Different hash values if contents never changed?

7 Posts
5 Users
0 Reactions
2,062 Views
(@biandris)
New Member
Joined: 11 years ago
Posts: 3
Topic starter  

Hi,

I have an old Nokia basic phone and I have imaged it using Cellebrite. The UFED generated the sha256 value as the extraction was successfully completed. I have re-imaged the phone 2 or 3 days later, and the hash was different this time. The phone was not touched between the 2 extractions, and it stayed powered off and without a SIM card in, so I cannot find an explanation as to why the hashes would be different. Could someone please explain?

Cheers!


(@vootz)
Eminent Member
Joined: 20 years ago
Posts: 27
 

Basically, when running the mobile data extraction tools, the phone gets powered on/off - every time the phone is powered on, there are dates that are updated, some log files might be updated, etc. There really isn't a way to take a hash of a mobile phone before and after an acquisition and have it match, as you can with a hard drive using a write blocker.


(@biandris)
New Member
Joined: 11 years ago
Posts: 3
Topic starter  

Thank you for your reply! Much appreciated!


(@vootz)
Eminent Member
Joined: 20 years ago
Posts: 27
 

I could be mistaken (someone please correct me if I'm wrong), but I believe that SHA hash value that UFED gives is the hash of the data extracted (so of the .UFD file/its contents) rather than a hash of the device itself. So if one were then to pass along the .UFD/contents extraction results to someone else, that hash could be verified that the data contents of that extraction did not change, if that makes sense.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

… if that makes sense.

Sure it makes sense ).

The generic point is that hashes were originally invented for transmission of data.

What hashes are used for (correctly in their original context use) is that (example) the file you upload and make available for download (the "original") has on your side a given hash, then someone that downloads it can calculate the hash on his side (on the "copy") and if it is the same then you are guaranteed that there were not transmission errors or a MITM (Man In The Middle) attack of any kind changing the data.
If the hash doesn't match, two assumptions are made
1) the "original" is still there, unmodified
2) an error in the data transmission happened
which leads to the obvious "solution" that is "restart the download".

In that scenario the "object" of the hashing is a "static" piece of data.

When it comes to mobile or even hard disk acquisition, see here
https://www.forensicfocus.com/Forums/viewtopic/p=6586663/#6586663
the issue is that the "object" is not necessarily "static", but rather more like a "living thing", so the method of hashing loses a lot of its value, particularly with modern devices (but no one seemingly is interested in using a more sophisticated approach); see also
https://www.forensicfocus.com/Forums/viewtopic/t=13749/
https://www.forensicfocus.com/Forums/viewtopic/t=13439/
http://www.forensicfocus.com/Forums/viewtopic/t=11739/

jaclaz


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

… so I cannot find an explanation to why the hashes would be different. Could someone please explain?

And any explanation from people not involved can only be indicative. We don't even know what OS the phone runs.

You are best placed to answer the question yourself.

Simply take the two images, and compare them, byte by byte.

That may give you a) a single byte that has changed, b) a chunk of contiguous bytes that changed, c) lots of random changes everywhere.

Depending on what you find, research the possible sources for the change. a) would be the simplest – it could be something as simple as a time indication that has been updated, or a counter of the number of times the phone has been powered on.

When you have done that, you know.

What's important is not so much who manufactured the phone (Nokia), but what software platform it uses (Symbian? Windows Phone? MeeGo? Android?) Open source environments are likely to be easier to research than closed source platforms.


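The byte-by-byte comparison suggested in the reply above, as an added example that is not part of the original thread: it takes two raw images of the same device, confirms their SHA-256 values differ, and then classifies the difference into the three cases named in the post (a single changed byte, one contiguous changed chunk, or scattered changes). The two "images" here are constructed byte strings, not real UFED output; a practitioner would read the two extraction files from disk instead. The function names and the DiffReport structure are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DiffReport:
    """Summary of how two acquisitions of the same device differ."""
    sha256_a: str
    sha256_b: str
    same_length: bool
    changed_bytes: int
    regions: List[Tuple[int, int]]  # (offset, length) of each contiguous changed run
    verdict: str                    # "identical", "single byte", "contiguous chunk", "scattered"


def sha256_hex(data: bytes) -> str:
    """Hash the extraction contents, as the tool does at the end of an acquisition."""
    return hashlib.sha256(data).hexdigest()


def changed_regions(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return contiguous runs of differing offsets over the common length.

    If the images differ in length, the tail that exists in only one of them
    is reported as a final region starting at the common length.
    """
    regions: List[Tuple[int, int]] = []
    common = min(len(a), len(b))
    start = None
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, common - start))
    if len(a) != len(b):
        regions.append((common, abs(len(a) - len(b))))
    return regions


def compare_images(a: bytes, b: bytes) -> DiffReport:
    """Classify the difference between two images into the three cases from the post."""
    regions = changed_regions(a, b)
    changed = sum(length for _, length in regions)
    if changed == 0:
        verdict = "identical"
    elif changed == 1:
        verdict = "single byte"       # e.g. a counter or flag updated on power-on
    elif len(regions) == 1:
        verdict = "contiguous chunk"  # e.g. one log record or timestamp structure rewritten
    else:
        verdict = "scattered"         # changes in many places: look for wider system activity
    return DiffReport(sha256_hex(a), sha256_hex(b), len(a) == len(b), changed, regions, verdict)


def describe(report: DiffReport, max_regions: int = 8) -> str:
    """Human-readable summary, listing the first few changed regions by offset."""
    lines = [
        f"sha256 first acquisition : {report.sha256_a}",
        f"sha256 second acquisition: {report.sha256_b}",
        f"verdict: {report.verdict} ({report.changed_bytes} byte(s) in {len(report.regions)} region(s))",
    ]
    for offset, length in report.regions[:max_regions]:
        lines.append(f"  offset 0x{offset:08x}, {length} byte(s)")
    return "\n".join(lines)


# --- constructed sample data (not a real phone image) -------------------------
# A 1 KiB "first acquisition", then three variants standing in for the second one.
FIRST = bytes(range(256)) * 4

# (a) one byte changed, as a boot counter incremented on power-on would look
SECOND_ONE_BYTE = bytearray(FIRST)
SECOND_ONE_BYTE[0x40] = (SECOND_ONE_BYTE[0x40] + 1) & 0xFF
SECOND_ONE_BYTE = bytes(SECOND_ONE_BYTE)

# (b) a 16-byte contiguous record rewritten, like an updated timestamp structure
SECOND_CHUNK = FIRST[:0x200] + b"\xAA" * 16 + FIRST[0x210:]

# (c) three isolated changes far apart
SECOND_SCATTERED = bytearray(FIRST)
for off in (0x10, 0x180, 0x3F0):
    SECOND_SCATTERED[off] ^= 0xFF
SECOND_SCATTERED = bytes(SECOND_SCATTERED)

if __name__ == "__main__":
    for label, second in (("one byte", SECOND_ONE_BYTE),
                          ("chunk", SECOND_CHUNK),
                          ("scattered", SECOND_SCATTERED)):
        print(f"--- case: {label}")
        print(describe(compare_images(FIRST, second)))
```

For real extractions, replace the constructed byte strings with `open(path, "rb").read()` for each image; on very large images the loop can be replaced with a chunked read, but the classification logic stays the same. The offsets in the report are what you then take to the file system or partition layout of the device to find out which structure changed.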
(@bntrotter)
Trusted Member
Joined: 12 years ago
Posts: 63
 

This is why I consider cell phones as extraction and not part of established forensics.

Depending on Cellebrite's method of extraction, the phone's data still has a chance to update and change as the device is powered on and the device's clock counts. System files are updating.

If the hashes remain the same for the intelligible files then you're good.

