forensic software f...
 
Notifications
Clear all

forensic software for old Nokia - S40

4 Posts
4 Users
0 Likes
1,054 Views
(@silvestro23)
Posts: 2
New Member
Topic starter
 

Dear All,

I would like to know if there are some tools/techniques that are able to recover deleted sms from an old Nokia 2610 with Symbian S40 v 04.90.

Thanks a lot

regards

Silvestro

 
Posted : 20/11/2014 3:27 pm
Shourjo
(@shourjo)
Posts: 14
Active Member
 

Hey there,
You can use Oxygen forensics suite , chances are that it might be able to recover the deleted messages and it supports S40 series

 
Posted : 25/11/2014 11:33 am
(@mark_adp)
Posts: 63
Trusted Member
 

Actually the Nokia 2610 isn't Symbian. The phone has a very basic memory structure utilising a small FAT16 file system if I remember correctly.

You could try using the ATF Flasher box with a service cable to recover a physical dumb.

Once you have a physical dumb, recovering old SMS from this type of phone isn't too hard.

Each sector is prefixed by 8 bytes of "spare area" which contains the logical sector number for that sector. UFED Physical Analyser (if you have it) can, I believe re-order your sectors for you to give you a mountable FAT file system.

Once you have a mountable file system, first look for your extant SMS messages. They will appear as individual files.

Once you have identified some extant SMS messages, look for a file header at the beginning of each SMS message. Once you have identified some consistent bytes (file header) copy the header hex and search for these bytes across the entire binary read. You should be able to find all current and deleted this way.

X-Ways is a great tool for manually decoding these files as it contains an on the fly 7-bit PDU unpacker (a sort of compression used in GSM).

One problem you will have is deleted sent SMS dates and times. The sent SMS date and times are read from the FAT file system. Annoyingly when a file is deleted on a Nokia S40 handset, the starting cluster address is deleted from the FAT directory entry, why I do not know!!

What you could possibly do, although it's difficult to always rely on this, is to look for older versions of the same FAT directory entry, before it was deleted (Flash keeps old copies of data sometimes!). Compare the starting cluster address and file size values and you can make and inference that the date and time within this older version of the FAT directly entry is associated to your deleted sent SMS. This can be done only with the caveat that it may actually be associated to a different deleted file.

I hope that makes sense. If you need to clarify anything, please make a note.

UFED Physical Analyser should do lot's of this stuff automatically, but you should know how it works!!

Mark

 
Posted : 25/11/2014 5:31 pm
(@paraben)
Posts: 47
Eminent Member
 

That model should be supported for physical acquisitions using Device Seizure. You can request a free 30 day key here https://www.paraben.com/challenge.php

 
Posted : 26/11/2014 2:24 am
Share: