Archive for the SMS Category

Location of SMS Messages in a Motorola V3c

Posted in CDMA, Motorola, R and D, SMS on November 2, 2007 by numenorian

I’ve been playing around with a Motorola V3c on a case (CDMA RAZR variant)… and have had moderate success with a number of different pieces of software. In general I can get the contacts and call records (not date/time though, just index) from the following pieces of software.

  • DP Secure View
  • MobilEdit
  • BitPim

Curiously, I cannot get Device Seizure to even recognize this phone exists. I of course have to connect over its modem which has been seen on a virtual COM port (16 in my case)…DS just refuses to see the phone.

I may try to hook up to it via HyperTerminal, but it sure would be nice not to have to do this the hard way…

Anyway, while looking at the filesystem in BitPim, I managed to find the location of the SMS messages (not parsed). They are located in:

nvm/seem/syn_messages

I know there is an index which helps mark these up, but I haven’t tried to suss that out yet. What’s cool is that I’ve found some previous messages in there as well… and I’m not talking about a Quick Notes/SMS dump à la Device Seizure either…

More to come on this one…

M

Understanding SMS-Practitioner’s Basics

Posted in SMS on June 29, 2007 by numenorian

Hello Everyone-

I wanted to share a little whitepaper I wrote on the subject of SMS:

Understanding SMS

I hope it’s of use to practitioners in the community.

Mike

SMS Status Byte

Posted in SMS on February 28, 2007 by numenorian

While answering a post on a list I belong to, it occurred to me that forensic practitioners may not know how a piece of SIM software determines whether an SMS message has been sent or received, or how it “undeletes” SMS.

The key to this is the SMS status byte. This byte is the first byte of the message and determines the status of the message as outlined in GSM 03.40 and GSM 03.38. Here is a graphic cut from those documents:

SMS Structure GSM 3.40

And here is another graphic showing the breakdown of the status byte:

SMS Structure GSM 3.40

Breaking this down into a narrative, the status byte determines the following (shown in binary):

  • 00000000 - Unused
  • 00000001 - Mobile equipment terminated, read
  • 00000011 - Mobile equipment terminated, not read
  • 00000101 - Mobile equipment originated, sent
  • 00000111 - Mobile equipment originated, not sent

This then is how the software determines if the SMS was sent from the phone (originated) or received (terminated). Interestingly, if the status byte is \x00 (unused) and there is previous data at that slot, you can recover a deleted SMS. This is similar to how the FAT/MFT works in relation to “deleting” files.

I hope this is of some help to the Community.

Mike
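The status-byte check described in the post above, as an added example that is not part of the original post or of any tool it mentions: it classifies each SMS slot by its first byte and flags slots marked unused that still hold old data. The 176-byte slot size and the 0xFF filler are assumptions about the SIM record layout, and the sample records are constructed.

```python
RECORD_LEN = 176   # assumption: 1 status byte + 175 data bytes per slot
FILLER = 0xFF      # assumption: erased/never-written bytes read as 0xFF

# Status values exactly as listed in the post: byte -> (state, direction)
STATUS = {
    0b00000000: ("unused", None),
    0b00000001: ("read", "terminated"),
    0b00000011: ("not read", "terminated"),
    0b00000101: ("sent", "originated"),
    0b00000111: ("not sent", "originated"),
}

def classify(record: bytes) -> dict:
    """Interpret one slot: state, direction, and whether it is a recoverable deletion."""
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(record)}")
    state, direction = STATUS.get(record[0], ("reserved/unknown", None))
    residual = any(b != FILLER for b in record[1:])
    return {
        "status_byte": record[0],
        "state": state,
        "direction": direction,
        # Slot marked unused but its data area was never overwritten.
        "recoverable_deleted": record[0] == 0x00 and residual,
    }

def scan(blob: bytes) -> list:
    """Classify every complete slot; a trailing partial slot is ignored."""
    out = []
    for slot in range(len(blob) // RECORD_LEN):
        rec = blob[slot * RECORD_LEN:(slot + 1) * RECORD_LEN]
        out.append({"slot": slot + 1, **classify(rec)})
    return out

def _slot(status: int, data: bytes = b"") -> bytes:
    """Build one constructed record, padding the data area with filler."""
    return bytes([status]) + data.ljust(RECORD_LEN - 1, bytes([FILLER]))

# Constructed sample: placeholder bytes stand in for real message data.
SAMPLE = (
    _slot(0x01, b"constructed received message")
    + _slot(0x00, b"constructed deleted message")  # deleted, data left behind
    + _slot(0x00)                                   # genuinely empty slot
    + _slot(0x07, b"constructed unsent draft")
)

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```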

How SMS Works

Posted in SMS on February 22, 2007 by numenorian

Here’s a summary of my understanding of how SMS works….

SMS works on a store-and-forward basis. Instead of being sent directly to the recipient, SMS messages travel through several important nodes before reaching the recipient.

  1. The SMS message is submitted to your wireless service provider’s SMS Center.
  2. After the message is processed internally, the SMS Center sends a request to the Home Location Register (HLR) and receives the routing information for the recipient.
  3. The SMS Center sends the message to the Mobile Switching Center (MSC).
  4. The MSC collects the recipient’s information from the Visitor Location Register (VLR) and, sometimes, proceeds with an authentication operation.
  5. The MSC forwards the message to a Mobile Server
  6. The MSC returns the outcome of the Forward Short operation to the SMS Center.
  7. The SMS Center reports delivery status of the short message back to the sender.

Remember, when serving a search warrant for undelivered SMS, that they are stored at the originator’s SMSC. Here is a graphic:

SMS Summary

In relation to the great debate about interception of communications, here is a US interpretation:

  • In order for the SMS to fall under wiretap (Title III in US, RIPA for UK), the SMS would need to be received in real time.
  • Since the SMS is in fact stored at the provider level, it is not in real time.
  • Therefore, considering the second point, the SMS is a stored electronic communication and subject to the Electronic Communications Privacy Act (ECPA) and can be obtained via probable cause and a search warrant.

Hope this is helpful to the Community.

Mike