BitPim Gem

Hey all you CDMA fans…got a little forensic gem for you that you may not have known about. I discovered this the other day whilst examining a locked Audiovox 8910.

BitPim does not explicitly provide support for this phone; however, by choosing “Other CDMA” and selecting the modem port recognized by BitPim, I was able to take a read (caveat: only partial, since a manual follow-up showed that BitPim did miss some areas) of the filesystem….

Did I mention that the phone has a security code!!!????

Yes, that's right, it went around the security code!!!!

I found the Security Code (plus the default) in the NVM filesystem area. It was located in the NVM_002 file starting at offset 119 and ending at offset 122 (1289). Coincidentally, this is the same file where the Banner is located (in this case starting at offset 57 and going for fifteen bytes and ending at offset 71, “WHERE’S DA MONEY”).

I confirmed the Security Code with the one given to the OIC and a manual unlock. I also confirmed the banner with a manual look.

This should work for other CDMA phones.

I hope this is useful to the community.

Mike

2 Responses to “BitPim Gem”

  1. Bob Mcfarland Says:

    I have obtained the file system from an Audiovox CDM-8910 using Bitpim.

    I am looking for deleted images of a sexual assault but have found nothing thus far.

    Are remnants of the deleted images recoverable?

    Where do I look?

    I have used Encase V5 and FTK to search the .zip file with negative results. I have also carved image files with negative results.

    Thanks.

  2. Bob-

    Yes and no to deleted images….depends on the phone. Have you found images at all on the phone?

    There will be a place in the file system for camera images (it may be called “cam” or it could be a child of the “brew” folder).

    EnCase seems to do a better job of carving images from these file systems.

    One place you SHOULD look is the mms folder. Using EnCase look for the JPEG header within these files (JFIF). Then sweep the bytes and using EnCase bookmark as a picture…you should see the picture.

    You can also manually carve using a tool such as WinHex.

    When I get in the office tomorrow I’ll post the location of where I found pictures on my 8910….the evidence files are there…:-)
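
The JFIF header search described in the second response, as an added Python example (not code from the post, BitPim or EnCase): it locates each JFIF header in a file's bytes and walks the JPEG marker segments to the true end of image instead of stopping at the first FF D9. The function names and the sample bytes are constructed for illustration.

```python
SOI_APP0 = b"\xff\xd8\xff\xe0"  # start-of-image followed by an APP0 segment

def jpeg_end(data, start):
    """Offset just past the EOI of the JPEG at `start`, or None if truncated/invalid."""
    pos, n = start + 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                      # lost marker sync
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI: end of image
            return pos + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2  # fill byte / marker with no length
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if pos + 4 > n or seg_len < 2:
            return None
        pos += 2 + seg_len                   # skip segment, even if it contains FF D9
        while marker == 0xDA:                # after SOS: entropy-coded scan data
            p = data.find(b"\xff", pos)
            if p < 0 or p + 1 >= n:
                return None                  # ran off the end: truncated image
            if data[p + 1] == 0x00 or 0xD0 <= data[p + 1] <= 0xD7:
                pos = p + 2                  # stuffed byte or restart marker
            elif data[p + 1] == 0xFF:
                pos = p + 1                  # fill byte
            else:
                pos = p                      # real marker: back to the outer loop
                break
    return None

def carve_jfif(data):
    """Return [(offset, jpeg_bytes)] for every complete JFIF image in `data`."""
    found, pos = [], 0
    while (pos := data.find(SOI_APP0, pos)) != -1:
        end = jpeg_end(data, pos) if data[pos + 6:pos + 11] == b"JFIF\x00" else None
        if end:
            found.append((pos, data[pos:end]))
        pos = end if end else pos + 1
    return found

# Constructed sample: a marker-valid (not viewable) JPEG inside made-up wrapper bytes.
PREFIX = b"constructed MMS wrapper\r\n"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xfe\x00\x04\xff\xd9"              # COM segment hiding a fake EOI
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
               b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")  # scan data, then the real EOI
SAMPLE = PREFIX + SAMPLE_JPEG + b"\r\ntrailer"
```

Run `carve_jfif` over the raw bytes of each file pulled from the mms folder and write each returned byte string to its own `.jpg`, recording the source file and offset for the case notes.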
