As part of my work, I recently put together a fairly comprehensive cell phone forensic course. As part of the development phase of this project, I had a chance to use most of the common cell phone forensic tools and put them through their paces with over 50 different phones, most of which were international models.
In my opinion, with cell phone forensics the forensic industry is nowhere near where we are today with computer forensics, mostly because it is a fairly new sub-field of digital forensics and the tools just have not been around long and have not yet evolved to the state where the current computer forensic tools are.
I also think it is due to the complete lack of standardization by phone manufacturers. With computer forensics, you have different makes and models of computers and it generally has little effect on the analysis phase because how they each operate is standardized and follows a set of design specifications. Whereas in cell phone forensics, each cell phone manufacturer could be using their own proprietary operating system and each phone may operate completely differently from other models by the same manufacturer. This makes developing an all-inclusive tool that can support all the manufacturers and models of phones very difficult and is something like hitting a moving target traveling at 200 mph. By the time you develop a tool to deal with a specific phone, 5 more new ones have been released that don't follow the same standard(s).
**I have no association with any of these vendors.**
The following is just my experience and impressions of the current state of these tools; future version releases could improve or worsen their performance.
The tools I used and evaluated are as follows:
Cellebrite
http://www.cellebrite.com/
Neutrino (Guidance Software)
http://www.guidancesoftware.com/
Mobile Phone Examiner (AccessData)
http://www.accessdata.com/
Secure View (DataPilot)
http://www.datapilot.com/productdetail/253/producthl/Notempty
XRY
http://www.msab.com/
XACT
http://www.msab.com/
Paraben
http://www.paraben-forensics.com/catalog/product_info.php?cPath=26&products_id=343
Fernico ZRT
http://www.fernico.com/zrt.html
Project-a-phone
http://www.projectaphone.com/
To first summarize my experience and findings, I would rate my top three tools as:
Cellebrite
DataPilot
XRY
My rating of these tools as my top three is based on these criteria:
Functionality
Supported phones
Ease of use
Cellebrite
Currently, this is the only tool evaluated that can handle iPhones. This was not a deal-maker/breaker for me, but it is worth noting. This is a very simple-to-use handheld device that can be brought out into the field. I would love to see it have an internal battery to facilitate true in-the-field information gathering. This device handles many different phone models. It supports cable connections to phones as well as Bluetooth. It cannot be any simpler to use: clear and easy menu-driven screens guide the operator through the acquisition phase. Information can be sent immediately to an attached computer or saved to a USB flash drive, so it can be handed to an investigator for review.
DataPilot (Secure View)
Nice compact kit. Comes with an excellent cable kit that supports many different phones. This is a software solution that really only involves cables and a security key to enable the software. The software is simple to use. Generates nice clean reports.
XRY
XRY is a kit that comes in a fairly large box (suitcase). It comes with several cables, but not as many as Cellebrite or DataPilot. The XRY device itself is fairly small and self-explanatory with clearly labeled ports and connections. The device can be powered by a wall plug or by USB port, making field acquisitions very easy. The software interface is very simple to use and it supports a large number of phones.
For the rest of the devices I used and evaluated, the following are some of the findings and experiences that were relevant to my rating of these devices:
Neutrino
This device is an add-on to EnCase. It comes in a very large case. The biggest downside to this product is the lack of support for phones. The number of phones this device supports and can extract data from is very low. The ability to read non-US models is also very very low.
AccessData MPE
Notwithstanding all the known and previously discussed issues with FTK 2.0, I found this product to be very "clunky" and not too intuitive. I had common problems with the licensing of the MPE module and it not recognizing phones that were connected. Phone support is also very low. Ease of use is very low.
XACT
XACT is the only tool that is focused on getting a physical image of a phone. I was very excited to see this product and try it out. The hardware and software are almost identical to XRY. The biggest disappointment I had with this product is that it just didn't work or support many phones. Even with the phones it said it supported, I had trouble, and later found out that it only supports phones with certain firmware. So if the documentation says it supports a Motorola SLVR L7, it may not work if that phone is using a certain firmware version. XACT can parse the "physical" image of some phones and break out the data into categories and show logical data, such as SMS, photos, etc., but this does not work on all models of phones. I didn't mind this because I could still look at the physical image, but unfortunately many of the phones I tried simply would not work because the firmware version was not supported. I was very happy that, on an old Motorola SLVR L7 that I examined, XACT was able to pull a physical image, but not parse the data. A manual search of the data resulted in several SMS messages that were deleted and were from 8-9 months in the past. The bummer was that when I tried three more Motorola SLVR L7 phones, a physical image could not be obtained because of an unsupported firmware version on these phones.
Paraben
This device suffers from many of the same drawbacks as Neutrino. It does not support many common phone types. Like Neutrino, it needs drivers installed for many of the phones.
Fernico ZRT
This really isn't a forensic tool, but rather a solution to process phones manually. It includes an awesome desk clamp, camera, microphone and software so that if you need to process a phone that isn't supported by one of the above tools, you can manually go through the phone and record everything as you do it. This is hands down my tool of choice when having to process or deal with phones that a forensic tool cannot process or when I want to manually capture something on a phone.
Project-a-phone
This tool is similar to Fernico, as it is used to manually process a phone and record right off the phone's screen as the investigator cycles through the phone screens. I found this product to be very low-quality and cheap looking. The camera image is very poor and not very usable. I would not recommend using this product at all.