On 7 Jul 2003, Martin Meier wrote:

> Hello,
>
> I'm writing a preliminary study with the topic: forensic analysis about
> PDAs and mobiles. I try once again to pose the question.
>
> Here's my question: is there the possibility to retrieve deleted data
> (for example a deleted telephone number from the phone book) on a mobile
> phone (Nokia 7110)?
>
> If it is not possible and you can tell me this for sure, I would be happy
> with it because I only need a good reason for or against this question.
>
> Are there any tools which can retrieve the information I mentioned above?
>
> If yes, please tell me the name of this tool(s).
>
> I hope somebody can answer this question.
> tx Martin Meier

Ok, I'll take a stab at it, but likely this will not be a satisfactory answer. Most of this will be guesses, as I am not an industry insider nor do I have the training. If you learn more or are interested in further research, please get in touch.

Anyway, here goes...

Modern GSM based phones (Well, where "phone" == "Nokia phone") allow you to store data, such as phone numbers, in two locations - on the SIM chip, and on the phone itself. Older phones only supported storage of phone numbers on the SIM card.

There exist SIM readers (search eBay, you'll find a bunch) that will allow you to read and write data on the SIM card, but I don't have one on hand at the moment, so I don't know what parts of the SIM the reader can actually access.

SIM cards tend to be of different levels of sophistication (with European ones more sophisticated than ones we have in North America) however the modern ones would consist of something like:

Component: Infineon SLE66CX32OS
Processor: 16 or 8 bit CPU with I/O and security logic
EEPROM memory: 32 Kbytes
ROM: 32 Kbytes
RAM: 1280 bytes

(Specs from http://www.setec.fi/techdocs/eSIM_022002.pdf)

This tends to meet the requirements from the folks like Open Card <http://www.opencard.org/> and Java Card <http://java.sun.com/products/javacard/>.

http://www.gemplus.com/products/gemxplore_xpresso_range/ is a SIM card product of a different SIM card manufacturer (Megafon in Russia uses these, I believe).

Some data will likely be recoverable from the card, as phone numbers are generally not considered to be secure/secret, however the contents of the secure part of the card (Nokia applications such as 'Vallet' utilize these, I believe) would likely be encrypted. I haven't followed up and researched what the Visa Open Platform specification actually specifies.

Currently I don't know if the data gets fully zeroed out or just marked as deleted. However I suspect that recovery is possible.

Now onwards to the phones.

Nokias tend to be ARMv7 based (http://dara.notbsd.org/nokia/ has some photographs of the older low end phones' insides, there you can see that the CPU inside is an ASIC) and at least the older ones use flash memory to store the NokiaOS (the Intel chip). Note that I have not the faintest clue about the recent Symbian based Nokia phones or about more modern Nokias.

Generally Nokia phones support two undocumented interfaces, M2BUS (commonly known as MBUS) and FBUS. One tends to be used to program the phone, read off phone book entries, re-set the provider locks, etc, while the other one is used to re-flash the OS. More information at Nuukia world: http://www.panuworld.net/nuukiaworld/hardware/cables/index.htm

MBUS and FBUS are both undocumented protocols, and Nokia is not talking. There might be ways to copy the slack space from the phone book on the phone, but I do not yet know of them.

I have the technology to read (and write) the image off most older Intel flash chips, so one thing that has been on my plate for a while now is to sacrifice a phone by first reading the data off it through the Fbus/Mbus interface, and then de-solder the chip and use the flash reader to read the image off, and compare the two.

Obviously the second read would be much more comprehensive than the first one, however phones that can store the phone numbers on board are relatively new and relatively expensive, and the experiment is rather destructive, so so far I've been holding off.

So I'd suspect that you would have to sacrifice the phone in order to learn what got deleted.

Once again, a lot of the above is pure speculation, so corrections and more information are really welcome.

Signed: //Stany
--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own. LARTs are provided free of charge + 10533 +-+
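As an added illustration of the SIM side of the question (not part of the original message, and not code from its author): a parser that classifies raw SIM phone book records as empty, live, or leftover residue. It assumes the reader returns the EF_ADN file as concatenated fixed-length records in the GSM 11.11 layout and that names use only ASCII-compatible characters; the sample bytes, including the "residue" record with an invalidated length byte, are constructed.

```python
# Added example: classify raw SIM phone book (EF_ADN) records from a reader dump.
# GSM 11.11 record layout: alpha identifier (X bytes), then 14 fixed bytes:
# BCD length, TON/NPI, 10 bytes of swapped-nibble BCD digits, 2 trailer bytes.
FIXED = 14
BCD_DIGITS = "0123456789*#p?e"  # 0xC pause, 0xD wildcard, 0xE reserved; 0xF = filler

def decode_number(ton_npi, bcd):
    """Decode swapped-nibble BCD; stop at the first 0xF filler nibble."""
    digits = []
    for byte in bcd:
        for nibble in (byte & 0x0F, byte >> 4):  # low nibble holds the first digit
            if nibble == 0x0F:
                break
            digits.append(BCD_DIGITS[nibble])
        else:
            continue
        break
    prefix = "+" if (ton_npi >> 4) & 0x07 == 1 else ""  # TON 1 = international
    return prefix + "".join(digits)

def parse_record(rec):
    """Return (status, name, number) for one raw record."""
    if all(b == 0xFF for b in rec):
        return ("empty", "", "")  # fully erased: nothing left to recover
    alpha, length, ton_npi = rec[:-FIXED], rec[-FIXED], rec[-FIXED + 1]
    bcd = rec[-FIXED + 2:-2]
    name = alpha.rstrip(b"\xff").decode("ascii", "replace")
    if 1 <= length <= 11:  # length counts the TON/NPI byte plus the BCD bytes
        return ("live", name, decode_number(ton_npi, bcd[:length - 1]))
    # Invalid length but non-0xFF bytes remain: data left behind after deletion.
    return ("residue", name, decode_number(ton_npi, bcd))

def parse_dump(dump, record_len):
    if record_len <= FIXED or len(dump) % record_len:
        raise ValueError("dump is not a whole number of records")
    return [(i + 1, *parse_record(dump[o:o + record_len]))
            for i, o in enumerate(range(0, len(dump), record_len))]

# Constructed sample: three 24-byte records (10-byte alpha identifier + 14).
SAMPLE = (
    b"ALICE" + b"\xff" * 5 + bytes.fromhex("0791442143658709") + b"\xff" * 6
    + b"\xff" * 24
    + b"\xff" * 12 + bytes.fromhex("550521f3") + b"\xff" * 8
)

if __name__ == "__main__":
    for row in parse_dump(SAMPLE, 24):
        print(row)
```

A record reported as "empty" was overwritten with 0xFF and holds nothing recoverable at this level; "residue" records are the ones worth examining by hand.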