Mobile forensics TIPS [Knowledge Sharing]


Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Tue Dec 25, 2012 2:07 am

Dear all,

I was wondering if everyone could participate in this topic, where all the important items (logs, databases etc.) of most mobile devices will be mentioned. For example, identifying the important databases and logs that a forensic investigator should look at while investigating.

For instance, on Nokia Series 40, logs are only stored for 30 days; therefore it is recommended you perform your analysis instantly after a crime occurs.

A database that is important in a Nokia while investigating is the (Ms_del.dat) database, which includes chunks of the deleted messages and so on. How do you read that database?

Databases that are important in Android: sms_db and mmssms_db. Those two files include good information on deleted messages, and so does logs.db.

For iPhone, sms.db (includes some deleted messages).

RIM ???

Please share your knowledge and tips for performing mobile forensics.

Is there a way an investigator can know if a mobile has recently been formatted?
Logs that indicate the first date of usage and the last date of usage?

CopyRight
Senior Member
 
 
  

Re: Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Thu Dec 27, 2012 10:55 am

There are plenty of topics covering all of the above. I think it would be unfair to expect everyone to make a central repository of such information when it is all available on the forum if you search for specific criteria.

I highly recommend you have a dig through some old posts and take notes; then, as specific jobs come up, post a question and if we know the answer we will help in turn.

mobileforensicswales
Senior Member
 
 
  

Re: Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Thu Dec 27, 2012 2:18 pm

Have you looked at Forensics Wiki? Maybe you can contribute/update their pages...  

jhup
Senior Member
 
 
  

Re: Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Mon Dec 31, 2012 4:37 am

It may also make sense to double-check each of your findings. I mention that as you have said that Series 40 Nokias only keep logs for 30 days. The 6230 is a Series 40 handset and it keeps its logs until the end of time; there is no expiration time. A lot of newer Series 40s behave the same; in fact I don't think I've ever seen a Series 40 where data expires.

Symbian devices, on the other hand, only keep logs for a maximum of 30 days. But you can of course subvert that process if you know what you are doing.

I am intrigued by the suggestion of deleted messages in MS_Del.dat too and wonder if you have any further information. I know a number of people who have researched that file and found that it contains status (delivery) reports only, including sent and delivered dates/times with numbers etc.

Thanks
_________________
Colin Mortimer
AirWatch 

Coligulus
Senior Member
 
 
  

Re: Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Mon Jan 14, 2013 9:31 am

- CopyRight

Databases that are important in Android: sms_db and mmssms_db. Those two files include good information on deleted messages, and so does logs.db.

For iPhone, sms.db (includes some deleted messages).

Make sure when you are looking at these db files that you are looking at all of the files located in the folder they originate from. I'd point you in the direction of this blog and specifically this article:

digitalinvestigation.w...ahead-log/

Worth a read.  

TomP
Member
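
The point in the post above about examining every file in the folder a database comes from, as an added example that is not part of the original thread or the linked article: this Python script lists each SQLite database in an evidence folder together with its `-wal`, `-shm` and `-journal` companion files, and reads the write-ahead log header to count the page frames the WAL holds. The sample database name and row are constructed, and the function names are this example's own.

```python
import os, sqlite3, struct, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"     # first 16 bytes of a main database file
WAL_MAGICS = (0x377F0682, 0x377F0683)     # WAL magic; low bit selects checksum byte order
SIDECARS = ("-wal", "-shm", "-journal")   # files SQLite keeps beside the main database

def is_sqlite(path):
    """True if the file starts with the SQLite 3 header string."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def wal_summary(wal_path):
    """Parse the 32-byte WAL header and count the whole frames that follow it."""
    with open(wal_path, "rb") as f:
        hdr = f.read(32)
    if len(hdr) < 32:
        return None
    magic, _ver, page_size, ckpt_seq = struct.unpack(">4I", hdr[:16])  # big-endian fields
    if magic not in WAL_MAGICS or page_size == 0:
        return None
    frames = (os.path.getsize(wal_path) - 32) // (24 + page_size)  # 24-byte frame header + page
    return {"page_size": page_size, "checkpoint_seq": ckpt_seq, "frames": frames}

def inventory(folder):
    """Map each SQLite database in folder to its sidecar files and WAL summary."""
    report = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or not is_sqlite(path):
            continue
        present = [s for s in SIDECARS if os.path.exists(path + s)]
        wal = wal_summary(path + "-wal") if "-wal" in present else None
        report[name] = {"sidecars": present, "wal": wal}
    return report

def make_sample(folder):
    """Constructed sample: a WAL-mode database with rows not yet checkpointed."""
    con = sqlite3.connect(os.path.join(folder, "mmssms.db"))
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE sms(body TEXT)")
    con.execute("INSERT INTO sms VALUES ('constructed sample row')")
    con.commit()
    return con  # kept open: closing the last connection checkpoints and removes the WAL

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        con = make_sample(d)
        print(inventory(d))
        con.close()
```

Frames written before the last checkpoint stay in the WAL file until they are overwritten, so the frame count can cover superseded page versions as well as current ones.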
 
 
  

Re: Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Mon Jan 14, 2013 11:43 pm

Great stuff,

So how is it possible to read an ms_del.dat file?
And a whatever.bak (BlackBerry backup files)?

CopyRight
Senior Member
 
 
  

Re: Mobile forensics TIPS [Knowledge Sharing]

Post Posted: Wed Jan 16, 2013 10:57 am

You may find ms_del.dat contains DELivery reports, not deleted data.

We have a python script that parses them (I didn't write it so can't take credit/don't know what it's looking at), though there is a difference that I can't remember off the top of my head between earlier series 40s and the later series 40 3rd editions.  

TomP
Member
 
 