Samsung Rant and deleted SMS

24 Posts
7 Users
0 Reactions
3,403 Views
(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

I have a Samsung Rant SPH-M540 (ATT) that I am examining.
There were hundreds of SMS on this phone that were deleted.
I used Cellebrite Touch to make a physical, logical and file system image.
Since I know the content of the SMS I tried key word searches in both PA and FTK and I can find no trace of any of the deleted SMS messages.

Any suggestions?

Larry


(@lance)
Active Member
Joined: 20 years ago
Posts: 9
 

Hey Larry,

I am not familiar with that specific phone, but my guess based on what you describe is that the messages are PDU encoded and not searchable using a simple keyword search.

You may want to encode your keyword(s) and then search for those.
http://www.smartposition.nl/resources/sms_pdu.html#PDU_CONVERTER

Lance


(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Thanks Lance.. awesome site, I will give it a try..
although when using the PA I did utilize the 7-bit search string option with no luck.

Thanks again.


(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Still trying to figure this out.

Using BitPim I located the sms folder and exported that out. The nv_cd_msg_data file shows to be 101575 (bytes I believe) in size. When you open the sms/nv_cd_msg_data file it shows all zeros.
I also exported the entire file into FTK to try to carve any data using live searches as well as loaded the sms/nv_cd_msg_data file into Cellebrites PA to search using the ASCII and 7 bit search capability.
I can retrieve no data.
Is it possible for a zeroed out file to appear to have 101517 bytes? (sorry for the ignorance, I am not a programmer)

I tried to convert some of the keywords to PDU encoding as Lance suggested but that didn't work out too well either.

Oh.. I don't know if it matters but the PDU encoding seemed to be a GSM standard and this is a CDMA cell phone.

The victim knows that he deleted the SMS but hasn't used the phone since, and there were hundreds of SMS messages on the phone.


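Lance's encoded-keyword idea and Larry's GSM-versus-CDMA point, worked through as an added example (my own code, not from the thread, Cellebrite or FTK): it packs a keyword the GSM way (septets LSB-first, 3GPP TS 23.038) and the CDMA 7-bit ASCII way (MSB-first, 3GPP2 C.S0015), builds the byte pattern for every alignment the keyword could land on, and searches a constructed dump for them. That the Rant stores message text as packed 7-bit at all is an assumption; the two layouts are simply the standard ones a searcher would try first.

```python
# Added example (not code from the thread or from any vendor tool).
# GSM packs septets LSB-first, which is what PDU converters emit; CDMA 7-bit
# ASCII user data packs MSB-first. Letters, digits and space encode the same
# in both alphabets; other characters need the GSM alphabet table first.
def pack_7bit_lsb_first(text: str) -> bytes:
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits     # new septet goes above the leftovers
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)

def pack_7bit_msb_first(text: str) -> bytes:
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits = (bits << 7) | (ord(ch) & 0x7F)   # new septet goes below the leftovers
        nbits += 7
        while nbits >= 8:
            out.append((bits >> (nbits - 8)) & 0xFF)
            nbits -= 8
            bits &= (1 << nbits) - 1
    if nbits:
        out.append((bits << (8 - nbits)) & 0xFF)
    return bytes(out)

def alignment_patterns(keyword: str, packer):
    # A keyword at septet index k starts at bit 7k; 7k mod 8 takes 8 values, so
    # 8 patterns cover every alignment. Keep only bytes lying wholly inside the
    # keyword, so the unknown neighbouring characters cannot spoil the match.
    n = len(keyword)
    for s in range(8):
        packed = packer("\0" * s + keyword)          # s dummy septets set the offset
        start, end = -(-7 * s // 8), (7 * (s + n)) // 8
        if end - start >= 2:                          # 1-byte patterns are too ambiguous
            yield s, packed[start:end]

def find_keyword(dump: bytes, keyword: str):
    hits = []   # (layout, alignment, offset in dump)
    for name, packer in (("gsm-lsb", pack_7bit_lsb_first), ("cdma-msb", pack_7bit_msb_first)):
        for s, pat in alignment_patterns(keyword, packer):
            off = dump.find(pat)
            while off != -1:
                hits.append((name, s, off))
                off = dump.find(pat, off + 1)
    return hits

MSG = "call me at noon"   # constructed sample message, stored once per layout below
DUMP = b"\0" * 16 + pack_7bit_lsb_first(MSG) + b"\xff" * 8 + pack_7bit_msb_first(MSG) + b"\0" * 16
```

A plain ASCII search for "noon" finds nothing in DUMP, while find_keyword(DUMP, "noon") reports a hit in each layout; a real dump gets the same treatment with the exported file read into DUMP.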
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

The nv_cd_msg_data file shows to be 101575 (bytes I believe) in size. When you open the sms/nv_cd_msg_data file it shows all zeros.

Is it possible for a zeroed out file to appear to have 101517 bytes? (sorry for the ignorance, I am not a programmer)

Two different byte sizes. What are you putting that down to?

oh.. I don't know if it matters but the PDU encoding seemed to be a GSM standard and this is a CDMA cell phone

Might do. Have you checked compatibility? Puzzling though, as you indicate the user read the text before deleting.


(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Oh sorry.. a typo, the size is 101575 bytes. Is it possible for a zeroed out file to have such bulk?

Or is there data there just being displayed as zeros?


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Hi Larry

No worries and thanks for coming back to clarify the byte size issue above.

These are always interesting cases to think about because searching a forum might produce results that may answer the problem, but on other occasions someone can come along and give a different suggestion of another angle to consider.

I am suggesting the path below only because Cellebrite have not, as yet, responded to your post but they may not have seen it and may not know of the problem.

I could offer loads of trial and error suggestions, but from what I understand so far your comments suggest to me that you may wish to look back to the start when you obtained the acquired image and consider whether the byte size obtained is a byte size recorded by the tool Cellebrite Touch. Then ask the question whether Cellebrite Touch actually acquired 'any' data at all and whether the tool simply filled a file with zeros to accommodate the file byte size (e.g. a 'sparse file' approach).

I used Cellebrite Touch to make a physical, logical and file system image.

I can well understand your footsteps to (quite rightly) see whether an alternative tool might reveal data where the first tool that acquired a file seems not to have the capability to reveal data.

Since I know the content of the SMS I tried key word searches in both PA and FTK and I can find no trace of any of the deleted SMS messages.

However if the file is zeroed in the first place then the results you obtained with FTK should only corroborate the zeros filled in that same file.

Would you care to run through the Cellebrite Touch setup procedure you followed or would you feel more comfortable going to Cellebrite and see if they offer a suggestion?


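One way to settle the "is it really all zeros" question on the exported file before going back to the acquisition, as an added example (my code, not from the thread, BitPim or Cellebrite): it streams the file once and reports the non-zero byte count, first non-zero offset, Shannon entropy and, where the OS exposes it, the allocated size that distinguishes a sparse file from a genuinely written one. The sample files it builds are constructed here, sized to the 101575 bytes from the thread.

```python
# Added example, not from the thread or from any vendor tool: a zero-filled
# (or sparse) file of any size shows 0 non-zero bytes and entropy 0.0, while
# real message data, even packed 7-bit text, does not.
import math
import os
import tempfile
from collections import Counter

def summarize_bytes(path: str, chunk: int = 1 << 16) -> dict:
    """Stream the file: size, non-zero count, first non-zero offset, Shannon
    entropy (bits per byte) and allocated bytes where st_blocks is reported."""
    counts, first_nonzero, size = Counter(), None, 0
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            counts.update(buf)                      # counts byte values 0..255
            if first_nonzero is None:
                idx = next((i for i, b in enumerate(buf) if b), None)
                if idx is not None:
                    first_nonzero = size + idx
            size += len(buf)
    entropy = -sum(c / size * math.log2(c / size) for c in counts.values()) if size else 0.0
    blocks = getattr(os.stat(path), "st_blocks", None)   # None where the OS lacks it
    return {
        "size": size,
        "nonzero": size - counts.get(0, 0),
        "first_nonzero": first_nonzero,
        "entropy": round(entropy, 3),
        "allocated": None if blocks is None else blocks * 512,   # far below size => sparse
    }

def write_sample(path: str, size: int, payload: bytes = b"", at: int = 0) -> str:
    """Constructed input: a zero-filled file of `size` bytes (truncate() leaves
    the unwritten region as zeros) with an optional payload written at `at`."""
    with open(path, "wb") as f:
        f.truncate(size)
        if payload:
            f.seek(at)
            f.write(payload)
    return path

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    print(summarize_bytes(write_sample(os.path.join(d, "zeros.bin"), 101575)))
    print(summarize_bytes(write_sample(os.path.join(d, "data.bin"), 101575, b"call me at noon", 4096)))
```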
 RonS
(@rons)
Reputable Member
Joined: 17 years ago
Posts: 358
 

Hi Larry,

Cellebrite UFED supports, in addition to logical, both file system and physical extraction.
Since you are after deleted SMS, you will find them in a physical extraction.

Best regards,
Ron Serber


(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Hi Ron,
The 1st thing I did was the physical. Still found nothing.
Searched using the PA in ASCII and 7-bit mode. Actually I tried all the search options.

