Outgoing calls not properly listed in UFED or XRY
I have the strangest behavior with a Nokia 2730C and I welcome any hint.
I have the XRY logical extraction, and the UFED filesystem and logical extractions. The three softwares agree on the same list (with date / time) for outgoing calls.
I also have the network operator listing for the phone line corresponding to the GSM.
To my surprise, some calls on the listing are not present on the phone extraction (either UFED or XRY).
It seems (it's a guess from myself) that the phone keeps only the last outgoing call to the same phone number. For instance, if I dial 1234 at 1600 and then 1234 again at 1630, the phone will keep only the last information (1630).
Unfortunately, I have counter-example for this behavior.
All of that is very annoying if even for basic stuff like call listings you cannot rely on tools.
So my question is did you already get this behavior, and do you have an explanation?
Since you do have UFED PA, open the file system extraction in UFED PA, then open the file system extraction itself and select call logs, so that UFED PA will highlight all the fields in the hex view itself.
This will allow you to see exactly where each element from each data type (in this case call logs) was taken from.
You can see an example with SMS messages that are highlighted in hex view in this video
See other UFED/UFED Touch and UFED PA training video's in the CellebriteUFED YouTube channel
From memory, I think this is a "feature" of the phone, and not the software used to extract. The phone keeps just the last call related to a particular number.
"It seems (it's a guess from myself) that the phone keeps only the last outgoing call to the same phone number. For instance, if I dial 1234 at 1600 and then 1234 again at 1630, the phone will keep only the last information (1630).
Unfortunately, I have counter-example for this behavior. "
whether the counter example is in the same direction(incoming/outgoing) itself ? nokia phone keeps the last info related for each direction.
Another guess whether the device supports deletion of selected entries from the call log ?