The Amazon Kindle is currently the most popular ebook reader on the market. With expected sales of 5 million Kindles in 2010 and up to 11.5 million in 2012, the popularity looks to continue to increase. The Kindle can store a wealth of information, not only limited to ebooks but also notes, music, search information, and other items of interest to a forensic investigator. It can also be used as a USB storage device. With 4GB of internal storage, the Kindle 3 can hold a wealth of data. Other Kindle models have less internal storage but can still valuable suspect data.
Examining the Amazon Kindle
Connecting the Kindle
The Kindle uses a standard Micro USB cable (not to be confused with Mini USB which looks similar but is slightly larger). Attach a Micro USB to USB cable to the USB port on the Kindle and plug the standard USB end into a USB write blocker, such as the WiebeTech USB WriteBlocker™, then connect the write blocker to the forensic workstation (first making sure to disable Disk Arbitration on the Mac first, for an extra layer of protection against accidental mounting of the device).
Imaging the Kindle
Once the Kindle has been connected to a USB write blocker and connected to the forensic workstation, the device should appear in the MacForensicsLab Device/Volume area. Select the "Kindle Internal Storage" device from the Device/Volume area and then click Acquire at the bottom of the window. Set your imaging options and then run the acquisition. Once the imaging is complete (should take only a couple minutes), detach the Kindle device using the Detach option in the 'File' menu of MacForensicsLab and then physically detach the device from the forensic workstation.
Examining the contents of the image
Once the device is detached, re-enable Disk Arbitration using the Disk Arbitration... option in the 'Window' menu. Next, select Attach Disk Image... from the 'File' menu. Select the Kindle image. You may now use MacForensicsLab to examine the contents of the Kindle for items of forensic interest.
