Friday, October 26, 2007


During a recent cell phone exam, I encountered an interesting dilemma. When the phone was powered on it required a SIM PIN. Making things worse, there was no indication who the carrier was, and the owner of the phone was unwilling to provide the code or any information. The investigator needed information from the phone as quickly as possible.

OK, so the SIM card was locked, not the phone. Some phones, including the one in question, store a considerable amount of information within the phone’s memory, not just on the SIM card. So I decided to put another SIM card into the phone, powered it up, and had access to the handset’s data.

However, there is a catch. When you acquire the data from the phone you need to use a blank SIM (no stored data). (Note: You should be able to find a good SIM card among your test handsets.) In this case, I used a SIM from a Nextel that was a replacement (new) phone, with the SIM not having been encoded. With the unlocked SIM, there’s nothing to stop you from acquiring the data within the phone.

The screenshots above show how I used a phone that was originally a T-Mobile phone together with an empty Nextel SIM card. Notice that Nextel comes up on the main screen as a function of the SIM. However, the phonebook and call histories were contained within the phone’s memory.

I also noticed the phone’s identity with its carrier is determined by the SIM. You might get lucky and find a phonebook entry for voice mail, which is often the number of the phone itself. One other possibility is an entry in the phonebook which is labeled “My Number.” Regardless, this is a simple way of bypassing the SIM lock to get at the information you need.

Submitted by Richard McKee

PTFinderFE Output

PTFinderFE Facts

Who Created PTFinder?
Andreas Schuster

Who Created the OS Detection Script?
Harlan Carvey

What does PTFinder Do?
PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. Some functional checks are also applied. (According to Andreas Schuster)

What Memory Dumps are Supported?
DD dumps, for example: dd bs=4096 if=\\.\Device\Physicalmemory of=dumpfile
By pausing a VMware session and using the VMSS file
In vivo, using Sysinternals' LiveKD and a debugger
Post mortem, as described in Microsoft Knowledge Base Article no. 244139

What Operating Systems' Memory Dumps are Supported?
Windows 2000, Windows XP SP1, Windows XP SP2 and Windows 2003

Why do I need other Programs to make PTFinder Work?
PTFinder is written in Perl, so you need a Perl interpreter installed.
PTFinder creates a DOT file which can be used (with Graphviz) to create a graphic of the output.
See the DETAILED INSTRUCTIONS for more information.

Where can I get a Good Test Dump File?

Why did you Create PTFinderFE?
Well... I was placing the dump file into the PTFinder.PL path, which could have been avoided by typing in the directory location of the dump file for every dump file I wanted to examine (e.g. c:\case 05-022\Live Acq\234566-1). A DOT file was created which you then have to copy into the Graphviz executable folder, type in the command line, and then copy all your outputs to your forensic directory. On top of all that, if you used the "Program Files" directory the command lines needed quotes (""). Since I use PTFinder a lot, I had to make it more user friendly for me.

What is PTFinderFE?
A Microsoft Visual Basic Program that creates a batch file to do your leg work between PTFinder, Graphviz and your working forensic folder.

Why is PTFinder so Important?
Live acquisition is the current trend in computer forensics. A lot of forensic investigators are doing live acquisitions but had nothing to effectively examine the output with. Thanks to Andreas Schuster we have one more tool in the toolbox.

Tuesday, October 23, 2007

Cell Phone Terms and Dictionary


Acquisition – A process by which digital evidence is duplicated, copied, or imaged. (NIST)

Analysis – The examination of acquired data for its significance and probative value to the case. (NIST)

Authentication Mechanism – Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device. (NIST)

Bluetooth – A wireless protocol that allows two Bluetooth enabled devices to communicate with each other within a short distance (e.g., 30 ft.). (NIST)

B.L.U.F. – Bottom Line Up Front (Q)

Chain of Custody – A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer. (NIST)

Code Division Multiple Access (CDMA) – A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA). (NIST)

Compressed File – A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. Most common compression utilities are PKZIP and WinZip with an extension of .zip. (NIST)

Cradle – A docking station, which creates an interface between a user’s PC and PDA, and enables communication and battery recharging. (NIST)

Cyclical Redundancy Check – A method to ensure data has not been altered after being sent through a communication channel. (NIST)

Deleted File – A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data. (NIST)

Digital Evidence – Electronic information stored or transmitted in binary form. (NIST)

Duplicate Digital Evidence – A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media (e.g., flash memory, RAM, ROM). (NIST)

Enhanced Data for GSM Evolution (EDGE) – An upgrade to GPRS to provide higher data rates by joining multiple time slots. (NIST)

Enhanced Messaging Service (EMS) – An improved message system for GSM mobile phones allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages. (NIST)

Electromagnetic Interference – An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment. (NIST)

Electronic Serial Number (ESN) – A unique 32-bit number programmed into CDMA phones when they are manufactured. (NIST)

Electronic Evidence – Information and data of investigative value that is stored on or transmitted by an electronic device. (NIST)

Encryption – Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data. (NIST)

Examination – A technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data. (NIST)

Federal Communications Commission Identification Number (FCC ID Number)

File Name Anomaly – A mismatch between the internal file header and its external extension; a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphics extension). (NIST)

File System – A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory. (NIST)

Flash ROM – non-volatile memory that is writable. (NIST)

Forensic Copy – An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm. (NIST)

Forensic Specialist – Locates, identifies, collects, analyzes and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered. (NIST)

Forbidden PLMNs – A list of Public Land Mobile Networks (PLMNs) maintained on the SIM that the phone cannot automatically contact, usually because service was declined by a foreign provider. (NIST)

Global Positioning System – A system for determining position by comparing radio signals from several satellites. (NIST)

Global System for Mobile Communications (GSM) – A set of standards for second generation, cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP). (NIST)

General Packet Radio Service (GPRS) – A packet switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds. (NIST)

Hardware Driver – Applications responsible for establishing communication between hardware and software programs. (NIST)

Hashing – The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. (NIST)

HyperText Transfer Protocol (HTTP) – A standard method for communication between clients and Web servers. (NIST)

iDEN – Integrated Digital Enhanced Network

Integrated Digital Enhanced Network (iDEN) – A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio. (NIST)

Integrated Circuit Card ID (ICCID) – The unique serial number assigned to, maintained within, and usually imprinted on the (U)SIM. (NIST)

Image – An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered. (NIST)

Instant Messaging (IM) – A facility for exchanging messages in real-time with other people over the Internet and tracking the progress of the conversation. (NIST)

International Mobile Equipment Identity (IMEI) – A unique identification number programmed into GSM and UMTS mobile phones. (NIST)

International Mobile Subscriber Identity (IMSI) – A unique number associated with every GSM mobile phone subscriber, which is maintained on a (U)SIM. (NIST)

Internet Message Access Protocol (IMAP) – A method of communication used to read electronic messages stored in a remote server. (NIST)

Location Information (LOCI) – The Location Area Identifier (LAI) of the phone’s current location, continuously maintained on the SIM when the phone is active and saved whenever the phone is turned off. (NIST)

Mobile Subscriber Integrated Services Digital Network (MSISDN) – The international telephone number assigned to a cellular subscriber. (NIST)

Multimedia Messaging Service (MMS) – An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips. (NIST)

Password Protected – The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered. (NIST)

Personal Digital Assistant (PDA) – A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, and for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar. (NIST)

Personal Information Management (PIM) Applications – A core set of applications that provide the electronic equivalents of such items as an agenda, address book, notepad, and reminder list. (NIST)

Personal Information Management (PIM) Data – The set of data types such as contacts, calendar entries, phonebook entries, notes, memos, and reminders maintained on a device, which may be synchronized with a personal computer. (NIST)

Personal Identification Number (PIN) – A secret shared between a user and a system that can be used to authenticate the user to the system. PINs are often 4-digit numbers in the range 0000-9999. (WIKI)

Personal Unlocking Code (PUC) – If the wrong PIN is typed in more than three times, either the SIM card or the device or both become permanently locked. They can be reverted to their original unlocked state, however, by entering a PUC, but if the wrong PUC is entered ten times in a row, the device will become permanently blocked and unrecoverable, requiring a new SIM card. (WIKI)

Post Office Protocol (POP) – A standard protocol used to receive electronic mail from a server. (NIST)

Short Message Service (SMS) – a cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset. (NIST)

Simple Mail Transfer Protocol (SMTP) – The primary protocol used to transfer electronic mail messages on the Internet. (NIST)

SMS (Short Message Service) Chat – A facility for exchanging messages in real-time using SMS text messaging that allows previously exchanged messages to be viewed. (NIST)

Subscriber Identity Module (SIM) – A smart card chip specialized for use in GSM equipment. (NIST)

Synchronization Protocols – Protocols that allow users to view, modify, and transfer/update data between a cell phone and personal computer. (NIST)

Universal Mobile Telecommunications System (UMTS) – A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM. (NIST)

Universal Serial Bus (USB) – A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.

USIM (UMTS Subscriber Identity Module) – A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks. (NIST)

Volatile Memory – Memory that loses its content when power is turned off or lost. (NIST)

Wireless Application Protocol (WAP) – A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices. (NIST)

Wireless Fidelity (WiFi) – A term describing a wireless local area network that observes the IEEE 802.11 protocol. (NIST)

Write-Blocker – A device that allows investigators to examine media while preventing data writes from occurring on the subject media. (NIST)

Write Protection – Hardware or software methods of preventing data from being written to a disk or other medium. (NIST)

Extensible HyperText Markup Language (XHTML) – A unifying standard that brings the benefits of XML to those of HTML. (NIST)

Extensible Markup Language (XML) – A flexible text format designed to describe data for electronic publishing. (NIST)

Monday, October 1, 2007

“Carving” out pictures from a Handset (FTK)

UPDATE 01/03/2007

If you have Encase you want to follow this link - “Carving” out pictures from a Handset (Encase) - for the following two reasons.

1. FTK (Versions 1.61a and 1.62.1) do not seem to be adding sub-case items correctly
2. Encase, after you set up and run the correct search parameters, will automatically bookmark the “carved images”.

End of Update---------------------------------------------------------

The first thing I want to clarify is the definition of “Carve” in this page. So you, or another investigator, manually review a handset using its internal operating system and determine the picture you need is no longer on the handset. Sometimes images might not be accessible to the user, but there might be images still residing in the logical memory of the handset.

I know what you are thinking: Open up a case in FTK and automatically CARVE for images in the phone files. In my experience this answer is half right. I have not had much luck with FTK’s internal carving feature with logical phone files (this is not a rip on FTK, it is just my experience; FTK is one of my favorite programs).

First you have to obtain a dump of the handset’s content.

If you used BITPIM, then you are ready to start ENCASE

If you used PARABEN DEVICE SEIZURE then use Paraben's Report feature, and choose to create an HTML report that includes all items from the case. Paraben's report will save the files needed for the HTML report in a folder called Html Files. Take all the files in the Html Files folder and add them to a ZIP file. For consistency we will also call this new ZIP Folder Goto ENCASE

Start a New Case in FTK

Go to the Graphics tab and take a hex view of your images. Choose the images that look like they were taken by a camera. Get the header of your images. In our example the header is FF D8 FF E0.

Open the Search tab > Live Search and do a hex search using FF D8 FF E0. In the results you should see the image file you could see using the handset (a nice test to make sure your search syntax was correct).

Look at your other search hits. Do you see some possible targets? In the following example I have an image header in MMS > 62 File:


Put your cursor over the image’s original file name and copy it to the clipboard. In our example it would be “Photo_#58.jpg”.

Now put your cursor before the first character of your header, Right-click and Hold > scroll to the bottom of the file and release. This could take some time if the image files are large. Once your header and the rest of the file are highlighted, Right-click on any part of the highlighted area and a menu should come up offering "Save selection ..." and “Add Sub Item”. Choose “Add Sub Item” and paste the name you copied to the clipboard into the name field (if you didn’t skip that step!). Look at your new sub-item in the Graphics view of saved images. You’ve just “carved” an image from your handset files.
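The header-to-end-of-file carve described above, automated as an added example that is not part of the original post and not FTK code. It scans a dump for the JFIF header FF D8 FF E0 (and the Exif variant FF D8 FF E1, which camera photos commonly carry), and by default cuts each hit at the JPEG end-of-image marker FF D9 so several images in one file come out separately; the `to_eof` option reproduces the manual method exactly. The sample dump is constructed inline.

```python
import re
from pathlib import Path

# JPEG start-of-image (FF D8) followed by an APP0/JFIF (FF E0) or an
# APP1/Exif (FF E1) marker; the post's hex search uses FF D8 FF E0.
JPEG_HEADER = re.compile(rb"\xff\xd8\xff[\xe0\xe1]")
JPEG_TRAILER = b"\xff\xd9"  # JPEG end-of-image marker


def carve_jpegs(data: bytes, to_eof: bool = False) -> list[dict]:
    """Return one record per carved image: offset, length, complete, data.

    to_eof=True reproduces the post's manual method (header to end of the
    file). Otherwise each hit is cut at the first end-of-image marker after
    it and only falls back to end of file when no trailer exists, so several
    images in one dump file come out as separate carves.
    """
    carved = []
    for hit in JPEG_HEADER.finditer(data):
        start = hit.start()
        if carved and start < carved[-1]["offset"] + carved[-1]["length"]:
            continue  # header sits inside the previous carve; skip it
        end = -1 if to_eof else data.find(JPEG_TRAILER, start + 4)
        if end == -1:
            body, complete = data[start:], False
        else:
            body, complete = data[start:end + 2], True
        carved.append({"offset": start, "length": len(body),
                       "complete": complete, "data": body})
    return carved


def write_carved(records: list[dict], outdir: str) -> list[str]:
    """Write each carve as carved_<offset>.jpg and return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for rec in records:
        path = out / f"carved_{rec['offset']:08x}.jpg"
        path.write_bytes(rec["data"])
        paths.append(str(path))
    return paths


def make_sample_dump() -> bytes:
    """Constructed stand-in for a handset dump: two JPEGs among filler bytes."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 40 + b"\xff\xd9"
    exif = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"\x22" * 30  # no trailer
    return b"filler" * 5 + jfif + b"\x00" * 17 + exif


if __name__ == "__main__":
    for rec in carve_jpegs(make_sample_dump()):
        print(f"offset={rec['offset']} length={rec['length']} "
              f"complete={rec['complete']}")
```

A carve marked incomplete is the case the post handles by selecting to the bottom of the file; compare its length with the original file size before relying on it.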

See also: “Carving” out pictures from a Handset (Encase)