Heading to the DoD conference with not only a level of excitement in presenting on Thursday but also about seeing the “regulars”. From Cellebrite, Microsystemation, Susteen and others who regularly attend the conference it is always interesting to hear about the things that have happened since last we got together. Some of course are more guarded than others primarily due to my relationship with AccessData and what I do or they believe I do. It is a time I usually end up having to explain myself and justify my work for the community on a whole to some, but if it makes a relationship better then all is good. Although, I find it terribly tiring to do it every time we all get together. The mobile phone community is extremely volatile to the point of paranoia. Primarily due to the currency involved, the bottom line, the mighty dollar. Ok let’s get some education into this blog.
Date and times are always important to any type of examination or investigation. In our mobile phone training courses, both online and in the classroom, we talk about the value of seeking the truth. The truth I will touch on are the truth in dates and times in cellphone examinations. Mobile Forensics Inc I would say pioneered the addition of carving for these artifacts in our training offerings, starting with our 202 course (I am sure I will be corrected if I am wrong).
Why are dates and times important when software already parses out that data for me already? Well let’s answer that with a few bullets.
Most software reports date/time arrival to handset, which could be drastically different than the sent time (we are talking about SMS for this example)
A lot of dates/times cannot be parsed by software. This is usually due to the developer not knowing the format or location(s).
Software reports incorrect date/time due to the many different types of formats.
Deleted data might have a truncated date/time which is not picked up by software.
A lot of mainstream software will take the file date and display that as the SMS date/time. Now this could be extremely close for outbound SMS, but for incoming messages this could be very far off. And if I want to know the date/time the bad guy sent the message to my victim’s phone then I better start my hunt. A rule of the thumb I always use before diving into the HEX in the handset’s filesystem will be to determine if the date/time show up on the device along with the message. If this is the case, it HAS to be in the phone’s data right? Well, yes it does, but the format it might be in is the difficult part. This, along with where in the file the artifact might reside.
Another issue you will face is the problem with becoming overjoyed with the location of a date/time format on a LG-VX5300 only to be at square one when you look at a Motorola V3m. It is tedious, but the payoff is well worth it.
What tools can I use when trying to locate these artifacts? In our training courses we use several.
All are listed in alphabetical order and should not be construed as order of preference.
AccessData FTK 3.2
Added to the HEX Interpreter window the user can sweep bytes and convert the associated HEX bytes to a date/time. The converted data can then be bookmarked and saved via copy.
Cellebrite Physical Analyzer
Used in our 303 course where the student can sweep bytes and convert the associated HEX bytes to date/time. User can search for date formats on files not automatically parsed.
MFI HEX Assistant
Free App (can I use App?) I put together that allows the user to sweep bytes in evidence, paste in assistant, and convert to proper date/time. Similar to Decode that is used for computer forensic date/time conversion.
RevEnge
Used in our 202 course and from Sanderson Forensics. The student can import any file into the interface and sweep bytes and convert the associated HEX bytes to date/time. User can search for date formats within the files being examined. Data can be bookmarked for each hit.
All are fantastic tools and can be used collectively or independently depending upon your situation.
All support the following dates/times: HEX/DEC 6 Byte, BREW/Qualcomm/GPS, LG/Samsung, OSX/DOS, UNIX
Of course the utilization of each tool is different, but the outcome is always consistent over all the listed applications. The tool is not the difficult part but the location and parsing of the data is, but the payoff is emense! Uncovering data manually from a phones’ fileystem can make a case that was solid, now ROCK SOLID.
So if you are at DoD Cybercrime this week, look me up at the AccessData booth and let me know what you think.
Lee Reiber
