I do not believe you "dumped ROM" of the device. It is most likely you gained access to the non-volatile, user accessible storage - or at least part of it, in a logical image (versus physical image) fashion.
The ROM would not contain user generated images.
If you did get a physical image (that is the image you generated also contains unused, and slack space) you only need step two.
(Note that when we talk image, we mean a byte-by-byte copy of the non-volatile storage of device, usually placed in a single file, of type "raw" or "dd", or similar. This is in contrast of a visual, picture "image".)
thx folks, for these ideas
Alex - I dumped ROM using itsutils, but it's in RAW format, it contains contact name in 4 places ! but I can't identify any number related to it.
AccessData FTK can't load this raw image properly. Mobiledit just acquires everything from a phone, but doest do a mem dump. At least I know there's a trace of data I'm looking for..
Read my post I just updated.
You did not make it clear that you already have a raw image. You wrote that you have a ROM dump which is highly unlikely.
Can you copy/paste some of the HEX and associated text with it where you think the records are?
Maybe a screen shot of your editor where you see the name, and the numbers?
thx folks, for these ideas
Alex - I dumped ROM using itsutils, but it's in RAW format, it contains contact name in 4 places ! but I can't identify any number related to it.
AccessData FTK can't load this raw image properly. Mobiledit just acquires everything from a phone, but doest do a mem dump. At least I know there's a trace of data I'm looking for..
..
jhup, there's just a bunch of ASCII trash next to contact name, so I don't think it's useful.
About these jpgs I found
I used some software, that extracts multimedia files from *.raw
jhup, there's just a bunch of ASCII trash next to contact name, so I don't think it's useful.
About these jpgs I found
I used some software, that extracts multimedia files from *.raw
When viewed as ASCII it might well be trash - but the number is quite possibly not stored in ASCII - if you could copy out the hex nearby (or a screenshot in a hex editor even) then we might be able to spot something.
I second AlexC's comment.
Remember that "ASCII trash" is actually hexadecimal numbers. Do not presume date & time data is readily readable in ASCII. Most likely it is not. There are about a dozen well known ways store date & time stamps, none are ASCII and readily readable.
Take a look at
Take a look at the demo version of RevEnge (the demo version work well enough for your purposes) - it will decode and display about 50 different formats of date and times (when you include their big endian and litte endian variants).
It will also decode a few "encoded" telephone numbers
You dont need to paste a given hex value in either, you can just move the cursor though the bytes to see all the possible decodings
http//
hey, nice tool, but It doesn't seem to be working for me (see screenshot)
While going though file - data interpreter on the right is always empty for some reason
On the screenshot you see the name of a person from missing phonebook record
"Justyna" Red cursor is at what appears to be decoded number
You need to right click on the RH pane and choose what you want to look at i.e. choose which (or all) of dates and times you want decoding .