Friday, April 16, 2010

Additional Thoughts on Kindle Forensics

We're in an exciting time in digital forensics. It seems like each week we have a sharp digital forensic researcher discovering some new method or creating a new tool for us. We have seen incredible advances in traditional hard drive forensics and we have the wonderful and relatively new world of mobile device forensics to explore.

I've been doing digital forensics many years now and one of the things I've noticed about digital forensics people is that we sometimes tend to engage in catastrophic thinking when it comes to advances in technology and the future of digital forensics. We've all seen the various predictions that hard drive sizes, thin clients, encryption and other advances would spell the end for digital forensics. In fact, these advances show that our skills will become more in demand. However, we will have to constantly keep our edge sharp or we will fall behind. There will always be some sort of digital technology that will require a digital forensics practitioner to examine. Digital forensics will no more fade way than will technology or law, but it will be a constantly changing field.

The Kindle is a great example of how technological advances will provide examiners new opportunities for their examinations, but why examiners need to invest a considerable amount of time keeping their technological edge. The Kindle isn't a computer and it's not a cell phone, but it has qualities of both.

I recently received an Amazon gift certificate from a friend of mine. Amazon can distribute their gift certificates through email. In this case, the gift certificate was sent to my email address and included a code that I could enter into my Amazon profile to credit my account for the proper amount. Of course, I used that amount to purchase several books for my Kindle.

The Kindle book store can be accessed by the Kindle itself through the device's 3G network connection. There isn't any need to connect the device to a computer to download purchased content like you would for something like iTunes. You merely access the Kindle store via your Kindle device and you can purchase your books using your Amazon account. Another option is that you can log onto the Kindle bookstore on a computer using the Amazon website. You can then shop for Kindle books, purchase them through the website and have the content delivered to your Kindle via the wireless network. This is what I did with my gift certificate and after I had made my purchase, I picked up my Kindle and the books were on my device.

Great stuff for the consumer, but something that a forensic examiner would need to be very aware of when dealing with the Kindle as evidence. The last thing you want is to have a Kindle sitting in your evidence room waiting to be examined and to have additional content land on the machine and potentially overwrite existing evidence.

My advice is to treat the Kindle like you would any other mobile device examination up to and including using a shielded environment where the device can't phone home. A good research project for someone would be to determine whether or not it's safe to keep the device outside of a shielded environment if the 3G network is disabled by the examiner.


3 comments:

  1. Hi Eric. My name is Marcus Thompson. I came across your blog from a simple Google search of "Kindle Forensics." I am a first year Master's student at Purdue, and I am considering doing research on my new Kindle. Have you done any more work on this or do you have further suggestions for research? Thanks!

    ReplyDelete
  2. Thanks very much for the comment, Marcus. No, I haven't done anything additional with this topic since I first put this information out. I realized that I wouldn't have a lot of time to dig into it which is one of the reasons I put the information on the blog. I figure people like you could take what I found and run with it to create something cool for the community. Good luck!

    ReplyDelete
  3. Thanks for the response, Eric. I have my broad topic of Kindle Forensics approved by my professor. I will be sure to let you know what I find at the end of this semester.

    ReplyDelete