing.unibs.it
University of Brescia
Dept. of Information Engineering
Brescia, Italy
Mario Piccinelli mario.piccinelli@ing.unibs.it Forensic Proﬁling of an eBook Reader

Outline
1 Introduction
2 Ebook reader forensics
Ebook readers
Our example reader: Sony PRS-650
Accessing the data
Exploring the data
3 Building the timeline
Collected data
Sony Ebook Reader Time Proﬁler

Forensics Research
Aims to support investigatory and judicial processes by ﬁnding
traces in otherwise apparently unpromising raw material from
which it is possible to build a picture of events and activities.

Forensics Proﬁling
The study and exploitation of traces in order to draw a proﬁle
relevant to the investigation about criminal or litigious activities.
While traces may not be strictly dedicated to court use, they may
increase knowledge of the subject under investigation.
So, in this context every trace can be precious.

Ebook readers
Ebook readers are portable electronic devices designed primarily for
the purpose of reading digital books.

Ebook readers forensics
Ebook readers are often ignored by forensics examiners because of:
Lack of interest (not as interesting as smartphones, of course).
Lack of knowledge (which kind of data could I ﬁnd in this
device?).
Lack of instruments and protocols (each device diﬀerent from
the others, no standard procedure for examination).

Ebook reader forensics
As stated before, ANY kind of information can be useful during an
investigation. So, why ignore an ebook reader found on a crime
scene or in possession of a suspected oﬀender?
Each ebook reader is diﬀerent from the others, so at this stage we
can’t build a standard analysis protocol. In this presentation we
will work with a widely available modern ebook reader, the Sony
PRS-650.

Just to be clear..
I don’t work for Sony.
And surely this work is not endorsed in any way by Sony. It’s just
that I own this ebook reader, so I worked on it. Most of the
following results could be achieved with other ebook readers from
other vendors.

Sony PRS-650
The PRS-650 is a modern ebook reader manufactured by Sony.
E-paper display (6 inches, 800x600 pixels).
Main input: resistive touch screen.
Secondary input: 5 buttons.
OS: MontaVista Linux.
Storage: 2GB of internal ﬂash memory.
Other: removable SDHC and Memory
Stick PRO duo.

Sony PRS-650
Sony PRS-650 supported data:
Electronic books. Supported formats: E-book EPUB, Adobe
PDF, Microsoft Word, TXT, RTF, BBeB.
Audio ﬁles. Supported formats: MP3 and AAC without DRM.
Pictures. Supported formats: JPEG, GIF, PNG, BMP.

Sony PRS-650
Sony PRS-650 OTHER data:
Bookmarks.
Words highlighting.
Hands-free notes on books.
Hands-free and typed memos.
Books access and use.
Built-in dictionaries use.

Sony PRS-650
Sony PRS-650 OTHER data:
Bookmarks. ⇐ Timestamps
Words highlighting. ⇐ Timestamps
Hands-free notes on books. ⇐ Timestamps
Hands-free and typed memos. ⇐ Timestamps
Books access and use. ⇐ Timestamps
Built-in dictionaries use. ⇐ Timestamps
Timestamps help us draw a proﬁle of the user.

Accessing the data
PRS-650 provides an USB
interface to connect with host
computer. Sony provides
software to manage ebooks,
pictures, audio, notes and so
on (there are also open source
alternatives, such as Calibre).
But..

Accessing the data
The usb connection with the device is seen as a simple mass
storage, and can be treated with standard forensics procedures.
The reader is seen as four mass storage
devices.
One for the main storage area
(FAT32).
Two for the removable cards.
One for the installation ﬁles area
(FAT16).

Accessing the data
The data we are looking for is
stored in the main storage area
and in the removable cards (if
used). The structure is
replicated on each of these,
and starts from the ”database”
folder.

Media content
The folder ”media” contains
the multimedia elements
described before: audio,
pictures, books and notes.

Notes
The device can be used to
produce ”notes”. Notes can be
written on a virtual keyboard or
drawn on the touchscreen. In
both cases the are stored in
ﬁles with extension ”.note”, in
the ”notepads” directory seen
before.

Notes
The files with extension ”.note” are XML files. They can contain
drawn or typewritten notes.
Note the ”createDate” field. 1280660410000.000 in Unix time
(milliseconds) is Sun, 01 Aug 2010 11:00:10 GMT.

