It’s all in the upfront policies, handling of PDA evidence and knowledge of the incident team. Pictured are coauthor Dr. Eamon Doherty and a law enforcement officer practicing imaging a hard drive and then a PDA.


It’s the history of security – good and helpful things, in the wrong hands, can be threatening and harmful.

Personal data assistants, also called personal digital assistants, started as small “electronic organizers” in the 1970s that originally held limited data such as address books, calendars and to do lists.

In the 1980s, connectivity with computers became possible through the 9 pin serial port. In 2006, such devices morphed into small computers with miniature color screens, wireless Internet connectivity, e-mail applications and light versions of Microsoft Office. The HP hx2490 is one example of a commonly used PDA with wireless, Bluetooth and infrared connectivity.

LEGIT USES OF PDAS

Some corporations provide PDAs to employees after they sign various policies to govern use. They are then free to use PDAs to increase productivity by watching training videos, exchanging documents and keeping current with both office and customer e-mail while out of the office.

The problems and challenges stemming from corporate PDAs are as wide and deep as cyber security issues in general – theft of information, sexually and otherwise inappropriate messaging and communications, download and transmission of child pornography and other restricted or illegal data, and so on.

Seizing electronic devices can be a legal dilemma because many PDAs used in the workplace are purchased using personal funds. Furthermore, personal communications and business communications and data may be mixed on the same electronic device, establishing further complexity in the legal forum. To face these legal challenges, many enterprises, chief security officers and general counsels with foresight will create policies that proactively address employees using personal handheld devices such as PDAs carrying company data in and out of company space. These policies should also address device surrender issues and be signed, dated and notarized. If the PDAs are provided by the company, the same rules that govern laptop computers regarding surrender and monitoring should also apply to other digital devices.

INCIDENT RESPONSE AND SECURITY

If there is an allegation of misusing a PDA, then there needs to be an incident response team (IRT) which can act quickly according to an incident response policy to seize a PDA before the involved person has an opportunity to wipe the data or destroy the device. The chief security officer may also wish a member of his or her physical security staff to accompany the IRT because of potential workplace violence when an employee is confronted with an allegation. Sometimes it might even be beneficial to work with IT to have the suspected employee turn over his or her device for “upgrades” so that an examination can be done. This saves the employer from making a “too-soon” allegation and from the embarrassment if the suspected data is not found on the device. While this may create some further legal challenges, recognize that many enterprises covertly image employee hard drives over the network to conduct forensic analysis without the employee’s knowledge or permission.

This type of activity is all governed by the use agreement mentioned earlier.

Once the PDA is collected, it is recommended to seize any chargers, extra batteries, cables, manuals and software if possible so that volatile data is not lost if the investigation is delayed. If the same devices are used company-wide, this will not be an issue and if a charger cannot be found, a replacement can be easily located on the Internet.

PROTECT PDA FROM TAMPERING

It is a good idea to also put the device in a Faraday bag, which looks like an aluminum bag, to prevent further connectivity with other wireless devices and thus avoid potential evidence tampering or manipulation. A member of the IRT usually starts a chain of custody form showing what was taken and where it was processed and stored, just as an investigator would do with any other evidence.

What starts out as a policy investigation may ultimately become a police investigation, particularly in cases involving intellectual property theft, child pornography or harassment.

Paraben’s Device Seizure is one tool on the market which allows for PDA seizure. While the tools are relatively simple to use, it is recommended that security personnel focus on seizing and preserving the evidence. They should be trust credentialed security and computer forensic professionals using best practices for examination and reporting of the digital evidence. A certified and/or licensed examiner will not only be more qualified to find and report the evidence, but will be able to testify in court as to how that evidence was obtained from an electronic device. It is good for police, academics and private corporate security professionals to try out digital forensic tools with PDAs, cell phones, and hard drives and discuss best practices.