Hi
I am making attempts to recover deleted SMS messages from a Nokia 7650-Series 60; DCT4 generation; model from 2002/3, one of the first Nokia models to run Symbian OS. Processor type & architecture- NHL-2(NA) 32-bit RISC CPU.
I am using Cellebrite UFED Physical Analyser (PA), MSAB XRY/XACT, Oxygen Suite, MobileEdit & luck. I haven't connected this exhibit to anything disastrous, like a flasher box or even started to go down the road of chip-off.
I'm aware of the thread on Absolute addresses & links to an Absolute Address Database- http//
I can connect a Nokia 7650 service cable, from a flasher box kit, to the back of the phone in its service ports. This cable then connects to the supplied UFED Cellebrite HWK/Nokia cable & to the UFED.
With the UFED PA, I can acquire a .pm dump (Permanent Memory), where I can see keys & sub-keys with data for this Series 60, Nokia 7650 model. Can anyone point me to what the keys are for Series 60 pm dump? I only have guidelines for a Series 30 & 40.
ie- [5] = IMEI; [52]= SMS sent on Series 30.
When using Cellebrite Physical Memory option for Nokia, a few models can be selected. As the 7650 isn't listed & therefore not supported, I manage to get variant absolute memory dumps, ranging between 700 Kb to 4Mb. When viewed in Physical Analyser or a hex editor, no data exists in these dumps, so I'm stuck to locate the absolute memory range.
I found on a website that discusses Nokia DCT4 flash address erasing, memory address ranges are as follows
[NHL-2NA]
START=00000000
END=00FFFFFF
START2=02000000
END2=023FFFFF
STARTe=00FF0000
ENDe=00FFFFFF
On the UFED, I can do a manual punch-in of these ranges, Read PM Absolute- with for example- Nokia 8310, Nokia 8800, Nokia 2600 & Nokia 3300, but these all become zero write-outs- May be to do with using an incorrect handset model for the one the UFED needs to acquire an absolute PM for.
I want to eventually data carve the 16 byte header signature for crucial deleted SMS messages.
Also, one other interesting thing is that Mobile Edit could see an extra data partition where application files are installed that Oxygen Forensic Suite didn't pick up on. ie-
Oxygen-
C\Nokia & C\system (4 MB capacity)
D\cbs, D\sysmtem\, D\wap (443 KB capacity)
Mobile Edit-
above 2, including Z\ (15 Mb capacity)
thanks in advance
Hi Robbo,
Have you found anything further on the Nokia 7650? I am working on one now (historic homicide).
I've got oxygen forensic to read the filesystem, but can't seem to export the files in a zip or similar. I've got PMs from using UFED physical and the SHU-box with Sarassoft.
The goal is to find deleted SMS.
I will probably take the memory chip off and analyse the data from that. However, I want to confirm SMS headers with my reference phone before I take any chip off.
Thanks,
Marco
I found out how to get all the files
In Oxygen, make sure you download all files (At window ‘data type selection’ select ‘full reading’ and check ‘files from internal memory’).
Then save as archive.
But also export files. When asked to ‘export files’, select ‘yes’.
Apologies for not being as responsive….but when you selected ‘full reading’ and check ‘files from internal memory’ in Oxygen forensics, were you able to locate or retrieve any deleted SMS messages? Was this extraction still through bluetooth connectivity, not through the service cable port? In other words did you manage to data carve the 16 byte SMS file header for any potential deleted messages? If not then chip-off is going to be a last resort, as in my case where this is being done.
Hi Robbo,
With just the file system dump, the only source for deleted SMS is the 'Index' file (c\System\Mail). It seems to contain SMS that have already been deleted. The 16 byte header that you found in the individual SMS files doesn't work here.
Now working on taking chips off (there are two on this phone) and searching for my reference data.
Marco
Hi Marco, Did you have success with your deleted SMS recovery?
I have an N95 and am attempting the same and wonder since Cellebrite does not list the model for physical extraction, whether to purchase some flasher box and reattempt a physical dump.
Any comments would be appreciated (or from anyone else),
Robert
Hi Robert,
Have you looked into JTAG or chip off for an N95? Our experience so far is that if you can get JTAG working, it costs much less time and hassle to get the data from the phone. The other benefit is of course that the phone does not need to be destroyed as it would be with chip off.
We're using a RIFF box. You will need a schematic of the phone but you will be able to find that on the Net.
Once you've got the binary dump from the memory (or memories) you'll need to find your text messages. We use a reference phone that we load with known data. After we downloaded the binary dump, we search for that known data. That will help us identify the data. With that knowledge we search the exhibit data.
Hope this helps.
Marco
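The reference-phone search described in the post above, as an added example that is not part of the original thread or any tool named in it. It goes beyond the post by trying several text encodings (ASCII, UTF-16 in both byte orders, GSM 7-bit packed); which of these a given handset uses is an assumption to confirm against the reference dump, and the message text and dump contents are constructed.

```python
"""Locate known reference-phone messages in a raw memory dump (added example)."""

def gsm7_pack(text: str) -> bytes:
    """Pack septets into octets as in an SMS PDU. Assumes characters whose
    GSM default-alphabet code equals ASCII (A-Z, a-z, 0-9, space)."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)

def patterns(text: str) -> dict:
    """Byte patterns for one known message in each candidate encoding."""
    return {
        "ascii": text.encode("ascii"),
        "utf-16le": text.encode("utf-16-le"),
        "utf-16be": text.encode("utf-16-be"),
        # Keep complete octets only, so the start of a longer message matches too.
        "gsm7-packed": gsm7_pack(text)[: len(text) * 7 // 8],
    }

def search_dump(dump: bytes, known_texts) -> list:
    """Return sorted (offset, encoding, text) for every occurrence found."""
    hits = []
    for text in known_texts:
        for enc, needle in patterns(text).items():
            pos = dump.find(needle)
            while pos != -1:
                hits.append((pos, enc, text))
                pos = dump.find(needle, pos + 1)
    return sorted(hits)

def build_sample_dump():
    """Constructed stand-in for a chip-off/JTAG image; not real phone data."""
    ref = "REFMSG 0001 hello"                # hypothetical reference message
    dump = b"\xff" * 64 + ref.encode("utf-16-le")   # erased flash reads 0xFF
    dump += b"\xff" * 32 + gsm7_pack(ref) + b"\x00" * 16
    return dump, ref

if __name__ == "__main__":
    dump, ref = build_sample_dump()
    for off, enc, text in search_dump(dump, [ref]):
        print(f"0x{off:08x}  {enc:12s}  {text!r}")
```

The packed 7-bit pattern generally matches only when the known text starts the message, because each octet's contents depend on the septet position; the offsets and encoding found in the reference dump then show where and how to look in the exhibit dump.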