Nokia N95 deleted S...
 
Notifications
Clear all

Nokia N95 deleted SMS recovery

Page 1 / 3
RobertCyber
(@robertcyber)
New Member

Can anyone assist please?
I have a Nokia N95 and only find logical/file system extractions available with XRY and with Cellebrite UFED.

I am thinking to purshue a physical dump (or can I gain deleted SMS from files which I now have from the file system?) using a flasher box.

Any assistance would be appreciated.

I am wanting to build a comprehensive kit for doing mobile forensics work, so am open to suggestions of good gear for Australia (GSM primarily)

Thanks

Robert

Quote
Topic starter Posted : 22/08/2012 11:40 am
RonS
 RonS
(@rons)
Active Member

UFED will be adding physical extraction support for this model in the near future.
If you have a valid physical extraction with flash spare area (using flasher box?) you can use UFED PA to decode that extraction.

Ron

ReplyQuote
Posted : 22/08/2012 3:58 pm
RobertCyber
(@robertcyber)
New Member

Thanks Ron,
How do you know UFED will have this soon?

I do not have a physical dump yet, -am starting to investigate types of flasher boxes.

To confirm though Physical Analyser will decode a dump from the N95?

Thanks again,
Robert

ReplyQuote
Topic starter Posted : 23/08/2012 5:10 am
RobertCyber
(@robertcyber)
New Member

Ron,
I have been researching flasher box's available.

Can you confirm that a good flasher box opption would be the 'Shu Box' (collection of several boxes) for the Nokia models?

Thanks again,
Robert

ReplyQuote
Topic starter Posted : 23/08/2012 5:28 am
RonS
 RonS
(@rons)
Active Member

RobertCyber,

I know because I am from Cellebrite and we are working now on a new family of BB5 models that the N95 is one of them and hopefully we will find a way to physically extract them.

The ATF flasher box has some capabilities for Nokia BB5 flash memory read. Its main disadvantage is the fact that it does not read all the flash memory and in specific the spare area's that are needed for decoding. You can still use it for carving.

Second, it has a limited number of devices supported with flash memory read (UFED already supports more models).

UFED Physical already support decoding from N95 chip-off so if your extraction is complete (with spare area), UFED PA will decode it including the Symbian databases that as far as I know there is no other solution that supports these Symbian database decoding. Next UFED release will also include decoding support for the below list (including file system reconstruction)

Here is the current Nokia BB5 supported model list with Physical extraction bypassing locked devices (55 supported models)

C2-01 Hally , C2-01.5 Warm Silver, X2-00
X2-01, C3-00, C3-01 Ronald
X3-00, X3-02 Touch and Type, C7-00.1
C5-00, C5-00.2, C5-03 Kitty
E5-00, C6-00.1, C6-01
C6-01.3, E6-00, N8-00
E51-1, E52-1, E55-1
N79-1, E72, E72-2
N79-3, N85-1, N97-1
300 Asha, 2710c-2 Navigation Edition, 3710a-1c
3711a-1, 5230-1c, 5233
5250, 5320d-1, 5530 Expressmusic
5630d-1, 5700, 5730s-1
5800d-1b Expressmusic, 6120c-1, 6124c-1
6260s-1 Slide, 6303ci, 6350-1d
6650d-1bH, 6700c-1 Classic, 6700s
6710s, 6720c Classic, 6720c-1b
6750 Mural, 6790s-1c, 7020a-2
7230-1C

Here is a training video of a Nokia BB5 Physical extraction done with the UFED
http//www.youtube.com/watch?v=oluFeXM66jk&feature=plcp

More video's on the YouTube UFED channel
http//www.youtube.com/user/CellebriteUFED

Ron

ReplyQuote
Posted : 23/08/2012 10:57 am
triran
(@triran)
Member

I user the ATF box dumps with UFED physical analyser - it can be done, just takes a while to sort.

ReplyQuote
Posted : 23/08/2012 1:40 pm
RobertCyber
(@robertcyber)
New Member

That's great info Ron, thanks so much.

