Archive for February 22, 2007

Some Mobile Phone Acronyms Defined

Posted in CDMA on February 22, 2007 by numenorian

Some definitions for those pesky mobile phone acronyms

MSL

The MSL is known as the Master Subsidy Lock code. It is the main code used to program your phone, and access and change the settings of your phone.

SPC

This is the subsidy lock that the providers put on the phone so you have to stay with them to use your phone (you can unlock this).

NAM

The NAM is the electronic memory in the cellular phone that stores the telephone number and an electronic serial number. Phones with dual- or multi-NAM features offer users the option of registering the phone with a local number in more than one market. (from mobiledia.com)

PRL

(Preferred Roaming List)
The PRL is a list of information that resides in the memory of a digital phone. It lists the frequency bands the phone can use in various parts of the country. (The smaller bands within Cellular or PCS.) (from phonescoop)

ESN

(Electronic Serial Number) The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier’s mobile switching office can check the call’s validity. The ESN cannot easily be altered in the field. The ESN differs from the mobile identification number, which is the wireless carrier’s identifier for a phone in the network. MINs and ESNs can be electronically checked to help prevent fraud. (from mobiledia.com)

BitPim and SPC

Posted in CDMA on February 22, 2007 by numenorian

While answering some follow-up questions on BitPim and the user security lock I came across these links regarding using BitPim to grab the SPC to unlock the filesystem.

BitPim and SPC (this one is specific about BitPim and SPC and is the next)
BitPim and SPC II

Howard Forums SPC

Hope this is helpful for the community

Mike

How SMS Works

Posted in SMS on February 22, 2007 by numenorian

Here’s a summary of my understanding of how SMS works…

SMS works on a store-and-forward basis. Instead of being sent directly to the recipient, SMS messages travel through several important nodes before reaching the recipient.

  1. The SMS message is submitted to your wireless service provider’s SMS Center.
  2. After the message is processed internally, the SMS Center sends a request to the Home Location Register (HLR) and receives the routing information for the recipient.
  3. The SMS Center sends the message to the Mobile Switching Center (MSC).
  4. The MSC collects the recipient’s information from the Visitor Location Register (VLR) and, sometimes, proceeds with an authentication operation.
  5. The MSC forwards the message to a Mobile Server.
  6. The MSC returns the outcome of the Forward Short operation to the SMS Center.
  7. The SMS Center reports delivery status of the short message back to the sender.

Remember, when serving a search warrant for undelivered SMS, that they are stored at the originator’s SMSC. Here is a graphic:

SMS Summary
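To make the store-and-forward path concrete, here is a toy model of the seven steps listed above, written as an added example for this post (it is not code from the original and not a real SS7/MAP implementation). The node names (SMS Center, HLR, MSC, VLR) are the ones the post uses; the subscriber numbers, the routing table and the "handset switched off" case are constructed. The point it demonstrates is the forensic one made above: a message whose recipient cannot be reached is not lost, it sits in the originator's SMSC store until a retry succeeds.

```python
"""Toy model of the store-and-forward SMS path summarised above.

Added example, not from the original post. Node names follow the post;
all data (numbers, routing, reachability) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ShortMessage:
    sender: str
    recipient: str
    text: str
    status: str = "submitted"   # submitted -> delivered | stored


class HLR:
    """Home Location Register: which MSC currently serves a subscriber."""
    def __init__(self, serving_msc: Dict[str, str]):
        self.serving_msc = serving_msc   # constructed: number -> MSC name

    def routing_info(self, number: str) -> Optional[str]:
        return self.serving_msc.get(number)


class MSC:
    """Mobile Switching Center with its Visitor Location Register (VLR)."""
    def __init__(self, name: str, attached: Dict[str, bool]):
        self.name = name
        self.vlr = attached   # constructed VLR: number -> currently reachable?
        self.delivered: List[ShortMessage] = []

    def forward_short_message(self, msg: ShortMessage) -> bool:
        # Step 4: consult the VLR; steps 5-6: deliver and report the outcome
        if self.vlr.get(msg.recipient):
            msg.status = "delivered"
            self.delivered.append(msg)
            return True
        return False


class SMSC:
    """SMS Center: the 'store' in store-and-forward."""
    def __init__(self, hlr: HLR, mscs: Dict[str, MSC]):
        self.hlr = hlr
        self.mscs = mscs
        self.store: List[ShortMessage] = []   # undelivered messages wait here

    def submit(self, msg: ShortMessage) -> str:
        """Steps 1-7: returns the status reported back to the sender."""
        msc_name = self.hlr.routing_info(msg.recipient)            # step 2
        if msc_name is not None and self.mscs[msc_name].forward_short_message(msg):
            return "delivered"                                      # steps 3-7
        msg.status = "stored"           # recipient unknown or unreachable
        self.store.append(msg)          # stays at the originator's SMSC
        return "stored"

    def retry(self) -> int:
        """Re-attempt delivery of stored messages; returns how many got through."""
        still_waiting: List[ShortMessage] = []
        delivered = 0
        for msg in self.store:
            msc_name = self.hlr.routing_info(msg.recipient)
            if msc_name is not None and self.mscs[msc_name].forward_short_message(msg):
                delivered += 1
            else:
                still_waiting.append(msg)
        self.store = still_waiting
        return delivered


def build_demo_network() -> SMSC:
    """Constructed network: two MSCs, one subscriber currently switched off."""
    msc_a = MSC("MSC-A", {"+15550001": True})
    msc_b = MSC("MSC-B", {"+15550002": False})   # VLR: handset unreachable
    hlr = HLR({"+15550001": "MSC-A", "+15550002": "MSC-B"})
    return SMSC(hlr, {"MSC-A": msc_a, "MSC-B": msc_b})


def run_demo():
    """Returns (status1, status2, texts pending at SMSC, retried count, left in store)."""
    smsc = build_demo_network()
    s1 = smsc.submit(ShortMessage("+15550009", "+15550001", "meet at 9"))
    s2 = smsc.submit(ShortMessage("+15550009", "+15550002", "call me"))
    pending_before = [m.text for m in smsc.store]
    # recipient powers on: the VLR now marks it reachable and the retry succeeds
    smsc.mscs["MSC-B"].vlr["+15550002"] = True
    retried = smsc.retry()
    return s1, s2, pending_before, retried, len(smsc.store)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the second message reported as "stored" to the sender and sitting in the SMSC store until the recipient's VLR entry flips to reachable, which is exactly the window in which a warrant served on the originating carrier can still produce an undelivered message.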

In relation to the great debate about interception of communications, here is a US interpretation:

  • In order for the SMS to fall under wiretap (Title III in US, RIPA for UK) the SMS would need to be received in real time.
  • Since the SMS is in fact stored at the provider level it is not in real time
  • Therefore, considering the second point, the SMS is a stored electronic communication and subject to the Electronic Communications Privacy Act (ECPA) and can be obtained via probable cause and a search warrant.

Hope this is helpful to the Community.

Mike

BitPim Gem

Posted in CDMA on February 22, 2007 by numenorian

Hey all you CDMA fans…got a little forensic gem for you that you may not have known about. I discovered this the other day whilst examining a locked Audiovox 8910.

BitPim does not explicitly provide support for this phone; however, by choosing “Other CDMA” and selecting the modem port recognized by BitPim I was able to take a read of the filesystem (caveat: only partial, since a manual follow-up showed that BitPim did miss some areas)…

Did I mention that the phone has a security code!!!????

Yes, that’s right, it went around the security code!!!!

I found the Security Code (plus the default) in the NVM filesystem area. It was located in the NVM_002 file starting at offset 119 and ending at offset 122 (1289). Coincidentally this is the same file where the Banner is located (in this case starting at offset 57 and going for fifteen bytes and ending at offset 71, “WHERE’S DA MONEY”).

I confirmed the Security Code with the one given to the OIC and a manual unlock. I also confirmed the banner with a manual look.
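Once BitPim has pulled the filesystem, the two fields above can be carved from the NVM_002 file with a few lines of code rather than by eyeballing a hex view. The script below is an added example for this post, not BitPim code and not from the original; the only values it takes from the post are the two offset ranges, which it assumes are inclusive (57..71 is fifteen bytes, 119..122 is four). The dump it reads is constructed, and the cross-check at the end mirrors the manual confirmation described above: the carved code is only trusted once it matches a value obtained independently.

```python
"""Carve the banner and security-code fields from an NVM_002 dump at the
offsets reported in the post. Added example, not BitPim code; the dump is
constructed and the inclusive interpretation of the offsets is an assumption."""
import string

BANNER_RANGE = (57, 71)      # inclusive offsets, 15 bytes, per the post
SECCODE_RANGE = (119, 122)   # inclusive offsets, 4 bytes, per the post


def slice_inclusive(blob: bytes, first: int, last: int) -> bytes:
    """Return blob[first..last] inclusive, refusing ranges outside the dump."""
    if last < first or last >= len(blob):
        raise ValueError(f"range {first}-{last} outside dump of {len(blob)} bytes")
    return blob[first:last + 1]


def extract_fields(nvm: bytes) -> dict:
    banner = slice_inclusive(nvm, *BANNER_RANGE).rstrip(b"\x00")
    code = slice_inclusive(nvm, *SECCODE_RANGE)
    # a CDMA handset lock code is expected to be ASCII digits; flag anything else
    code_ok = all(chr(b) in string.digits for b in code)
    return {
        "banner": banner.decode("ascii", errors="replace"),
        "security_code": code.decode("ascii", errors="replace"),
        "security_code_plausible": code_ok,
    }


def verify_against_known(fields: dict, known_code: str) -> bool:
    """Cross-check the carved code against one obtained independently (e.g. from the OIC)."""
    return fields["security_code_plausible"] and fields["security_code"] == known_code


def build_sample_nvm() -> bytes:
    """Constructed NVM_002-like dump: 0xFF filler with the two fields planted."""
    buf = bytearray(b"\xff" * 256)
    buf[57:72] = b"FORENSIC TEST 1"       # 15 bytes occupying offsets 57..71
    buf[119:123] = b"4321"                # 4 bytes occupying offsets 119..122
    return bytes(buf)


if __name__ == "__main__":
    found = extract_fields(build_sample_nvm())
    print(found, verify_against_known(found, "4321"))
```

The plausibility flag matters on a real dump: if the bytes at 119..122 are not four digits, the offsets in this post do not apply to that handset and the result should not be reported as a lock code.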

This should work for other CDMA phones.

I hope this is useful to the community.

Mike

Black Berry Forensic Exams-How-To

Posted in Black Berry on February 22, 2007 by numenorian

Here’s a how-to for Black Berry forensic examinations. Just a fraction of the cost you’d have to pay for a 90 minute webinar at some training sites-FREE.

I hope it’s useful for you.

HARDWARE NEEDED

  • BlackBerry (duh)
  • USB Cable
  • Cradle (if it’s that type)
  • Forensic Computer (see the reference to the BlackBerry)

SOFTWARE NEEDED

Ok now that we are armed with our needed equipment, let’s proceed to do our forensic magic.

USING THE DESKTOP SOFTWARE AND SIMULATOR

First install the desktop software. After this is done, you need to make sure that the connection is set for USB. Look at Options->Connection Settings and from the combo box select USB. Ok now connect the suspect’s Blackberry to your system (did you protect it from the network and make sure it was charged…? )

!!CAVEAT!!: If the BlackBerry needs a PIN-get it or get the PUK. This will not work without it. If you fail to do this, and use up your attempts to enter PIN/PUK you will wipe the device.

Now with the device connected make a backup of the handheld. Double Click the Backup/restore Icon and then choose backup (this may differ depending on the version of desktop software you are using). Direct the backup (*.ipd File) to where you want to save it and name it. Then make sure you choose all databases. I recommend making a working copy and an archive copy. Now reseal and store your exhibit.
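Making the working and archive copies is the step most often done by hand and then not documented. The script below is an added example for this how-to (not RIM/BlackBerry software and not from the original post): it copies the .ipd into working/ and archive/ directories, records the SHA-256 of all three files so the working copy can later be shown to match the sealed archive, and does a sanity check on the file header. The header string it looks for is an assumption about the .ipd format, and the sample backup it creates is constructed.

```python
"""Make working and archive copies of an .ipd backup and record their hashes.
Added example, not part of the original post. IPD_MAGIC is an assumed header
for the format; the sample file used in demo() is constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed .ipd header (assumption, not taken from the post)
IPD_MAGIC = b"Inter@ctive Pager Backup/Restore File\n"


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ipd(path: Path) -> bool:
    with path.open("rb") as fh:
        return fh.read(len(IPD_MAGIC)) == IPD_MAGIC


def make_copies(original: Path, outdir: Path) -> dict:
    """Copy the backup to working/ and archive/; return hashes of all three."""
    working = outdir / "working" / original.name
    archive = outdir / "archive" / original.name
    for dest in (working, archive):
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(original, dest)   # copy2 preserves timestamps
    hashes = {
        "original": sha256_of(original),
        "working": sha256_of(working),
        "archive": sha256_of(archive),
    }
    # sha256sum-style record to keep with the exhibit paperwork
    (outdir / "hashes.txt").write_text(
        "".join(f"{digest}  {label}\n" for label, digest in hashes.items())
    )
    return hashes


def copies_match(hashes: dict) -> bool:
    """True only if original, working and archive copies hash identically."""
    return len(set(hashes.values())) == 1


def demo() -> tuple:
    """Constructed .ipd stand-in in a temp dir; returns (is_ipd, copies_match)."""
    tmp = Path(tempfile.mkdtemp())
    sample = tmp / "suspect_7130e.ipd"
    sample.write_bytes(IPD_MAGIC + b"\x02\x00\x00" + b"constructed payload")
    hashes = make_copies(sample, tmp / "exhibit")
    return looks_like_ipd(sample), copies_match(hashes)


if __name__ == "__main__":
    print(demo())
```

Re-running sha256_of on the working copy after the examination, and comparing it with hashes.txt, is how you show that the restore into the Simulator was done from an unaltered copy of the backup.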

Ok time to get out the Simulator…but wait, you say, how do I know what Simulator I need to use…there are so many choices. Glad you asked. Prior to downloading the Simulator you need to check something on the BlackBerry: its OS version. This is located from the mail screen under Options-About. You are looking for the platform version number as shown below (specific to my BB).

Blackberry 7130e
WirelessHandheld (CDMA)
v4.1.0.268(Platform 2.2.0.9)

Once you have this go to the link above and find the Simulator for this group of BlackBerry Devices download and install the Simulator.

Now with that installed, fire up the Simulator for your device. The Desktop software should be fooled into thinking a BB device is connected to the computer.

Again, choose the backup/restore icon and this time restore the backup file you created. Make sure to choose all the databases. Once this completes you are looking at the exact handheld you seized albeit virtually. Pretty cool huh? Just take screencaps/vids of the device and you have your evidence.

Two side notes: the Simulator behaves just like a regular BB, i.e. you can click the trackwheel and escape key. If you want to see call times make sure that you enable call logging by going to the phone icon, clicking the trackwheel, choosing options and “call logging”.

USING AMBER BLACKBERRY CONVERTER

This is even easier. Once you have fired up the converter, simply click the link that says to load the IPD and the converter will load the file and show you tabs for SMS, EMAIL, call records and contacts…notice the options for PDF, HTML and Excel export…How easy is THAT?? One thing it doesn’t do is pull out pictures that are saved (though it grabs MMS)…bummer but only a small one.

OTHER TIPS/TRICKS

Take the *.IPD file and load it into EnCase or FTK and index. This can give you fast access to keywords. You can also carve for pictures (though not deleted).

If you have read to here, I hope you have found this useful. I plan to add a short discussion on the structure of the IPD file-WARNING HEX AHEAD!!!