Markup folder
The folder ”markup” contains
a reproduction of the portion of
the ﬁlesystem in which the
ebooks are stored, starting
from the root dir. The root
element, i.e. the book itself, is
represented here by a directory
containing graphical ﬁles for
hands-free notes drawn on the
book.

Markups
For each note drawn on a book, two ﬁles are stored: a
low-resolution JPEG picture of the page with the note, and a
vectorial SVG description of the note itself.

Thumbnails folder
The folder ”thumbnails” has
the same structure of the
”markup” folder previously
described. For each multimedia
element on the device (not just
books) here is stored a
black-and-white thumbnail.
The creation date of the
thumbnail is the date of the
ﬁrst use of the reader after the
multimedia element has been
loaded on the device.

Cache folder
The ”cache” folder contains data related to the multimedia files
hosted on the device (or on the removable media). The data is
stored in XML files, created/updated when there could have been
a change in the multimedia content (removable media inserted,
device disconnected from host computer).
The cache folder in the removable media is slightly different, but
the file contents are almost the same.

Media.xml
The file ”media.xml”
contains a record for
each multimedia
element with
element-specific
information. Note the
”date” string, with the
creation date of the
file, and the bookmark
date.

cacheExt.xml
The ﬁle ”cacheExt.xml” contains a record for each multimedia
element in the device. For the ebooks records, the most interesting
sections are:
Current position.
History.
Markups.
Preferences.

cacheExt.xml: current position
The ”current position” ﬁeld describes the last position of the
document which was shown on the device. Note the timestamp
data.

cacheExt.xml: history
The ”history” ﬁeld contains a record for each time a page was
turned (max 100 elements), along with timestamp data.
This is one of our major sources of forensics data.

cacheExt.xml: markups
The ”markups” field contains a record for each markup in the
book, each with its creation timestamp. The different kinds of
markups are:
Annotation (highlighted words).
Freehand (freehand drawings).
Bookmark (bookmarked pages).
There is also a field named ”deletedMarkups”, with data about the
deleted markups. In these markups the date field holds the date in
which the markup was deleted (the creation date is lost).

The following is the record for the highlighting of a word.

The start and end position for the aforementioned markup are
filetype-specific and encoded in base64. After being decoded, they
appear like:
T1BTL0hldHR5X0ZlYXRoZXJfMDEwX2NoYXB0ZXIwMS5odG1
sI3BvaW50KC8xLzQvMi8yOC8xOjYpAA==
⇓ Base64 Decoder
OPS/Hetty_Feather_010_chapter01.html
#point(/1/4/2/28/1:6)
This form is EPUB specific.

The following is the record for a freehand drawing on the book.
Note the names of the two ﬁles shown before.

cacheExt.xml: preferences
The node ”preferences” contains user-deﬁned preferences about
the reading of the book (brightness, contrast, ..). The interesting
thing is that this node also stores information about the access to
the built-in dictionaries.

Building the timeline
In our analysis we collected a lot of timestamps, giving a clear
picture of how the owner used the device, when he did it and how
often.
For example, we found the timestamps for the following
operations:
last reading of a document;
creation date of a document;
creation date of a note;
reading of a page of a document;
creation and deletion of markups;
look up for words in the built in dictionaries.

Building the timeline
To analyze this data, we built a Python script to collect these
timestamps from the relevant files, order them and plot the
resulting timeline.
The script, which we named ”Sony Ebook Reader Time Profiler”,
is available for download at: http://github.com/PicciMario/
Sony-Ebook-Reader-Time-Profiler
The bundle is made by a python script which scans a directory
searching for ”cache.xml”, ”media.xml” and ”cacheExt.xml” files
and builds a data file, and a GnuPlot script to create a plot from
this data file.

Sample results
Sample graph: usage of the reader in a 2 months span.
X axis: time.
Y axis: book involved in the event.

Sample results
Sample graph: usage of the reader in a ten minutes span, for a
single book.
X axis: time.

Conclusions
Virtually each action performed on the device is logged.
It is possible to build a forensically sound timeline.
The evidence gathered this way could be used in court to:
draw a behavioural proﬁle of a suspected oﬀender;
support or deny an alibi;
provide additional useful information about the owner.

Conclusions
Thanks for listening!
Mario Piccinelli
Graduate Student in Computer Sciences
Digital Forensics Practitioner
Dept. of Computer Sciences
University of Brescia, Italy
mario.piccinelli@ing.unibs.it

Forensic Profiling of an eBook Reader - a practical example

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (13)

Último

Último (20)

Forensic Profiling of an eBook Reader - a practical example