Do you know roughly when the new release will be? November? -next year?

Also, can you say when physical will be included for iPad2 and iPad3's?

Robert

ReplyQuote
Topic starter Posted : 23/08/2012 1:58 pm
AlexC
(@alexc)
Active Member

The other thing to check is whether the handset was storing messages on a memory card (if one was present) or on the internal memory if this was an N95-8Gig.

It's been a while since I've looked into this, but checking out an old scalpel configuration the following signature looked like it worked

msg y 1024 \x68\x3C\x00\x10\x68\x3C\x00\x10
Worth checking as we've recovered lots of messages this way in the past.

ReplyQuote
Posted : 23/08/2012 2:49 pm
RonS
 RonS
(@rons)
Active Member

Robert,

Hopefully it will be ready by November, but it can take longer and as always it is possible that we will not find a way. (like for iPad2 and iPhone4S)

Those methods are based on exploits that we need to find and there is no recipe For that.

Ron

ReplyQuote
Posted : 24/08/2012 1:51 am
RobertCyber
(@robertcyber)
New Member

Thanks Ron,
The N95 is a 8Gb version.
So, is it likely that the deleted SMS can be found even on the Cellebrite logical extraction?

Thanks,
Roebrt

ReplyQuote
Topic starter Posted : 24/08/2012 6:36 am
RobertCyber
(@robertcyber)
New Member

Ron,
So if the ATF flasher box does not get a complete-enough dump for UFED PA, what box does?

When will UFED be able to dump the N95? 8Gb?

Can you comment on the ability of any of the following boxes, regarding Nokia devices? (I need to make a move here and buy something in). -or should I get an ATF…
Twister
UFS3
SHU box
JAF box
HWK
SaraSoft

Great to have your help,
Robert

ReplyQuote
Topic starter Posted : 24/08/2012 6:42 am
RonS
 RonS
(@rons)
Active Member

No flasher box extracts all the data (it is not just for PA, the spare area is just not there and you can only carve for data).
N95 physical support by UFED is a research in progress (not all research project complete with success).

Regarding which box to buy
If this is for Nokia flash reading and you have a UFED not sure it will help you since as I mentioned UFED already support models for physical extraction that are not supported by flasher boxes (with spare area extraction, so the data can also be decoded)

I find ATF to be more advanced than other boxes in regards to Nokia phones.

Ron

ReplyQuote
Posted : 24/08/2012 11:55 am
RobertCyber
(@robertcyber)
New Member

So it seems then that flasher boxes will become a thing of the past (or if you cannot have access to a tool like UFED).

and, I presume that there would eb 'some' models of phone that aUFED cannot get, where perhaps one of the flasher boxes can.

I wonder why it is that flasher boxes cannot access the spare area…? Is it because you need access to the phones firmware or OS in order to gain this unallocated area?

Do you have any papers/recommendations for up to date books, which deal with these issues?

Robert

ReplyQuote
Topic starter Posted : 24/08/2012 12:04 pm
AlexC
(@alexc)
Active Member

Thanks Ron,
The N95 is a 8Gb version.
So, is it likely that the deleted SMS can be found even on the Cellebrite logical extraction?

Thanks,
Roebrt

If you've got an image of the Internal storage I would definitely give that scalpel signature a quick go to see if you get anything back.

ReplyQuote
Posted : 24/08/2012 3:35 pm
RonS
 RonS
(@rons)
Active Member

There will always be models that the many different flasher boxes might support and UFED not. My comment was specific to Nokia BB5 physical extraction.

One more important note is that flasher boxes originally were designed to unlock the phone SIM lock in addition to changing IMEI. Even their flash read functionality (together with flash write) were designed to allow patching the phone firmware. They don't read the spare area because it was not needed to patch the firmware and because it is not easy to implement.

Ron

ReplyQuote
Posted : 24/08/2012 5:22 pm
Page 1 / 3
Share:
Share to...