Lect 6 computer forensics | PPTX
Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬
Outlines to be discussed…
• Objective
• Potential Evidence
• Guidelines
• Seizure
• Examination
• Data Extraction
• Documentation
• Tools
• Q & A
Objective
• To extract data without changing the phone’s current state, to be able to record and explain the investigation process, and to preserve the original evidence.
Introduction
Mobile phone forensics is the science of recovering digital
evidence from a mobile phone under forensically sound
conditions using accepted methods.
Why Mobile Phone Forensics?
• Phones contain a massive volume of information
• Communication (Calls, SMS)
• Calendar
• Logs
• Picture/ Video
[Figure: Smartphone sales statistics, 1Q2016/1Q2017]
[Figure: Smartphone sales statistics by OS, 1Q2016/1Q2017]
Mobile Phones Evolution
Nokia 5110 (10 years ago)
• Phonebook
• Speed dials
• Calls history
• SMS messages
• Monophonic melodies
• General phone information
Modern phone (today)
• Phonebook
• Calendar
• Tasks
• Notes
• Caller groups
• Speed dials
• Event log
• Profiles
• Gallery files
• Java applications and games
• Multiple contact fields of the same type
• Personal settings for contacts
• Messages
• Message folders
• General phone information
• Geo event positioning (LifeBlog)
• GPS
• Web browser
• IM client
Source: (C) Oxygen Software, 2000-2009, http://www.oxygen-forensic.com
Potential Evidence
• Data of evidential value can be found in 3 principal
areas of a mobile phone:
• Phone’s Memory
• SIM card
• External storage
(MMC, SD, Memory Stick)
Phone’s Memory
• International Mobile Equipment Identity (IMEI)
• Phonebook
• Call logs (Received, Dialed, Missed)
• SMS and MMS
• Stored Files (Picture, Video, Audio)
• Stored Executable Programs
• Email, Memo, Calendars
• GPS
SIM vs USIM
SIM – Subscriber Identity Module
• A removable smart card used to communicate on GSM networks
• Allows users to change phones by removing the SIM card and inserting it into another mobile phone
USIM – Universal Subscriber Identity Module
• Used to communicate on UMTS/3G networks
• A 3G (UMTS) handset equipped with a USIM card can be used to make video calls within the area covered by a 3G network
• USIM has a much bigger phonebook than SIM
• High speed internet connections
SIM
• SMS
• Integrated Circuit Card Identifier (ICCID)
• International Mobile Subscriber Identity (IMSI)
• Mobile Subscriber ISDN
• Location Area Code (LAC)
• Phonebook
• Last Dialed Numbers
• Authenticating the user of the Cell phone to the network
The SIM provides storage for personal information, such as phone
book entries and text messages, as well as service-related
information.
ICCID (Integrated Circuit Card Identification)
• The ICCID is the serial number of the SIM card
• A number of 18 to 20 digits (10 bytes) that uniquely identifies each SIM card
• Example: 896019050877016896
• Can be used with the IMEI to acquire log information from the service provider
• It helps to identify the country and the network operator’s name
• If the ICCID does not exist on the SIM, use the ForensicSIM tool to obtain the ICCID
International Mobile Subscriber Identity (IMSI)
• The International Mobile Subscriber Identity (IMSI) is typically a 15-digit number (56 bits)
• It consists of three parts: the Mobile Country Code, the Mobile Network Code, and the Mobile Station Identification Number, which are stored electronically within the SIM.
• The IMSI can be obtained through the analysis of the SIM.
Mobile Subscriber ISDN
• The Mobile Station International Subscriber Directory
Number (MSISDN) is the phone's 15-digit, globally unique
number.
• The MSISDN follows the International Telecommunication
Union (ITU) Recommendation E.164 telephone numbering
plan, composed of a 1-3 digit country code, followed by a
country-specific number.
Location Area Code (LAC)
• The served area of a cellular radio network is usually
divided into location areas. Location areas are
comprised of one or several radio cells.
• Each location area is given a unique number within the network
• This code is used as a unique reference for the location of a mobile subscriber.
• This code is necessary to address the subscriber in the case of an incoming call.
How SMS works?
External Storage
• Files
• Backup data
• Deleted Files
• Applications
Guidelines
• There are 4 basic steps in mobile phone forensics investigations:
1. Seizure
   • Ensure evidence is not tampered with
2. Examination
   • Check conditions
   • Find phone specs
   • Find tools that support the phone
3. Data Extraction
   • Extract data in the phone, SIM and external card
4. Documentation
Copyright © 2010 CyberSecurity Malaysia
Guidelines: Seizure
1. Note if it is switched on or off.
2. If ‘ON’, pay attention to icons on the phone:
   • Missed call
   • Battery status
   • SMS
3. Do not dismantle the phone: do not take the back off the phone or remove the battery.
4. Record the time of the phone.
5. Compare with other time (your watch/ notebook).
Seizure (cont…)
6. Ask for PIN/ Password if any.
7. Search for phone chargers.
8. Before transporting, put the phone in a signal container bag:
   • Faraday cage
   • Aluminum foil (four layers)
   • Arson cans
Scenario 1
“Which one should I acquire first if:
• Phone is running?
• Phone is dead?”
EXAMINATION
• Connect the phone with appropriate cables or method (Infra-red or Bluetooth)
• Acquire with appropriate software
• If the phone is a GSM phone, note the IMEI number on screen (by typing *#06#)
• Remove the handset from the container bag and turn the phone on. Photograph any startup screens or messages.
• Power off the handset, and remove the casing
• Photograph the battery, and the label behind it once the battery is removed (usually shows the IMEI)
• If the phone is a GSM phone, remove the SIM and photograph both sides.
• Acquire the SIM with forensic software
• Perform of memory cards if present.
• Reassemble the handset.
• Reseal and return evidence to the property locker
SIM/ External Storage
• SIM cards should be processed separately from the cellular phone they are installed in to preserve the integrity of the data contained on the SIM card.
• Deleted data may not be extracted
• Why? SIM/external storage is controlled by the OS if the phone is switched ON
IMEI
• Record/ photograph the IMEI
• The IMEI is the unique identity of a mobile phone
• Printed under the battery, or press “*#06#”
• 15 digit number
• Example: 353396006345750
• The first eight digits, known as the Type Allocation Code (TAC), give the model and origin
• Can be used to find the phone’s specification and user guidelines
• http://www.numberingplans.com
• http://www.mobileforensicscentral.com
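An added example (not part of the original slides): a small Python parser for the two identifiers an examiner records, using the sample IMEI and ICCID from this deck and the field breakdown given in its speaker notes. The fixed two-digit country and network fields of the ICCID, the function names and the second IMEI are assumptions made for illustration.

```python
"""Added example: decode the IMEI and ICCID values shown on the slides."""
import re


def normalize(raw: str) -> str:
    """Drop spaces, dots, slashes and hyphens found on labels and in notes."""
    return re.sub(r"[\s./-]", "", raw)


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(raw: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit (1)."""
    imei = normalize(raw)
    if not re.fullmatch(r"\d{15}", imei):
        raise ValueError(f"IMEI must be 15 digits, got {raw!r}")
    return {
        "imei": imei,
        "tac": imei[:8],             # model and origin; look up to find specs
        "reporting_body": imei[:2],  # first two TAC digits
        "serial": imei[8:14],
        "check_digit": imei[14],
        "luhn_ok": luhn_valid(imei),
    }


def compare_imei(label_raw: str, os_raw: str) -> list:
    """Compare the IMEI under the battery with the one shown by *#06#."""
    findings = []
    label, shown = parse_imei(label_raw), parse_imei(os_raw)
    for source, rec in (("label", label), ("on-screen", shown)):
        if not rec["luhn_ok"]:
            findings.append(f"{source} IMEI fails the Luhn check; re-read it")
    if label["imei"] != shown["imei"]:
        findings.append("label and on-screen IMEI differ; possible cloned phone")
    return findings


def parse_iccid(raw: str) -> dict:
    """Split an ICCID the way the speaker notes do (assumed 2/2/2 prefix)."""
    iccid = normalize(raw)
    if not re.fullmatch(r"\d{18,20}", iccid):
        raise ValueError(f"ICCID must be 18 to 20 digits, got {raw!r}")
    return {
        "iccid": iccid,
        "industry": iccid[:2],       # 89 = telecom (SIM)
        "country_code": iccid[2:4],  # assumption: two-digit country code
        "network_code": iccid[4:6],  # assumption: two-digit issuer code
        "serial": iccid[6:],
    }


if __name__ == "__main__":
    print(parse_imei("353396006345750"))          # IMEI from the slide
    print(parse_iccid("896019050877016896"))      # ICCID from the slide
    # Constructed second IMEI (valid Luhn) to show a label/OS mismatch.
    print(compare_imei("353396006345750", "353396006345768"))
```

Recording both the parsed fields and any findings in the examination notes gives a repeatable check that the handset label, the on-screen value and the seizure paperwork all refer to the same device.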
Scenario 2
• “I’ve never seen this thing before. I have no idea what phone it is or what it can do. I need to find out fast!”
• www.gsmarena.com
• http://www.mobileforensicscentral.com
[Screenshot: gsmarena.com]
[Screenshot: mobileforensicscentral.com]
Scenario 3
• “I’ve retrieved an IMEI (handset serial #) and an ICCID (SIM serial #). I want to check them out”
• http://www.numberingplans.com
• Good for:
   • Identifying obscure mobile phones
   • Getting PUK from Telco
[Screenshot: numberingplans.com]
SIM
• Data is read via a SIM card reader and appropriate software
• Deleted data is visible when the correct tool is used
• Deleted data is not extracted if the SIM is read while it is inside the phone
External Storage
• Be careful with hidden places to store media (e.g. Nokia 3250)
Phone Memory
• Data is extracted from the phone in one of three ways:
   • Manual Analysis – physical analysis of the phone involving manual manipulation of the keypad and photographic documentation of data displayed on the screen.
   • Logical Analysis – connect a data cable/infrared/Bluetooth to the handset and extract data using suitable software.
   • Physical Analysis (Hex Dump) – dump the memory from the phone and analyze the resulting memory dump.
Logical vs. Physical
Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed
Logical analysis
• Very little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed
Source: (C) Oxygen Software, 2000-2009, http://www.oxygen-forensic.com
Logical Extraction
[Figure: Connection Type]
Logical Extraction
• Copy out live data (e.g., directories and files) that reside on a logical store
• Currently, most software is developed to extract data through logical acquisition
• Not possible to recover deleted information from the phone’s memory
Tools
• .XRY
• Cellebrite
• Pandora’s Box
• Device Seizure
• Oxygen Phone Manager II for Nokia (Forensic)
• Oxygen Phone Manager II for Symbian (Forensic)
• MOBILedit! Forensic
• Hex Workshop (Hex Analysis)
• SIMCon (SIM)
• EnCase (Neutrino module)
[Screenshots: Logical Extraction with Oxygen Phone Manager and MOBILedit! Forensic]
[Screenshot: Logical Extraction with .XRY]
Physical Extraction
• Bit-by-bit copy of an entire physical store (e.g. flash memory chip)
• Via:
   • Taking out the memory chip
   • JTAG interface
• Allows any data remnants (e.g. unused memory space) to be examined
[Figure: Physical Extraction – JTAG Interface, JTAG Cable, Acquisition Process, Connection Setting]
• The result can be seen by using a hex editor
Documentation
The examiner’s notes and documentation should include information such as:
• The date and time the examination was started
• The physical condition of the phone
• Pictures of the phone and individual components (e.g., SIM card and memory
expansion card) and the label with identifying information
• The status of the phone when received (off or on)
• Make, model, and identifying information
• Tools used during the examination
• What data was documented during the examination
Conclusion
• New mobile phone forensic techniques must be developed as mobile phone technologies keep growing.
• Consistent and well documented examination processes are crucial in ensuring that the evidence extracted from each phone is well documented and the results are defensible in court.
REFERENCES
• CHFI (slide notes)
• CyberSecurity Malaysia (slide notes)
• Gartner.com
Thank You
For Your Patience


Editor's Notes

  • #3 This is the content I will be covering today: the objective of mobile phone forensics, the potential evidence, the guidelines and, last but not least, the tools/equipment that we use. Even though I put the Q&A session at the end of these slides, feel free to stop me if you need to ask a question.
  • #4 The objective is to ensure that you do not tamper with the evidence in whatever you are doing. You also have to record everything, as you can't get an exact copy of a cell phone. It is not like making a copy of a hard disk, which will be explained by my colleague after this. Even though you are not technically modifying the phone in any way,
  • #6 There are 4 most important kinds of information contained in the phone that we need to consider: communication (calls, SMS, MMS), calendar (important dates or meetings), logs, and pictures or video.
  • #9 This slide shows the evolution of mobile phones. The comparison is between the Nokia 5110 and the iPhone. 10 years ago we just used the phone to communicate with other people. It had all the basic things (phonebook and SMS), but now, with a modern phone like the iPhone, we can use it not only to communicate but also for, for example, GPS, games and internet.
  • #15 Data of evidential value can be found in the phone itself, the SIM card, and external storage such as MMC and SD cards.
  • #16 What can we actually get from the phone memory? IMEI (International Mobile Equipment Identity): this IMEI number is used to identify valid devices, and therefore it can be used to stop a stolen phone from accessing the network in that country. Others are call logs, SMS and MMS, stored files, executable files and calendar.
  • #18 These are all the details that you can get from the SIM. The ICCID is like your IC number for the SIM card; every SIM card has its own ICCID number. The IMSI is used to identify the network the IMSI belongs to. To each location area, a unique number called a "location area code" is assigned. The location area code is broadcast by each base station.
  • #19 ICCID – up to 20 digit numbers, e.g. 896019050877016896:
      • 89 = ISO standard (SIM)
      • 60 = Country Code (Malaysia)
      • 19 = network code (Celcom)
      • The rest is the serial number
    Network name: CELCOM. Operator name: Celcom (Malaysia) Sdn Bhd. Country or global network: Malaysia. MCC-MNC: 502-13. We used to know the Telco, but now not anymore!
  • #24 These are all the things that you can get from the SD card: existing files, backup data if any, deleted files such as pictures and videos, and applications like games.
  • #25 Like I said earlier, the objective is to ensure that we do not change any data or evidence in the exhibit. So these are the steps that we have to take. First, seizure.
  • #27 This is what you should do when the phone is on: pay attention to icons on the phone such as missed calls, the battery status and SMS. Record all of this in your notes with the time of that phone so it can be compared with your watch. This is to avoid any problem related to timestamps.
  • #28 We need to ask for the password, if any, because our tools cannot extract any phone that is password protected. We have to put the phone in a signal container bag to avoid any incoming signal that can tamper with the evidence, for example aluminium foil, which needs at least four layers to block the signal.
  • #29 This is the common question. When the phone is on, you need to acquire the phone first. It will save you if the phone suddenly dies and you don't have the password.
  • #31 Before doing the analysis, this is the most important thing that you should know: you should not do the analysis while the SIM card is still inside the phone, because it will prevent you from getting the deleted data.
  • #32 First we must record/photograph the IMEI. There are two ways to get the IMEI: first, it is printed under the battery, and second, you can just press *#06#. You can also refer to these websites to find the phone’s specification and user guidelines. For the example IMEI:
      • 35 = reporting body
      • 339600 = type approval code
      • 634575 = serial number
      • 0 = Luhn code (checksum)
    The IMEI under the battery and the one reported via the OS can be compared to determine whether the mobile phone is a cloned phone.
  • #33 If you have never seen the phone before and don’t have any idea what phone it is, you can always check at these two websites.
  • #34 This is an example of an iPhone specs search using gsmarena.com.
  • #35 Another example of a phone specs search, using mobileforensicscentral.com.
  • #36 What should you do when you have the IMEI and ICCID? You should check them on this website, because it can identify obscure mobile phones and also helps in getting the PUK number from the telco.
  • #38 How to get data from the SIM card: you need a SIM card reader and suitable software, like MOBILedit in this example.
  • #39 You can get the data even if it is deleted. The word "del" here represents the deleted data.
  • #40 And you should know that deleted data is not extracted while the SIM is inside the phone, because the SIM is controlled by the phone OS, and the OS will ask the SIM to show only the active data.
  • #41 You have to carefully check the phone before you can declare that the phone doesn't have any external
  • #42 Data can be extracted from the phone in two ways.
  • #44 For logical extraction you can use these types of connection: cable and Bluetooth. We use the cable for old mobile phone models, as they don’t have a Bluetooth connection. Bluetooth is the best way, but it takes a long time to finish.
      • AT Command – also known as Hayes commands, a set of commands originally developed for controlling modems. The ‘AT’ refers to the process where two devices determine the correct speed at which to communicate with each other.
      • FBUS Nokia – proprietary protocol which enables a PC to access the data stored in a Nokia mobile phone. FBUS also provides the ability to use the phone’s network functionality, for example, to send and receive SMS messages.
      • OBEX (Object Exchange) – a transport protocol, originally developed for use over Infrared, which enables generic transport of data over a communication medium.
      • IRMC (Infrared Mobile Communications) – a synchronization protocol, originally designed for use over Infrared, which enables information stored in a mobile device, such as calendar entries and contacts, to be synchronized with that stored in a PC application such as Microsoft Outlook.
      • SyncML (Synchronization Markup Language) – a synchronization protocol which is replacing IRMC as the standard for phone–PC synchronization.
  • #45 In conclusion, logical analysis can only give you the basics, such as SMS and call logs. So it is not possible for us to recover deleted data using this type of analysis. Logical storage holds live data (data that the user sees when the phone is switched on/alive); data loaded for display on the phone is controlled by the OS, so deleted data is not visible to the user.
  • #46 Here is the list of software/tools that we can use for logical analysis; the top two are the software that we currently use in our lab.
  • #48 Snapshot taken during acquisition of a Nokia phone using .XRY. FBUS: from the picture, it is used for analyzing calls and reading contacts. FBUS Nokia is a proprietary protocol which enables a PC to access the data stored in a Nokia mobile phone. FBUS also provides the ability to use the phone’s network functionality, for example, to send and receive SMS messages.
  • #49 Physical analysis is more complicated, as we copy the entire physical store bit by bit, either by taking out the chip or by using the JTAG interface. For this presentation, I will only cover the JTAG interface.
  • #50 First, we have to connect the phone to the PC using a suitable JTAG cable, as you can see here. Then you can proceed with the acquisition process.
  • #51 The result is not readable by humans, so we need a hex editor to translate it for us. As you can see here, there are some words that we believe were the deleted SMS. If you know what you are looking for, it will be easier, as you can just search for the keyword using the search option instead of finding it yourself.