1. Using a Digital Intelligence Tableau Ultrablock USB write-blocker, I connected my forensic computer to the device through the micro-USB cable that was provided with the Kindle.
2. Realizing that it was necessary to power on the device, I did so. I noted the date/time to compare this with the date/time stamps that were likely to change upon boot.
3. When powered on, I immediately checked to ensure the 3G/Wireless was turned off. Select "Menu", toggle the five-way controller up to "Turn Wireless Off" and select the five-way controller (center button). Alternatively, I could conduct the acquisition within our Faraday tent.
4. Using FTKImager v184.108.40.206, identified the physical drive attributed to the Kindle.
5. As noted, the drive recognized as "Kindle Internal Storage" with a size of 3240MB. I noted that this differs from the stated size of the device (4GB). Specifically, Amazon states the device has "Storage 4GB internal (approximately 3GB available for user content)." I then acquired the physical drive as a RAW (DD) format to allow a more robust selection of analysis tools.
Here's what the partition looks like:
And contents of the "documents" directory:
6. Made note of the filesystem, and VBR header - as noted in the following screenshot.
The filesystem is FAT32, formatted with mkdosfs - DOS formatting within a Linux environment. From looking at the USER partition which was available, I'm asking whether the SYSTEM partition is ARM Linux Kernel (?).
While admittedly, my Kindle had not been populated with a lot of user interaction, the Kindle definitely does not appear to readily give up information. It was obvious what books and documents were on my Kindle, and what the last document I accessed was, but as far as other artifacts, my brief analysis was not overly productive. I have surfed the Internet, opened several websites and likely populated the device with considerable Internet History. I could not readily locate any of this history.
Just for heck of it, I through Jad's Internet Evidence Finder at it - nothing. I'm thinking that a GREP search for Internet History might have more success. I'm also interesting in running a search for my Wireless Access Point SSID and see what other artifacts might show up.
Other things I found:
- IMEI (3G) information on the device.
- lots of deleted information.
- a significant number of dictionary terms (including in the unallocated space).
Eric Huber has a posting on the Kindle at A Fistful of Dongles - more great information.
More to come....perhaps I'll see how a boot CD such as Caine interacts with the device. I'm going to continue to see what the imaged USER image is willing to give up in terms of forensic artifacts. ps..EnCase will also be involved.
Any thoughts or ideas are welcome.