Some RegEx’in

Hey we have started the MFI 303 course where we cover grabbing some serious artifacts from the cellphone fileystems.  Do you know that the majority of cellular extraction tools only parse out about 40% of actual data.  What I mean by that is that they target the usual: phonebook, call logs, media and MMS.  What the heck happens to the the REST of the data like URLs, Internet History, Passwords/Usernames and LockCodes???  Well for the most part NO logical software around even touches it.  This is due to either the differences in the locations in the software/firmware on the devices or the lack of examination training the companies that develop the software might have. In either case the loser is really the examiner if they fail to take their time in an examination and only take what the tool give them.

We have been taking the lid off that mess and looking through the files carving the data using standard forensic tools like AccessData’s FTK.  We have been using RegEx (GREP) expressions to find even more data quickly.  For example, we have been using \x01\d\d\d\d\x01 to find lockcodes on LG, Sanyo, Samsung, and Audiovox handsets!  Give it a go.  Some others we have been using are locating internet artifacts, chat and also, carving 3GPP, AMR and other files!

More on this later!  Thanks for reading and I hope to get more of this on the page soon!

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department

This entry was posted in Rant and tagged , , , . Bookmark the permalink.