HTC One Examination

10 Posts
6 Users
0 Reactions
1,122 Views
(@uh60james)
New Member
Joined: 12 years ago
Posts: 3
Topic starter  

I am attempting to do an exam on an HTC One PN0710 (AT&T). A UFED Touch was used for the physical extraction and Physical Analyzer is being used for the exam. Both are up to date.

PA is not automatically recovering any data, all I am being presented with is raw data. I have never seen this happen before, although I have only been doing this about a year now so not surprising. Any ideas why PA is not automatically parsing the data for me? Anything I can try?


   
(@daveallen)
Active Member
Joined: 18 years ago
Posts: 12
 

I've experienced this with a few different phones using PA. I usually just use my computer forensic software (we use ILookIX) and it allows me to access everything in the physical dump. We don't get the pretty reports, but we can get to everything to examine it.

Good Luck!

Dave Allen
Waveland Police Department


   
(@uh60james)
New Member
Joined: 12 years ago
Posts: 3
Topic starter  

Thanks Dave, I appreciate the response!


   
 RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

Dave,

A workaround would be to copy the .ufd file to a temp file, edit this file (it's a text file) and change the device= from PN0710 to PN0700.

Then from UFED PA open this new .ufd file.

The decoding chain for the PN0710 is missing and this workaround will force it to use the PN0700 decoding chain.

Best regards,
Ron Serber


   
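The workaround described in the post above, as an added example that is not part of the original thread or any vendor tooling: it writes a retargeted copy of the .ufd and hashes the original before and after to show it was left untouched. It assumes only what the post states (a text file with a `device=` line); `retarget_ufd` is a hypothetical name, and the model is a parameter because later replies report a different chain name working.

```python
import hashlib
import re
import sys
from pathlib import Path

# A "device=<value>" line, LF or CRLF. Only the key name comes from the thread;
# nothing else about the .ufd layout is assumed.
DEVICE_LINE = re.compile(rb"^([ \t]*device[ \t]*=[ \t]*)([^\r\n]*?)([ \t\r]*)$",
                         re.IGNORECASE | re.MULTILINE)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def retarget_ufd(src, dst, old_model, new_model):
    """Write dst as a copy of src with device=<old_model> set to <new_model>.

    Works on bytes so encoding and line endings are preserved. The source is
    only ever read; its hash is checked before and after. Returns the number
    of device= lines changed.
    """
    src, dst = Path(src), Path(dst)
    if dst.exists():
        raise FileExistsError(f"refusing to overwrite {dst}")
    before = sha256(src)
    changed = 0

    def swap(m):
        nonlocal changed
        if m.group(2) != old_model.encode():
            return m.group(0)          # some other device value: leave as is
        changed += 1
        return m.group(1) + new_model.encode() + m.group(3)

    out = DEVICE_LINE.sub(swap, src.read_bytes())
    if changed == 0:
        raise ValueError(f"no 'device={old_model}' line found in {src}")
    dst.write_bytes(out)
    if sha256(src) != before:
        raise RuntimeError("source .ufd changed during processing")
    return changed

if __name__ == "__main__":
    # usage: script.py <original.ufd> <copy.ufd> <old model> <new model>
    src, dst, old, new = sys.argv[1:5]
    n = retarget_ufd(src, dst, old, new)
    print(f"{n} line(s) changed; original sha256 {sha256(src)}")
```

Record both file hashes and the substituted model in the case notes so the change to the copy is documented.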
(@sam305754)
Eminent Member
Joined: 14 years ago
Posts: 44
 

Hi,

Ron, why not select directly the chain used by PA: open the dump with the "Open (Advanced)" command and select the PN0700 decoding chain? However, thanks for the tip.

Regards


   
 RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

This will of course work, but it is for more advanced users (requires more explanation).

Best regards,
Ron


   
nsbuck
(@nsbuck)
Trusted Member
Joined: 17 years ago
Posts: 91
 

> Dave,
>
> A workaround would be to copy the .ufd file to a temp file, edit this file (it's a text file) and change the device= from PN0710 to PN0700.
>
> Then from UFED PA open this new .ufd file.
>
> The decoding chain for the PN0710 is missing and this workaround will force it to use the PN0700 decoding chain.
>
> Best regards,
> Ron Serber

It appears that I don't have the PN07000 chain either??? The options presented to me are PN07120 & PN072


   
(@dcs1094)
Estimable Member
Joined: 12 years ago
Posts: 146
 

> It appears that I don't have the PN07000 chain either??? The options presented to me are PN07120 & PN072

nsbuck - there isn't a decoding chain for PN07000.

There is a chain for PN07120 - give that a go with your physical dump! (Open Advanced method).

I have had many successful results using PN07120.


   
(@uh60james)
New Member
Joined: 12 years ago
Posts: 3
Topic starter  

Went back to my case and tried this, it worked!


   
(@dcs1094)
Estimable Member
Joined: 12 years ago
Posts: 146
 

> Went back to my case and tried this, it worked!

Great, I thought it would!


   