Universal Box, memory dump extraction.
I am a student.
I would just like to get some practice working with the Universal Flasher Box to extract a raw dump from some Nokia mobile phones and work around it in order to gain some experience.
I have the UB along with its cables. The UB supports many Nokia, Sony Ericsson and some Blackberry models.
I connected my UB and installed all the software and did update it. I tried to extract the memory dump from a Nokia N73 by connecting it to the UB. I selected Nokia, then Maintenance and from there PM maintenance. From the icon Read From Phone I extracted a file and saved it to my laptop. The file's name came up as RM-133_3597300……63. Is this the raw dump file?
Am I doing the right thing and following the right steps? If not, what's the right way to do it in a forensically sound manner?
After extracting the raw dump, how do I read it? Any suggested freeware?
Will the memory dump contain SMS and even deleted ones? Phone book, pictures and emails if the phone supports internet?
Thanks in advance
Just a point on the Nokia "PM maintenance". I haven't used the Universal Flasher Box, but I am assuming this will only get you the PM Records from the device. PM Records are not a "raw memory dump", but you can get some deleted data back from them. Sorry if you were aware of this fact, but I thought it worth pointing out in case you didn't know this.
There are some discussions across various forums about decoding the information from PM records, one of which is here: http://forum.gsmhosting.com/vbb/f83/nokia-permanent-memory-1080640/.
The file can probably be opened in Notepad. The boxes I have used in the past tend to output the PM data as text data and put the record, field before each part of data,
i.e. [308,5] 32323232320000000000
where 308 = record, 5 = field, 32323232320000000000 is the data for that field.
I can't think of any free software at the moment, but there definitely are some out there.
As for whether this is forensically sound, reading the PM records is OK, but you would need to be sure the box you are using doesn't change anything without telling you. These boxes are generally created for flashing phones, and being forensically safe is not something they are worried about :D
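An added example, not part of the original posts and not any box vendor's code: a Python sketch that parses PM text output in the `[record,field] hexdata` layout described above and diffs two reads of a test handset, so a changed, added or removed field shows up. The line format is assumed from the post, the names `parse_pm`, `printable` and `diff_pm` are made up for this example, and the sample reads are constructed.

```python
import hashlib
import re

# Assumed line format, as described in the post above: "[record,field] HEXDATA".
PM_LINE = re.compile(r"^\[(\d+)\s*,\s*(\d+)\]\s*([0-9A-Fa-f\s]*)$")

def parse_pm(text):
    """Return ({(record, field): bytes}, [(lineno, line)] for lines that did not parse)."""
    fields, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = PM_LINE.match(line)
        hexdata = "".join(m.group(3).split()) if m else ""
        if not m or len(hexdata) % 2:
            rejected.append((lineno, line))  # report it, never silently drop data
            continue
        fields[(int(m.group(1)), int(m.group(2)))] = bytes.fromhex(hexdata)
    return fields, rejected

def printable(data):
    """ASCII view of a field; non-printable bytes are shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def diff_pm(before, after):
    """List ((record, field), change) for every field that differs between two reads."""
    changes = []
    for key in sorted(before.keys() | after.keys()):
        if key not in after:
            changes.append((key, "removed"))
        elif key not in before:
            changes.append((key, "added"))
        elif before[key] != after[key]:
            changes.append((key, "modified"))
    return changes

# Constructed sample reads; only the [308,5] line is taken from the post.
READ_1 = "[308,5] 32323232320000000000\n[308,6] 0001\n[1,0] 4E6F6B6961\n"
READ_2 = "[308,5] 32323232320000000000\n[308,6] 0002\n[1,0] 4E6F6B6961\n[2,0] FF\n"

if __name__ == "__main__":
    first, bad = parse_pm(READ_1)
    second, _ = parse_pm(READ_2)
    print("sha256 of first read:", hashlib.sha256(READ_1.encode()).hexdigest())
    for (rec, fld), data in sorted(first.items()):
        print(f"[{rec},{fld}] {data.hex()}  {printable(data)}")
    print("unparsed lines:", bad)
    print("changes between reads:", diff_pm(first, second))
```

A clean diff only covers the PM records the box returns; it says nothing about the rest of the flash.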
Thank you cyrus.
You said "PM Records are not a "raw memory dump" but you can get some deleted data back from them".
Any alternative flasher box you can suggest to use for raw dump extraction, based on your experience?
"but you would need to be sure the box you are using doesn't change anything without telling you" How do I make sure to know if the box is making changes on the device I am examining, as I don't know what the device is holding as data?
Any other suggestions, guys, on how to extract a raw dump from a mobile phone? I am aware of the use of XRY and UFED, which I can have access to.
I am looking for other tools you can advise me to use so I can extract deleted SMS, pictures, phone numbers or any relevant data. This can be either from a dead mobile phone (phone cannot be powered on) or a working mobile phone.
I am really in need of advice and guidance from you experts. Thank you all in advance.
Cyrus, thanks again for your reply
Sorry, just to correct myself.
I do not have access to XRY and UFED.
Thank you all
Advanced Turbo Flasher (ATF) can dump the raw memory from a lot of Nokias, although it isn't a complete dump (you won't get the flash translation layer).
This means you will not be able to reconstruct the file system, only carve the data you are after. But all the data you want should be there (SMS, phonebook, pictures) and deleted data as well.
There are no tools at the moment that can do this for you though, so you will have to do it manually I'm afraid.
Oh, and to go back to how forensically safe a flasher box is, it's generally a bit of a grey area. I would say you should be fine. A lot of people in the forensic world use them. But just be sure you aren't wiping any user data, or updating anything on the phone unnecessarily. I have used ATF and it seems fine.
If you want to be really sure what's going on when you do anything like this, you can use a USB sniffer (or port sniffer if you are using the flasher cables). These log all the traffic sent / received between the PC and the selected port. There are some free ones out there. I remember using http://benoit.papillault.free.fr/usbsnoop/ but I don't think it works on Vista / Windows 7.
"How do I make sure to know if the box is making changes on the device I am examining, as I don't know what the device is holding as data?"
Just to make an important point on this comment as well; You should never use something like a flasher box on an exhibit if you haven't tested it first! If you get a new flasher box you should always use it on several test devices before an exhibit; so you know how to use it correctly, and just in case it could change / damage the exhibit.
When you are confident the tool is safe and you know how to use it, then you can start with exhibits ;)
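For the manual carving of a raw dump mentioned above, an added example (not from the original posts and not tied to ATF's output format): a Python sketch that locates JPEG candidates by walking the marker segments after each `FF D8 FF` signature, which filters out chance matches. The names and the test dump are constructed for illustration; because the dump has no flash translation layer, a picture may not be stored contiguously, so every hit is a candidate to check by eye.

```python
import struct

SOI = b"\xff\xd8\xff"
# Markers allowed between SOI and SOS: SOFn/DHT (C0-CF), APPn (E0-EF), DQT, DRI, COM.
HEADER_MARKERS = set(range(0xC0, 0xD0)) | set(range(0xE0, 0xF0)) | {0xDB, 0xDD, 0xFE}

def find_sos(buf, soi):
    """Walk the marker segments after SOI; return the SOS offset, or None if malformed."""
    i = soi + 2
    while i + 4 <= len(buf) and buf[i] == 0xFF:
        marker = buf[i + 1]
        (length,) = struct.unpack_from(">H", buf, i + 2)
        if marker == 0xDA:               # Start Of Scan: the header parsed cleanly
            return i
        if marker not in HEADER_MARKERS or length < 2:
            return None
        i += 2 + length                  # the length field counts its own two bytes
    return None

def carve_jpegs(buf, max_size=8 * 1024 * 1024):
    """Return (start, end, complete) for every signature with a well-formed header."""
    hits, pos = [], buf.find(SOI)
    while pos != -1:
        sos = find_sos(buf, pos)
        nxt = pos + 3
        if sos is not None:
            # Search for EOI only after SOS, so an EXIF thumbnail's EOI is skipped.
            eoi = buf.find(b"\xff\xd9", sos, pos + max_size)
            end = eoi + 2 if eoi != -1 else min(len(buf), pos + max_size)
            hits.append((pos, end, eoi != -1))
            if eoi != -1:
                nxt = end
        pos = buf.find(SOI, nxt)
    return hits

def sample_jpeg(scan):
    """Constructed, structurally valid (not viewable) JPEG: SOI, APP0, SOS, scan, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

PAD = b"\xff" * 512                      # erased-flash filler (constructed)
DUMP = PAD + sample_jpeg(b"\x12\x34" * 20) + PAD + b"\xff\xd8\xff\x00" + bytes(60) + PAD

if __name__ == "__main__":
    for start, end, complete in carve_jpegs(DUMP):
        print(f"candidate at 0x{start:x}-0x{end:x} complete={complete}")
```

A hit with `complete` set to false had no end-of-image marker inside the search window, which is what a truncated or fragmented picture looks like.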
Thank you very much for your replies Cyrus.
I will be very thankful if anyone who has experience with the Universal Flasher Box in extracting raw memory from mobile phones can guide me on how to extract it.
Will appreciate your inputs.
Thank you all