Can anyone explain why there is difference between Xact hex dump (.bin) and that obtained using a flasher box (.pm) is different
.bin xact does appear to have the keys and sub keys that the flasher extraction has. roll
Is one an absolute read and the other a PM Tables read?
If the raw data the same between the two - if you do hex searches for a key from one does it appear in the other?
Thanks for a quick reply - its is most certainy my understanding of what I'm doing So I have two extractions from the same phone one using XACT, and the other using a JAF flasher box , i set it up to read records to 999
when viewing the Xact dump with Encase I can clearly see some txt ie contact list
·····ªE*
#
······D·e·n·n·i·s·········ªE
, but this is not the case with the flasher file although in the flasher file I can see the keys and subkey
for example
[2] 0=00000000D69ED0F50041
Do I need to decode the keys in order to determine what they are - and how do I go about doing that
By "Xact dump" what do you mean? How did you get the bin file?
XACT will recover an absolute (physical) read from a handset (.bin) and from what you have said about reading up to 999 with the flasher box you have recovered a logical (.PM).
A PM file will generally only contain live data and as you have noticed is in a different "key" and "sub key" format to that of physical .bin file recovered by XACT that also may also contain deleted data.
The PM file can be read with
If you have CelleBrites Physical Examiner then you can extract and decode with this as well.