
SonyEricsson Hidden Evidence

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

I have discovered that it is possible when manually examining some SonyEricssons (such as "K" range etc) that after a user has deleted the Last Number Dialled (LND) from the call register that it is possible to recover the last ten numbers dialled on the handset using the 'menu keys'.

Here is the routine**

- Select Menu
- Select Messages
- Select Write New
- Select Text Message: this displays the screen to commence entering text, but no need to enter any text; leave screen blank
- Select Continue
- Select Addr. book look-up (can also state Contacts look-up): the screen now displays phonebook contacts
- Select More
- Select "Unsaved numbers": displays dialled numbers for LND that had been deleted

There are some noteworthy points to consider

a) the recovered numbers cannot have already been saved into either the Phonebook of the handset or *SIM;
b) there are no dates and times when numbers were dialled;
c) the unsaved recovered numbers appear in a random order.

*Checks were also made to ensure the recovered deleted numbers were not stored in 7F10 6F44 (EFLND) in SIM.

In recovering this information I found when conducting tests using handset readers *none* detected what may amount to important evidence. Most importantly, if produced in evidence (by one party against another) that failure to detect such evidence may suggest a systemic failure of practises/practices and/or procedures regarding the examination of this make and its various models.

I do not think that the above analogy could be suggested as fair as an overall statement of affairs because

d) the latest "w" range of SonyEricsson does not appear to have this functionality as far as I can tell, but further research is needed;
e) The English user manual for the K600i and K800i makes no mention of such a function, which I am describing as 'recovery of data that may have evidential value arising from an undocumented functionality of a particular handset'. Thus, this matter needs to be considered on a case by case (model by model) approach.

Ultimately this finding underpins the principle that examiners cannot solely rely and transfer their responsibility onto so-called 'forensic devices' to produce reliable findings, and that human intervention is paramount when dealing with mobile telephone examination and evidence. My observations therefore do not rule out using forensic devices or software device readers that are used to recover data that are commonly served in evidence. The objective of raising this matter is one of awareness and that the skillsets required for manual examination must be retained.

**Note I have been informed that the above routine doesn't work on the SonyEricsson K850.


   
(@mobilephoneforensic)
Trusted Member
Joined: 19 years ago
Posts: 73
 

Trewmte, you said "Select "Unsaved numbers" displays dialled numbers for LND that had been deleted". How can you be sure that these numbers have been deleted? Are you using a clone SIM in the phone? If so, which type: the type produced by using SIM ID Cloner from Microsystemations or the type produced by FST? Are you sure that these so-called deleted numbers you are picking up are not from the SIM?

In certain Nokia phones a log of calls made, received and missed and texts sent and received is stored separate to the actual call register and text folder. This log only stores the numbers and the type of communication, and this log keeps growing unless it is deleted by the user. So if this log has 15 entries, out of which 10 were dialled, missed and received calls and 5 were text messages, the log will not change even after the call register or text messages have been deleted.

So I was just wondering could the "Deleted LDN" be getting picked up from this Log? Just a thought. As I do not have a Sony Ericsson Phone to test this with, I thought you could test this for me.

Thanks

Kind Regards

Mobilephoneforensic


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  


There are several parts to your question so I will answer them as they appear in order in your comments.

The issue of cloning a card using SIM ID Cloner or FST was not required for the tests I carried out. The issue revolves around "Unsaved" (i.e. not saved in either handset phonebook or SIM phone (EFADN)). You will note I mentioned SIM EFLND. The purpose of looking there related to a principle in GSM relating to the order of "precedence" (ETS 300 505 and ETSI TS 100 906), thus technically I was obliged to look at EFLND to ensure after the handset LND call register numbers had been deleted that they were not being propagated from that EF but populating other applications.

Furthermore, I did run tests with different SIMs and the feature "Unsaved numbers" was no longer in the menu. This suggested to me that the matter was account user (IMSI) specific, which tended to rule out someone else's SIM being in the handset and generating the "Unsaved numbers".

I take the point about Nokia, and thanks for your explanation, but I am of the mind that the SonyEricsson issue relates to a centralised datastore where numbers are shared between various GSM/3G user applications. Deleting the LND call register does not of itself need a Clone ID SIM containing replica IMSI etc to be used as that would still generate the same proposition as having the genuine SIM inserted. Besides, Clone ID SIM etc were made to deal with the issue preventing registration of the account to the network, not accessing data associated with the account user (IMSI). I won't go into the argument about losing call registers by using cloned test SIMs.

Nor do I believe this to have occurred from a bug in the software (so to speak) as this issue extends to other models having different platforms (for example W890i), albeit accessing "Unsaved numbers" in other models that have deleted LND call registers is achieved via different routines.

The similarity between what you are saying in the last para of your comments and what I am saying may be explicitly (outwardly) the same, but maybe implicitly (inwardly) technically different.

I do not suggest I possess all the answers, merely to raise the evidential issues about this matter and out of fairness to let other examiners know (if they didn't already). The point being if picked up at court, it would seem unreasonable to me, at any rate, to try and catch an examiner out when this matter is not even recorded in the user manuals. On the other hand, from discussions with other experts, it was noted expert reports in evidence appear silent on this matter where a SonyEricsson model was at issue - meaning how the "Unsaved numbers" data was acquired by manual examination and the impact of that relating to the data evidential weight.

Finally, since making my earlier posting I have been shown that there were two websites that reported this matter back in late 2006. I hadn't seen these sites before, but nevertheless they report the routine in relation to the K800 and W810i, but not the K600i. Nor did those discussions relate to evidential impact, merely they were reviews about the devices. This tended to make matters worse, not better, as I had not seen this particular issue raised by way of the usual forensic forums.

Kind regards
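
Added example, not part of either poster's messages: one way to script the cross-check described in the first post and explained in the reply above, i.e. confirming that numbers shown under "Unsaved numbers" are not held in 7F10 6F44 (EFLND). It assumes the raw EFLND records have already been read out with a SIM reader and that they follow the GSM 11.11 record layout; the function names and the sample bytes are constructed for illustration.

```python
# EF_LND record layout per GSM 11.11 (same mandatory part as EF_ADN):
# [alpha id: X bytes][BCD length: 1][TON/NPI: 1][number: 10][CCP: 1][Ext1: 1]
FOOTER_LEN = 14
BCD_DIGITS = "0123456789*#pwe"  # 0xA '*', 0xB '#', 0xC pause, 0xD wild, 0xE expansion


def decode_lnd_record(record: bytes):
    """Return the dialled number held in one EF_LND record, or None if unused."""
    if len(record) < FOOTER_LEN:
        raise ValueError("record shorter than the 14-byte mandatory part")
    footer = record[-FOOTER_LEN:]
    bcd_len, ton_npi = footer[0], footer[1]
    if bcd_len in (0x00, 0xFF):
        return None  # erased or never written
    if bcd_len > 11:
        raise ValueError("BCD length exceeds TON/NPI byte plus 10 number bytes")
    digits = []
    for byte in footer[2:2 + bcd_len - 1]:  # length byte counts TON/NPI too
        for nibble in (byte & 0x0F, byte >> 4):  # low nibble is the first digit
            if nibble != 0x0F:  # 0xF is the filler for odd-length numbers
                digits.append(BCD_DIGITS[nibble])
    prefix = "+" if (ton_npi >> 4) & 0x07 == 1 else ""  # TON = international
    return prefix + "".join(digits)


def found_in_ef_lnd(handset_numbers, lnd_records):
    """List the handset 'Unsaved numbers' entries that also sit in EF_LND."""
    on_sim = {n for n in map(decode_lnd_record, lnd_records) if n}
    return [n for n in handset_numbers if n.replace(" ", "") in on_sim]


# Constructed sample data: 12-byte alpha identifier left blank (0xFF).
ALPHA = b"\xff" * 12
SAMPLE_LND = [
    ALPHA + bytes.fromhex("07817007900021F3FFFFFFFFFFFF"),  # 07700900123
    ALPHA + bytes.fromhex("0791447700094065FFFFFFFFFFFF"),  # +447700900456
    b"\xff" * 26,                                           # unused record
]
# Constructed list of numbers transcribed from the handset screen.
SAMPLE_UNSAVED = ["07700 900123", "07700900999"]

if __name__ == "__main__":
    for number in found_in_ef_lnd(SAMPLE_UNSAVED, SAMPLE_LND):
        print("also present in EF_LND:", number)
```

An empty result supports the position that the handset, not the SIM, is the source of the displayed numbers; any overlap needs to be recorded in the examination notes.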


   