Archive for March, 2007

Cell Phone Spying

Posted in News on March 30, 2007 by numenorian

Just had a telephone conversation with an Officer regarding a spouse using this service to harass his ex…

http://www.callrecordercard.com/call-recorder-solutions/hiw.html

From the website:

How It Works

Call Recorder Cards contain instructions for creating a setting where the calls are rerouted through a telecommunications-recording switch. When the system is active, each call is channeled through a recording switch before it is picked up by the receiving party. The Card does not in any way connect to the phone, nor does it replace existing phone service.

This advance in telecommunication technology services allows you to record all of your phone calls on your cell phone, home phone and business phones. Now, record both sides of your cellular or fixed phone line conversations without any hardware, devices or hassle. This new phone recording system is currently the only means to record and archive phone calls without the use of any additional hardware devices. Keep an archival record of the most important calls you get, from conference calls to sales orders.

We have formulated three main ‘Scenarios’ where the Card can be used easily and effectively; detailed instructions for all scenarios are provided with each card.

Radio Frequency (Faraday) Shielding

Posted in Uncategorized on March 24, 2007 by numenorian

Here is a small article I wrote discussing what radio frequency isolation is and how it is applied in mobile forensics.

RF Signal Shielding

I hope it's of some use to the community.

Mike

More BitPim Magic

Posted in CDMA on March 21, 2007 by numenorian

My good friend Det. Brian Roach of the Kansas City Police Department recently posted this tip on decoding SMS messages on a Motorola V3m:

"It's there; the date & time is viewable in hex. Check the SMS folder; the applicable files should be named in a format such as "inbox000.dat", "inbox001.dat", etc., 4076 bytes in size. The date/time string starts at the 15th byte: the 15th byte is the year, 16th is the month, 17th is the day, 18th byte is the hour, 19th byte is the minutes and 20th byte is the seconds. An example would be 05 10 18 12 24 49… October 18th 2005, 12:24:49."

Thanks Brian for the great tip!
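As an added example of mine (not Brian's or this blog's code), here is a small Python decoder for the offsets in the tip above. Note that the example bytes 05 10 18 12 24 49 only give October 18th 2005, 12:24:49 if each byte is read as two decimal digits (binary-coded decimal), so that is what the decoder assumes; it also assumes the two-digit year is 2000-based, rejects bytes whose nibbles are not 0-9 rather than silently producing a wrong date, and flags files that are not the 4076 bytes Brian quotes. The sample record is constructed for the example, not taken from a real handset.

```python
from datetime import datetime

# Brian's offsets are 1-based (15th..20th byte); Python slices are 0-based.
TIMESTAMP_OFFSET = 14
TIMESTAMP_LEN = 6
EXPECTED_FILE_SIZE = 4076  # size of the inbox*.dat files quoted in the tip


def bcd_byte(b: int) -> int:
    """Read one byte as two decimal digits (0x24 -> 24). Raises if a nibble is not 0-9."""
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"byte 0x{b:02X} is not binary-coded decimal")
    return hi * 10 + lo


def decode_sms_timestamp(record: bytes, offset: int = TIMESTAMP_OFFSET) -> datetime:
    """Decode year, month, day, hour, minute, second from six BCD bytes.
    Assumption (not stated in the tip): the two-digit year is 2000-based."""
    if len(record) < offset + TIMESTAMP_LEN:
        raise ValueError("record too short to hold a timestamp")
    yy, mm, dd, hh, mi, ss = (bcd_byte(b) for b in record[offset:offset + TIMESTAMP_LEN])
    return datetime(2000 + yy, mm, dd, hh, mi, ss)


def inspect_inbox_record(record: bytes) -> dict:
    """Summarise one inbox*.dat record: file-size sanity check plus the decoded timestamp."""
    return {
        "size_ok": len(record) == EXPECTED_FILE_SIZE,
        "timestamp": decode_sms_timestamp(record).isoformat(sep=" "),
    }


# Constructed sample, not a real phone dump: 14 filler bytes, then Brian's example
# bytes 05 10 18 12 24 49, padded out to the 4076-byte file size from the tip.
SAMPLE_RECORD = (b"\x00" * TIMESTAMP_OFFSET
                 + bytes.fromhex("05 10 18 12 24 49")).ljust(EXPECTED_FILE_SIZE, b"\xFF")

if __name__ == "__main__":
    print(inspect_inbox_record(SAMPLE_RECORD))
```

Run it against a real inbox000.dat by replacing SAMPLE_RECORD with the file's bytes; a size mismatch or a BCD error is the cue to re-check the offsets against the phone's firmware rather than trust the decoded date.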

Seizure and Examination Guide

Posted in Search and Seizure on March 16, 2007 by numenorian

Here is a mobile device seizure and examination guide I wrote.

Seizure Guide

I hope it's of some use to the community.

Mike

Black Berry IPD Files

Posted in Black Berry on March 12, 2007 by numenorian

IPD Files Demystified

Black Berry handheld devices have long been a favorite of the corporate executive, but now, with the release of a more mainstream multimedia-capable mobile device in the Pearl and an aggressive advertising campaign, the Black Berry is bound to become a more popular device with non-corporate types as well.

This mini white paper discusses the structure of the Black Berry backup or IPD file for the forensic examiner.

The IPD: What is it?

The Black Berry Desktop software creates a proprietary backup of the databases on the Black Berry handheld. By default this file is named in the following fashion:

Backup-(current date,time and year)-.ipd

The files also default to the user’s “My Documents” folder. This, of course, may be changed by a user. The IPD file itself is a database of the databases.

IPD STRUCTURE

Below is a graphic of the IPD file.

As you can see from the graphic, the IPD file begins with the string "Inter@ctive Pager Backup/Restore File". The examiner may find this useful as a search string for locating hidden or unallocated copies of the file.

Following this “header” the structure follows as is shown in the graphic below.

Here we can see a one-byte line feed (0x0A), followed by a one-byte version (0x02) and a two-byte count of the number of databases in the file (0x3F, i.e. 63, in the case above).

Finally, the names of the databases follow after a one-byte separator (0x00).

DATABASE NAME STRUCTURE

The databases within the file are constructed as follows:

  • Database name length: 2 bytes (the length includes the terminating null)
  • Database name: as long as the name length above

This is illustrated in the following graphic

After the database name length and name, each database record has the following structure:

  • Database ID: 2 bytes; zero-based position in the list of database name blocks
  • Record length: 4 bytes
  • Database version: 1 byte
  • DatabaseRecordHandler: 2 bytes
  • Record unique ID: 4 bytes
  • Field length #1: 2 bytes
  • Field type #1: 1 byte
  • Field data #1: as long as field length #1
  • Field length #m: 2 bytes
  • Field type #m: 1 byte
  • Field data #m: as long as field length #m

Each record is identified by its database ID, which is followed by the record length and, after the version and handler bytes, the record's unique ID. Each record then has a variable number of fields (shown in the table as field #1 … field #m), each with the structure length, type, data.

This is illustrated in the graphic below.
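The structure above, written out as a parser. This is an added example of my own, not code from the cited BlackBerry developer article or from RIM. The description does not say which byte order the multi-byte fields use; the parser assumes the database count is big-endian, all other integers are little-endian, and the 4-byte record length counts every byte after the length field. Those are assumptions to validate against a real backup before relying on them. The sample file built by build_sample_ipd() is constructed for the example, and every length is bounds-checked so a truncated or corrupted backup raises instead of being misread.

```python
import struct

HEADER = b"Inter@ctive Pager Backup/Restore File"

# Byte-order assumptions (the description above does not state them): the
# database count is big-endian, every other multi-byte integer is little-endian,
# and the 4-byte record length counts all bytes after the length field itself.


def parse_ipd(data: bytes) -> dict:
    """Walk an IPD file: header, database name table, then records with their fields."""
    if not data.startswith(HEADER):
        raise ValueError("not an IPD file: header string missing")
    pos = len(HEADER)
    if data[pos:pos + 1] != b"\x0A":
        raise ValueError("expected line feed (0x0A) after header")
    pos += 1
    version = data[pos]
    pos += 1
    (db_count,) = struct.unpack_from(">H", data, pos)
    pos += 2
    if data[pos:pos + 1] != b"\x00":
        raise ValueError("expected 0x00 separator before database names")
    pos += 1

    names = []
    for _ in range(db_count):
        (name_len,) = struct.unpack_from("<H", data, pos)   # includes terminating null
        pos += 2
        names.append(data[pos:pos + name_len].rstrip(b"\x00").decode("latin-1"))
        pos += name_len

    records = []
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError(f"{len(data) - pos} trailing bytes: not a complete record header")
        db_id, rec_len = struct.unpack_from("<HI", data, pos)
        pos += 6
        end = pos + rec_len
        if end > len(data) or rec_len < 7:
            raise ValueError("record length runs past end of file or is too short (truncated backup?)")
        if db_id >= db_count:
            raise ValueError(f"record refers to database {db_id}, only {db_count} names present")
        db_version = data[pos]
        (handle,) = struct.unpack_from("<H", data, pos + 1)
        (unique_id,) = struct.unpack_from("<I", data, pos + 3)
        fpos = pos + 7
        fields = []
        while fpos < end:
            if end - fpos < 3:
                raise ValueError("field header overruns record")
            (flen,) = struct.unpack_from("<H", data, fpos)
            ftype = data[fpos + 2]
            if fpos + 3 + flen > end:
                raise ValueError("field data overruns record")
            fields.append((ftype, bytes(data[fpos + 3:fpos + 3 + flen])))
            fpos += 3 + flen
        records.append({"database": names[db_id], "db_version": db_version,
                        "handle": handle, "unique_id": unique_id, "fields": fields})
        pos = end
    return {"version": version, "databases": names, "records": records}


def build_sample_ipd() -> bytes:
    """Construct a tiny two-database backup with one record (test fixture, not a real dump)."""
    names = [b"Address Book\x00", b"SMS Messages\x00"]
    out = bytearray(HEADER + b"\x0A\x02" + struct.pack(">H", len(names)) + b"\x00")
    for n in names:
        out += struct.pack("<H", len(n)) + n
    # record body: version, handler, unique id, then two fields (types are made up)
    body = bytearray(b"\x00" + struct.pack("<H", 0x0001) + struct.pack("<I", 0x12345678))
    for ftype, fdata in [(0x01, b"Hello"), (0x02, b"\x05\x10\x18")]:
        body += struct.pack("<H", len(fdata)) + bytes([ftype]) + fdata
    out += struct.pack("<HI", 1, len(body)) + body   # database id 1 = "SMS Messages"
    return bytes(out)


if __name__ == "__main__":
    parsed = parse_ipd(build_sample_ipd())
    print(parsed["databases"], len(parsed["records"]), "record(s)")
```

Point parse_ipd() at the bytes of a real Backup-*.ipd to list its database names and walk its records; field types and the meaning of field data are per-database and are not described on this page, so they are returned raw.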

This short white paper attempted to show the structure of the Black Berry backup file commonly known as the IPD file. The IPD file can be loaded into a Black Berry simulator or third party software such as the Amber Black Berry Converter to extract evidence. Examiners are encouraged to do their own research and validation into the file.

CITATIONS

1. http://www.BlackBerry.com/developers/journal/jan_2006/ipd_file_format.shtml

SIM Card Protocols

Posted in SIM on March 6, 2007 by numenorian

Just how does a cell phone or card reader communicate with a SIM? It does so by passing the SIM commands via Transport Protocol Data Units (TPDUs) and Application Protocol Data Units (APDUs).

Here is a white paper that discusses these units and how they provide communication with smart cards (and, by inheritance, SIMs).
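As an added example (mine, not from the linked white paper), the command/response exchange for the SIM's master file, built from the GSM 11.11 command set: a SELECT APDU (A0 A4 00 00 02 3F 00), the 9F xx status word telling the reader how many bytes are waiting, and the GET RESPONSE that fetches them. FakeSim is a constructed stand-in that answers only those two commands; the 22 zero bytes it returns are a placeholder for a real select response, not real card data.

```python
# GSM 11.11 command APDU layout: CLA INS P1 P2 [Lc data] [Le]; the card answers
# with optional data followed by two status bytes SW1 SW2.
CLA_GSM = 0xA0          # class byte used by GSM SIMs
INS_SELECT = 0xA4
INS_GET_RESPONSE = 0xC0
MF = 0x3F00             # master file, the root of the SIM file system


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le: int = None) -> bytes:
    """Serialise a short APDU; Lc is only present when there is command data."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])
    return apdu


def select_file(file_id: int) -> bytes:
    """SELECT by two-byte file identifier, e.g. select_file(MF) -> A0 A4 00 00 02 3F 00."""
    return build_apdu(CLA_GSM, INS_SELECT, 0x00, 0x00, file_id.to_bytes(2, "big"))


def get_response(length: int) -> bytes:
    """GET RESPONSE fetches the bytes a preceding 9F xx status announced."""
    return build_apdu(CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, le=length)


def parse_response(raw: bytes) -> dict:
    """Split a card reply into data and status, with the GSM 11.11 meanings used here."""
    if len(raw) < 2:
        raise ValueError("card reply must end with SW1 SW2")
    data, sw1, sw2 = raw[:-2], raw[-2], raw[-1]
    if (sw1, sw2) == (0x90, 0x00):
        status = "ok"
    elif sw1 == 0x9F:
        status = f"ok, {sw2} response byte(s) waiting for GET RESPONSE"
    elif (sw1, sw2) == (0x94, 0x04):
        status = "file not found"
    elif (sw1, sw2) == (0x98, 0x04):
        status = "access condition not fulfilled (CHV/PIN needed)"
    else:
        status = f"unrecognised status {sw1:02X} {sw2:02X}"
    return {"data": bytes(data), "sw": (sw1, sw2), "status": status}


class FakeSim:
    """Constructed stand-in for a card: knows only the MF and the two commands above."""
    FILES = {MF: bytes(22)}   # placeholder 22-byte select response, not real card data

    def __init__(self):
        self.pending = b""

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins = apdu[0], apdu[1]
        if cla != CLA_GSM:
            return b"\x6E\x00"                       # class not supported
        if ins == INS_SELECT:
            file_id = int.from_bytes(apdu[5:7], "big")
            if file_id not in self.FILES:
                return b"\x94\x04"                   # file ID not found
            self.pending = self.FILES[file_id]
            return bytes([0x9F, len(self.pending)])  # data waiting, fetch with GET RESPONSE
        if ins == INS_GET_RESPONSE:
            data, self.pending = self.pending, b""
            return data + b"\x90\x00"
        return b"\x6D\x00"                           # instruction not supported


def read_file_header(card: FakeSim, file_id: int) -> dict:
    """Reader side of the exchange: SELECT, then GET RESPONSE if the card has data waiting."""
    reply = parse_response(card.transmit(select_file(file_id)))
    if reply["sw"][0] == 0x9F:
        reply = parse_response(card.transmit(get_response(reply["sw"][1])))
    return reply


if __name__ == "__main__":
    card = FakeSim()
    print(select_file(MF).hex(" ").upper())   # A0 A4 00 00 02 3F 00
    hdr = read_file_header(card, MF)
    print(hdr["status"], len(hdr["data"]), "byte(s) of select response")
```

With a real reader the transmit() call is whatever your PC/SC or serial library exposes; the two-step SELECT / GET RESPONSE dance is the part that trips up people reading SIMs for the first time, because the 9F status is a success code that still leaves the data on the card until it is asked for.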

SIM Card Protocols

I hope this is of some use to the community.

Mike

Motorola Resources

Posted in Motorola on March 1, 2007 by numenorian

Problems getting your V3 or V3c examined? Here are some resources you can use to troubleshoot and look at the phone.

http://mark.cdmaforums.com/1-USBDriver.htm
http://www.themotoguide.com/
http://www.motomodders.net/