Susteen Error Fix

The bug I identified in this post has been fixed. Cheers to Susteen for getting on the issue once identified and fixing it. 

Published in: on March 12, 2008 at 8:29 am Comments (0)

Passcode Workaround for iPhone

My good friend Troy Lawrence from Ft. Worth P.D. wrote this white paper on how to get around a passcode on an iPhone. In Troy’s own words:

“We had an iPhone come in this week that was involved in a Homicide case. Of course, the phone had a passcode on the handset. With the help of someone at the FBI, I was able to get past the passcode.”

Thanks for sharing Troy!

Iphone Passcode Work Around

Published in: on February 26, 2008 at 11:49 pm Comments (0)

Susteen IDs Error-Promises Fix

From The Good To Know Desk-
 

Susteen has stated that they found the error causing the misreporting of the times that I discovered when I downloaded an LG Fusic.  They have promised a fix out soon….woot! Now if it would just get the SMS and deleted stuff…;-) 

Published in: on December 21, 2007 at 12:59 pm Comments (2)

Data Pilot Secure View Danger

I discovered a serious error in Secure View while doing a forensic examination of an LG Fusic (LX 550) on a drug overdose case. It turns out that the call records, as downloaded by SV, are showing a +3 hr (to EST) time offset. This caused detectives to focus their interviews on individuals that they believed were lying to them. This information was also sent to other agencies including the DEA. There was even a call on the phone that showed up in SV that wasn’t in the call records (this software doesn’t get deleted data).

Unfortunately, SV is the only software that downloads the Fusic (BitPim downloads raw data). We were unable to validate the data that SV had downloaded until the call records came in (yes we should have looked at the phone itself :-) ).

After sitting down with the phone, the call records and the SV report, I discovered the above. SV did have the time right, just three hours more than it should have been.

Also, I discovered a couple of interesting anomalies in the call records as downloaded by SV. These are in addition to the 3 hour difference.

  • Dialed calls: the time shown in SV is the end time of the call, plus the duration. The call records show start, end and duration.
  • Received calls: the time shown is the beginning time of the call. The call records show start, end and duration.
  • Missed calls: the time shown is the end time of the call, and only one missed call is listed (from the same number). The call records show start, end and multiple entries if there.

The carrier on this phone is SPRINT. I hope this is just an anomaly limited to the Fusic. However, I think it prudent that all downloads using SV be validated to make sure errors are not occurring.

I have been in contact with Susteen and have made them aware of this problem.
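
The validation recommended above, sketched as an added example (not part of the original post and not Susteen's code): it compares a tool export against carrier call records, using the end time for dialed and missed calls and the start time for received calls as the post describes, and reports the systematic offset plus any tool entry with no carrier counterpart. The record layouts, phone numbers and timestamps are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Which carrier timestamp the tool's single time corresponds to, per the
# anomalies listed above: dialed and missed = end of call, received = start.
REF_FIELD = {"dialed": "end", "received": "start", "missed": "end"}
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from the case): tool export vs carrier records.
TOOL = [
    ("dialed", "5550100", "2007-12-01 17:05:30"),
    ("received", "5550101", "2007-12-01 18:10:00"),
    ("missed", "5550102", "2007-12-01 19:00:20"),
    ("dialed", "5550103", "2007-12-01 20:00:00"),  # absent from carrier records
]
CARRIER = [  # (type, number, start, end)
    ("dialed", "5550100", "2007-12-01 14:03:00", "2007-12-01 14:05:30"),
    ("received", "5550101", "2007-12-01 15:10:00", "2007-12-01 15:12:10"),
    ("missed", "5550102", "2007-12-01 15:58:00", "2007-12-01 15:58:15"),
    ("missed", "5550102", "2007-12-01 16:00:00", "2007-12-01 16:00:20"),
]

def validate(tool_rows, carrier_rows):
    """Return (consensus_offset, tool rows with no carrier match at that offset)."""
    candidates = []  # (tool row index, tool time minus carrier reference time)
    for i, (ctype, number, shown) in enumerate(tool_rows):
        for c_type, c_number, start, end in carrier_rows:
            if (c_type, c_number) != (ctype, number):
                continue
            ref = start if REF_FIELD[ctype] == "start" else end
            delta = datetime.strptime(shown, FMT) - datetime.strptime(ref, FMT)
            candidates.append((i, delta))
    if not candidates:
        return None, list(tool_rows)
    # The offset shared by the most pairings is the systematic error; chance
    # pairings (e.g. repeated missed calls from one number) are outvoted.
    consensus = Counter(d for _, d in candidates).most_common(1)[0][0]
    matched = {i for i, d in candidates if d == consensus}
    return consensus, [r for i, r in enumerate(tool_rows) if i not in matched]

if __name__ == "__main__":
    offset, unmatched = validate(TOOL, CARRIER)
    print("systematic offset:", offset)
    for row in unmatched:
        print("no carrier record for:", row)
```

Matching here is exact to the second; real exports may need a tolerance window before two records are treated as the same call.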

Published in: on December 14, 2007 at 7:03 pm Comments (1)

Location of SMS Messages in a Motorola V3c

I’ve been playing around with a Motorola V3c on a case (CDMA RAZR variant)…and have had moderate success with a number of different pieces of software. In general I can get the contacts and call records (not date/time though, just index) from the following pieces of software.

  • DP Secure View
  • MobilEdit
  • BitPim

Curiously, I cannot get Device Seizure to even recognize this phone exists. I of course have to connect over its modem which has been seen on a virtual COM port (16 in my case)…DS just refuses to see the phone.

I may try to hook up to it via HyperTerminal but it sure would be nice not to have to do this the hard way…

Anyway, while looking at the filesystem in BitPim, I managed to find the location of the SMS messages (not parsed). They are located in

nvm/seem/syn_messages

I know there is an index which helps mark these up but I haven’t tried to suss that out yet. What’s cool is that I’ve found some previous messages in there as well…and I’m not talking about a Quick Notes/SMS dump à la Device Seizure either…..

More to come on this one..

 M

Published in: on November 2, 2007 at 12:56 pm Comments (1)

Motorola Site

I’m back after an absence. It’s been crazy…moved offices, got a new job description (same stuff, extra hat to wear :-) )…you know, life..

If I haven’t mentioned this site before it certainly was an oversight on my part. This site is an absolutely fabulous resource for an examiner of CDMA Motorola phones. I’ve used it many times. My thanks to Mark for all his efforts! Enjoy.

http://mark.cdmaforums.com/index.php

Published in: on at 12:48 pm Comments (0)

Nokia Dismantling Guides

This site may help you when looking for test points, JTAG connectors or other ways of getting into a Nokia phone to get it to give up its information

http://www.uselessinfo.pwp.blueyonder.co.uk/nokia-dismantle.htm

Kudos to DS Pat Morrissey of An Garda Siochana for discovering and sharing this site!

Published in: on October 3, 2007 at 12:25 am Comments (0)

Nokia CDMA Service Codes

I found these doing some research. They work with some variance on one of my test 6015i phones. Your mileage may vary.

Entry point: *3001#12345#

*Note: These are PRI dependent. Some carriers may have them disabled, or use *# instead of ##, or use a different code that spells something different for the same function (e.g. ##DATA# or ##BEARER# on some phones).

Dial-A-Codes
##837# or *#837# (“VER”) … Displays version screen (also accessible by [Menu]-[6]-[2]).
##66767# or *#66767# (“MOSMS”) … Displays a selection screen to allow toggling of MO-SMS (Message Over : Simple Message Service) mode.
##743# or *#743# (“SID”) … Displays the current SID.
##24# or *#24# (“CH”) … Displays the current Channel.
##786# (“RUN”) … Displays the Diagnostics menu which contains the Life Timer, Reconditioned Status, PRL, your number, and an Options menu which allows you to turn on the Service Screen (Net Monitor) or Restore Defaults (which resets the phone to factory settings). To restore defaults, you must enter the SPC/MSL code at the prompt.
##889# (“TTY”) … Displays a selection screen to allow toggling of TTY mode. (This code is referenced in the official Sprint manual.)
##7738# (“PREV”) … Displays CDMA mode menu, which allows you to select IS-95A, IS-95B, or IS-2000 modes.
*#7738# (“PREV”) … Displays CDMA mode menu, which allows you to select IS-95A, IS-2000, or Analog modes.
##8626337# (“VOCODER”) or *#3872# (“EVRC”) … Displays the EVRC settings menu, which allows you to select the EVRC mode as On, Off, or Home Only.
##2539# (“AKEY”) … Allows you to change the service-specific Authorization Key via the keypad. When the phone asks for Service programming code, enter the SPC/MSL for your phone.
*#639# (“NEW”) … Allows you to change the MDN (phone number) registered in the phone. When the phone asks for Service programming code, enter the SPC/MSL for your phone.
*#775# (“PRL”) … Allows you to toggle the use of PRL.

##nnnnnn# … Where nnnnnn is a six-digit number (no more, no less), input will return to the main screen unless the number happens to be your SPC/MSL, in which case you will be taken to the Phone Programming menu which allows you to change the MDN (phone number) registered to the phone. (I don’t know if some other combinations in this domain do something or not, but they all appear to reset the display after entry unless you use the SPC/MSL, which is usually a hash derived from your ESN and is typically service-specific.)

Other Codes
Hold # at the main screen for 3 seconds … Displays the Life Timer in HH:MM format.

Published in: on August 2, 2007 at 2:57 pm Comments (1)

Phone Cloning

I’ve had a couple calls in the last few weeks where Officers in the field had been investigating a case where a call was received and the number shown in the Caller ID was for a cellphone. Contacting the owner of the cellphone showed that they had no knowledge of the phone call and indeed the call records from the provider showed no calls.

Immediately people start saying the phone was cloned. Now, while cloning a phone is possible, it involves physical access to the phone to re-program the EEPROM and network sniffing. I like to apply the principle of Occam’s Razor to situations: “All things being equal, the simplest solution tends to be the best one.”

This was indeed the case on a call I recently received. I believe the below link is how the suspect called what he thought was an underage female using someone else’s number.

http://www.spooftel.com/

We’ll be following up on the suspect’s computer to see if the web history shows details.

There are other sites that do the same thing out there. I thought I’d share this with everyone.

Mike

Published in: on July 11, 2007 at 4:32 pm Comments (0)

Understanding SMS-Practitioner’s Basics

Hello Everyone-

I wanted to share a little whitepaper I wrote on the subject of SMS.

Understanding SMS

I hope it’s of use to practitioners in the community.

Mike

Published in: on June 29, 2007 at 7:27 pm Comments (1)