Nokia Lumia 800 [WP7]

33 Posts
11 Users
0 Reactions
5,877 Views
(@polar)
Eminent Member
Joined: 15 years ago
Posts: 48
 

Looking at a range of Mobile WIN7 tools to see whether they are suitable for examiners. Here is one I have been reviewing last week:

http://www.resco.net/developer/support/samples.aspx
http://www.resco.net/mobileformstoolkit/overview.aspx#wm
http://www.resco.net/mobileformstoolkit/download.aspx

What do you hope to do with those controls?


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Hello,
sorry for the gravedigging of this thread, but I thought it was better than starting a new one.

I'll have to deal with this handset soon;
does anyone know if any progress has been made for analyzing a Lumia 800?

I'm looking at the UFED compatibility list as of now; for UFED Ultimate it says it supports "filesystem extraction",

but everything else is missing, like it's unable to decode anything in the Physical Analyzer.

Any JTAG method supported or anything?

The evidence I'll have to extract is most likely WhatsApp related, so I absolutely need to extract WhatsApp history from the mobile.

I wonder if UFED or Oxygen is capable of such a task.

I eventually have a flasher box that can be connected to the test points, but honestly I don't trust it too much and would keep it as a last resort, just in case they ask me "ok, do it no matter what".


   
(@polar)
Eminent Member
Joined: 15 years ago
Posts: 48
 

We've done a few of those now. If you are able to obtain a physical extraction, you'll be able to analyse WhatsApp easily as it uses SQLite.


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Polar,
thank you for your reply :)

The problem is exactly that: getting a physical dump.

I can't do a chip-off, but I have an ATF Box.

The phone has the DLOAD bootloader, so I'm trying to figure out which are the viable ways.

I can try to use the test point on the phone to read the flash, but I don't know if ATF can do that. There is a function (custom read/write) which allows me to specify the memory range to read to a file, so I think that if I know the exact flash chip size I can manage to dump its whole content.

Second approach: flash a Qualcomm unlocked bootloader and access the partitions using dd.
This one is easier to perform in terms of technical skills required and tools you need to do that, BUT considering I'm WRITING something on the device, I have to make sure that replacing the bootloader doesn't screw up the actual data.

Do you have any experience with this equipment?

In the meanwhile I'm waiting for solderless cables for this specific model, which might compensate for my lack of soldering skill.

EDIT: I managed to extract the partitions from the internal flash of the device. One is approximately 15GB, which I think is the OS partition; others are boot and stuff.

The question now is: do you know of any tool that can interpret the filesystems?
It doesn't look like any familiar, well-known filesystem.
I've tried opening the dd image using FTK Imager, but it can't recognize it, so I can't browse files or directories in an attempt to extract data.


   
(@sandfurz)
Active Member
Joined: 12 years ago
Posts: 7
 

Windows Phone 7 has a normal exFAT filesystem. The problem is that the partitioning is written to the flash, so there is no matching partition table for it. X-Ways found loads of partitions when I searched for lost partitions.

It was partition 12 for the last devices I had to work on which was the interesting one.

So if you can't use a tool like X-Ways, you should search for partitions, their beginning and range, and try to mount them.

The next challenge is to interpret the files. I did not find scripts or tools which help with interpreting the files, so you have to do it manually or write your own scripts. WhatsApp is easy to analyse, because it uses SQLite.

Internet Evidence Finder finds some artifacts, but mostly web-related ones.

Here I have a link to some information for investigating a WP7 dump:
infosec WP7 forensics

I hope I could help, even if your request is a few days old.

Maybe someone found some tools for investigating a WP7 dump?!


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Hi,
sorry, but I was busy during the past few days and didn't visit the forum.

I've just noticed your reply.

My flash dump appears to have a partition table like this,

as shown by fdisk:

# fdisk -l lumia800.bin.001

Disk lumia800.bin.001 15.9 GB, 15938355200 bytes
1 heads, 63 sectors/track, 494120 cylinders, total 31129600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical) 512 bytes / 512 bytes
I/O size (minimum/optimal) 512 bytes / 512 bytes
Disk identifier 0x00000000

Device Boot Start End Blocks Id System
lumia800.bin.001p1 * 1 1000 500 4d QNX4.x
lumia800.bin.001p2 1001 4000 1500 46 Unknown
lumia800.bin.001p3 4001 304000 150000 c W95 FAT32 (LBA)
lumia800.bin.001p4 304001 31129599 15412799+ 5 Extended
lumia800.bin.001p5 304006 304133 64 ef EFI (FAT-12/16/32)
lumia800.bin.001p6 304134 310277 3072 58 Unknown
lumia800.bin.001p7 393216 399359 3072 4a Unknown
lumia800.bin.001p8 399360 405503 3072 4b Unknown
lumia800.bin.001p9 524288 31248382 15362047+ 48 Unknown


as shown by the Sleuth Kit's mmls:


# mmls lumia800.bin.001
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000000 0000000001 Unallocated
02 0000 0000000001 0000001000 0000001000 QNX 4.x (0x4d)
03 0001 0000001001 0000004000 0000003000 EUMEL/Elan (0x46)
04 0002 0000004001 0000304000 0000300000 Win95 FAT32 (0x0c)
05 Meta 0000304001 0031129599 0030825599 DOS Extended (0x05)
06 Meta 0000304001 0000304001 0000000001 Extended Table (#1)
07 ----- 0000304001 0000304005 0000000005 Unallocated
08 Meta 0000304002 0000304002 0000000001 DOS Extended (0x05)
09 Meta 0000304002 0000304002 0000000001 Extended Table (#2)
10 Meta 0000304003 0000304003 0000000001 DOS Extended (0x05)
11 Meta 0000304003 0000304003 0000000001 Extended Table (#3)
12 Meta 0000304004 0000304004 0000000001 DOS Extended (0x05)
13 Meta 0000304004 0000304004 0000000001 Extended Table (#4)
14 Meta 0000304005 0000304005 0000000001 DOS Extended (0x05)
15 Meta 0000304005 0000304005 0000000001 Extended Table (#5)
16 0100 0000304006 0000304133 0000000128 EFI File System (0xef)
17 0200 0000304134 0000310277 0000006144 Unknown Type (0x58)
18 ----- 0000310278 0000393215 0000082938 Unallocated
19 0300 0000393216 0000399359 0000006144 Mark Aitchison's ALFS/THIN Lightweight Filesystem (0x4a)
20 0400 0000399360 0000405503 0000006144 Unknown Type (0x4b)
21 ----- 0000405504 0000524287 0000118784 Unallocated
22 0500 0000524288 0031248382 0030724095 EUMEL/Elan (0x48)


The only partition I could mount is the second partition (FAT16), but that partition doesn't contain any user data, only phone-specific data, certificates and such.

The partition that actually contains user data is partition 9 (in fdisk), but the filesystem doesn't seem to be exFAT.

I've managed to successfully carve out some SQLite databases that belong to WhatsApp, so in a way or another I managed to get the information I was looking for.

But I'm really interested in finding out if the logical structure can be in any way interpreted.

I've also tried running it through R-Studio and scanning for partitions, but it couldn't find any exFAT partition.

EDIT: shame on me!
It's GPT,
and the partition appears to be not correctly aligned. I've managed to find its offset using TestDisk; now I've extracted it using dd, and need to find a way to read it, as apparently neither the Sleuth Kit nor the FUSE exFAT driver supports the transactional version of exFAT.

I think I'll give a look at it using X-Ways.
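One way to locate the real volume in a dump like the one above, as an added example that is not from the thread: scan every sector for the GPT header, the exFAT volume boot record and the SQLite file header, read the start LBA the GPT entry claims, and compare it with where the VBR actually sits; the VBR's own fields then give the dd offset and length. The sample image is constructed inline, with a deliberately misaligned GPT entry.

```python
import struct

SECTOR = 512
GPT_SIG = b"EFI PART"          # GPT header signature, normally at LBA 1
EXFAT_SIG = b"EXFAT   "        # exFAT VBR FileSystemName field (bytes 3..10)
SQLITE_SIG = b"SQLite format 3\x00"

def scan_signatures(image):
    """Return (sector, kind) for every sector that carries a known signature."""
    hits = []
    for sec in range(len(image) // SECTOR):
        chunk = image[sec * SECTOR:(sec + 1) * SECTOR]
        if chunk.startswith(GPT_SIG):
            hits.append((sec, "gpt-header"))
        elif chunk[3:11] == EXFAT_SIG and chunk[510:512] == b"\x55\xaa":
            hits.append((sec, "exfat-vbr"))
        elif chunk.startswith(SQLITE_SIG):
            hits.append((sec, "sqlite"))
    return hits

def gpt_partition_starts(image, header_sector):
    """Starting LBA of each used GPT entry (unused entries have an all-zero type GUID)."""
    hdr = image[header_sector * SECTOR:(header_sector + 1) * SECTOR]
    entries_lba, num_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    starts = []
    for i in range(num_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = image[off:off + entry_size]
        if len(entry) == entry_size and entry[:16] != b"\x00" * 16:
            starts.append(struct.unpack_from("<Q", entry, 32)[0])  # FirstLBA
    return starts

def exfat_dd_params(image, vbr_sector):
    """dd skip/count in 512-byte units, from the VBR's VolumeLength and BytesPerSectorShift."""
    vbr = image[vbr_sector * SECTOR:(vbr_sector + 1) * SECTOR]
    volume_length = struct.unpack_from("<Q", vbr, 72)[0]   # in filesystem sectors
    return {"skip": vbr_sector, "count": (volume_length << vbr[108]) // SECTOR}

def build_sample_image():
    """Constructed dump: the GPT entry says LBA 8, the real exFAT VBR is at LBA 10, SQLite at LBA 14."""
    img = bytearray(SECTOR * 20)
    struct.pack_into("<8sIIIIQQQQ16sQII", img, SECTOR, GPT_SIG, 0x10000, 92, 0, 0,
                     1, 19, 4, 18, b"\x01" * 16, 2, 1, 128)   # entries at LBA 2, 1 entry
    img[2 * SECTOR:2 * SECTOR + 16] = b"\x02" * 16            # used entry: non-zero type GUID
    struct.pack_into("<QQ", img, 2 * SECTOR + 32, 8, 18)       # FirstLBA, LastLBA (misaligned)
    vbr = 10 * SECTOR
    img[vbr + 3:vbr + 11], img[vbr + 510:vbr + 512] = EXFAT_SIG, b"\x55\xaa"
    struct.pack_into("<Q", img, vbr + 72, 8)                   # VolumeLength = 8 sectors
    img[vbr + 108] = 9                                         # BytesPerSectorShift: 512 bytes
    img[14 * SECTOR:14 * SECTOR + 16] = SQLITE_SIG
    return bytes(img)
```

On a real dump, a VBR sector that differs from the GPT entry's FirstLBA is the misalignment described above, and the returned skip/count can be passed straight to dd to extract the volume.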


   
(@polar)
Eminent Member
Joined: 15 years ago
Posts: 48
 

I think I'll give a look at it using X-Ways.

That should do it. :)


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Once I managed to detect and isolate the partition, even R-Studio could parse its content properly.

Too bad TSK can't handle it; I've cloned the git repository and compiled the development branch, but apparently there are a bunch of issues, probably depending on the fact that the filesystem is TexFAT and not simple exFAT.

Also the FUSE exFAT module fails to mount it.

If I happen to find a disposable device I'll dump it and submit the image for testing.


   
(@pb10)
Active Member
Joined: 12 years ago
Posts: 19
 

Hi,

I am not sure how far you have got with this using TestDisk. I had a Windows Lumia 610, and using TestDisk I was able to export the file system and gain access to the files. (TestDisk saw the partition of interest, and you can then list the files and export them.)

The problem was decoding the databases (such as store.vol). I am still working on (or trying to find) a solution to parse the text messages from a Windows 7 handset.


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

With TestDisk I couldn't extract the files from the partition; it wouldn't recognize it, only identify it, but I couldn't get the content.

The questions to me were really specific: they wanted me to extract WhatsApp conversations, so it was pretty easy since the files are SQLite.

In fact, just by carving I could extract lots of the conversations, as I could extract the SQLite files.


   