Examining raw hex data with UFED PA
Posted: Thu Feb 14, 2013 11:09 am
I need some advice from a UFED Physical Analyzer user who has experience with feature phones.
We are buying a UFED Touch, but I don't have it yet, nor have I seen it in action.
I know one of the first phones I need to examine is an LG enV Touch VX11000. I'm looking for the contents of as many as 4000 deleted SMS messages. Not all of them need to be found, just enough to determine the nature of the texts. For this phone, physical extraction is supported, but extracting deleted SMS messages is not supported. I understand this means I will have to search through the hex data of the raw dump to find these deleted SMS messages.
What I am wondering is how difficult this will be. I've read through the relevant sections of the UFED PA manual, but without a dump of a similar phone to look at (not to mention UFED PA) I do not know if this is a difficult task--or an impossible task.
I will have the phone numbers, names, dates and times of the messages, and a pretty good idea of some search terms that may generate hits. I will need to be able to gather some examples of text messages that will show that the texts were between paramours. It is my understanding from the phone records that the only text messages ever sent or received by this phone were to and from one number.
Any advice is greatly appreciated.
I plan to attend some UFED training, but not before I need to examine this phone.
EDIT: Spelling. Paramour as in illicit lover, not Paramore the band.
-

Bulldawg - Senior Member
Re: Examining raw hex data with UFED PA
Posted: Fri Feb 15, 2013 3:01 am
I sent you a private message with my email
I can provide you a reference physical extraction of such a device so you can play with it.
Locating the text message body in hex is very simple by using the 7bit or 7bit reversed PDU search.
Ron
-

RonS - Senior Member
Re: Examining raw hex data with UFED PA
Posted: Fri Feb 15, 2013 8:46 am
- RonS: I sent you a private message with my email
I can provide you a reference physical extraction of such a device so you can play with it.
Locating the text message body in hex is very simple by using the 7bit or 7bit reversed PDU search.
Ron
I can support this as I use CelleBrite PA for manual carving quite a lot. Very easy to find and bookmark for reporting on.
-

triran - Senior Member
Re: Examining raw hex data with UFED PA
Posted: Fri Feb 15, 2013 12:08 pm
Here is a sample extraction:
I will delete this extraction in a few days. If anyone can move it to a different location and post the link, others can use it in the future.
www.ume-update.com/tem...-11000.rar
SMS are stored in this folder "/SMS" in the second partition.
The SMS text preview is in plaintext, and later in the SMS file it is in 7bit PDU (not reversed).
This is a test phone so only 2 SMS files, but still can be used for reference.
Anyone who doesn't have UFED PA can use the above sample extraction with a PA trial, which you can get at this link:
www.cellebrite.com/fre...0-day.html
There are many additional sample extractions that come with the trial license.
Best regards,
Ron
-

RonS - Senior Member
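
The 7-bit PDU search mentioned in the replies above has to cope with the fact that a keyword's packed bytes change with its position inside the message, so a plain byte search for the packed keyword misses most hits. The following is an added example, not part of any post in this thread and not Cellebrite's implementation: it searches a raw dump for a keyword in standard (non-reversed) GSM 03.38 7-bit packing at all eight bit alignments and decodes from the hit. `MESSAGE` and `DUMP` are constructed sample data, and the function names are hypothetical.

```python
# Added example (constructed data): find GSM 03.38 7-bit packed text in a raw dump.
# Assumes the keyword uses only letters, digits and spaces (GSM code == ASCII code).

def pack7(text):
    """Pack septets LSB-first into octets (standard, non-reversed packing)."""
    acc = 0
    for i, ch in enumerate(text):
        acc |= (ord(ch) & 0x7F) << (7 * i)
    return acc.to_bytes((7 * len(text) + 7) // 8, "little")

def find_packed(dump, keyword):
    """Return sorted (byte_offset, bit_shift) hits; the shift depends on where
    the keyword sits inside its message, so all 8 alignments are tried."""
    nbits = 7 * len(keyword)
    value = int.from_bytes(pack7(keyword), "little")
    hits = []
    for shift in range(8):
        width = (nbits + shift + 7) // 8
        pat = (value << shift).to_bytes(width, "little")
        mask = (((1 << nbits) - 1) << shift).to_bytes(width, "little")
        lo = 1 if shift else 0                            # first byte partly unknown
        hi = width - 1 if (nbits + shift) % 8 else width  # last byte partly unknown
        core = pat[lo:hi]                                 # fully determined bytes
        pos = dump.find(core)
        while pos != -1:
            start = pos - lo
            win = dump[start:start + width] if start >= 0 else b""
            # Compare only the bits that belong to the keyword.
            if len(win) == width and all(
                    (w & m) == (p & m) for w, p, m in zip(win, pat, mask)):
                hits.append((start, shift))
            pos = dump.find(core, pos + 1)
    return sorted(hits)

def decode_at(dump, start, shift, count):
    """Unpack `count` septets beginning at a hit returned by find_packed."""
    nbytes = (7 * count + shift + 7) // 8
    acc = int.from_bytes(dump[start:start + nbytes], "little") >> shift
    return "".join(chr((acc >> (7 * i)) & 0x7F) for i in range(count))

# Constructed sample: 16 filler bytes, one packed message, 16 filler bytes.
MESSAGE = "See you at the hotel tonight"
DUMP = b"\xff" * 16 + pack7(MESSAGE) + b"\xff" * 16

if __name__ == "__main__":
    for start, shift in find_packed(DUMP, "hotel"):
        print(hex(start), shift, decode_at(DUMP, start, shift, 13))
```

Short keywords leave few fully determined bytes and produce false positives, so search terms of five or more characters work best, and each hit should be confirmed by decoding the surrounding septets.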
















