
FREQUENTLY ASKED QUESTIONS FOR DEVICE SEIZURE


For registration questions, please visit the Registration FAQ page.

Q: I installed Paraben's Device Seizure. When I rebooted my computer, I got an error message saying 'The requested operation was unsuccessful' listing an error with 'lsass.exe'.
A: The error message listed above is a common message associated with the installation of Microsoft ActiveSync, not with Device Seizure. This error is caused by a corruption in the registry and only occurs when you install ActiveSync. Luckily this is an easy fix. Press F8 during boot and select "Last Known Good Configuration" from the menu. This will restore the corrupted registry key to the system, and all should operate without error. Once the registry is repaired you will not receive this error in the future unless you redo your entire system, in which case you would need to repeat the repair above. Sadly, Paraben has no control over this error because it is associated with ActiveSync, not with Device Seizure.

Q: What platforms does Device Seizure officially support?
A: Device Seizure officially supports Microsoft Windows 2000, Windows XP and later. Windows 95, 98, and ME are NOT supported.

Q: Does this mean Device Seizure won't run on Windows 95, 98 and ME?
A: Not necessarily. Device Seizure may run on those platforms, but they aren't supported.

Q: When syncing a Palm PDA device, it says the port is used by another application. What's wrong?
A: Usually, this happens because the machine that Device Seizure is installed on also has the Palm Desktop HotSync manager running. Disable the HotSync manager and the acquisition procedure should proceed as normal. This can also be caused by the device being in console mode. To ensure this is not the problem, perform a soft reset by pressing the indented reset button on the back of the device; it may be under the battery cover.

Q: When I try to acquire my Palm III, Device Seizure keeps losing its connection. What is wrong?
A: On some of the Palm devices, an automatic screen saver will start if the device seems idle. Because Device Seizure is a non-intrusive process, the screen saver will turn on. Simply tap on the screen of the device during the acquisition to ensure communication is continuing.

Q: When syncing my Palm PDA it keeps losing connection between the desktop and the device, what is wrong?
A: Usually, this is caused by an overflow in the port. This can be remedied by adjusting the speed of the acquisition through the COM port to the lowest speed and then starting acquisition again.

Q: What do I do if the device has a password?
A: If the device has a password, the password must be recovered for the acquisition to commence. There are many good tools available for password recovery. Paraben recommends the use of its own password recovery software, Paraben's Decryption Collection. In order for the recovery to be done on the Palm, the examiner must have access to the desktop machine the Palm synced with. In the future, other methods for recovery will be explored for Device Seizure. If the device is below Palm OS 4.0, the override password option can be used through the main acquisition dialog.

Q: Does information on the device change when I acquire the data?
A: Because PDAs store all data in memory it is impossible to not have a slight change occur in the acquisition process. However, the changes that occur are so minor that they do not affect the integrity of the user's data.

Q: Device Seizure shuts down after 10 minutes into acquisition?
A: Chances are that you are running a personal firewall on the same machine that you are using Device Seizure on. The personal firewall will block the communication between your device and the computer. Disable the firewall and start the acquisition process again.

Q: What is the "ignore_my_docs" file?
A: This is a zero-byte file on the storage card or ROM file store. It was created to help people who had trouble finding data on their storage card unless they had specifically created a \My Documents\ folder. Pocket PC 2002 now looks at the storage card when you insert it. If \My Documents\ doesn't exist, it puts a hidden file called "ignore_my_docs" on the card. It also does this on the HP Safe Store or iPAQ File Store. So, what does it do? Pocket PC 2002 apps see this hidden file and look at the root of the storage card for everything. The file itself does not change in the process of acquisition.

Q: Why does the file "DB_notify_register" change when I acquire the device?
A: The file DB_notify_register is changing all the time. Simply plugging the WinCE device into the charging cradle changes it. Windows CE handles two types of notification events: timer events and system events. Timer events indicate that a specified time has arrived, such as an appointment or a meeting. System events are triggered when the device encounters a change, such as AC power connection or disconnection. To support these two types of notification events, the base notification engine maintains two databases: DB_notify_queue for timer events and DB_notify_register for system events.

Q: How do I put my Palm OS 5 unit into console mode?
A: Palm OS 5 units only require one . (dot) to place the device into console mode as opposed to the traditional two dot method with other devices.

Q: I am getting a signal while my phone is in the Wireless Stronghold Bag, why is that?
A: The most common reason is improper utilization. Please refer to this document: ftp://customer:bodyrazemust@207.108.168.225/Device_Seizure/STRONGHOLD.doc

Q: I'm trying to install Device Seizure and I keep seeing this error message: .NET Framework 1.1 not installed. What's wrong?
A: This problem is happening because Microsoft's .NET Framework 1.1 isn't currently installed on the machine. To fix this error you simply need to install .NET Framework 1.1 which can be found on the Microsoft website or you can find it on the Device Seizure CD within Programs-Device.

Q: What brands of cell phones are currently supported with Device Seizure?
A: We currently support a broad range of Ericsson, Motorola, LG, Nokia, Samsung, Siemens and Sony/Ericsson model phones.

Q: Does Device Seizure support the acquisition of SIM cards that are located in many GSM phones?
A: Yes, Device Seizure supports full acquisition of GSM SIM cards from all manufacturers.

Q: I have Device Seizure and a pile of cell phones but I can't find the correct data cable to connect the phone to the PC. Where can I find the correct data cables?
A: Paraben offers a Device Seizure Toolbox that includes most of the data cables you will need for Ericsson, Motorola, Nokia, Samsung, Siemens and Sony/Ericsson model phones as well as most PDAs and Smartphones. For more information on the Paraben Device Seizure toolbox, you can check it out here. As new software support is added, we also add new cable connection support.

Q: The Paraben Device Seizure Toolbox doesn't include the cable that I need. What now?
A: Paraben will be happy to help you locate the cables you require. Please send an e-mail to forensicsupport@paraben.com.

Q: Does Device Seizure support the acquisition of PDA phones such as the Treo, BlackBerry, and others?
A: Device Seizure supports PDA phones or Smartphones using one of the PDA OS plugins (e.g. a Palm Treo 650 would be run as a Palm OS device). If your device's operating system is not supported, then the device is most likely not supported either.

Q: I have a question with Device Seizure and can't find the answer in the FAQ or Help File. Where can I get more help regarding Device Seizure?
A: Paraben has an online forum located at http://www.paraben-forensics.com/forum. You can find more answers to questions as well as post new questions and comments there. We also have e-mail support for Device Seizure. You can reach us by sending an e-mail to forensicsupport@paraben.com with your question or problem or you can call the Paraben offices directly.

Q: I acquired a GSM phone and later on I acquired the same GSM phone and I had more results the second time around. What is causing this?
A: The first time you performed the acquisition the SIM card in the phone hadn't fully initialized yet. When you power a phone with a SIM card in it, it takes anywhere from one to three minutes for the SIM card to fully initialize. If you perform the acquisition before the SIM card is done initializing, then Device Seizure won't be able to acquire all the data located on the SIM card. The solution to this is to wait one to three minutes before starting your acquisition.

Q: I have X phone from Y manufacturer and I get the message that the phone isn't supported. Why isn't this particular phone supported yet?
A: There are currently thousands of models of phones on the market and new phones are being introduced every day. It is impossible for Device Seizure to support and test every make and model that is available. We are trying to add support for all the most popular model phones on the market and are adding more model support every month. If you have a model that isn't currently supported, please follow these instructions for submitting log files:
  1. Once the device is connected properly, begin the acquisition.
    • When acquiring a PDA, you will need to create the following folder: C:\Program Files\Paraben Corporation\Device Seizure\logs. This is where logs for PDAs will be located.
  2. After the acquisition finishes (timeout, error, problem), close Device Seizure.
  3. Browse to the location that Device Seizure was installed.
    1. Default C:\Program Files\Paraben Corporation\Device Seizure.
    2. If the device is a phone, the logs should be here. If the device is a PDA, they will be in the logs folder in this directory.
  4. Find the log that corresponds to the manufacturer of the phone you tried to acquire. The log files will be named: siemens.txt, sonyericsson.txt, motorola.log, nokialog.txt, or samsung_log.txt.
  5. Please rename the log file to include the model number of the phone. For example, motorola.log is renamed to motorola_c331.log.
  6. Check the size of the log file to ensure that information from the acquisition was captured. If the file is a zero byte file, try acquiring the phone again.
  7. Once the log file has been renamed, place the file in a .zip archive to ensure that when we receive the file the data has been unaltered. Some mail servers alter the data contained in .txt files. Sending it in a zip file ensures that this does not happen.
  8. Send an e-mail to cslogs@paraben.com with the zipped log files attached. Also include information such as your name, the make and model of the phone in question, and a description of the problem that occurred.

Q: I have a bunch of devices lying around that I will never use ever again. Could Paraben use these phones?
A: Yes, yes and YES! Paraben is always in need of more phones for testing and adding support. If you have a device that you would like to donate to Paraben please send an e-mail to donations@paraben.com. People that donate phones will also receive a free Paraben polo shirt as a way of saying thanks.

Q: Can Device Seizure recover deleted text messages from the phone and the SIM card?
A: Yes. Device Seizure can recover deleted SMS text messages from SIM cards and phones. However, there is a possibility that some data recovered will be in fragments and not complete. This all depends on when the message was deleted and what other information had been written to the phone or SIM card.

Q: Can Device Seizure acquire graphics/pictures from cell phones?
A: Depending on the make and model of the phone, yes, Device Seizure can acquire pictures that are either downloaded or created through the use of the built in camera.

Q: What reporting options are available in Device Seizure?
A: Currently Device Seizure generates reports in HTML (TreeView and Simple) and in text (Simple Text, which is a tab-delimited text file). More reporting schemes will become available in the future.

Q: I thought that Device Seizure was adding support for Excel in the reports. Why doesn't it?
A: Device Seizure does not generate an .xls Excel file. However, once you have generated a tab delimited text report, you can select all the data (CTRL-A) and paste it into a blank Excel workbook (CTRL-V). Once you do this, you can format the cells to fit the data. Now you have a Device Seizure report in Excel format.

Q: How is the MD5 calculated with Device Seizure?
A: The MD5 is calculated just after the data is acquired from the device. You can see the MD5 for each binary data entity in its properties. This MD5 is the exact hash of the binary data portion, which can be stored to disk from hex view for any binary entity (image, sound, etc.). The MD5 value that you see in the workspace view in the properties window is calculated just once and stored in a database, so it reflects the original data state. The same MD5 goes into the report, where it is shown near the file info.

So you can check data integrity by doing the following:
  1. Store the data entity from the hex view and then calculate its MD5 with any external tool. Then compare the calculated MD5 to the one shown in the properties window; they should be equal to prove data integrity (when you store the file to disk, its MD5 is calculated automatically and stored near the file itself).

    For the report, you can calculate the MD5 for data files stored in the report files directory (find the exact file by following the link) and compare it to the MD5 shown in the report in the file info.
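
The comparison described above can be scripted when many entities have to be checked. This is an added example, not part of Device Seizure or Paraben's documentation; the file names and the `recorded` mapping (MD5 values copied by hand from the properties window or report) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so large exported images do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(md5_text):
    """Accept hashes copied by hand: upper case, spaces or colon separators."""
    cleaned = "".join(c for c in md5_text.lower() if c in "0123456789abcdef")
    if len(cleaned) != 32:
        raise ValueError(f"not an MD5 value: {md5_text!r}")
    return cleaned

def verify_exports(export_dir, recorded):
    """Compare each stored entity with the MD5 recorded at acquisition.

    recorded maps file name -> MD5 text (a hypothetical hand-built mapping,
    not a Device Seizure file format)."""
    results = {}
    for name, md5_text in recorded.items():
        path = Path(export_dir) / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of_file(path) == normalize(md5_text):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "photo_001.jpg").write_bytes(b"constructed image bytes")
        Path(tmp, "ring.mid").write_bytes(b"constructed audio bytes, altered")
        recorded = {
            "photo_001.jpg": hashlib.md5(b"constructed image bytes").hexdigest().upper(),
            "ring.mid": hashlib.md5(b"constructed audio bytes").hexdigest(),
            "memo.txt": "D4 1D 8C D9 8F 00 B2 04 E9 80 09 98 EC F8 42 7E",
        }
        return verify_exports(tmp, recorded)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```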

Q: When I acquire a SIM or a phone, I see SCA and OA in the "Deliver SMS" category of the report. What do SCA and OA stand for?
A: SCA - Service Center Address
This term is used to identify the recipient's address; thus, on a sent or unsent message this would be the other phone, and on a received message the suspect's phone.

OA - Originating Address
This term is used to identify the sender's address. On a sent or unsent message this would be the suspect's phone, and the reverse for a received message.

Some other common abbreviations are:

SCTS - Service Centre Time Stamp
Information element by which the SC informs the recipient MS about the time of arrival of the short message at the SM-TL entity of the SC. The time value is included in every SMS-DELIVER being delivered to the MS.

VP - Validity Period
Parameter identifying the time from where the message is no longer valid.

DA - Destination Address
Address of the destination SME.

RA - Recipient Address
Address of the recipient of the previously submitted mobile originated short message.

SCTS - Service Center Time Stamp
Parameter identifying time when the SC received the previously sent SMS-SUBMIT.

DT - Discharge Time
Parameter identifying the time associated with a particular ST outcome.
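
To show where the SCA, OA and SCTS values in a "Deliver SMS" entry sit in the raw data, the following added example (not Paraben's code) splits an SMS-DELIVER PDU into those fields. It assumes the standard GSM 03.40 layout (SCA field, first octet, OA, PID, DCS, SCTS, user data); the sample PDU and its phone numbers are constructed, and the century pivot for the two-digit year is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed SMS-DELIVER PDU with fictional numbers (not from a real device).
SAMPLE_PDU = "07915155100099F9040B915155100021F300005060419003510A02C834"

def swap_bcd(octets):
    """Semi-octet BCD: the low nibble holds the first digit, 0xF is padding."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")

def read_address(buf, pos, length_in_digits):
    """Return (number, next position). The SCA length octet counts following
    octets; the TP-OA one counts digits, so the caller says which applies."""
    length = buf[pos]
    if length == 0 and not length_in_digits:
        return "", pos + 1                      # empty SCA has no type octet
    toa = buf[pos + 1]
    n_octets = (length + 1) // 2 if length_in_digits else length - 1
    raw = buf[pos + 2 : pos + 2 + n_octets]
    if len(raw) != n_octets:
        raise ValueError("address field truncated")
    ton = (toa >> 4) & 0x07                     # type-of-number bits
    if ton == 5:                                # alphanumeric sender name,
        return "alnum:" + raw.hex(), pos + 2 + n_octets  # left undecoded
    return ("+" if ton == 1 else "") + swap_bcd(raw), pos + 2 + n_octets

def read_scts(octets):
    """Seven swapped-BCD octets: YY MM DD hh mm ss TZ (TZ in quarter hours)."""
    yy, mo, dd, hh, mi, ss = ((b & 0x0F) * 10 + (b >> 4) for b in octets[:6])
    tz = octets[6]                              # bit 3 is the sign of the offset
    minutes = 15 * ((tz & 0x07) * 10 + (tz >> 4)) * (-1 if tz & 0x08 else 1)
    year = 2000 + yy if yy < 70 else 1900 + yy  # assumed century pivot
    return datetime(year, mo, dd, hh, mi, ss,
                    tzinfo=timezone(timedelta(minutes=minutes)))

def parse_sms_deliver(pdu_hex):
    buf = bytes.fromhex(pdu_hex)
    sca, pos = read_address(buf, 0, length_in_digits=False)
    if len(buf) <= pos or buf[pos] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER (TP-MTI must be 00)")
    oa, pos = read_address(buf, pos + 1, length_in_digits=True)
    if len(buf) < pos + 10:
        raise ValueError("PDU truncated before user data length")
    return {"SCA": sca, "OA": oa, "PID": buf[pos], "DCS": buf[pos + 1],
            "SCTS": read_scts(buf[pos + 2 : pos + 9]).isoformat(),
            "UDL": buf[pos + 9], "UD": buf[pos + 10 :].hex().upper()}

if __name__ == "__main__":
    for field, value in parse_sms_deliver(SAMPLE_PDU).items():
        print(f"{field:5} {value}")
```

The user data (UD) is left as hex; its decoding depends on the DCS value and is outside this example.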