Advice needed on Flasher Boxes!
I'm looking into software with the ability to circumvent handset locks.
No particular handset in mind, just general software.
I'm aware of the Polar Box, Superclip Centurion, Shu-box etc. What is the software of choice, and are any considered forensically sound?
Do you mean SIM-locks or the security code of the handset?
I have been using the JAF box for a while now. Here is what I can tell you about it:
1. It supports all Nokia and Siemens phones.
2. It can unlock SIM-locks. Depending on the type of phone you may need to buy credits from JAF to unlock.
3. It is possible to recover security codes for Nokia DCT4 models and BB5 models N-series phones. I have tested this.
4. Is it forensically sound? Not 100 % sure, but it appears to be a read-only action if you read the security code. The SIM-lock unlock does alter data.
2. It can unlock SIM-locks.
Yeah right… wink
Thank you forensic-bob,
We were just looking to acquire the handset locks, and now have purchased the Universal Box.
This supports a wide range of handsets, Nokia (DCT-3 DCT-4 and BB5), Ericsson (UMTS, EPOC, A1, and S1), LG, and Siemens.
It’s very straight forward to use and does the job efficiently… at times.
2. It can unlock SIM-locks.
Yeah right… wink
Hm, I think I was not clear here. With SIM-lock I mean the SIM limitation on the cell phone, not the PIN or CHV code of the SIM.
I've recently started mobile phone forensics, having always previously focussed on PCs. I understand that the various breeds of flasher boxes are used by forensic analysts, but I'm not altogether clear for what purposes they are used.
I'm gathering from reading threads like this that they can be used to recover security locks and the like. In what other circumstances do you use them? For example, can they be used to extract a physical dump from a handset unsupported by XRY and the like?
Thanks in anticipation.
In what other circumstances do you use them? For example, can they be used to extract a physical dump from a handset unsupported by XRY and the like?
Simple answer is yes… sometimes. The flasher boxes are not always 100% reliable in that they are not designed for forensic work, but they can help recover data that is not readily available from the likes of XRY, XACT, UFED etc.
Also remember that just because a handset is listed as supported by a flasher box doesn't mean that a physical memory dump is possible. It may just mean that it supports unlocking the handset from a network or that you can upgrade the software. Important points to note if you're working with a tight budget.
Does anyone else find other 'forensic' uses for flasher boxes?
Bypassing handset lock codes.
They can be used to get last (and previously) used SIM details so you don't have to lose the call records when using HACs.
Slightly off topic included in this thread, but the observations raised are intended to be helpful.
When recovering data using flasher box devices it may be useful to support the notion of obtaining a detail (IMSI/ICCID/etc) about a previously inserted particular SIM Card in a particular mobile telephone that the notion about storing such data in memory is
- not new
- not clandestine shady black-box technology
- not a security breach by the handset manufacturer
In fact the entire process of maintaining a SIM List in the phone was designed to allow a user with more than one SIM Card to gain access to previously held memory data associated with each particular SIM Card.
In order to support that statement it would be helpful to see practitioners using authoritative statements about the forensic 'reliability' and 'accuracy' of recovered data being obtained using flash reading devices and the evidential 'weight' and 'value' to be given to the data.
To assist, here is a statement from a 1996 published Electronic User Guide for the Nokia 2110:
SECURITY LEVEL (Menu 5 2) Page 71
"The phone keeps a list of the SIM cards which are used with the phone. This list may contain the information on up to five different SIM cards."
However, under the same section in the User Guide it states:
"Regardless of the selected security level, all temporarily stored phone numbers are erased when a new SIM card is installed. On the other hand, these phone numbers are not erased when a previously used SIM card is inserted, regardless of the selected security level."
As a query about forensic reliability and accuracy:
- During the acquisition process and the harvesting of the data acquired is there/ has there been anything lost in translation of the data themselves, at first instance? If the IMSI you have recovered from flash memory is presented along with call logs etc, how do you know that those call logs relate to that IMSI and not another IMSI?
As a query about evidential weight and value:
- What weight can be given to the recovered IMSI being directly associated with those call logs? Moreover, what value is there in using such potentially uncorroborated evidence assigned to the recovered data being presented as evidence?
When I was in the job, information such as this was always submitted to the enquiry officer as intelligence (ie. not hard-fast reliable evidence) and had careful wording attached to any report, which would allow the officer to submit appropriate forms to the service providers for evidential output.
I don't know if things have changed since, however.
I think those are fair points you raise. My comments arise from seeing evidence submitted in the form of a witness statement containing alleged deleted data from an exhibit handset and submitted with no qualification about uncertainty or questioning accuracy of the data.
An IMSI that relates to mobile calls over two years ago when no call records exist is one worrying aspect, but evidence is being generated just because a record of the IMSI may still be retained by the operator and deleted call logs recovered from unallocated shareable memory in the flash.
If those concerns were set aside and a guide produced identifying those data that can be established, then this gives a basis to the procedure being credible evidentially.
This is why I am endeavouring to make helpful observations.
The point this morning is that there is a history to certain data being found in non-user accessible memory - that to me seems a positive point. The fact that the IMSI can be established at first instance with respect to its structure and format and then established by issue of it by a particular operator are further positive points.
Historically, dealing with deleted or permanent data in memory that is not accessible by the user is not new either. Below is an image from my training courses for the police in 2001. To avoid using data from a genuine exhibit, simulated material was used, but based upon data found in images. The trainees were asked to analyse the simulated material and identify any flaws: how to look at formatting, reverse nibble for security reasons, bit, nibble, byte and so on. Even to the extent of making deliberate mistakes in translating the data.
Back then people were more comfortable dealing with saved user accessible data on SIMs and handsets, aiming for a water-tight examination procedure and having someone tell them how the machinery worked and provide interpretation of data and the evidence. We have moved on today and the challenges of today require re-establishing all those boundaries that have largely been left without any reinforcement and are falling or have fallen over.
Image/hex dump is being used as part of the examination process and therefore it is not unreasonable to expect to see a guide on it that has been tested by the examination community as a whole.
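The post above mentions reverse-nibble formatting and establishing an IMSI "with respect to its structure and format" before giving it any weight. As an added illustration (not code from the thread or from any flasher box tool), the following decodes a swapped-nibble BCD IMSI and ICCID as laid out in the SIM files EF_IMSI and EF_ICCID (3GPP TS 31.102) and applies the structural checks an examiner can make at first instance; it assumes the bytes pulled from handset flash keep that SIM encoding, and the sample records are constructed, not from any exhibit.

```python
# Added example: decode swapped-nibble BCD IMSI / ICCID records and check their
# structure. Assumption: handset flash stores them in the SIM's EF_IMSI / EF_ICCID
# layout (3GPP TS 31.102); other handsets may use a different layout.

def swapped_nibble_digits(data: bytes) -> str:
    """Telephony BCD: low nibble is the earlier digit, 0xF is filler."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                continue                      # padding nibble
            if nib > 9:
                raise ValueError(f"non-decimal nibble 0x{nib:X}")
            digits.append(str(nib))
    return "".join(digits)

def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI: length byte, then digit 1 in the high nibble of byte 2;
    low nibble of byte 2 = parity flag (b4) and identity indicator 001 (b1-b3)."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if len(body) != length:
        raise ValueError("EF_IMSI record truncated")
    flag = body[0] & 0x0F
    if flag & 0x07 != 0x01:
        raise ValueError("identity indicator is not 001: not an IMSI record")
    digits = str(body[0] >> 4) + swapped_nibble_digits(body[1:])
    if (len(digits) % 2 == 1) != bool(flag & 0x08):
        raise ValueError("odd/even parity flag disagrees with digit count")
    if not 6 <= len(digits) <= 15:
        raise ValueError(f"IMSI has {len(digits)} digits, expected 6..15")
    return digits                             # MCC is digits[:3], MNC follows

def luhn_ok(number: str) -> bool:
    """Luhn check digit test used by ICCIDs (ITU-T E.118)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_iccid(ef_iccid: bytes) -> str:
    digits = swapped_nibble_digits(ef_iccid)
    if not (18 <= len(digits) <= 20 and digits.startswith("89")):
        raise ValueError("ICCID structure check failed (length / 89 prefix)")
    if not luhn_ok(digits):
        raise ValueError("ICCID Luhn check failed: digits likely misread")
    return digits

# Constructed sample records (not from any real exhibit)
SAMPLE_IMSI = bytes.fromhex("082943510000000010")      # -> 234150000000001
SAMPLE_ICCID = bytes.fromhex("984401000000000000F0")   # -> 8944100000000000000
```

A decode that fails the parity or Luhn check is a signal that the bytes were misaligned or misread during acquisition, which is exactly the "lost in translation" concern raised above.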
Yes, it is possible to extract the handset lock, previous SIM cards used in the device (model permitting) and historic data, which can be, and is, used as fully validated evidence in court.
I am trying to find the location of the security code to see whether it's encrypted in the physical memory tables of a Nokia 5800d. Anyone have any experience with PM?