
Examining raw hex data with UFED PA

Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
Topic starter
 

I need some advice from a UFED Physical Analyzer user who has experience with feature phones.

We are buying a UFED Touch, but I don't have it yet, nor have I seen it in action.

I know one of the first phones I need to examine is an LG enV Touch VX11000. I'm looking for the contents of as many as 4000 deleted SMS messages. Not all of them need to be found, just enough to determine the nature of the texts. For this phone, physical extraction is supported, but extracting deleted SMS messages is not supported. I understand this means I will have to search through the hex data of the raw dump to find these deleted SMS messages.

What I am wondering is how difficult this will be. I've read through the relevant sections of the UFED PA manual, but without a dump of a similar phone to look at (not to mention UFED PA) I do not know if this is a difficult task–or an impossible task.

I will have the phone numbers, names, dates and times of the messages, and a pretty good idea of some search terms that may generate hits. I will need to be able to gather some examples of text messages that will show that the texts were between paramours. It is my understanding from the phone records that the only text messages ever sent or received by this phone were to and from one number.

Any advice is greatly appreciated.

I plan to attend some UFED training, but not before I need to examine this phone.

EDIT: Spelling. Paramour as in illicit lover, not Paramore the band.

 
Posted : 14/02/2013 9:09 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

I sent you a private message with my email
I can provide you a reference physical extraction of such a device so you can play with it.
Locating the text message body in hex is very simple by using the 7bit or 7bit reversed PDU search.

Ron

 
Posted : 15/02/2013 1:01 pm
triran
(@triran)
Posts: 99
Trusted Member
 

I sent you a private message with my email
I can provide you a reference physical extraction of such a device so you can play with it.
Locating the text message body in hex is very simple by using the 7bit or 7bit reversed PDU search.

Ron

I can support this as I use CelleBrite PA for manual carving quite a lot. Very easy to find and bookmark for reporting on.

 
Posted : 15/02/2013 6:46 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Here is a sample extraction

I will delete this extraction in a few days. If anyone can move it to a different location and post the link, others can use it in the future.

http://www.ume-update.com/temp/Physical_LG_CDMA_LG_VX-11000.rar

SMS are stored in this folder "/SMS" in the second partition.
The SMS text preview is in plaintext and later in the SMS file it is in 7bit PDU (not reversed)

This is a test phone so only 2 SMS files, but still can be used for reference.

Anyone that doesn't have UFED PA can use the above sample extraction with a PA trial that they can get at this link:
http://www.cellebrite.com/free-trial-30-day.html

There are many additional sample extractions that come with the trial license.

Best regards,
Ron

 
Posted : 15/02/2013 10:08 pm
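
The 7-bit search mentioned in the replies above, sketched as an added example that is not part of the thread and not Cellebrite's code: it packs a search term as 7-bit characters in both bit orders and searches a raw dump for it at every bit alignment. It assumes the two packings are GSM 03.38 septet packing (least significant bit first) and 7-bit ASCII packed most significant bit first as in CDMA SMS; which of these PA calls "7bit" and which "7bit reversed" is not stated in the thread, and all function names and sample data are constructed.

```python
# Added example on constructed data; handles only characters coded identically in
# ASCII and the GSM 03.38 default alphabet. msb_first selects the packing bit order.

def septet_bits(text, msb_first):
    """Each character's low 7 bits, concatenated in stream order."""
    bits = (format(ord(c) & 0x7F, "07b") for c in text)
    return "".join(b if msb_first else b[::-1] for b in bits)

def bits_to_bytes(bits, msb_first):
    bits += "0" * (-len(bits) % 8)  # zero-pad the final octet
    octets = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return bytes(int(o if msb_first else o[::-1], 2) for o in octets)

def pack(text, msb_first):
    return bits_to_bytes(septet_bits(text, msb_first), msb_first)

def unpack(data, msb_first, skip_bits=0):
    octets = (format(b, "08b") for b in data)
    bits = "".join(o if msb_first else o[::-1] for o in octets)[skip_bits:]
    septets = (bits[i:i + 7] for i in range(0, len(bits) - 6, 7))
    return "".join(chr(int(s if msb_first else s[::-1], 2)) for s in septets)

def search_patterns(keyword, msb_first):
    """One byte pattern per bit offset (0-7) at which the keyword can start.
    Octets shared with neighbouring characters are left out of the pattern."""
    pats = {}
    for shift in range(8):
        bits = "0" * shift + septet_bits(keyword, msb_first)
        whole = bits[8 if shift else 0:len(bits) // 8 * 8]
        pats[shift] = bits_to_bytes(whole, msb_first)
    return pats

def find_packed(dump, keyword, msb_first):
    """Sorted (offset of pattern, shift) pairs; very short patterns are skipped."""
    hits = []
    for shift, pat in search_patterns(keyword, msb_first).items():
        pos = dump.find(pat, 1 if shift else 0) if len(pat) >= 3 else -1
        while pos != -1:
            hits.append((pos, shift))
            pos = dump.find(pat, pos + 1)
    return sorted(hits)

def decode_hit(dump, pos, shift, n_chars, msb_first):
    start = pos - 1 if shift else pos  # a shifted keyword begins in the previous octet
    nbytes = (shift + 7 * n_chars + 7) // 8
    return unpack(dump[start:start + nbytes], msb_first, shift)[:n_chars]

dump = bytes(range(40)) + pack("miss you tonight", False) + b"\xff" * 16  # constructed
print([(p, s, decode_hit(dump, p, s, 7, False)) for p, s in find_packed(dump, "tonight", False)])
```

A hit only locates the keyword; passing a larger `n_chars` to `decode_hit` reads onward from that point, and the start of the message still has to be found by stepping back in 7-bit units.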