Did you also try 7-bit in reverse mode (there is a checkbox for that)?
I also sent you a PM
Ron
Hi Larry
These are always interesting cases to think about because searching a forum might produce results that may answer the problem, but on other occasions someone can come along and give a different suggestion of another angle to consider.
I could offer loads of trial and error suggestions, but from what I understand so far your comments suggest to me that you may wish to look back to the start when you obtained the acquired image and consider whether the byte size obtained is a byte size recorded by the tool Cellebrite Touch. Then ask the question whether Cellebrite Touch actually acquired 'any' data at all and whether the tool simply filled a file with zeros to accommodate the file byte size (e.g. 'sparse file' approach).
I used Cellebrite Touch to make a physical, logical and file system image.
I can well understand your footsteps to (quite rightly) see whether an alternative tool might reveal data where the first tool that acquired a file seems not to have the capability to reveal data.
Since I know the content of the SMS I tried key word searches in both PA and FTK and I can find no trace of any of the deleted SMS messages.
However, if the file is zeroed in the first place then the results you obtained with FTK should only corroborate the zeros filled in that same file.
Would you care to run through the Cellebrite Touch setup procedure you followed or would you feel more comfortable going to Cellebrite and see if they offer a suggestion?
FYI I also used BitPim that pulled a dump off the phone. BitPim also reveals a _SMS_ SEGMENTEDMSG_DATA file that has substance to it (4 MB). I used both PA and FTK to search that file and neither could obtain any results for my search terms…
I also tried a few free online PDU conversion tools with no luck.
I am beginning to wonder if this phone was restored back to factory in order to delete the SMS. Then it may have wiped all the db files.
Still trying… Larry
So do I read this to mean you are also seeing zeros acquired in the BitPIM data file?
Sorry, just joined.
Larry, if the model in question is a SPH-M540 (Sprint), the SMS are stored under /TFS4/NVM/SMS/SMS_*.
This phone stores text strings in plain ASCII characters.
If this phone uses a similar method as the Rant_Telus, the SMS are stored in the /MMMSMG4 folder and use two files to restructure the record. Only a partial text string is shown in Unicode while the entire string uses 7-bit.
These two locations should help you identify the data format you are looking for.
Hi Datahound,
thanks for the reply.
I found some of the stuff under the NVM/SMS directory already.
I don't show the /MMMSMG4 folder on this phone.
Good, so use ASCII to search for known texts against the full physical image for deleted content. This format uses a 24-byte timestamp for incoming messages. Therefore, it is easy to search if needed. Outgoing uses a 4-byte epoch.
Outgoing should look like this (changed some tel numbers around):
00000000 09 00 00 36 0a 02 40 20 01 00 00 00 00 a8 00 00 ...6..@ ........
00000010 02 04 02 10 00 00 00 02 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 ff ff ff ff 57 69 6c 6c 20 64 65 6c 65 .......Will dele
00000050 74 65 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 te this message 
00000060 66 6f 72 20 70 68 79 73 69 63 61 6c 20 74 65 73 for physical tes
00000070 74 2e 20 46 6f 72 65 6e 73 69 63 73 2e 00 01 01 t. Forensics....
00000080 0a 31 31 31 37 33 39 33 36 39 94 8e 9f 3a 00 .1115739369....
00000090 00 01 0f 00 00 00 00 00 00 00 00 00 0a 00 00 00 ................
000000A0 00 00 00 00 00 00 38 30 38 39 38 37 36 35 34 33 ......8089876543
000000B0 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 00 00 ................
That was the very first thing that I did.
I recovered some deleted text but none of the 863 text messages that the owner of the phone states he sent, using supplied keywords.
One thing that was bothering me was that maybe some deleted SMS was in encrypted or compressed format, since I have certain deleted SMS directories that have a size of 218 bytes and contain all zeros, then next to it I would have a deleted SMS directory 130 bytes in size and it would contain readable ASCII characters.
I do not believe this phone uses encryption or compression. I can see deleted content in plain text. The file system parsing may have found filenames but no data associated with them, so zero bytes are common.
Doesn't look good if searches come up empty. I typically use your favorite 4 letter word to see if any deleted artifacts come up as a test.
Good luck.
Like I said before, I did find deleted text just none containing the search terms he provided.
His phone records reveal over 800 text messages to and from his phone and I found maybe 50 not related to the case.
One of my questions was not about a zero byte file.
It was how could a file with a size of say 200 bytes be filled with 0s and the next file in line be 120 bytes and contain readable text.
It seems to me that a zeroed out file would be zero bytes unless there was actually a payload that wasn't readable.
In other words, the file below is 311 bytes with no readable text.
But this file is smaller at 287 bytes with a lot of readable text.
There could be a problem with the file system parsing on the physical image. Try comparing the file dump you ran with the physical. From the physical image, it appears all SMS were deleted. The file dump should contain only one file, sms_0000, if so.
Also, the second screenshot you showed is not an SMS string but just some text that is located where the old SMS was stored (assuming correct parsing). Notice there are no tel number strings or time stamps in the file. Moreover, the text strings cannot have 0x00 between the text strings; spaces use 0x20.
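As an added example, not code from the thread or from any tool named in it, this Python carves records of the shape shown in Datahound's outgoing dump from a raw physical image and separates them from bare text hits that have no phone number or timestamp around them, the distinction he draws in his last reply. Reading the 0x0a byte as a length prefix and the 4-byte timestamp as little-endian are my assumptions; the thread states neither.

```python
import re
import struct
from dataclasses import dataclass

# Record shape read off Datahound's outgoing dump: 'ff ff ff ff', the text in
# plain ASCII, a 0x00 terminator, '01 01', one byte I take to be a length prefix
# (0x0a before ten digits), the number as ASCII digits, then 4 timestamp bytes.
MARKER = b"\xff\xff\xff\xff"
RECORD_RE = re.compile(  # DOTALL so '.' also matches the 0x0a prefix byte
    rb"\xff\xff\xff\xff([\x20-\x7e]+)\x00\x01\x01(.)([0-9]{7,15})(.{4})", re.DOTALL)

@dataclass
class SmsRecord:
    offset: int
    text: str
    number: str
    timestamp_raw: int  # epoch base is not given in the thread, so left undecoded

def carve_outgoing(image: bytes) -> list[SmsRecord]:
    """Carve every run in a raw image that has the complete record shape."""
    found = []
    for m in RECORD_RE.finditer(image):
        text, prefix, number, ts = m.groups()
        if prefix[0] != len(number):  # prefix disagrees with the digit run: skip
            continue
        found.append(SmsRecord(m.start(), text.decode("ascii"),
                               number.decode("ascii"), struct.unpack("<I", ts)[0]))
    return found

def unstructured_hits(image: bytes, keyword: str) -> list[int]:
    """Plain-ASCII keyword hits outside any carved record: text lying where SMS
    once were, with no phone number or timestamp around it (Datahound's caveat)."""
    spans = [(r.offset, r.offset + len(MARKER) + len(r.text)) for r in carve_outgoing(image)]
    return [m.start() for m in re.finditer(re.escape(keyword.encode()), image)
            if not any(s <= m.start() < e for s, e in spans)]

def nul_interleaved(run: bytes) -> bool:
    """b'F\\x00o\\x00r\\x00' style runs: this format never puts 0x00 between
    characters (spaces are 0x20), so such a hit is not an SMS string either."""
    return len(run) >= 4 and not any(run[1::2]) and all(run[0::2])

# Constructed sample image: two records (numbers altered, as in the thread) and
# one bare text run that has no number or timestamp after it.
SAMPLE_IMAGE = (
    b"\x00" * 16 + MARKER + b"Will delete this message for physical test. Forensics."
    + b"\x00\x01\x01\x0a1115739369\x94\x8e\x9f\x3a" + b"\x00" * 8
    + MARKER + b"Forensics" + b"\x00" * 8
    + MARKER + b"Meet at 5" + b"\x00\x01\x01\x0a8089876543\x01\x02\x03\x04"
)
```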