Hi,
I have been looking for info on forensically imaging/extracting data from a Nokia 5800.
To hook it up to a computer, do I just need to connect the phone cable (micro USB) to a USB write blocker and then that to the forensic machine? From there, just use a tool such as Oxygen to extract the data?
Is it that simple or am I missing something?
Cheers,
Craig
The device runs Nokia's 3rd edition of Symbian OS. This means that at this point in time there is no way (to my knowledge) of taking a forensic image of this device.
The ideal route would be to use a tool such as Oxygen or XRY to perform a logical extraction.
If the device gives you the option of selecting 'File Mode' or similar rather than PC Suite then you could image this through FTK Imager. But this would only be part of the file system and would not be a complete image by any means.
It is worth performing a logical extraction and imaging the mass storage if possible.
What would be the best way to do this in a forensic manner? Do I need to attach it via a USB write blocker, then put the phone into file mode and go from there?
I would suggest this is probably a very good approach. D
Yea, I think so too! Well I will find out next week.
Thanks for the replies.
Just letting you know you may have problems in using a USB write blocker for extracting media from a mobile phone as the software often has to send extraction requests up the wire to get the phone to send it.
All the best
Steve
From what you're saying then, is there no way of completely write protecting the phone's memory when doing an extraction?
Would this be the norm across all mobile phones?
craig
Here are some links to access or download discussion content to understand some of the issues:
Writing to handsets under examination (2008)
http://trewmte.blogspot.com/2008/03/writing-to-mobile-phones-under.html
Switch On Update Lose Data (2006)
http://www.4shared.com/document/VZEAx2dH/Switch_On_Update_Lose_Evidence.html
Observations about opening unread SMS text messages (2009)
http://www.forensicfocus.com/greg-smith-interview-290809
Deleted Data Mobile (2006)
http://www.4shared.com/document/AJkutrcq/Deleted_data_Mobiles_2010.html
You may also want to search at my weblog (http://trewmte.blogspot.com) but you will find it worthwhile searching here in Mobile Phone Forensics Forum (if you haven't already) where examiners have identified numerous problems.
Thanks for the links trewmte, your links and blog have been very useful!
Cheers,
Craig
If the device supports a memory card, the mass storage mode will most likely just allow access to the memory card stored in the device. With the Symbian devices that have an internal mass memory (N95 8GB for example) you can connect the device via a write blocker and image this section. Unfortunately the Symbian partition is very hard/impossible to get an image from. There are numerous methods around but as far as being forensically sound processes I think they have a little further to come.
If you're performing a logical extraction, Oxygen/XRY are very good at extracting the data on the device.
Just be careful when extracting it, the 'Event Log' (where the call register is taken from) is a rolling event log and will delete data as the date/time settings of the handset increase.