pdd (Palm dd) is a Windows-based tool for memory imaging and forensic acquisition of data from the Palm OS family of PDAs. pdd will preserve the crime scene by obtaining a bit-for-bit image or "snapshot" of the Palm device's memory contents. Such data can be used by forensic investigators, incident response teams, and criminal and civil prosecutors.

pdd has been integrated into Paraben's Device Seizure tool (formerly PDA Seizure), the most popular and fully-supported acquisition and analysis tool for mobile devices (including, but not limited to, Palm OS, Windows CE/Pocket PC, BlackBerry, Symbian, and Psion/EPOC16/EPOC32 handhelds, Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung phones, and GSM SIM cards). A legacy version of pdd is available below.

Version: 1.11 (26 June 2002)
Platforms: Win 95/98/NT/2K (tested with Palm OS v1.0 to v4.0)
Win32: pdd_v1_11.zip
Source: pdd_v1_11_src.zip

This paper introduces pdd and presents the Palm OS internals (hardware, file system, and debugger functionality), pdd details (usage, process, flowchart, and timing), and forensic analysis results (flash memory, record removal and deletion, retrieval of system passwords, and telephony applications). Describes security issues and forensic acquisition and analysis techniques for Palm OS handhelds.

Paper: pdd: Memory Imaging and Forensic Analysis of Palm OS Devices

Published by the Forum of Incident Response and Security Teams in the Proceedings of the 14th Annual Computer Security Incident Handling Conference, Waikoloa, Hawaii, June 24-28, 2002.