BitPim Gem

Hey all you CDMA fans…got a little forensic gem for you that you may not have known about. I discovered this the other day whilst examining a locked Audiovox 8910.

BitPim does not explicitly provide support for this phone; however, by choosing “Other CDMA” and selecting the modem port recognized by BitPim, I was able to take a read (caveat: only partial, since a manual follow-up showed that BitPim did miss some areas) of the filesystem….

Did I mention that the phone has a security code!!!????

Yes, that's right, it went around the security code!!!!

I found the Security Code (plus the default) in the NVM filesystem area. It was located in the NVM_002 file starting at 119 and ending at offset 122 (1289). Coincidentally this is the same file where the Banner is located (in this case starting at offset 57 and going for fifteen bytes and ending at offset 71 “WHERE”S DA MONEY”).

I confirmed the Security Code with the one given to the OIC and a manual unlock. I also confirmed the banner with a manual look.

This should work for other CDMA phones.

I hope this is useful to the community.

Mike
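Added example (not part of the original post and not BitPim code): a short Python helper for documenting fields like these in an NVM file that has already been acquired, using the inclusive offsets quoted above. It also lists every 4-digit run with its offset, since the location differs between handsets. The sample buffer is constructed, and the assumption that the code is stored as ASCII digits is mine.

```python
import hashlib
import re


def read_field(data: bytes, start: int, end: int) -> bytes:
    """Return bytes start..end INCLUSIVE, the way the post quotes offsets."""
    if not (0 <= start <= end < len(data)):
        raise ValueError(f"offsets {start}-{end} fall outside {len(data)} bytes")
    return data[start:end + 1]


def ascii_runs(data: bytes, min_len: int = 4):
    """List (offset, text) for each run of printable ASCII of min_len or more."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def digit_candidates(data: bytes, length: int = 4):
    """List (offset, digits) for runs of exactly `length` ASCII digits.

    Assumption: the lock code is stored as ASCII digits.
    """
    pattern = re.compile(rb"(?<![0-9])[0-9]{%d}(?![0-9])" % length)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def build_sample() -> bytes:
    """Constructed stand-in for an NVM_002 file (not real evidence data)."""
    buf = bytearray(b"\xff" * 256)
    buf[57:72] = b"CONSTRUCTED BNR"   # 15 bytes, offsets 57..71
    buf[119:123] = b"4321"            # 4 bytes, offsets 119..122
    return bytes(buf)


def report(data: bytes) -> dict:
    """Summarise the file for examination notes: hash first, then fields."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "banner_57_71": read_field(data, 57, 71),
        "code_119_122": read_field(data, 119, 122),
        "digit_candidates": digit_candidates(data),
        "ascii_runs": ascii_runs(data),
    }


if __name__ == "__main__":
    for key, value in report(build_sample()).items():
        print(f"{key}: {value}")
```

On a real file, replace `build_sample()` with the bytes read from a working copy of the acquired file, and confirm any candidate against a manual check as described above.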


5 comments

  1. Bob Mcfarland

    I have obtained the file system from an Audiovox CDM-8910 using Bitpim.

    I am looking for deleted images of a sexual assault but have found nothing thus far.

    Are remnants of the deleted images recoverable?

    Where do I look?

    I have used Encase V5 and FTK to search the .zip file with negative results. I have also carved image files with negative results.

    Thanks.

  2. numenorian

    Bob-

    Yes and no to deleted images….depends on the phone. Have you found images at all on the phone?

    There will be a place in the file system for camera images (it may be called “cam” or it could be a child of the “brew” folder)

    EnCase seems to do a better job of carving images from these file systems.

    One place you SHOULD look is the mms folder. Using EnCase look for the JPEG header within these files (JFIF). Then sweep the bytes and using EnCase bookmark as a picture…you should see the picture.

    You can also manually carve using a tool such as WinHex.

    When I get in the office tomorrow I’ll post the location of where I found pictures on my 8910….the evidence files are there…:-)

  3. Shawn

    Hey, I am working a sexual assault case right now and this little tip worked WONDERS. I was stuck to QPST’ing a phone or bitpim’ing it and copying contents for evidence. Well with this I was able to get that code and do a very court friendly Cellebrite dump afterwards. You're a lifesaver! Thanks!

      • Shawn

        Right on 🙂 Also may I note that my code was not found at offset 119. It began at offset 70. The file name was also called nvm_0002 as opposed to nvm_002. This is from an LG AX5000. Just in case the technical dirt interested you. I viewed the hex using WinHex.
