Ron,
So if the ATF flasher box does not get a complete-enough dump for UFED PA, what box does?
When will UFED be able to dump the N95? 8Gb?
Can you comment on the ability of any of the following boxes, regarding Nokia devices? (I need to make a move here and buy something in). -or should I get an ATF…
Twister
UFS3
SHU box
JAF box
HWK
SaraSoft
Great to have your help,
Robert
No flasher box extracts all the data (it is not just for PA, the spare area is just not there and you can only carve for data).
N95 physical support by UFED is a research in progress (not all research project complete with success).
Regarding which box to buy
If this is for Nokia flash reading and you have a UFED not sure it will help you since as I mentioned UFED already support models for physical extraction that are not supported by flasher boxes (with spare area extraction, so the data can also be decoded)
I find ATF to be more advanced than other boxes in regards to Nokia phones.
Ron
So it seems then that flasher boxes will become a thing of the past (or if you cannot have access to a tool like UFED).
and, I presume that there would eb 'some' models of phone that aUFED cannot get, where perhaps one of the flasher boxes can.
I wonder why it is that flasher boxes cannot access the spare area…? Is it because you need access to the phones firmware or OS in order to gain this unallocated area?
Do you have any papers/recommendations for up to date books, which deal with these issues?
Robert
Thanks Ron,
The N95 is a 8Gb version.
So, is it likely that the deleted SMS can be found even on the Cellebrite logical extraction?Thanks,
Roebrt
If you've got an image of the Internal storage I would definitely give that scalpel signature a quick go to see if you get anything back.
There will always be models that the many different flasher boxes might support and UFED not. My comment was specific to Nokia BB5 physical extraction.
One more important note is that flasher boxes originally were designed to unlock the phone SIM lock in addition to changing IMEI. Even their flash read functionality (together with flash write) were designed to allow patching the phone firmware. They don't read the spare area because it was not needed to patch the firmware and because it is not easy to implement.
Ron
The other thing to check is whether the handset was storing messages on a memory card (if one was present) or on the internal memory if this was an N95-8Gig.
It's been a while since I've looked into this, but checking out an old scalpel configuration the following signature looked like it worked
msg y 1024 \x68\x3C\x00\x10\x68\x3C\x00\x10
Worth checking as we've recovered lots of messages this way in the past.
Thanks AlexC,
I iwll obtain some flasher boxes and try to get a dump, and then use your string.
Robert
I have taken delivery of among other devices a SHU box from FoneFunShop in the UK.
The software provided by them for Setool and HWK both pull trojan messages with Symantec Endpoint.
Can anyone vouch for FoneFunShop? -before i go further trusting thier software or, should I look for an untained copy of these tools fromsomewhere.
Perhaps there is a good explaination as to why Symantec shows trojans (at least 3 when we either run the installation for Setool or HWK) other than there actually being untoward malware embedded.
Thanks again,
Robert
That is common for flasher box software as they require free inbound-outbound internet access. Some flasher boxes cause firewall problems as they need specific ports to be opened especially when updating software. It is highly advised to use a dedicated PC for flasher boxes.
Ron,
I have been researching flasher box's available.Can you confirm that a good flasher box opption would be the 'Shu Box' (collection of several boxes) for the Nokia models?
Thanks again,
Robert
Sorry for gravediggning this thread, but can anyone share more details on this flasher box? cables you use, software you use for dumping firmwares?
i'm really interested )
The other thing to check is whether the handset was storing messages on a memory card (if one was present) or on the internal memory if this was an N95-8Gig.
It's been a while since I've looked into this, but checking out an old scalpel configuration the following signature looked like it worked
msg y 1024 \x68\x3C\x00\x10\x68\x3C\x00\x10
Worth checking as we've recovered lots of messages this way in the past.
I post again because i can't seem to edit my previous reply.. sorry about that.
but i was wondering, did you carve that signature over a memory card or a flash dump?
also, can you point me in the right direction on where to search for such informations on a logical extraction?
i have a filesystem logical extraction but i really don't know which files store what )