Cellebrite PA Hex Dump searching question

(@dc1743)
Posts: 48
Eminent Member
Topic starter
 

I have already posted the below in the relevant LinkedIn group but am trying to widen the audience.

I am looking at a binary dump from a Nokia 3120C. I can see telephone numbers stored as unicode Little Endian within the dump. When I use the Find facility in Physical Analyzer 3.6 searching for Strings and selecting Unicode it does not find the numbers I have already seen in the dump (the Values decoder decodes the numbers I have seen as Little Endian unicode).

Please does anyone know whether the unicode search is big endian only or is there a configuration setting somewhere to find strings stored Little Endian?

Regards,

 
Posted : 08/01/2013 10:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What did the folks at Cellebrite say when you called and asked them?

 
Posted : 08/01/2013 10:32 pm
(@alexc)
Posts: 301
Reputable Member
 

Please does anyone know whether the unicode search is big endian only or is there a configuration setting somewhere to find strings stored Little Endian?

Out of interest, have you tried searching for the middle numbers (shave off the first and last characters) as, for ASCII range characters, that part of the raw data will look the same.

 
Posted : 08/01/2013 10:55 pm
(@dc1743)
Posts: 48
Eminent Member
Topic starter
 

Thanks for the replies.

Having revisited this issue this morning to follow up Alex's suggestion the search now works!

As it turns out the numbers I had seen (which could be represented as ASCII) are stored big endian and the search tool highlights the numbers (\x00\x30\x00\x37 etc etc). Tired eyes and brain yesterday afternoon saw that the number was followed by \x00 and hence thought the number was stored little endian unicode.

To answer the original question posed I have tested a "binary dump" comprising some text encoded little endian unicode. PA Find function appears only to find BE encoded unicode.

What I still don't understand is why the search works today and didn't yesterday. I think I did the same thing but user error is suspected!

Regards,

 
Posted : 09/01/2013 4:51 pm
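
Added example, not part of any post above and not Cellebrite's code: a Python sketch that searches a dump for a number in both UTF-16 byte orders, flags the case from the last post where big-endian text followed by \x00 also matches as little endian, and shows why a BE-only search for the middle digits still lands inside little-endian data. The sample numbers, the dump bytes and all function names are constructed for illustration.

```python
# Added example: constructed data, not taken from the Nokia dump in the thread.

def find_all(dump: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs, overlapping matches included."""
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits

def search_utf16(dump: bytes, text: str) -> list[tuple[int, str]]:
    """Search for text in both UTF-16 byte orders; returns (offset, order)."""
    hits = []
    # Name the byte order explicitly: plain "utf-16" would prepend a BOM.
    for order, codec in (("BE", "utf-16-be"), ("LE", "utf-16-le")):
        hits += [(off, order) for off in find_all(dump, text.encode(codec))]
    return sorted(hits)

def ambiguous(hits: list[tuple[int, str]]) -> list[int]:
    """Offsets of BE hits that also match as LE one byte later. This happens
    when ASCII-range BE text is followed by 0x00, so byte order cannot be
    judged from the trailing zero alone."""
    le = {off for off, order in hits if order == "LE"}
    return [off for off, order in hits if order == "BE" and off + 1 in le]

# Constructed sample numbers and dump (hypothetical values).
NUM_BE, NUM_LE = "07700900123", "07700900456"
DUMP = (b"\xff\xff" + NUM_BE.encode("utf-16-be") + b"\x00\x00"
        + b"\xff" + NUM_LE.encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for number in (NUM_BE, NUM_LE):
        hits = search_utf16(DUMP, number)
        print(number, hits, "ambiguous at", ambiguous(hits))
    # BE-only search for the middle digits still lands inside the LE record.
    print(find_all(DUMP, NUM_LE[1:-1].encode("utf-16-be")))
```

When a hit is reported as ambiguous, the byte immediately before the first digit and the alignment of neighbouring fields in the record decide the byte order, not the zero byte after the last digit.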