Nokia N95 deleted S...
 
Notifications
Clear all

Nokia N95 deleted SMS recovery

33 Posts
8 Users
0 Likes
2,582 Views
(@robertcyber)
Posts: 15
Active Member
Topic starter
 

Can anyone assist please?
I have a Nokia N95 and only find logical/file system extractions available with XRY and with Cellebrite UFED.

I am thinking to purshue a physical dump (or can I gain deleted SMS from files which I now have from the file system?) using a flasher box.

Any assistance would be appreciated.

I am wanting to build a comprehensive kit for doing mobile forensics work, so am open to suggestions of good gear for Australia (GSM primarily)

Thanks

Robert

 
Posted : 22/08/2012 10:40 am
 RonS
(@rons)
Posts: 358
Reputable Member
 

UFED will be adding physical extraction support for this model in the near future.
If you have a valid physical extraction with flash spare area (using flasher box?) you can use UFED PA to decode that extraction.

Ron

 
Posted : 22/08/2012 2:58 pm
(@robertcyber)
Posts: 15
Active Member
Topic starter
 

Thanks Ron,
How do you know UFED will have this soon?

I do not have a physical dump yet, -am starting to investigate types of flasher boxes.

To confirm though Physical Analyser will decode a dump from the N95?

Thanks again,
Robert

 
Posted : 23/08/2012 4:10 am
(@robertcyber)
Posts: 15
Active Member
Topic starter
 

Ron,
I have been researching flasher box's available.

Can you confirm that a good flasher box opption would be the 'Shu Box' (collection of several boxes) for the Nokia models?

Thanks again,
Robert

 
Posted : 23/08/2012 4:28 am
 RonS
(@rons)
Posts: 358
Reputable Member
 

RobertCyber,

I know because I am from Cellebrite and we are working now on a new family of BB5 models that the N95 is one of them and hopefully we will find a way to physically extract them.

The ATF flasher box has some capabilities for Nokia BB5 flash memory read. Its main disadvantage is the fact that it does not read all the flash memory and in specific the spare area's that are needed for decoding. You can still use it for carving.

Second, it has a limited number of devices supported with flash memory read (UFED already supports more models).

UFED Physical already support decoding from N95 chip-off so if your extraction is complete (with spare area), UFED PA will decode it including the Symbian databases that as far as I know there is no other solution that supports these Symbian database decoding. Next UFED release will also include decoding support for the below list (including file system reconstruction)

Here is the current Nokia BB5 supported model list with Physical extraction bypassing locked devices (55 supported models)

C2-01 Hally , C2-01.5 Warm Silver, X2-00
X2-01, C3-00, C3-01 Ronald
X3-00, X3-02 Touch and Type, C7-00.1
C5-00, C5-00.2, C5-03 Kitty
E5-00, C6-00.1, C6-01
C6-01.3, E6-00, N8-00
E51-1, E52-1, E55-1
N79-1, E72, E72-2
N79-3, N85-1, N97-1
300 Asha, 2710c-2 Navigation Edition, 3710a-1c
3711a-1, 5230-1c, 5233
5250, 5320d-1, 5530 Expressmusic
5630d-1, 5700, 5730s-1
5800d-1b Expressmusic, 6120c-1, 6124c-1
6260s-1 Slide, 6303ci, 6350-1d
6650d-1bH, 6700c-1 Classic, 6700s
6710s, 6720c Classic, 6720c-1b
6750 Mural, 6790s-1c, 7020a-2
7230-1C

Here is a training video of a Nokia BB5 Physical extraction done with the UFED
http//www.youtube.com/watch?v=oluFeXM66jk&feature=plcp

More video's on the YouTube UFED channel
http//www.youtube.com/user/CellebriteUFED

Ron

 
Posted : 23/08/2012 9:57 am
triran
(@triran)
Posts: 99
Trusted Member
 

I user the ATF box dumps with UFED physical analyser - it can be done, just takes a while to sort.

 
Posted : 23/08/2012 12:40 pm
(@robertcyber)
Posts: 15
Active Member
Topic starter
 

That's great info Ron, thanks so much.

Do you know roughly when the new release will be? November? -next year?

Also, can you say when physical will be included for iPad2 and iPad3's?

Robert

 
Posted : 23/08/2012 12:58 pm
(@alexc)
Posts: 301
Reputable Member
 

The other thing to check is whether the handset was storing messages on a memory card (if one was present) or on the internal memory if this was an N95-8Gig.

It's been a while since I've looked into this, but checking out an old scalpel configuration the following signature looked like it worked

msg y 1024 \x68\x3C\x00\x10\x68\x3C\x00\x10
Worth checking as we've recovered lots of messages this way in the past.

 
Posted : 23/08/2012 1:49 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Robert,

Hopefully it will be ready by November, but it can take longer and as always it is possible that we will not find a way. (like for iPad2 and iPhone4S)

Those methods are based on exploits that we need to find and there is no recipe For that.

Ron

 
Posted : 24/08/2012 12:51 am
(@robertcyber)
Posts: 15
Active Member
Topic starter
 

Thanks Ron,
The N95 is a 8Gb version.
So, is it likely that the deleted SMS can be found even on the Cellebrite logical extraction?

Thanks,
Roebrt

 
Posted : 24/08/2012 5:36 am
Page 1 / 4
Share: