Does anyone have any experience with the ATF (Advanced Turbo Flasher) boxes for conducting physical dumps (PM absolutes) of Nokia BB5 handsets?
This flasher box has recently been recommended to me as being capable of conducting physical dumps of BB5 handsets and I wished to confirm this was correct.
Cheers,
Rob.
As far as I know these flasher box solutions perform partial data extraction that can only be used for carving since some of the data (flash spare area) is missing.
Can you list which are the most important Nokia BB5 models that you want to see supported in the mobile forensic tools?
Which Nokia BB5 models do you see more often?
Thanks,
Ron
rnelson
Further to Ron's comments, I do agree with him on two points.
1) Understanding the 'limitations' of the tool you may wish to use is important.
2) However, if it is possible to know spare areas are missing that is because the memory retention area has been pre-defined and mapped. Putting aside the impact of wear-leveling and the footprint it leaves behind, flash memory management endeavours to assign certain types of data to certain allocation memory spaces.
To read the flash memory the flash memory manufacturers have post-issuance memory programmes, emulators and tests jigs (for pin-array etc) to read the chip, so to speak. These are used for quality checking. Getting these items can acquire what you seek, but following data acquistion translation can take time.
So if Ron is saying he can perform fully mapped extraction and harvesting and offers translation (but on the latter integer I am not sure he did say that) this might save you time and the learning curve that goes with this subject matter.
Separately, (and these are observations you may already know) another matter you may wish to consider is whether handsets (like hard drives) are being forced wiped, blocked decipher, overwritten etc to prevent access to data, maybe due to
- factory reset
- lost key/s encryption
- overwrite memory.
There are many sites (e.g. http//
Infact, even alteration of the language pack can be a real pain. Scroll down the left hand column at this website to the link 'How to throw the firmware language'
http//
For BB5 look here
http//
Hi Ron and trewmte,
Thanks for the comments. Having used a number of other flasher boxes for forensic examinations, I am aware of the limitations and the overhead of data carving, yet such processes can nevertheless prove beneficial in the recovery of data that is not otherwise available through more traditional means. Whilst the commercial phone forensic tools are generally the first (and easier) option unfortunately they still lag behind the sheer volume of phones that can be dumped using the flasher boxes.
My interest was specifically in the ATF box for physical dumping Nokia BB5 phones, as to my knowledge no other flasher box is currently providing this support.
Happy to chat about this , offline
I really like this subject. Could you tell me more … I would love to explore.
As far as I know these flasher box solutions perform partial data extraction that can only be used for carving since some of the data (flash spare area) is missing.
Can you list which are the most important Nokia BB5 models that you want to see supported in the mobile forensic tools?
Which Nokia BB5 models do you see more often?
Thanks,
Ron
All mobile phones use Flash memory to store data. As the blocks within flash memory have a limited number of erase/write cycles before they become unusable, the flash manufacturers build wear-leveling algos to evenly spread the erases/write cycles across each disk.
For these wear-leveling algos to work, they must write blocks/sectors in a non-contiguous order on the disk. For a forensic engineer, this means that when performing a physical read (the kind performed by ATF), the file system used by the handsets OS (usually FAT16) will not be mountable as all the data blocks/sectors will be incorrectly ordered.
The flash manufacturers develop Flash Management Software to run on there chips. This flash management software writes tables/maps to the disk to enable non-contiguous blocks/sectors to be mapped back into a correct logical order.
When Ron talks about spare-area, he is talking about these tables/maps used for re-ordering. In Nokia devices, the bytes are usually found either 1. At the top of each block and at the end of each page, or 2. At the start of each sector. These spare area bytes usually contain logical block/sector numbers and erase counts that are used to reverse the effects of wear-leveling and re-order the data back into it's correct logical order, enabling you to mount a partition and examine the device as you would a normal USB device image.
As Ron correctly stated, if these spare area bytes are missing, the re-ordering is simply not possible.
I believe ATF box reads out the spare area for some Nokia devices and not others. I believe devices utilizing Samsungs eXtended Sector Remapper software (XSR1/2/3) are not being read correctly, however memories not utilizing XSR I believe are being dumped with spare area bytes intact (as I understand).
Hope this helps.
Mark
The main difference is between devices that use a NAND flash (all Symbian phones) and the regular BB5 models that use NOR flash.
For devices with a NAND flash, the boxes will not get the spare area.
Cellebrite UFED will soon add Nokia BB5 Physical extraction support that will include the entire flash (both NAND and NOR) including spare area.
Ron
Yea, most non-Symbian Nokia device can be read with spare, although some devices don't follow that rule. I believe the Nokia 6700c for example is using XSR3 and is a non-Symbian based handset.
Mark