Mobile memory dumps, MSAB and MPE+
Data collection
Information recovery
Analysis and interpretation of results
Physical Extraction
• Physical extraction involves either
– Removing chips from the circuit board and "dumping" their contents (destructive)
– Via a data cable (e.g. service ports on many Nokias)
• Data is supplied in a "raw" form
– Interpretation requires time and specialist knowledge
– Provides a lot of data, including deleted handset information
• JTAG test and debug access port
– A complete forensic image can be produced
– The risk of changing data is minimized
– Not all embedded systems are JTAG enabled
– http://en.wikipedia.org/wiki/Jtag
Hex editors - WinHex
• Color mappings
• Bookmarks
• Structure definitions
• Using the bookmark functionality of WinHex to dissect a deleted missed call record of a partial NOR flash copy from a Nokia 1600 phone
Hex editors – IDA Pro
• In IDA Pro, using IDC scripts or the plugins framework
– Could be used to load data from an embedded system memory that contains data encoding functions and to reverse engineer them to reconstruct relevant system and user information
– A more practical approach is to (ab)use IDA as an advanced hex editor with additional functionality for repeated decoding of memory data
– Examine the dump in 4 steps with the following scripts:
• StructureDefinition.idc, StructureSearch.idc, StructureDecode.idc, InformationExtract.idc
MSAB Forensic Office
• It may not be possible to extract all visible data!
MSAB XRY
MSAB XRY Wizard 1
MSAB XRY 2
MSAB XRY 3
MSAB XRY
SIM Id Cloner
SIM_id-Cloner.pdf
International Mobile Subscriber Identity
http://en.wikipedia.org/wiki/IMSI
http://pt.com/page/tutorials/gsm-tutorial
• IMSI uniquely identifies a subscriber
– Always provisioned in the phone/SIM (GSM), USIM (3G) or CSIM (CDMA)
– Usually 15 digits in length
• Ex. IMSI: 240011234567890
– The first 3 digits are the Mobile Country Code (MCC)
– Followed by the Mobile Network Code (MNC)
• Either 2 digits (EU standard) or 3 digits (North American standard)
– The remaining digits are the Mobile Station Identification Number (MSIN)
IMSI = MCC + MNC + MSIN
• IMSI analysis
– The process of examining a subscriber's IMSI to identify which network the IMSI belongs to and whether subscribers from that network are allowed to use a given network
Integrated Circuit Card Identifier
• ICCID uniquely identifies the SIM card; the issuing service provider and country code can be determined from the ICCID
• International Standard ISO/IEC 7812
– http://en.wikipedia.org/wiki/ISO_7812
– 19 or 20 digits in length and always stored in the card
– Normally printed on the outside (may be abbreviated)
• Issuer Identification Number (IIN)
– Major Industry Identifier (MII), 2 digits, 89 for telecommunication purposes
– Country code, 1-3 digits, as defined by ITU-T recommendation E.164
– Issuer identifier, 1-4 digits (6 digits in total including the MII)
• Individual account identification
– Max 12 digits
• Plus a parity check digit
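Added example (not from the slides, and not MSAB or SIM Id Cloner code): a small Python helper that splits the slide's IMSI and a constructed ICCID into the fields listed above, and validates the ICCID's final check digit with the Luhn algorithm that ISO/IEC 7812 uses. The MNC length (2 or 3) and the E.164 country-code length (1 to 3) cannot be read from the digits alone, so both are parameters the examiner supplies; the ICCID value is made up for the demo.

```python
# Added example: IMSI / ICCID field splitting with a Luhn check on the ICCID.
# Not from the slides or from any MSAB tool; the ICCID below is constructed.

def luhn_check_digit(digits: str) -> int:
    """Luhn check digit for `digits` (the number without its check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn check digit."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split IMSI = MCC + MNC + MSIN.

    mnc_len is 2 (EU style) or 3 (North American style). It is a parameter because it
    cannot be read from the digits alone; the examiner resolves it from the MCC.
    """
    if not imsi.isdigit() or not 5 < len(imsi) <= 15:
        raise ValueError(f"IMSI must be 6..15 digits, got {imsi!r}")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_iccid(iccid: str, cc_len: int = 2) -> dict:
    """Split an ICCID into MII, country code, issuer, account id and check digit.

    cc_len (1..3) is the E.164 country-code length and, like the MNC length above,
    must be supplied by the examiner. The IIN is taken as the first 6 digits.
    """
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError(f"ICCID must be 19 or 20 digits, got {iccid!r}")
    if iccid[:2] != "89":
        raise ValueError("MII 89 (telecommunications) expected")
    if cc_len not in (1, 2, 3):
        raise ValueError("country code is 1..3 digits")
    return {
        "mii": iccid[:2],
        "country": iccid[2:2 + cc_len],
        "issuer": iccid[2 + cc_len:6],
        "iin": iccid[:6],
        "account": iccid[6:-1],
        "check": iccid[-1],
        "luhn_ok": luhn_valid(iccid),
    }


# The IMSI is the slide's example; the ICCID is constructed (MII 89, country code 46,
# issuer 01, a 12-digit account id) with a correctly computed Luhn check digit.
SAMPLE_IMSI = "240011234567890"
SAMPLE_ICCID = "8946012345678901233"

if __name__ == "__main__":
    print(parse_imsi(SAMPLE_IMSI))
    print(parse_iccid(SAMPLE_ICCID))
```

A failed Luhn check on an ICCID recovered from a dump usually means a digit was misread or the value is stored in a different layout, not a bad card, so treat it as a prompt to look again at the bytes.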
MSAB XRY
SIM Id Cloner
• Phones without a SIM Card
• Phones with PIN Locked SIM cards
• Phones with the security lock set
• To recover deleted evidence
• Where SIM cards have been swapped
– Automatic erasure of call lists when the SIM card is changed is a standard feature in most phones
• Possible on handsets with minor damage
• Forensic tools like XRY, UFED and FTS Hex use flash loader techniques for forensic acquisition of data
– Instead of directly using the built-in boot loader functionality, they use the primary boot loader to transfer custom executable code to one of the writable device memories and start executing that code, producing a "dd" dump
UFED Physical Analyzer
MSAB XACT 1
MSAB XACT 2
MSAB XACT 3
Searching
MSAB XACT 4
SMS 7-bit Encoding
SMS - text end start
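Added example (not from the slides or from MSAB): packing and unpacking the GSM 03.38 7-bit default alphabet that SMS text is stored in. The classic "hellohello" test vector is used; the septet count is passed in explicitly because it comes from the PDU's length field and cannot be recovered from the octet count alone. The ESC extension table is not handled.

```python
# Added example: GSM 03.38 7-bit packing/unpacking for SMS text. Not from the slides.

# The 128-entry default alphabet (ESC at 0x1B; extension characters are not expanded).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def unpack_septets(data: bytes, count: int) -> list:
    """Return `count` 7-bit values from packed octets. Septet i occupies bits
    7i..7i+6 of the octet stream read least-significant-bit first."""
    if count > len(data) * 8 // 7:
        raise ValueError("not enough octets for that many septets")
    bits = int.from_bytes(data, "little")
    return [(bits >> (7 * i)) & 0x7F for i in range(count)]


def pack_septets(septets) -> bytes:
    """Inverse of unpack_septets; the last octet is zero-padded at the top."""
    septets = list(septets)
    bits = 0
    for i, s in enumerate(septets):
        bits |= (s & 0x7F) << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little")


def gsm7_decode(data: bytes, septet_count: int) -> str:
    """Decode packed user data. The septet count must come from the PDU's length
    field: when 7 padding bits are left in the last octet, a decoder that guesses
    from the octet count emits a spurious '@' (septet 0)."""
    return "".join(GSM7_BASIC[s] for s in unpack_septets(data, septet_count))


def gsm7_encode(text: str) -> bytes:
    return pack_septets(GSM7_BASIC.index(c) for c in text)


if __name__ == "__main__":
    packed = gsm7_encode("hellohello")
    print(packed.hex().upper(), "->", gsm7_decode(packed, 10))
```

Letters and digits share their codes with ASCII, which is why short Latin texts are often legible in a hex editor after unpacking; the differences are in the symbol positions (0x00 is '@', 0x40 is '¡'), so a raw ASCII view of septets mislabels exactly those characters.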
Decode images Wizard (XRY starts)
MSAB XACT
Python scripts
MSAB license limitations
• XRY - cannot do data extraction or new .xry projects
– SIM cloning is not possible without license
• XACT - image decoding and run MSAB Python scripts
– Can be done with your own tools if they are good
I have compiled my questions and answers from MSAB regarding XACT, XRY and dumping
See the questions_msab*.pdf files at: [server]\embedded_forensics\MSAB.com
Extracting dump data
• Non-file-based (the spare area may or may not be included in MSAB phone dumps!)
– Lock keys, IMEI, IMSI, ICCID
– SMS, time stamps?, call logs?..., etc.
• File-based – for best results you need to get rid of the NAND OOB/spare area (present in chip read dumps)
– MMS, audio files, call logs
– Videos - 3GP / MP4, with tools such as NFI Defraser
– E-mail, social data
– Pictures: even if damaged, the Exif info (thumbnail) may be intact
– Contacts, notes, calendar, positions, ..., etc. everything!
• Recover the file system if possible via FTL translation
– If the format is a raw read from memory (chip physical)
– If dumped via software it "should" be easier to create a filesystem
• Check out all the submissions to the DFRWS 2010 challenge for tools and ideas
– http://www.dfrws.org/2010/challenge/results.shtml
MSAB Building a file system
(from the XACT manual)
# Building a file system
# In this example we'll build a FAT file system on a memory which has 512 bytes of data
# and 16 bytes of spare area. The memory contains 1024 of these pages so the memory is
# 540672 bytes in total size. Our goal is to filter out these 16 bytes and keep the rest
# as data and remap this data into a linear partition so that the FAT file system parser
# can work with it.
import xact

__version__ = "0.1.0"
__description__ = "FAT Sample"

# Entry point
def main(images):
    # For each image which has the type set to "NAND:10000" we'll create a FAT
    # file system. The type is arbitrary and not based on any phone in particular.
    for image in filter(lambda i: i.type == "NAND:10000", images):
        # Generate a list of tuples which will be the offset of each page
        # and then the size of each page minus the spare area. See documentation
        # for xact.Image.add_partition.
        segments = list(zip(range(0, 540672, 528), [512] * 1024))
        # The add_partition will automatically parse the FAT file system and
        # generate the volumes.
        partition = image.add_partition("FAT partition", segments, xact.PARTITION_FAT)
        # Log informational message with the name of each FAT partition.
        for volume in partition.volumes:
            print("Decoded FAT partition:", volume.name)
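Added example (not from the XACT manual or from MSAB): the same page-geometry remapping as the script above, done in plain Python on a raw NAND dump so that the linear result can be handed to any FAT parser. It keeps the manual's geometry (512 data + 16 spare bytes per page, 1024 pages) and constructs its own test dump; page_segments() rebuilds the (offset, size) list that the XACT script passes to add_partition.

```python
# Added example: strip the OOB/spare area from a raw NAND dump without XACT.
# Geometry is the one from the XACT manual's example; the dump is constructed here.

PAGE_DATA = 512
PAGE_SPARE = 16
PAGE_COUNT = 1024


def page_segments(data_size=PAGE_DATA, spare_size=PAGE_SPARE, pages=PAGE_COUNT):
    """(offset, length) of each page's data area; the list the XACT script builds."""
    page = data_size + spare_size
    return [(i * page, data_size) for i in range(pages)]


def strip_spare(dump: bytes, data_size=PAGE_DATA, spare_size=PAGE_SPARE) -> bytes:
    """Drop the spare bytes that follow each data page and return a linear image."""
    page = data_size + spare_size
    if len(dump) % page:
        raise ValueError(f"dump length {len(dump)} is not a multiple of page size {page}")
    return b"".join(dump[off:off + data_size] for off in range(0, len(dump), page))


def spare_areas(dump: bytes, data_size=PAGE_DATA, spare_size=PAGE_SPARE) -> list:
    """Every page's spare bytes, kept aside rather than discarded: bad-block marks
    and ECC live here and are worth a look before trusting the data pages."""
    page = data_size + spare_size
    return [dump[off + data_size:off + page] for off in range(0, len(dump), page)]


def make_sample_dump(pages=PAGE_COUNT) -> bytes:
    """Constructed dump: page i is filled with the byte (i & 0xFF), and its spare area
    is 0xFF padding ending in the page index, so both halves are recognisable."""
    out = bytearray()
    for i in range(pages):
        out += bytes([i & 0xFF]) * PAGE_DATA
        out += b"\xff" * (PAGE_SPARE - 2) + i.to_bytes(2, "big")
    return bytes(out)


if __name__ == "__main__":
    dump = make_sample_dump()
    linear = strip_spare(dump)
    print(len(dump), "->", len(linear), "bytes;", len(spare_areas(dump)), "spare areas kept")
```

The length check matters in practice: a dump whose size is not a multiple of 528 was either truncated or read with a different page geometry, and remapping it with the wrong numbers silently shifts every later page.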
Digital Forensics Framework
with the DFRWS 2010 winner's Python module script
Recovery of the file system via FTL translation
FTK >= 3.2 has YAFFS support
DMG dump from iPhone 3G
More iPhone dumps are available from [server]
Oxygen Forensic Suite
Oxygen Forensics – many demo dumps on [server]
AccessData MPE+
Time stamps and search terms
• A wide variety of storage formats are used for storing timestamp data in embedded system memories
• To illustrate, the timestamp "30 April 2008 14:30:59 UTC" is encoded as follows in some formats found in different mobile phone memories:
– 0x80400341039500 (ETSI SMS)
– 0xB19E0CA3 (Nokia)
– 0x07D8041E0E1E3B (Nokia)
– 0x26041E0E1E3B (Motorola)
– 0x00E129CB0E8B2EC0 (Symbian)
– http://www.digital-detective.co.uk/
• Regular Expressions and Search Terms for Phone Examiners
– http://www.controlf.net/regexps/
• Remember!
– Many forensic artifacts are stored in manufacturer-specific or proprietary formats; they can even change between different models and revisions from the same manufacturer!
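Added example (not from the slides): the slide's timestamp in four of the listed encodings, with encoders that turn a known time into the byte patterns one would search a dump for, decoders for bytes found in a dump, and a search over a constructed sample dump. The Motorola year base of 1970 is inferred from the slide's value (0x26 = 38), the two-digit ETSI year is assumed to be 20YY, and the Nokia 7-byte value is taken as UTC; the Nokia 4-byte and Symbian formats are not covered.

```python
# Added example: encode/decode the slide's timestamp in four formats and search a
# constructed dump for it. Not from the slides; assumptions are noted inline.
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SLIDE_TIME = datetime(2008, 4, 30, 14, 30, 59, tzinfo=UTC)


def _bcd_swapped(n: int) -> int:
    """ETSI semi-octet: tens digit in the low nibble, units digit in the high nibble."""
    return ((n % 10) << 4) | (n // 10)


def _unbcd_swapped(b: int) -> int:
    return (b & 0x0F) * 10 + (b >> 4)


def encode_etsi_scts(dt: datetime) -> bytes:
    """7-byte TP-SCTS: YY MM DD hh mm ss tz, tz in quarter hours with bit 3 of the
    low nibble as the sign. The date fields are local time for dt's own offset."""
    off = dt.utcoffset() or timedelta(0)
    tz = _bcd_swapped(abs(int(off.total_seconds())) // 900)
    if off < timedelta(0):
        tz |= 0x08
    fields = (dt.year % 100, dt.month, dt.day, dt.hour, dt.minute, dt.second)
    return bytes(_bcd_swapped(f) for f in fields) + bytes([tz])


def decode_etsi_scts(raw: bytes) -> datetime:
    yy, mo, dd, hh, mi, ss = (_unbcd_swapped(b) for b in raw[:6])
    minutes = (-15 if raw[6] & 0x08 else 15) * _unbcd_swapped(raw[6] & 0xF7)
    local = datetime(2000 + yy, mo, dd, hh, mi, ss)     # assumption: years 2000-2099
    return (local - timedelta(minutes=minutes)).replace(tzinfo=UTC)


def encode_nokia7(dt: datetime) -> bytes:
    """Big-endian 16-bit year followed by month, day, hour, minute, second."""
    return struct.pack(">HBBBBB", dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


def decode_nokia7(raw: bytes) -> datetime:
    return datetime(*struct.unpack(">HBBBBB", raw), tzinfo=UTC)   # assumption: stored as UTC


def encode_motorola6(dt: datetime) -> bytes:
    """Year as an offset from 1970 (inferred from the slide's 0x26), then M D h m s."""
    return bytes([dt.year - 1970, dt.month, dt.day, dt.hour, dt.minute, dt.second])


def decode_motorola6(raw: bytes) -> datetime:
    y, mo, d, h, mi, s = raw
    return datetime(1970 + y, mo, d, h, mi, s, tzinfo=UTC)


def encode_posix(dt: datetime) -> bytes:
    return struct.pack(">I", int(dt.timestamp()))


def decode_posix(raw: bytes) -> datetime:
    return datetime(1970, 1, 1, tzinfo=UTC) + timedelta(seconds=struct.unpack(">I", raw)[0])


ENCODERS = {"ETSI SMS": encode_etsi_scts, "Nokia 7-byte": encode_nokia7,
            "Motorola": encode_motorola6, "POSIX": encode_posix}


def search_patterns(dt: datetime) -> dict:
    """Byte patterns to look for in a dump when a time of interest is known."""
    dt = dt.astimezone(UTC)
    return {name: enc(dt) for name, enc in ENCODERS.items()}


def find_timestamp(dump: bytes, dt: datetime) -> dict:
    """First offset of each encoding of `dt` that occurs in `dump`."""
    hits = {}
    for name, pattern in search_patterns(dt).items():
        off = dump.find(pattern)
        if off >= 0:
            hits[name] = off
    return hits


# Constructed dump with the slide's time embedded in all four encodings.
SAMPLE_DUMP = (b"\xff" * 4 + encode_nokia7(SLIDE_TIME) + b"\x00\x00" + encode_posix(SLIDE_TIME)
               + b"junk" + encode_etsi_scts(SLIDE_TIME) + encode_motorola6(SLIDE_TIME))

if __name__ == "__main__":
    for name, pattern in search_patterns(SLIDE_TIME).items():
        print(f"{name:13s} {pattern.hex().upper()}")
    print(find_timestamp(SAMPLE_DUMP, SLIDE_TIME))
```

The 4-byte POSIX and 6-byte Motorola patterns are short enough to produce false hits in a large dump; confirm a candidate by decoding the bytes around it as a whole record (number, status, text) rather than trusting the timestamp match alone.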
JPG file structure and carving
• Scalpel/PhotoRec etc.
• JFIF = 0xFFD8FFE0
• Exif = 0xFFD8FFE1
• Beware of the Samsung JPG thumbnail header 0xFFD8FFE3
• JPEG file structure
– JPEG header
– Exif header identifier
– Exif header
– Exif TIFF data
– Exif JPEG Thumbnail (may use a JFIF header and footer)
– Start of image data (Start of scan)
– Image data
– End of image data (End of scan)
Exif JPEG Thumbnail (exiftool)
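Added example (not from the slides, Scalpel or PhotoRec): a JPEG carver that walks the marker segments instead of searching for the first FFD9 footer. It recognises the three headers on the slide and shows why the Exif thumbnail matters: it is a complete nested JPEG with its own FFD9, so a footer-search carver truncates the file inside the APP1 segment. The sample blob is constructed.

```python
# Added example: header-walking JPEG carver versus a naive footer search.
# Not from the slides or from any carving tool; the sample data is constructed.
import struct

JPEG_HEADERS = {
    b"\xff\xd8\xff\xe0": "JFIF",
    b"\xff\xd8\xff\xe1": "Exif",
    b"\xff\xd8\xff\xe3": "Samsung",      # thumbnail header from the slide
}
# Markers that carry no length field: TEM and the RSTn restart markers.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def jpeg_end(data: bytes, start: int):
    """Walk the marker segments of the JPEG at `start` and return the offset just past
    its EOI (FFD9), or None if the structure is broken. Segments are skipped by their
    length field, so a thumbnail inside APP1 is never mistaken for the end of file."""
    pos = start + 2                                     # past SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # In scan data 0xFF is always followed by 0x00 (byte stuffing) or an RSTn,
            # so the next other marker ends the scan (normally EOI).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def naive_end(data: bytes, start: int):
    """The footer-search carver that the slide's thumbnail warning is about."""
    eoi = data.find(b"\xff\xd9", start)
    return None if eoi < 0 else eoi + 2


def carve_jpegs(data: bytes) -> list:
    """[(start, end, kind)] for every well-formed JPEG. Nested thumbnails are not
    reported separately because scanning resumes after each carved file."""
    found, pos = [], 0
    while True:
        hit = data.find(b"\xff\xd8\xff", pos)
        if hit < 0:
            break
        kind = JPEG_HEADERS.get(data[hit:hit + 4])
        end = jpeg_end(data, hit) if kind else None
        if end is None:
            pos = hit + 1
            continue
        found.append((hit, end, kind))
        pos = end
    return found


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: 7 bytes of slack, an Exif JPEG whose APP1 carries a thumbnail,
# 4 junk bytes, a plain JFIF JPEG, then 3 stray 0xFF bytes.
_THUMB = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + _segment(0xDA, b"")
          + b"thumb-scan" + b"\xff\xd9")
_EXIF_JPEG = (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00" + b"II*\x00" + _THUMB)
              + _segment(0xDB, b"\x00" * 3) + _segment(0xDA, b"\x01")
              + b"main-scan-data" + b"\xff\xd9")
_JFIF_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + _segment(0xDA, b"")
              + b"scan" + b"\xff\xd9")
SAMPLE = b"\x00" * 7 + _EXIF_JPEG + b"junk" + _JFIF_JPEG + b"\xff" * 3

if __name__ == "__main__":
    for start, end, kind in carve_jpegs(SAMPLE):
        print(f"{kind}: offset {start}, {end - start} bytes "
              f"(naive footer search would take {naive_end(SAMPLE, start) - start})")
```

When the thumbnail itself is the evidence (the slide's damaged-picture case), run the carver a second time over the APP1 payload only: the nested FFD8...FFD9 is a valid stand-alone JPEG.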
Position artifacts
• Cached map queries
– Traffic/navigation or social networking applications
– GPS coordinates embedded in Exif
Digital Still Camera Forensics - SSDDFJ_V1_1_Cohen.pdf
Degrees/Minutes/Seconds may need conversion
PmExplorer
• View Nokia PM tables/records (dumps), as SE GDFS?
Nokia PM tables/records
Phone flashers 1
Samsung OneNAND Downloader
• Designed to update firmware (flash memory)
• Usually a flash memory backup can be made
Phone flashers 2
• Sony Ericsson XS++
• GDFS (Global Data File System)
http://en.wikipedia.org/wiki/GDFS
SE W800 from lab with (FAT?) FS!
Download = flash image
Upload = save image
Flasher boxes
• Designed to update flash memory
– Twister
– HWK
– UFS3
– SHU box
– JAF box
Simple imaging and analysis of phones
• Some handsets can be attached in off mode and automatically enter a special "file transfer" mode
• Windows may detect the memory (no memory card should be present) as a storage device with a FAT file system
• Use FTK Imager or similar to make an image!
• Analyze with existing forensic tools
• Paper describing the method
– Recovering Deleted Data from FAT Partitions within Mobile Phone Handsets Using Traditional Imaging Techniques
• Another useful method, if the data is hard to interpret, is to use an emulator to analyze and interpret it
– Extract the image, database, etc. from the examined phone
– Boot up the development emulator using this data
Simpler analysis of phone dumps
• If it is possible to create a filesystem from the phone image, one should export this dump to a forensic image and use a familiar advanced tool such as FTK
• This is especially true for a smartphone, since it shares a lot of technology with ordinary computers, which eases the investigation a lot
• It can also be beneficial to do this with files in a folder
• Example: http://computer-forensics.sans.org/blog/2010/09/22/digital-forensics-quick-cellebrite-ufed-extract-phone-data-file-system-dump/
– Using a dump from an iPhone 3G running iOS 4.02
• Viewing all familiar file types, including SQLite files and plist (property list) files, setting bookmarks and so on...
– iPhone .plist files usually store serialized objects such as user settings or application information in a binary XML format
– http://en.wikipedia.org/wiki/Property_list