Archive for February, 2007

SMS Status Byte

Posted in SMS on February 28, 2007 by numenorian

While answering a post on a list I belong to, it occurred to me that forensic practitioners may not know how a piece of SIM software determines whether an SMS message has been sent or received, or how it "undeletes" SMS.

The key to this is the SMS status byte: the first byte of each record in the SIM's EF_SMS file. Its meaning is defined in GSM 11.11 (the SIM-ME interface specification); the TPDU that follows it is laid out in GSM 03.40, and the character encoding of the message body in GSM 03.38. Here is a graphic cut from those documents (click on the smaller image for the full-size one)

SMS Structure GSM 3.40

And here is another graphic showing the breakdown of the status byte

SMS Structure GSM 3.40

In narrative form, the status byte values are (shown in binary; only the low three bits matter, and bit 1 alone decides whether the slot is in use):

  • 00000000 - Unused (free slot)
  • 00000001 - Mobile terminated (received), read
  • 00000011 - Mobile terminated (received), not yet read
  • 00000101 - Mobile originated, sent to the network
  • 00000111 - Mobile originated, not yet sent

This is how the software decides whether a message was sent from the phone (mobile originated) or received (mobile terminated). The interesting part is deletion: on most handsets, deleting an SMS from the SIM only rewrites the status byte to 0x00 (unused) and leaves the rest of the record in place. So if the status byte is 0x00 but the slot still holds data, you can recover the deleted SMS. This is much like the way FAT or the NTFS MFT "deletes" a file by marking the entry free without wiping the data. The caveat is the same too: a handset that overwrites the whole record with 0xFF (or 0x00) on deletion leaves nothing to recover, and a slot the phone reuses for a new message is gone.
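To make the above concrete, here is an added example (my own illustration, not code from any SIM tool) that classifies a 176-byte EF_SMS record by its status byte, flags a "deleted but not wiped" slot as recoverable, and then decodes the service centre address, sender, timestamp and 7-bit text of the TPDU that survives behind it. The sample record is constructed for this example, not taken from a real SIM; it only handles the default alphabet and the SMS-DELIVER/SMS-SUBMIT header fields.

```python
"""Decode a SIM EF_SMS record: status byte first, then the TPDU behind it.

Record layout (GSM 11.11, EF_SMS): byte 0 = status, bytes 1..175 = service
centre address + SMS TPDU (GSM 03.40), padded with 0xFF.
"""

# Only b1..b3 of the status byte carry the used/direction/read state.
STATUS_TEXT = {
    0x00: "unused (free slot)",
    0x01: "mobile terminated, read",
    0x03: "mobile terminated, not yet read",
    0x05: "mobile originated, sent",
    0x07: "mobile originated, not yet sent",
}
# For "sent" (0x05) bits b5b4 refine the status-report state.
REPORT_TEXT = {
    0: "status report not requested",
    1: "status report requested, not yet received",
    2: "status report received, not stored in EF_SMSR",
    3: "status report received and stored in EF_SMSR",
}
# GSM 03.38 default-alphabet positions that coincide with ASCII; anything
# else (currency sign, accented letters, ...) is shown as '?' in this example.
ASCII_COMPATIBLE = (set(range(0x20, 0x24)) | set(range(0x25, 0x40))
                    | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B)))


def describe_status(status: int) -> str:
    if (status & 0x01) == 0:
        return STATUS_TEXT[0x00]
    text = STATUS_TEXT.get(status & 0x07, "reserved (0x%02X)" % status)
    if (status & 0x07) == 0x05:
        text += ", " + REPORT_TEXT[(status >> 3) & 0x03]
    return text


def _semi_octets(data: bytes) -> str:
    """Swapped-nibble BCD digits; a trailing 'F' pads odd-length numbers."""
    return "".join("%X%X" % (b & 0x0F, b >> 4) for b in data).rstrip("F")


def _address(buf: bytes, pos: int, length_in_digits: bool):
    """Return (number, next_pos). The SC address length counts the bytes
    after it (TOA + digits); TPDU addresses count digits, per GSM 03.40."""
    length = buf[pos]
    nbytes = (length + 1) // 2 if length_in_digits else length - 1
    toa = buf[pos + 1]
    number = _semi_octets(buf[pos + 2:pos + 2 + nbytes])
    if (toa & 0x70) == 0x10:          # type of number: international
        number = "+" + number
    return number, pos + 2 + nbytes


def _timestamp(buf: bytes, pos: int) -> str:
    """TP-SCTS: six swapped-BCD fields plus a quarter-hour timezone (two-digit
    year, so this assumes 20xx)."""
    yy, mo, dd, hh, mi, ss = [int(_semi_octets(bytes([b]))) for b in buf[pos:pos + 6]]
    tz = buf[pos + 6]                 # bit 3 of the first nibble is the sign
    quarters = int(_semi_octets(bytes([tz & 0xF7])))
    sign = "-" if tz & 0x08 else "+"
    return "20%02d-%02d-%02d %02d:%02d:%02d %s%02d:%02d" % (
        yy, mo, dd, hh, mi, ss, sign, quarters // 4, (quarters % 4) * 15)


def decode_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 03.38 7-bit packed user data into `septets` characters."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            c = bits & 0x7F
            bits >>= 7
            nbits -= 7
            out.append(chr(c) if c in ASCII_COMPATIBLE else "?")
        if len(out) == septets:
            break
    return "".join(out)


def parse_tpdu(tpdu: bytes) -> dict:
    """Header fields of SMS-DELIVER (received) and SMS-SUBMIT (sent) TPDUs."""
    first = tpdu[0]
    mti = first & 0x03
    info, pos = {}, 1
    if mti == 0:
        info["type"] = "SMS-DELIVER"
        info["originator"], pos = _address(tpdu, pos, True)
    elif mti == 1:
        info["type"] = "SMS-SUBMIT"
        pos += 1                      # skip TP-MR (message reference)
        info["destination"], pos = _address(tpdu, pos, True)
    else:
        info["type"] = "other (MTI=%d)" % mti
        return info
    dcs = tpdu[pos + 1]               # TP-PID at pos, TP-DCS at pos + 1
    pos += 2
    if mti == 0:
        info["timestamp"] = _timestamp(tpdu, pos)
        pos += 7
    else:                             # TP-VPF selects the validity period length
        pos += {0: 0, 1: 7, 2: 1, 3: 7}[(first >> 3) & 0x03]
    udl = tpdu[pos]
    pos += 1
    if (dcs & 0x0C) == 0 and not (first & 0x40):   # default alphabet, no UDH
        info["text"] = decode_7bit(tpdu[pos:], udl)
    else:                             # 8-bit / UCS-2 / UDH: left undecoded here
        info["user_data_hex"] = tpdu[pos:pos + udl].hex()
    return info


def parse_ef_sms_record(rec: bytes) -> dict:
    """Classify one 176-byte EF_SMS record and decode it if anything is there."""
    if len(rec) != 176:
        raise ValueError("EF_SMS records are 176 bytes, got %d" % len(rec))
    status, body = rec[0], rec[1:]
    info = {"status": status, "status_text": describe_status(status)}
    info["deleted"] = (status & 0x01) == 0
    # A 'deleted' slot that still holds something other than fill bytes is
    # exactly what the undelete feature of SIM tools picks up.
    wiped = all(b == 0xFF for b in body) or all(b == 0x00 for b in body)
    info["recoverable"] = info["deleted"] and not wiped
    if info["deleted"] and not info["recoverable"]:
        return info
    info["smsc"], pos = _address(body, 0, False)
    info.update(parse_tpdu(body[pos:]))
    return info


# Constructed sample record (not from a real SIM): a received message whose
# status byte was zeroed by "deleting" it, with the TPDU left intact.
SAMPLE_RECORD = bytes.fromhex(
    "00"                    # status: b1 = 0 -> unused, but the rest was not wiped
    "07912143658709f1"      # SC address: 7 bytes follow, international, +12345678901
    "04"                    # TPDU first octet: SMS-DELIVER, no more messages waiting
    "0a918967452301"        # TP-OA: 10 digits, international, +9876543210
    "0000"                  # TP-PID, TP-DCS (7-bit default alphabet)
    "70208221430000"        # TP-SCTS: 2007-02-28 12:34:00, GMT
    "05e8329bfd06"          # TP-UDL = 5 septets, "hello" packed 7-bit
) + b"\xff" * 144

if __name__ == "__main__":
    for key, value in parse_ef_sms_record(SAMPLE_RECORD).items():
        print("%-12s %s" % (key, value))
```

Run against a raw EF_SMS dump, this is the whole "undelete" trick: nothing is reconstructed, the tool simply refuses to trust a 0x00 status byte when the bytes behind it are not fill. A record that comes back as deleted but not recoverable is one the handset actually wiped.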

I hope this is of some help to the Community.

Mike

Upgrade For Data Pilot SecureView?

Posted in News on February 27, 2007 by numenorian

As you may or may not know, Susteen has changed the pricing schedule for SecureView. It will no longer be 649 USD but rather $3,000 for a new copy or $2,500 if you have a previous version. What do you get for a price nearly five times the old one? Read below...

  • Call history will now be acquired
  • Two-year update license (versus the prior plan of one year)
  • HASP dongle based, so, as with EnCase/FTK etc., you can install on multiple systems and use whichever one has the dongle
  • Nineteen phone cables included, with the option that if you encounter a phone you don't have a cable for, Susteen will mail you the cable. Of that group of cables, there are five or six.
  • MD5 hash of extracted groups, not files: groupings such as graphics files, call history, SMS, etc. are MD5 hashed as a group only, so an individual extracted file cannot be verified against a hash of its own
  • A report export feature with the option of HTML or text-based exports
  • Support for approximately 400 phones
  • New GUI, with the wizard application from the previous version included
  • Information entry GUI for the examiner's name, case report number, notes, etc.

Shouts out to Det. Brian Roach of KCPD for this information!

Faraday Box

Posted in Equipment on February 26, 2007 by numenorian

Here's a link to a Faraday box that is FIVE HUNDRED dollars cheaper than the StrongHold box put out by Paraben (from the similarity of appearance, I suspect they rebranded it).

Faraday Box

Where to Buy Hex Dump Equipment

Posted in Equipment on February 26, 2007 by numenorian

I'm often asked where I buy my "flasher" boxes and cables. Here are two good sites to look at:

If you want to find inexpensive data cables, go here:

All the above sites are outstanding, inexpensive and ship fast.

For those of you in the UK, I recommend

I have found things here I can't find elsewhere, and besides, my good mates at http://www.phone-forensics.com regard this shop highly.

Sim Card File System

Posted in SIM on February 24, 2007 by numenorian

Here is a small white paper I wrote on the SIM Card File System.

SIM File System

I hope this is helpful for the Community.

Mike

NEXTEL/IDEN Examinations

Posted in iDEN on February 23, 2007 by numenorian

For practitioners in the US, few types of phones are more frustrating than an iDEN phone. Below are some FREE tools you can use for examining these phones. They get as much, if not more (Direct Connect numbers, anyone?), than the other software out there claiming "support".

Here you go

  • Companion Pro: this software gets cool things like Direct Connect numbers and even works on a handset that is on the fritz
  • Phone Book Manager and Media Downloader, for the phonebook and for downloading pictures respectively. Phone Book Manager can be tricky at times; it is easy to forget how to get it to pull the phonebook.

Of course, don't forget to read the SIM by itself. Keep in mind, though, that only one software kit handles Nextel 600 contacts correctly, and that is SIMIS.

One other thing to bear in mind (and this is from a Moto engineer): the iDEN call log holds only 20 records and works as a ring buffer, so the 21st call overwrites the first. Apparently this is a file system "feature"; in practice it means anything older than the last 20 calls is no longer on the handset.

I hope this is helpful for the community.

Mike

Some Mobile Phone Acronyms Defined

Posted in CDMA on February 22, 2007 by numenorian

Some definitions for those pesky mobile phone acronyms

MSL

The MSL is the Master Subsidy Lock code. It is the main code used to program the phone and to access and change its settings.

SPC

The SPC (Service Programming Code) is the subsidy lock that providers put on the phone so you have to stay with them to use it (you can unlock this). On many CDMA handsets the SPC and the MSL are the same six-digit code under two carrier names.

NAM

The NAM is the electronic memory in the cellular phone that stores the telephone number and an electronic serial number. Phones with dual- or multi-NAM features offer users the option of registering the phone with a local number in more than one market. (from mobiledia.com)

PRL

(Preferred Roaming List)
The PRL is a list of information that resides in the memory of a digital phone. It lists the frequency bands the phone can use in various parts of the country. (The smaller bands within Cellular or PCS.) (from phonescoop)

ESN

(Electronic Serial Number) The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier’s mobile switching office can check the call’s validity. The ESN cannot easily be altered in the field. The ESN differs from the mobile identification number, which is the wireless carrier’s identifier for a phone in the network. MINs and ESNs can be electronically checked to help prevent fraud. (from mobiledia.com)

BitPim and SPC

Posted in CDMA on February 22, 2007 by numenorian

While answering some follow-up questions on BitPim and the user security lock, I came across these links on using BitPim to grab the SPC or unlock the filesystem.

BitPim and SPC (this one is specifically about BitPim and SPC, as is the next)
BitPim and SPC II

Howard Forums SPC

Hope this is helpful for the community

Mike

How SMS Works

Posted in SMS on February 22, 2007 by numenorian

Here's a summary of my understanding of how SMS works...

SMS works on a store-and-forward basis. Instead of going directly to the recipient, an SMS message passes through several nodes before it reaches the recipient.

  1. The SMS message is submitted to your wireless service provider's SMS Center (SMSC), which stores it.
  2. After processing the message internally, the SMSC queries the Home Location Register (HLR) (the MAP SendRoutingInfoForSM operation) and receives the routing information for the recipient, i.e. which Mobile Switching Center (MSC) currently serves them.
  3. The SMSC sends the message to that MSC (the MAP ForwardSM operation).
  4. The MSC collects the recipient's information from the Visitor Location Register (VLR) and, sometimes, performs an authentication operation.
  5. The MSC forwards the message over the radio network to the recipient's mobile station (the handset).
  6. The MSC returns the outcome of the ForwardSM operation to the SMSC.
  7. The SMSC reports the delivery status of the short message back to the sender (when a status report was requested).

Remember, when serving a search warrant for undelivered SMS: they are held at the originating provider's SMSC until delivery succeeds or the message's validity period expires. Here is a graphic

SMS Summary
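As an added illustration of the seven steps above (my own toy model, not carrier or vendor code), the following simulates the store-and-forward path with an SMSC, an HLR, two MSC/VLR pairs and two handsets. The subscriber names, MSISDNs and the message text are constructed for the example. It shows the point that matters for a warrant: a message to a phone that is switched off is stored at the SMSC, the HLR is flagged "message waiting", and delivery is retried only when the phone re-attaches. The real MAP operations carry more fields than this; only their roles are modelled.

```python
"""Toy model of the store-and-forward SMS path: SMSC, HLR, MSC/VLR, handset."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ShortMessage:
    sender: str
    recipient: str
    text: str
    state: str = "submitted"          # submitted -> delivered | queued


class MobileStation:
    """The recipient's handset; it only receives while attached to an MSC."""
    def __init__(self, msisdn: str):
        self.msisdn = msisdn
        self.inbox: List[ShortMessage] = []


class HLR:
    """Home Location Register: which MSC serves each subscriber, plus the
    message-waiting flags that trigger redelivery when a phone reappears."""
    def __init__(self):
        self.serving_msc: Dict[str, Optional[str]] = {}
        self.message_waiting: set = set()
        self.smsc: Optional["SMSC"] = None

    def send_routing_info_for_sm(self, msisdn: str) -> Optional[str]:
        return self.serving_msc.get(msisdn)     # None: unknown or detached

    def update_location(self, msisdn: str, msc_name: Optional[str]) -> None:
        self.serving_msc[msisdn] = msc_name
        if msc_name and msisdn in self.message_waiting and self.smsc:
            self.message_waiting.discard(msisdn)
            self.smsc.alert_service_centre(msisdn)   # "subscriber is back"


class MSC:
    """Mobile Switching Center with its VLR (the dict of attached handsets)."""
    def __init__(self, name: str, hlr: HLR):
        self.name, self.hlr = name, hlr
        self.vlr: Dict[str, MobileStation] = {}

    def attach(self, ms: MobileStation) -> None:      # power on / location update
        self.vlr[ms.msisdn] = ms
        self.hlr.update_location(ms.msisdn, self.name)

    def detach(self, ms: MobileStation) -> None:      # power off / out of coverage
        self.vlr.pop(ms.msisdn, None)
        self.hlr.update_location(ms.msisdn, None)

    def forward_sm(self, msg: ShortMessage) -> bool:  # steps 4-6
        ms = self.vlr.get(msg.recipient)
        if ms is None:
            return False                              # absent subscriber
        ms.inbox.append(msg)
        return True


class SMSC:
    """Service centre: stores every submitted message until it is delivered."""
    def __init__(self, hlr: HLR, mscs: Dict[str, MSC]):
        self.hlr, self.mscs = hlr, mscs
        self.queue: List[ShortMessage] = []
        hlr.smsc = self

    def submit(self, msg: ShortMessage) -> str:       # step 1
        self.queue.append(msg)                        # stored before any delivery attempt
        return self._attempt(msg)

    def _attempt(self, msg: ShortMessage) -> str:     # steps 2-3 and 7
        msc_name = self.hlr.send_routing_info_for_sm(msg.recipient)
        if msc_name and self.mscs[msc_name].forward_sm(msg):
            msg.state = "delivered"
            self.queue.remove(msg)
        else:
            msg.state = "queued"                      # stays here until retried or expired
            self.hlr.message_waiting.add(msg.recipient)
        return msg.state

    def alert_service_centre(self, msisdn: str) -> None:
        for msg in [m for m in self.queue if m.recipient == msisdn]:
            self._attempt(msg)

    def pending_for(self, msisdn: str) -> List[ShortMessage]:
        """What a warrant served on this SMSC would find for a recipient."""
        return [m for m in self.queue if m.recipient == msisdn]


def scenario() -> dict:
    """Alice texts Bob while Bob's phone is off; Bob powers on later."""
    hlr = HLR()
    mscs = {"MSC-A": MSC("MSC-A", hlr), "MSC-B": MSC("MSC-B", hlr)}
    smsc = SMSC(hlr, mscs)
    alice, bob = MobileStation("+15551230001"), MobileStation("+15551230002")
    mscs["MSC-A"].attach(alice)                       # Bob is not attached anywhere
    msg = ShortMessage(alice.msisdn, bob.msisdn, "call me")
    first_result = smsc.submit(msg)
    queued_while_off = [m.text for m in smsc.pending_for(bob.msisdn)]
    mscs["MSC-B"].attach(bob)                         # location update -> HLR -> alert -> retry
    return {
        "first_result": first_result,
        "queued_at_smsc_while_off": queued_while_off,
        "final_state": msg.state,
        "bob_inbox": [m.text for m in bob.inbox],
        "still_queued": len(smsc.queue),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print("%-26s %s" % (key, value))
```

The thing to notice is that the message never lives at the MSC or on the radio side while Bob is off; between submission and the retry it exists only in the SMSC queue, which is why that is where the stored-communication request has to go.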

In relation to the great debate about interception of communications, here is an US interpretation:

  • In order for SMS to fall under wiretap law (Title III in the US, RIPA in the UK), the SMS would need to be intercepted in real time.
  • Since the SMS is in fact stored at the provider level, it is not in real time.
  • Therefore, considering the second point, the SMS is a stored electronic communication, subject to the Electronic Communications Privacy Act (ECPA), and can be obtained via probable cause and a search warrant.

Hope this is helpful to the Community.

Mike

BitPim Gem

Posted in CDMA on February 22, 2007 by numenorian

Hey all you CDMA fans, I've got a little forensic gem for you that you may not have known about. I discovered this the other day whilst examining a locked Audiovox 8910.

BitPim does not explicitly provide support for this phone; however, by choosing "Other CDMA" and selecting the modem port recognized by BitPim, I was able to take a read of the filesystem (caveat: only a partial one, since a manual follow-up showed that BitPim did miss some areas)....

Did I mention that the phone has a security code?!

Yes, that's right, it went around the security code!

I found the Security Code (plus the default) in the NVM filesystem area. It was located in the NVM_002 file, starting at offset 119 and ending at offset 122 (1289). Coincidentally, this is the same file where the banner is located (in this case starting at offset 57 and going for fifteen bytes, ending at offset 71: "WHERE'S DA MONEY").

I confirmed the Security Code with the one given to the OIC and a manual unlock. I also confirmed the banner with a manual look.

This should work for other CDMA phones.

I hope this is useful to the community.

Mike