Mobile forensics TIPS [Knowledge Sharing]

CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Dear all,

I was wondering if everyone could participate in this topic, where all the important data (logs, databases, etc.) of most mobile devices will be mentioned. For example, identifying the important databases and logs that a forensic investigator should look at while investigating.

For instance, on Nokia Series 40, logs are only stored for 30 days, therefore it is recommended you perform your analysis instantly after a crime occurs.

A database that is important in a Nokia while investigating is the (Ms_del.dat) database that includes chunks of the deleted messages and so on; how do you read that database?

Database ideas that are important in Android: sms_db and mmssms_db; those two files include good information on deleted messages, and so does logs.db.

For iPhone, sms.db (includes some deleted messages).

RIM ???

Please share your knowledge, TIPS while performing mobile forensics.

Is there a way an investigator can know if a mobile has recently been formatted?
Logs that indicate the first date of usage and last date of usage?

 
Posted : 25/12/2012 12:07 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

There are plenty of topics covering all of the above. I think it would be unfair to expect everyone to make a central repository of such information when it is all available on the forum if you search for specific criteria.

I highly recommend you have a dig through some old posts and take notes, then as specific jobs come up, post a question and if we know the answer we will help in turn.

 
Posted : 27/12/2012 8:55 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Have you looked at Forensics Wiki? Maybe you can contribute/update their pages…

 
Posted : 28/12/2012 12:18 am
(@coligulus)
Posts: 165
Estimable Member
 

It may make sense to double check each of your findings already also. I mention that as you have said that Series 40 Nokias only keep logs for 30 days. The 6230 is a Series 40 handset and it keeps its logs until the end of time; there is no expiration time. A lot of newer Series 40s behave the same; in fact I don't think I've ever seen a Series 40 where data expires.

Symbian devices on the other hand only keep logs for a maximum of 30 days. But you can of course subvert that process if you know what you are doing.

I am intrigued by the suggestion of deleted messages in MS_Del.dat too and wonder if you have any further information. I know a number of people who have researched that file and found that it contains status (delivery) reports only, including sent and delivered dates/times with numbers, etc.

Thanks

 
Posted : 31/12/2012 2:37 pm
TomP
(@tomp)
Posts: 36
Eminent Member
 

Database ideas that are important in Android: sms_db and mmssms_db; those two files include good information on deleted messages, and so does logs.db.

For iPhone, sms.db (includes some deleted messages).

Make sure when you are looking at these db files that you are looking at all of the files located in the folder they originate from. I'd point you in the direction of this blog and specifically this article:

http://digitalinvestigation.wordpress.com/2012/05/04/the-forensic-implications-of-sqlites-write-ahead-log/

Worth a read.

 
Posted : 14/01/2013 7:31 pm
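The point TomP makes about reading every file in the folder, shown with an added example that is not code from the thread or from the linked article. It builds a small WAL-mode SQLite database of its own; the sms table, the message bodies and the file name sms.db are constructed stand-ins, not a real handset schema. It then copies the database two ways and reports what each copy reveals.

```python
# Added example (not from the thread or the linked blog): why a SQLite
# database copied without its -wal sidecar can hide recently committed
# changes. The table layout, messages and file name are constructed.
import os
import shutil
import sqlite3
import tempfile


def visible_bodies(db_path):
    """Open a *copy* of a database and return its message bodies in id order.

    A plain connect() is used on purpose: a read-only URI would refuse to
    create the -shm index that WAL recovery needs. Only ever do this on a
    working copy, never on the original evidence file.
    """
    con = sqlite3.connect(db_path)
    try:
        return [row[0] for row in con.execute("SELECT body FROM sms ORDER BY id")]
    finally:
        con.close()


def wal_demo(workdir=None):
    """Build a WAL-mode database, copy it two ways, and report what each copy shows."""
    workdir = workdir or tempfile.mkdtemp(prefix="wal_demo_")
    db = os.path.join(workdir, "sms.db")
    wal = db + "-wal"

    live = sqlite3.connect(db)  # the "handset application" keeps this open
    live.execute("PRAGMA journal_mode=WAL").fetchall()
    # Auto-checkpoints are disabled so the demo is deterministic; real apps
    # checkpoint every 1000 WAL pages by default, so small recent changes
    # routinely sit only in the WAL for a while.
    live.execute("PRAGMA wal_autocheckpoint=0").fetchall()
    live.execute("CREATE TABLE sms(id INTEGER PRIMARY KEY, body TEXT)")
    live.executemany("INSERT INTO sms(body) VALUES (?)",
                     [("old msg 1",), ("old msg 2",)])
    live.commit()
    # Fold everything so far into the main file, as a checkpoint would.
    live.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()

    # Later activity, committed but not checkpointed: one new message, one deletion.
    live.execute("INSERT INTO sms(body) VALUES ('new msg 3')")
    live.execute("DELETE FROM sms WHERE body = 'old msg 1'")
    live.commit()

    # Copy 1: only the main database file, as a naive extraction might do.
    copy1 = os.path.join(workdir, "main_only")
    os.mkdir(copy1)
    shutil.copy(db, os.path.join(copy1, "sms.db"))

    # Copy 2: the main file together with its -wal sidecar.
    copy2 = os.path.join(workdir, "with_wal")
    os.mkdir(copy2)
    shutil.copy(db, os.path.join(copy2, "sms.db"))
    shutil.copy(wal, os.path.join(copy2, "sms.db-wal"))

    result = {
        "wal_bytes": os.path.getsize(wal),
        "main_only": visible_bodies(os.path.join(copy1, "sms.db")),
        "with_wal": visible_bodies(os.path.join(copy2, "sms.db")),
    }
    # When the last connection closes cleanly, SQLite checkpoints and removes
    # the WAL, which is why the sidecar is often gone after a clean shutdown.
    live.close()
    result["wal_present_after_close"] = os.path.exists(wal)
    return result


if __name__ == "__main__":
    for key, value in wal_demo().items():
        print(f"{key}: {value}")
```

Run as-is, the copy made from the main file alone still lists the deleted message and misses the new one, while the copy that includes sms.db-wal shows the current state. The practical habit this encourages is to collect the database, its -wal and its -shm files together and to open them only as working copies, since simply opening a copy rewrites the -shm index.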
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

Great stuff,

So how is it possible to read a ms_del.dat file?
And a whatever.bak (BlackBerry backup files)?

 
Posted : 15/01/2013 9:43 am
TomP
(@tomp)
Posts: 36
Eminent Member
 

You may find ms_del.dat contains DELivery reports not deleted data.

We have a Python script that parses them (I didn't write it so can't take credit/don't know what it's looking at), though there is a difference that I can't remember off the top of my head between earlier Series 40s and the later Series 40 3rd Editions.

 
Posted : 16/01/2013 8:57 pm
CopyRight
(@copyright)
Posts: 184
Estimable Member
Topic starter
 

What's the name of the Python script that can parse Ms_del.dat?

Is there any sort of event log file in the Nokia and Android devices, and where can you find it?

 
Posted : 19/01/2013 9:36 am
(@coligulus)
Posts: 165
Estimable Member
 

What's the name of the Python script that can parse Ms_del.dat?

You would need to write one; the script which TomP refers to is not in the public domain. Do some reverse engineering on the file and I'm sure you can pull together your own script for the job.

 
Posted : 21/01/2013 1:32 pm
TomP
(@tomp)
Posts: 36
Eminent Member
 

What's the name of the Python script that can parse Ms_del.dat?

Is there any sort of event log file in the Nokia and Android devices, and where can you find it?

Samsung Android devices have a log of SMS/MMS messages with the call entries that a lot of tools don't seem to extract; they are stored in the logs.db file with the calls. HTC devices store their calls in the contacts2.db file. I haven't analysed an HTC for a little while so can't say this hasn't changed, but the event log did appear to be something only found on the Samsung devices. I can't comment on other makes as I haven't had them to analyse, off the top of my head.

Nokia Symbian devices have an event log and, off the top of my head, this is extracted with XRY, Cellebrite and Oxygen. For Series 40 Nokias, the Message Recipients Log (MRL) can be extracted by Oxygen. Remember, the MRL means the message was sent from the handset but may not guarantee that the intended recipient received it.

 
Posted : 21/01/2013 3:46 pm