I am attempting to do an exam on an HTC One PN0710 (AT&T). A UFED Touch was used for the physical extraction and Physical Analyzer is being used for the exam. Both are up to date.
PA is not automatically recovering any data; all I am being presented with is raw data. I have never seen this happen before, although I have only been doing this about a year now, so not surprising. Any ideas why PA is not automatically parsing the data for me? Anything I can try?
I've experienced this with a few different phones using PA. I usually just use my computer forensic software (we use ILookIX) and it allows me to access everything in the physical dump. We don't get the pretty reports, but we can get to everything to examine it.
Good Luck!
Dave Allen
Waveland Police Department
Thanks Dave, I appreciate the response!
Dave,
A workaround would be to copy the .ufd file to a temp file,
edit this file (it's a text file) and change the device= from PN0710 to PN0700.
Then from UFED PA open this new .ufd file.
The decoding chain for the PN0710 is missing and this workaround will force it to use the PN0700 decoding chain.
Best regards,
Ron Serber
Hi,
Ron, why not select directly the chain used by PA: open the dump with the "Open (Advanced)" command and select the PN0700 decoding chain? However, thanks for the tip.
Regards
This will of course work, but it is for more advanced users (requires more explanation).
Best regards,
Ron
It appears that I don't have the PN07000 chain either??? The options presented to me are PN07120 & PN072.
nsbuck - there isn't a decoding chain for PN07000.
There is a chain for PN07120 - give that a go with your physical dump! (Open Advanced method).
I have had many successful results using PN07120.
Went back to my case and tried this, it worked!
Great, I thought it would!