Hexadecimal Extraction Theory – Mobile Forensics II

Yueh-Feng Tony Chiang
Source: Thackray Forensics LTD.


Pros and Cons of the Shoe Boxes

Pros:
• Break passwords on mobiles (make sure to update flasher boxes with the latest software)
• Unlock mobiles
• Truly deleted data can be retrieved
• Damaged devices can be forensically examined
• Data from a device where the SIM card is missing, damaged, or PIN protected can be recovered

Cons:
• Require a different box for different phones
• Possibility of damaging the mobile and SIM card data
• Lack of service and support (due to time zone differences)
• Changes to the data may occur
• Technically challenging and complicated to use
• Don't create an audit trail or processing log

For more information: http://www.dfinews.com/article/flasher-boxes-back-basics-mobile-phone-forensics?page=0,0

Box examples:
• Infinity box: Chinese copy phones
• HWK / UFS Micro / Tornado / UFS3+HWK: Nokia
• NS PRO: Samsung

For more information or to purchase shoe boxes refer to the URL: http://www.fonefunshop.co.uk/Unlocking/unlocking.htm

Phone Forensics Tools

Software: SarasSoft, NAND Downloader, XRY, carving analysis tools, Pandora's Box, HEXexaminer, FTK Imager
Hardware: CeLLeBrite Pro, XACT, UFS, SHU N-BOX, Twister, Smart-Clip, different mobile connectors
Cables: DKU-2, DKU-5, FBUS

A large variety of hardware and software is available at URL: http://www.fonefunshop.co.uk/Unlocking/unlocking.htm

XRY vs Shoe Box

XRY
• Positive: it won't kill the phone.
• Negative: unable to obtain the true deleted area (retrieves logical data only).

Shoe box
• Positive: able to obtain the true deleted area; retrieves physical data as well as logical data.
• Negative: it might damage and kill the phone; different software, applications and interfaces for different phones.

Information required to perform a hex dump

Suspect device: capabilities of the device; make, model, type (software updates); generation.
Evidence required: evidence type (text, image, communications); active data; historic data.

Tips: the cell phone laptop and the forensics laptop should be separate (an update of cell phone drivers may affect the functions of the forensic software tools).

Locating information before commencing the hex dump

If there is power to the phone:
1. To find out the make and model, type the software data codes. Example for a Nokia 1100 device type: *#0000#, plus others depending on the model and software data codes.

Nokia – different firmware upgrades graphics: http://hunajatehdas.net/nokia/firmware/en/

Using a Shoe box (UFSx series – DCTx/BB5) and SarasSoft tools to extract physical data from a mobile

Advantages:
• If there is no SIM card you will still get into the phone data.
• File system dump – look at the memory chip (start from 0 to 999 of the physical data).
• Extracted data can be worked on with FTK, EnCase and X-Ways.

Free tools:
• Hexexaminer: extracted data can be converted to 7-bit PDU SMS encoding, 8-bit, Unicode, PDU coding and ASCII. E.g. "I'm gona kill you" can be converted to hex.
• Kdiff3: file analyser, used to compare two files. It can be used to merge 2 or 3 files or directories as well.
• TAG View (needs Internet): export the file from the cell phone and connect to the Internet to determine the longitude and latitude of the exact location where the picture was taken.
• PSPad: programming tool that works like Notepad.
• FTK Imager: used to create an MD5 hash of the extracted mobile data.

Scenario 1 – Extract data from a damaged Nokia phone

Steps
1. Pick the right mobile phone cable.
2. Pick the right shoe box.
3. Decide which software to use (SarasSoft).
4. DCT-BB5, SecBx.
5. Press Connect (shows the activation display).
6. UFSx, BB5, WD2, DCT4, DCTL, DCT3.
7. If you don't know, just click DCT4; it will show all the DCT4-supported products in a drop-down list (RH-94 = 1112).
8. Put into Local mode – MD5 – if it is red or green, don't touch.
9. Go into the Info menu on the top menu bar (don't expand the screen, it will crash the software).
10. Info will tell you the firmware, the IMEI, and that the provider lock is to the Optus provider.
11. Reset User Lock – can't do anything on the phone – it will reset to the standard Nokia password 1234.
12. Click Rd PM; click OK when you see 0.
13. Input 999, then click OK (a JAF box will actually tell you the password – different interface).
14. Save As will show up with the IMEI number; a .pm file will be created. Save it in a folder and rename the same file to the folder. (Don't open it with Notepad.) An audit trail will be created. (Don't use Control A to select all.) Control Z – right click:
15. Clear window – Control A
16. Copy to clipboard – Control C
17. Delete selected item – Control D
18. Right click, New Text Document, open the text file and Control V (close it down and save it).
19. Change this file name to the IMEI file name (close the window down).
20. Disconnect the software and phone (no MD5).

Using FTK Imager to create an MD5 hash for the extracted mobile data file

Steps
1. Open FTK Imager, Create Disk Image.
2. Select Source: Contents of a Folder; click Next.
3. Browse to the folder; click Finish.
4. Make sure that "Verify images after they are created", "Precalculate Progress Statistics" and "Create directory listings" are selected.
5. Case name: ; Evidence: IMEI; Unique description: IMEI BACKUP; Examiner: ; IMEI back copy; click Next.
6. Image destination: IMEI BACKUP copy, and image file name; click Finish.
7. Once created it will have an MD5 hash.
8. Open FTK Imager to browse the data.
9. Open the IMEI file.
10. Scroll down until you find [5] – you can do carving: just copy it out and convert it using other tools.

Date and Time Calculations – Date and time entry & pattern (1)

Definition: a 4-octet value that corresponds to an absolute time/date (AZT). Note: the term "octet" is interchangeable with "byte". The value is the number of seconds to a certain given point.

Nokia Series 30 timestamp – common to all Series 30 handsets (caveat: according to current search and examinations). Nokia Series 30 date and time are held in a fixed-length range, in a handset as a 4-octet value, e.g. AB76FC95. This converts to the Absolute Zero Time before the Future Zero Time: hex FFFFFFFF seconds converted to decimal; AZT – mid way – FZT. Calculating if the phone is not set: if there is no stamp you will see 7FFFFFFF (not set). 7FFFFFFF = date and time are not set. 00000000 = 01 Jan 2050.

Series 40 timestamp: Year/Month/Day/Hour/Min/Sec. 07D70402160000 as recorded = 2007 April 02.

Date and Time Calculations – Date and time entry & pattern (2)

GSM date and time stamps: recorded in decimal reverse nibble and can include character substitution. 7002 = 2007.

Motorola: 40 04 24 02 = year, month, day, hour (mins). 1970 + 40 = 2010/04/24, 2 hours.

Samsung: flip byte pairs. Date and time coding: split binary 5, 5, 6, 11, 4.

Date and Time Calculations – Date and time entry & pattern (3)

BlackBerry date and time stamps: value in hexadecimal as recorded: 8CBA2D2801. Reverse byte order: 01282DBA8C.

Value multiplied by table (each hex digit of 01282DBA8C times its positional multiplier):
Value    Multiplier    Result
0        68719476736   0
1        4294967296    4294967296
2        268435456     536870912
8        16777216      134217728
2        1048576       2097152
D (13)   65536         851968
B (11)   4096          45056
A (10)   256           2560
8        16            128
C (12)   1             12
Total                  4969052812

Multiply the total by 0.256 = 1272077520. Result = 1272077520, a Unix timestamp (seconds from 00:00:00, 01 Jan 1970).

HEX examiner examples – Hex to ASCII

1=0B A79A3291476 0E40000F91C00000000 01 53636F7474 FF557D407F211B3438557D

Source = 53636F7474 = Scott

Telephone number = A78A366AA21 = 07 803 66021

Contact [58]
0=02 16000701 4B0065007600200057006500640020004E00650077000D000B020 00000000000 0B A 7737716822 0
07 = name or text entry; 0B = telephone number; 13 = date and time; 16 = 22 hex field (length); B = number field.

Hexexaminer: if you can't break it down, just cut and paste the whole hex "4B0065007600200057006500640020004E00650077000" and convert it in Hexexaminer.

Embedded videos: Nokia S30 Previous IMSI's Decoded.mov; Nokia S30 Security PIN Decoded.mov

Exercise 2 – Breaking the hex code using Hex examiner

[58]
0=02160007014B0065007600200057006500640020004E00650077000D000B020 00000000000 0B A 7737716822 0
1=0206000701470061007A000D000B020 00000000000 0B A7724796A950
2=02100007014C0065006500200048006F006D0065000D000B02000000000000 0BA 192422A979 0
3=0108000B01000000000000 01C0
4=02060007014C002E004C0009000B020 00000000000 04 A 53A
5=02100007014C0069007A0020004D00610072006B00 D000B020 00000000000 0B A 77162A6A380
6=020A0007014E0061006700650072000D000B020 00000000000 0B A77A71671310
7=020E00070141006E00640079002000570066000D000B020000000000000BA77545A62380

Answer: breaking down the hex code [58]

0=02 16000701 4B0065007600200057006500640020004E00650077000D000B020 00000000000 0B A 7737716822 0
1=0206000701 470061007A000D000B020 00000000000 0B A 7724796A950
2=0210000701 4C0065006500200048006F006D0065000D000B02000000000000 0B A 192422A979 0
3=0108000B010 00000000000 01 C 0
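The same breakdown done in code, as an added example that is not part of the slides: the parser follows the answer's grouping (02, name length, 00 07 01, the UTF-16LE name, the 0D 00 0B 02 header with six zero bytes, then the digit count and the digits) over entries 0, 1, 2 and 7 with the transcript's spacing removed. It assumes the nibble A stores the digit 0, which is how the call-records slide reads A1535692A180 as 015356920180, and it skips the ten bytes between name and number as opaque.

```python
"""Parse the [58] contact records from Exercise 2 (added example)."""

# Exercise entries, split into the groups of the answer slide (constructed from the slide text).
ENTRIES = {
    0: "02" "16" "000701" "4B0065007600200057006500640020004E0065007700"
       "0D000B02" "000000000000" "0B" "A77377168220",
    1: "02" "06" "000701" "470061007A00"
       "0D000B02" "000000000000" "0B" "A7724796A950",
    2: "02" "10" "000701" "4C0065006500200048006F006D006500"
       "0D000B02" "000000000000" "0B" "A192422A9790",
    7: "02" "0E" "000701" "41006E0064007900200057006600"
       "0D000B02" "000000000000" "0B" "A77545A62380",
}


def parse_contact(hex_str: str) -> dict:
    """Return name and number of one record, raising if the expected markers are absent."""
    b = bytes.fromhex(hex_str)
    if b[0] != 0x02 or b[2:5] != b"\x00\x07\x01":     # 02 record marker, 07 = name/text field
        raise ValueError("not a [58] name record")
    name_len = b[1]                                    # 16 hex = 22 bytes of UTF-16LE
    name = b[5:5 + name_len].decode("utf-16-le")       # 4B00 6500 7600 ... = "Kev Wed New"
    pos = 5 + name_len
    if b[pos:pos + 4] != b"\x0d\x00\x0b\x02":          # 0D 00 0B 02: number field header
        raise ValueError("number field header not found")
    pos += 4 + 6                                       # header plus six zero bytes (skipped)
    n_digits = b[pos]                                  # 0B = 11 digits follow
    nibbles = b[pos + 1:pos + 1 + (n_digits + 1) // 2].hex().upper()
    number = nibbles[:n_digits].replace("A", "0")      # assumption: A is the digit 0; drop pad
    return {"name": name, "number": number, "name_len": name_len}


def parse_all(entries: dict) -> dict:
    """Parse every entry, keyed by the slide's entry number."""
    return {k: parse_contact(v) for k, v in entries.items()}


if __name__ == "__main__":
    for k, rec in parse_all(ENTRIES).items():
        print(k, rec["name"], rec["number"])
```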

Security key

Security key for Nokia S30's:
• In Notepad, open [32], press Control F and search for [5]; the first part is the IMEI.
• Pandora's Box: use Hex to ASCII, cut and paste into it and press Convert.
• Put the IMEI into the Security Key – S30 Security Key Decoder options menu.
• In Notepad, paste the [32] into Pandora's options.
Security key S40: [34] 3 1 3 2 3 3 3 4 3 5 (remove the 3 in between and you get 1 2 3 4 5).
The last inserted SIM is going to be in key [101]; sometimes it is there, sometimes it is not.

Previously inserted SIMs: [34] – six entries for previously inserted SIM cards. Using Pandora's Box, cut and paste the link into it and it will show the IMEI number.
Last inserted SIM: [101] – last inserted SIM cards. Key 5 = printed on the back of the SIM card (all numbers). Key 6 = no F: go to Hex Examiner, select Flip Nibbles, cut and paste key 6 into the source; in the output drop the first number off: 9 460015844073199. A SIM ID clone has a problem with proving continuity.

Call records

S30's: [14], [16]

[14]: 0B = number, then count 11; 01 = separator; FF = separator; date and time = at the end.
0=0B A7845318685 0EC000EDDE400000000 01
546F6D (= Tom)
FF000EC4FC3638350000000000 AB76FC95
Using Hexexaminer, cut and paste AB76FC95.

S40's: 0B = number, 07 = text, 13 = date and time
[59]
0=01 0D000B01 010000000000 0B A7875522135 0
2=06 0D000B01 010000000000 0B A1535692A180 = 015356920180
08001302 07D6021011332F 01
08001303 07D6020F102219 01
08001304 07D6020F100A08 01
08001305 07D6020F100810 01
08001306 07D6020F100502 01
Using Hexexaminer, copy the red-marked values (the 07D6… fields) to decode the Nokia Series 40 date.

SMS

S40's: outgoing = end of the message; incoming; sent message.
[140] 1=, 2= received message. [140] 3=, 4= use Pandora's Box: cut and paste the part you want to see and use the PDU drill-down. Divide by 8 and multiply by 7 (7-bit PDU coding).
PDU coding: http://www.3gpp.org, http://www.dreamfabric.com/sms

Protocol Data Unit (PDU)

Protocol Data Unit – compressed data sent over telecommunications. Encoding a PDU: convert each letter to hex using 8 bits, drop the zero from the front, and reverse to hex.

16-bit encoding PDU

This example demonstrates the message "快了, 12ab" sent to the Macau mobile phone number 66252472. The message in hexadecimal as recovered by a HEX dump is as follows:

0011000B915863565274F2000801105FEB4E86FF0C00310032002000610062

"001100" – "00" is the SMS centre number, "1100" is a PDU constant.

"0B" is the length of the phone number in hexadecimal. The target phone number is 6525472, plus the Macau area code 853 (excluding "+"); the total length is 11, 0B in hex.

"915863565274F2" – "91" refers to the "+"; "5863565274F2" is the result of shifting the target phone number. You need to check whether the length of the phone number is even or odd; if it is odd, we need to add F. As the length of the phone number is 11, which is odd, we need to add F. The target phone number becomes 85366525472F, and 5863565274F2 after shifting.

"000801" – "00" is fixed, "08" represents that it is in 16-bit encoding, "01" is the time stored in the SMS centre.

"10" is the length of the encoded message in hexadecimal divided by 2.

"5FEB4E86FF0C00310032002000610062" is the UCS-2 value of "快了, 12ab".

0011000B915863565274F2000801105FEB4E86FF0C00310032002000610062

http://www.unicode.org/charts/unihan.html – The older UCS-2 (2-byte Universal Character Set) standard is a similar character encoding that was superseded by UTF-16 in Unicode version 2.0, though it still remains in use.

Source: http://blog.chinaunix.net/u1/52386/showart_411861.html

Summary of the breakdown:
10 (hex) = 16 (decimal) -> x2 -> 32 hex digits
0B = 11, length of the phone number including the area code
91 = "+"
5863565274F2 = 85366252472 (11)
08 -> 16-bit; 5FEB4E86FF0C00310032002000610062 = 快了, 12ab