Yes I agree, a great and generous offer. Thank you xaberx for taking your time to look at it. Same with ForensicRanger he has been looking at it as well for me.
Thx again guys for taking the time to help out. I appreciate it.
Anytime. I was going to deconstruct that structure anyway after ipd (BlackBerry) files. I will take a look at it when I get home and reply to your email with what I find. If you could, in the meantime, send me a guess at what month/day/year the message took place; even the year would help identify the exact time values in the hex to make things easier. No problems on the CSV; I may give you HTML as well so you have it if needed.
ttyl,
Ryan Manley
Wise Forensics
FYI,
UFED supports SMS decoding for the LG VX9200
RonS
Can UFED extract them through a device with a security code activated? Because it seems that may be one of the hurdles here.
According to the first post, twardgpd did manage to communicate with the phone with other tools, so I guess that the USB port is still enabled even with user code.
So, yes, it can communicate with the phone and extract data, even if it's user code locked.
Basically, this is phone dependent: whether the USB port is locked or not when the user code is active.
RonS
Worst case, we can do a physical dump; that definitely bypasses the user code.
I already have the files mostly deconstructed and will post here when complete. So far the data contains 3 sets of timestamps in a non-Unix format. It contains the phone number and contact reference, but also contains 3 or more flags. I will post an example of the structure when finished.
Cheers
Ryan
I finished the app for twardgpd and sent it to his email. Below are the notes for the file format and structure from what I was able to learn. If anyone else has a difficult file, feel free to send it to me, or if you want a copy of the app, send me an email at ryan.manley@wiseforensics.com
Notes
- All files have a fixed length.
- 2 dates are present (I thought 3, but the 3rd was way off when comparing to other files).
- Msg is fixed length; likely the files are the preview msgs for the screen when viewing the list of msgs.
- Sender name and phone number are both present.
Structure Notes
Bytes        Description
12-15        Date1 in LE form, and is the seconds since 01/06/1980 (unix is 1970…odd)
24-27        Date2 in LE form, and is the seconds since 01/06/1980 (unix is 1970…odd)
46-110       Msg preview, ASCII text; fixed length shows it is a preview and not the whole msg.
4614-4646    Sender name in ASCII (appears to be how it's listed in the address book)
4647-4656    Sender phone number
There are other fields; however, at this time I do not know what they contain. Could be a proprietary msg GUID, as it changes per msg.
I wrote an app to deconstruct the file for twardgpd and export all entries to CSV or HTML.
ttyl, hope the info above helps, and if I am wrong or missing something let me know so I can help further.
Ryan S. Manley
Wise Forensics LLC
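The layout in the notes above can be read with a short Python parser. This is an added example, not Ryan's app or any code from the thread; the function names are hypothetical and the sample record is constructed. It assumes the byte ranges are zero-based and inclusive, that 01/06/1980 means 6 January 1980 UTC with no leap-second or time zone correction, and that the text and phone fields are NUL-padded ASCII.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: "01/06/1980" is month/day/year, i.e. 6 January 1980, taken as UTC.
EPOCH_1980 = datetime(1980, 1, 6, tzinfo=timezone.utc)

# Byte ranges from the notes, read as zero-based and inclusive (assumption).
DATE1, DATE2 = (12, 15), (24, 27)
PREVIEW = (46, 110)
NAME = (4614, 4646)
PHONE = (4647, 4656)
MIN_LEN = PHONE[1] + 1  # shortest buffer that still holds every known field

def _field(buf, span):
    return buf[span[0]:span[1] + 1]

def _text(raw):
    # Assumption: fields are NUL-padded ASCII; keep what precedes the first NUL.
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace").strip()

def _stamp(raw):
    # 32-bit little-endian count of seconds since the 1980 epoch.
    (secs,) = struct.unpack("<I", raw)
    return EPOCH_1980 + timedelta(seconds=secs)

def parse_sms_record(buf):
    """Decode the known fields of one fixed-length message file."""
    if len(buf) < MIN_LEN:
        raise ValueError(f"record is {len(buf)} bytes, need at least {MIN_LEN}")
    return {
        "date1": _stamp(_field(buf, DATE1)),
        "date2": _stamp(_field(buf, DATE2)),
        "preview": _text(_field(buf, PREVIEW)),
        "sender_name": _text(_field(buf, NAME)),
        "sender_phone": _text(_field(buf, PHONE)),
    }

def build_sample():
    # Constructed record for demonstration, not data from any real handset.
    buf = bytearray(MIN_LEN)
    struct.pack_into("<I", buf, 12, 946684800)
    struct.pack_into("<I", buf, 24, 946684860)
    buf[46:57] = b"call me l8r"
    buf[4614:4622] = b"John Doe"
    buf[4647:4657] = b"5555550100"
    return bytes(buf)

if __name__ == "__main__":
    print(parse_sms_record(build_sample()))
```

Checking the decoded dates against a message whose send time is known confirms or corrects the epoch and time zone assumptions before the output is relied on.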
I want to thank everyone for the response you guys are great. Big thanks to Ryan Manley (xaberx) for the app he created, it worked great. I also want to thank forensicranger he also sent me an app that worked great as well.
This goes to show that this forum site works well together. Everyone that contributed just assisted in putting a local drug dealer away. Thx again guys I would have been stuck without you.
That's great. Thanks for the response RonS
Anytime 😉