lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 21 May 2007 12:45:20 +0800
From: "Eduardo Tongson" <propolice@...il.com>
To: "Davide Del Vecchio" <dante@...ghieri.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

gd,
You can also recover SMS from flash memory cards used in these Nokia
phones. The phones has a feature wherein you can archive or backup SMS
to the cards. So even if they delete the backup you could just
undelete the .dat files using something like Testdisk to recover the
messages.

On 5/16/07, Davide Del Vecchio <dante@...ghieri.org> wrote:
> Hello list,
>
> During some research, I found an intersting "feature"
> on my Nokia mobile phone; I was able to retrieve any
> apparently deleted sms/mms.
> Letting aside some paranoid thoughts about WHY this
> sms are not deleted, I think that, while this represents
> an high risk for our privacy, this discover could give some
> hint into mobile phone forensics and anti-forensics field.
>
> First, I would like to tell you that I tested this on
> my Nokia N-gage and on a Nokia 6600 but I am quiete sure
> that this procedure works on every Nokia Symbian S60
> (maybe other vendors). So I strongly incite you to test
> it on your mobile phone and share the results.
>
>
> Tested products:
>
> Nokia N-gage, firmware version: V 4.03 26-11-2003 NEM-4
>
> Nokia 6600
>
> Maybe the whole S60 series.
>
>
> Procedure:
>
> Download the Nokia PC Suite for your mobile phone and make
> a backup on your local hd.
> I used PC Suite for Nokia N-Gage Version 1.0.0
> http://www.nokia.com/pcsuite
>
> It will create a huge number of ".dat" files in a specified
> directory.
>
> Download, install and start Cygwin. This is not required but
> suggested, you could use an hexadecimal editor and a bit of
> patience but using Cygwin is surely faster.
> http://www.cygwin.com
>
>
> Move into the backup directory.
>
>
> $ ls -al | less
>
> total 6016
> drwx------+ 2 Administrator Nessuno      0 Feb  6 01:35 .
> drwx------+ 7 Administrator Nessuno      0 Feb  5 23:00 ..
> -rwx------+ 1 Administrator Nessuno   2972 Nov 27  2003 1.dat
> -rwx------+ 1 Administrator Nessuno  22913 Nov 27  2003 10.dat
> -rwx------+ 1 Administrator Nessuno   1062 Feb 16  2005 100.dat
> -rwx------+ 1 Administrator Nessuno   3912 Aug  9  2005 1000.dat
> -rwx------+ 1 Administrator Nessuno   2750 Aug 25  2005 1001.dat
> -rwx------+ 1 Administrator Nessuno   8741 Dec 15  2005 1002.dat
> -rwx------+ 1 Administrator Nessuno   9926 Dec 20  2005 1003.dat
> -rwx------+ 1 Administrator Nessuno     63 Dec 30  2005 1004.dat
> -rwx------+ 1 Administrator Nessuno  23988 Jan 13  2006 1005.dat
> -rwx------+ 1 Administrator Nessuno     18 Jan 23  2006 1006.dat
> ...
> ...
> etc etc (files created by the nokia pc suite).
>
>
> Choose a file to examine.
>
> $ ls -al 3102.dat
> -rwx------+ 1 Administrator Nessuno 666569 Feb  5 23:59 3102.dat
>
> Use the command "strings" to find printable characters.
>
> $ strings 3102.dat | less
>
> Ciao! Auguro a te ed alla tua fa@...ica Farlonesi
> ...
> ...
> etc etc
>
>
>
> This is part of an sms I deleted and that I don't see on my phone.
> So, just grep every file in the directory to find the complete sms:
>
> $ grep -i "Auguro a te ed alla" *
>
> Binary file 1770.dat matches
> Binary file 3102.dat matches
>
> The sms has been found in 1770.dat file, let's see what's inside it:
>
> $ strings 1770.dat
>
> Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E.
> 4+393915253350
> 4+393922378986
>
> Got it! The complete sms, with the phone number of the sender (phone
> numbers have been changed).
> In earlier versions of Nokia PC Suite it just creates a ".nbu" file and
> you can just edit it with an hexadecimal editor.
>
> I mailed the Nokia support and they told me they didn't know about this
> bug and would like to know more informations about impacted models but
> they don't have any intention to release some kind of patch.
> I contacted Symbian too, they told me that Symbian sources are
> distributed to mobile phone vendors and so they cannot release any
> final-user patch.
>
> This description is also avaiable here:
> http://www.alighieri.org/advisories/retrieving_deleted_sms.txt (ENG)
> http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt (ITA)
>
> Regards,
>
> Davide Del Vecchio.
>
> --
> http://www.alighieri.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