Symbian Forensics

Abstract

A Nokia 5800 XpressMusic Unlocked Phone with U.S. 3G, GPS with Free Voice Navigation, Wi-Fi — U.S. Version with Warranty (Black) is examined as a case study in Symbian forensics. The device runs S60 5th Edition software. This paper describes the steps of the examination and what was obtained from it. The main results are a better understanding of the Symbian file system, a forensic image of the micro SDHC card taken from the phone, and a backup of the phone's internal data. The data was then analyzed, the problems met during the process are described, and ways to solve them are discussed. Finally, the author draws conclusions from the examination and the analysis.

Keywords: Symbian forensics, SDHC memory card, flash memory, backup


Introduction

This paper is based on the examination of a Nokia 5800 XpressMusic Unlocked Phone with U.S. 3G, GPS with Free Voice Navigation, Wi-Fi — U.S. Version with Warranty (Black). This Symbian phone runs S60 5th Edition software. Since the paper was written as a course assignment, the main task is to surface as much interesting evidence as possible.

The paper is divided into four parts. First, the author gives a brief introduction to related work on forensics of the Symbian operating system. Then the process that the author followed is described in detail. After that, the problems met during the examination are discussed. Finally, conclusions are drawn about what evidence could be found.

Related work

Savoldi and Gubian (2008) give a brief introduction to how forensic work can be done on the Symbian system. Their paper gives an overview of the techniques that can help a practitioner gain access to internal phone memory, both at the logical level and at the physical level. However, as they note, there is no reliable way to bypass the security model of the Symbian operating system in order to acquire the entire memory of the phone.

In 2012, Thing and Tan presented a method to acquire privacy-protected data from phones running Symbian OS versions 9.3 and 9.4. They bypass the platform security of the Symbian system and obtain unrestricted read access to the entire filesystem of the phone. With this access they recover evidence from SMS messages, even ones that have been deleted.

In the same year (2012), Thing and Chua proposed a Symbian low-level physical data acquisition tool for 5th Edition phones to support evidentiary file carving. Their paper describes how files are stored and fragmented in the flash memory of a Symbian phone.

In 2013, Thing and Chua presented work on live volatile memory acquisition from Symbian smartphones. They propose a methodology for in-depth malware security and forensic analysis.

Steps of the process

The first thing an investigator should do is to record a detailed description of the state of the mobile phone. The state of the Symbian phone is therefore given first, including whether the phone is on, its size, the system version and the main interfaces:

The phone was bought from amazon.com. As the listing describes it, it is a like-new Nokia 5800 XpressMusic Unlocked Phone with U.S. 3G, GPS with Free Voice Navigation, Wi-Fi — U.S. Version with Warranty (Black). This unlocked phone works with GSM carriers; it will not work with CDMA carriers such as Verizon Wireless, Alltel and Sprint. It is a touch-screen multimedia phone supporting GSM 850/900/1800/1900, U.S. 3G on 850/1900 UMTS/HSDPA, and GPRS/EDGE data.

When received, the phone was powered off with no battery installed, and there was no SIM card in it. To examine the phone carefully, photographs were taken and the interfaces were inspected. The photographs, which show the phone in detail, are Figure 1 and Figure 2.

Figure 1

Figure 2

Only three interfaces need to be noted in this paper: the USB port, the SIM card slot and the memory card slot. While the interfaces were being inspected, a micro SDHC card was found in the phone. It was then removed from the phone with great care.

To read the micro SDHC card, a mini card reader and a micro SDHC to SD adapter were used. The card reader is connected to the computer over USB and an image of the card is made. The card reader is shown in Figure 3. Note that an ordinary card reader is not a write blocker: the operating system may write to a mounted card on its own, so on a real examination a hardware write blocker (or at least the lock switch on the SD adapter, where the reader honours it) should sit between the card and the computer so that mounting cannot alter the exhibit.

Figure 3

To image the micro SDHC card, the following steps are followed:

1)     Connect the card reader to the computer with the USB cable provided.

2)     Open FTK Imager.

3)     Choose Create Disk Image from the File menu, select Physical Drive as the source type, click Next, select the SDHC card and click Finish.

4)     Click the Add... button under Image Destination(s), choose the image type and fill in the evidence item information for the examination (case and evidence numbers, examiner, notes).

5)     Choose the folder and file name where the image should be stored, keep "Verify images after they are created" checked, click Finish and then Start to create the image of the SDHC card.

Once imaging finishes, the hashes of the source and of the image (FTK Imager computes MD5 and SHA-1) must be compared to confirm that the image is a bit-for-bit copy; only a matching image is usable as evidence. The verification results are shown in Figure 4 and Figure 5.
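The verification step above can be reproduced outside FTK Imager. The following is an added example written for this page, not FTK Imager's code and not part of the paper: it hashes the source bytes while copying them, then re-reads the finished image and hashes it independently, which is what the "Verify images after they are created" option does. The in-memory sample "card" is constructed for the demo, and the device path in the docstring is an assumption.

```python
"""Raw imaging with hash verification.

Added example for this page; not FTK Imager's code and not part of the paper.
Replace the constructed in-memory "card" with a real device opened read-only
behind a write blocker, e.g. open("/dev/sdb", "rb") (device name assumed).
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB cards do not fill memory

# Constructed sample "card" contents for the demo: 4 KiB of patterned bytes.
SAMPLE_CARD = bytes(range(256)) * 16


def _digests():
    # FTK Imager reports MD5 and SHA-1; SHA-256 is added because neither of
    # those is collision resistant any more.
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def _finish(hashes, size):
    out = {name: h.hexdigest() for name, h in hashes.items()}
    out["size"] = size
    return out


def image_device(src, dst_path):
    """Copy every byte of src (a binary file object) to dst_path.
    Returns the digests and byte count of what was read from the source."""
    hashes, size = _digests(), 0
    with open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return _finish(hashes, size)


def hash_file(path):
    """Re-read a finished image from disk and hash it independently."""
    hashes, size = _digests(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
            size += len(chunk)
    return _finish(hashes, size)


def verify_image(path, source_digests):
    """True only if the size and every digest of the image match the source."""
    return hash_file(path) == source_digests


def acquire_bytes(data, tamper=False):
    """Demo driver: image an in-memory device into a temporary file and
    verify it.  With tamper=True one byte of the image is flipped after
    imaging, which is exactly the case the verification exists to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "card.001")
        digests = image_device(io.BytesIO(data), path)
        if tamper:
            with open(path, "r+b") as f:
                first = f.read(1)
                f.seek(0)
                f.write(bytes([first[0] ^ 0xFF]))
        return verify_image(path, digests), digests


if __name__ == "__main__":
    ok, d = acquire_bytes(SAMPLE_CARD)
    print("verified:", ok, "md5:", d["md5"], "sha1:", d["sha1"])
```

Record the digests returned by `image_device` in the case notes at acquisition time; any later copy of the image can then be checked with `verify_image` without access to the original card.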

Figure 4

Figure 5

After verification, the image can be examined in FTK Imager:

  1. Choose Add Evidence Item from the File menu.
  2. Select Image File as the source type and click Next.
  3. Select the image file generated by FTK Imager and click Finish.
  4. Once the evidence is loaded, expand the Evidence Tree to see the detailed contents of the image.

The screen shot of the evidence tree is shown as Figure 6.

Figure 6

To make the evidence tree easier to examine and analyze, Autopsy (autopsy.exe), an open-source digital investigation tool, is used. It can be downloaded from http://www.sleuthkit.org/autopsy/download.php. After installation, Autopsy is used as follows:

  1. Open Autopsy and create a new case.
  2. Add the image file to the case by clicking the Browse button and selecting the image file location.
  3. Click Next, Next and Finish to add the evidence to the case.

Once the evidence is added to Autopsy, it is much easier to see where the important files are. This is shown in Figure 7.

Figure 7

Opening each folder in turn, images, videos, audio and archives were found, along with many documents such as Word files, txt files, rtf files and PDF files. Most of these are just system files, but some are interesting because they contain important information. Two .doc files are an example: they contain the telephone number and salary information of a man in Berlin. These two files are located in /img_SDHC content image.001 /cities/diskcache/RI2008/POSTfestival. Their creation times and contents are shown in Figure 8, Figure 9 and Figure 10.

Figure 8

Figure 9

Figure 10

Another very important file is an rtf file last modified on 06/06/2008. It contains a number of emails copied from a mailbox. Since the file is written in German, most of the content could not be understood, but some significant items can still be picked out of the emails, such as addresses and telephone numbers. Details are shown in Figure 11 and Figure 12, both taken from VVR_BerlFenster.rtf, which is located in the img_SDHC content image.001/cities/diskcache/RI2008 folder.

Figure 11

Figure 12

Four other significant rtf files are found under img_SDHC content image.001/cities. Their locations and modification times are shown in Figure 13 and Figure 14. Most of their content is written in German; since the examiner does not read the language, further help should be sought.

Figure 13

Figure 14

Although the meaning of these rtf files is hard to make out, some significant information about the previous owner can be learned from them. Details are shown in Figure 15 and Figure 16.

Figure 15

Figure 16

The previous owner of the phone downloaded many videos and audio files; the times at which they were downloaded are shown in Figure 17 and Figure 18.

Figure 17

Figure 18

Another 36 PDF files were found on the SDHC card, most of them downloaded from the Internet. All of them consist of tables, but not much can be learned from the tables because of the language barrier. Still, one can infer that the previous owner of the phone might be a professor, because he received so much conference material and so many people corresponded with him by email. The file names and modification times are shown in Figure 19.

Figure 19

The times at which some of the files were downloaded from the Internet or copied from a computer are also of interest; see Figure 20.

Figure 20

Analyzing the timestamps shown in the FTK Imager evidence tree allows further inferences. The private folder is a system-managed folder: on Symbian OS 9.x, data caging gives each installed application its own directory under \private, named after the application's secure identifier, so the contents of this folder are written by applications rather than directly by the user. The timestamps of the private folder show that most of its files were modified on the same day, as shown in Figure 21.

Figure 21

From these timestamps we know that the previous owner used the phone on January 1st, 2009. It is also easy to see in the image that most files share the same modification date. The explanation is that these files were written by software rather than by a person: a whole folder of files carrying the same modification time to the second points to a batch operation such as an install, sync or copy, which a person editing files by hand could not produce. This is easy to see in Figure 22, where all the files are modified at the same time. These files are located in root/cities/brazilian/Brazilian_female.

Figure 22

Using this rule, many files can be recognized as system files. The remaining files and folders in the evidence tree are likely to be more important, although system files can also be significant evidence in their own way. Figure 23 shows the evidence tree from FTK Imager. From it, the private folder and the cities folder appear to be system folders, whereas folders such as Sounds, Images and Videos appear to be the previous owner's own. Opening each of these folders yields little further evidence. The one thing worth noting is that the phone was in frequent use from August 2008 to February 2009.

Figure 23

Figure 24

Figure 25

Most of the pictures and videos were created on two different days. By going through each photo and video, the potentially important files were picked out; most of them contain addresses and personal information. They are shown in Figure 26, Figure 27 and Figure 28.

Figure 26

Figure 27

Figure 28

Since not much more evidence could be found on the SD card, the phone itself had to be powered on. Figure 29 was taken during power-on. The original card was removed and a new SD card was inserted beforehand, so that the exhibit card could not be altered by the running phone. On a real examination the phone should also be powered on in an isolated environment (a shielded bag, or the Offline profile selected at start-up): there was no SIM in this phone, but its Wi-Fi radio could still connect to a network and change the phone's state.

Figure 29

Because the phone does not proceed until the date and time have been entered at first power-on, this information was entered, as shown in Figure 29. There is no SIM card in the phone, so SMS messages and telephone numbers stored on a SIM are not available. However, important information may still be stored in the phone's internal flash memory, so the question becomes how to recover that data.

With the phone powered on, the operating system version was checked under Settings > Phone > Phone mgmt > About: it is S60 5th Edition. S60 5th Edition runs on Symbian OS 9.4, which, like versions 9.1 to 9.3, enforces platform security (installable packages must be signed, and application data is caged under \private). However, almost all published forensic work targets 3rd Edition. The following approaches were tried:

As described by Savoldi and Gubian (2008), a logical extraction technique covers only the content visible at the file system level, i.e. files, databases and registry entries along with other file system data. The authors recommend Device Seizure as a good tool for logical extraction. However, whether it works on this Symbian system could not be established, and, as the Internet source reproduced in Figure 30 shows, it cannot be used to recover deleted data. Physical extraction techniques, which can recover all the data from the phone, are therefore preferred here.

Figure 30

As discussed in Savoldi and Gubian's (2008) paper, three physical extraction techniques can help in this situation: flasher tools, the JTAG test access port, and forensic de-soldering of the flash chip. However, Savoldi and Gubian (2009, p. 20) state that on the Symbian S60 platform it was not possible to extract the full internal state and obtain a forensically sound acquisition. One of the four approaches suggested in that paper, the connection agent, was chosen for this examination. Message Mirror V2.50 was downloaded from the Internet to pull the internal data out, but it failed to install with the message "certificate error, please contact the producer". The usual causes of installation errors were checked, but the program still would not install. This message is the Symbian OS 9.x installer's generic rejection of a package whose signature it does not trust: every SIS package must be signed, a self-signed package installs only if the installer is set to accept unsigned software and the application requests no more than user-grantable capabilities, and a package signed with an expired or untrusted certificate is refused with exactly this error.

After the installation failed, another approach was tried. First, a new micro SD card is inserted into the phone (or is already in it). Second, choose Applications > File manager > Backup, then choose the backup contents and select all file types. Finally, choose Backup now from the options menu. The backup takes about eight minutes. Then remove the SD card from the phone, connect it to the computer with the card reader, and open it in FTK Imager: a new folder named backup can be found, as shown in Figure 31.

Figure 31

More than 20 files were obtained this way, including the deleted files; their names are shown in Figure 32. But once the backup and its analysis were finished, how to read the resulting .arc file became a major problem.

Figure 32

Issues or problems

When the evidence was analyzed in Autopsy, the timestamps appeared to conflict: some modification times are earlier than the creation time, while others are later. How can this happen? One suggestion is that the timestamps were disturbed when the new time was entered into the phone; note that the FAT filesystem on the card stores timestamps in local time with no time zone, taken directly from the phone clock at the moment of writing, so any error in the clock goes straight into the timestamps. Another suspicion is that the phone may have been reset several times, with some files modified by the system, so that only some of the timestamps are wrong. There is also a benign explanation for a modification time earlier than the creation time: when a file is copied onto a FAT volume, the copy keeps the source's modification time but receives a new creation time, so for such files "created" records when the file landed on the card and "modified" records when its content was last written elsewhere, typically on a computer.
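The two timestamp observations in this paper, whole folders sharing one modification time (the system-file rule used at Figure 22) and files whose modification time precedes their creation time (the conflict just described), can be checked mechanically over a file listing exported from Autopsy or FTK Imager. The following is an added example written for this page, not code from the paper or from either tool. The listing and its file names are constructed for the demo, and the column layout (path | created | modified) is an assumption about how the export is formatted.

```python
"""Timestamp triage over a file listing exported from Autopsy or FTK Imager.

Added example for this page, not code from the paper or from either tool.
Assumed input layout: one file per line, "path | created | modified", with
times in ISO 8601 as read from the card (FAT stores local time, no zone).
The listing and file names below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LISTING = """
/cities/brazilian/Brazilian_female/img01.jpg | 2009-01-01 10:02:00 | 2009-01-01 10:02:00
/cities/brazilian/Brazilian_female/img02.jpg | 2009-01-01 10:02:00 | 2009-01-01 10:02:00
/cities/brazilian/Brazilian_female/img03.jpg | 2009-01-01 10:02:02 | 2009-01-01 10:02:02
/cities/brazilian/Brazilian_female/img04.jpg | 2009-01-01 10:02:02 | 2009-01-01 10:02:02
/cities/diskcache/RI2008/notes_a.rtf | 2008-09-03 14:15:10 | 2008-06-06 08:30:00
/Images/holiday1.jpg | 2008-11-20 16:41:06 | 2008-11-20 16:41:06
/Images/holiday2.jpg | 2008-11-22 09:12:30 | 2008-11-22 09:12:30
"""


def parse_listing(text):
    """Turn the exported text into (path, created, modified) tuples."""
    rows = []
    for line in text.strip().splitlines():
        path, created, modified = (f.strip() for f in line.split("|"))
        rows.append((path, datetime.fromisoformat(created), datetime.fromisoformat(modified)))
    return rows


def batch_writes(rows, window=timedelta(seconds=2), min_files=3):
    """Directories where at least min_files files were modified within one window.

    FAT records modification time at 2-second resolution, so files written by
    a single operation may differ by up to 2 s.  A run of many such files is a
    software event (copy, install, sync), not a person editing files by hand.
    Returns (directory, first timestamp, file count) for each event."""
    by_dir = defaultdict(list)
    for path, _, modified in rows:
        by_dir[path.rsplit("/", 1)[0]].append((modified, path))
    events = []
    for directory, items in by_dir.items():
        items.sort()
        run = [items[0]]
        for item in items[1:]:
            if item[0] - run[-1][0] <= window:
                run.append(item)
                continue
            if len(run) >= min_files:
                events.append((directory, run[0][0], len(run)))
            run = [item]
        if len(run) >= min_files:
            events.append((directory, run[0][0], len(run)))
    return events


def copied_files(rows):
    """Files whose modification time precedes their creation time.

    Copying a file onto a FAT volume keeps the source's modification time but
    stamps a new creation time, so 'created' is when the file landed on the
    card and 'modified' is when its content was last written elsewhere."""
    return [path for path, created, modified in rows if modified < created]


def triage(text=SAMPLE_LISTING):
    """Run both checks over a listing and return the findings."""
    rows = parse_listing(text)
    return {"batch_writes": batch_writes(rows), "copied": copied_files(rows)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On the constructed listing, the four files in Brazilian_female come out as one batch write and notes_a.rtf as a file copied onto the card; the two holiday pictures, taken two days apart, are flagged by neither check. Both results are leads to confirm against the image, not conclusions: a batch write says only that software wrote the files, and a copied file says only that its content was authored before it reached the card.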

Another problem is that most of the documents, which may be very important, are written in German; only a few are in English. Assistance from a German speaker should be sought. Further study of what the documents say may well help the investigator establish who the person is and what he did in the past.

Finally, obtaining a physical bitstream of the phone remains a problem. A backup can be made of the phone's internal memory, but a backup does not recover data that has been deleted from the phone. To recover deleted data and obtain a bitstream copy of the internal memory, a small acquisition program has to be developed. Thing and Chua (2012) developed such a program, their Symbian Low-Level Physical Data Acquisition Tool, and succeeded in acquiring the data. Unfortunately, I failed.

Conclusions

During the examination, the main documents and files were pulled off the memory card and analyzed, and a backup of the Symbian phone was made. FTK Imager and Autopsy were used throughout, and conclusions were drawn after the evidence was analyzed.

First, the device is a like-new Nokia 5800 XpressMusic Unlocked Phone with U.S. 3G, GPS with Free Voice Navigation, Wi-Fi — U.S. Version with Warranty (Black). This unlocked phone works with GSM carriers. It was powered off with no battery in it when received. There was no SIM card in the phone, but there was a memory card. The micro SDHC card was removed from the phone and analyzed: an image was made, and FTK Imager and Autopsy were used to examine the files.

During the examination, salary and telephone number information for the previous owner was found, as shown in Figure 9 and Figure 10. Emails from the phone were found in an rtf file, shown in Figure 11. Many other documents were found, but most of them are written in German. Those that could be understood provide many details about the previous owner, such as his phone number and the names of the people he was in contact with; see Figure 15 and Figure 16. There were more than 10 videos and pictures on the card, most of them non-sensitive. The names of the pictures and videos are shown in Figure 24 and Figure 25, and the pictures of interest in Figure 26, Figure 27 and Figure 28.

After the SDHC card had been analyzed, a backup was made. This is a built-in function of the Symbian phone: the data is pulled out of the phone's internal memory and written to a new SDHC card. Details are shown in Figure 31 and Figure 32. Two other approaches were tried before the backup: installing an application on the phone, and finding the tool described in a published paper. Both failed. The first failed because the phone reported a certificate error; the second failed because no such tool could be found on the Internet.

Further work could go in two directions. One is to get help from a German speaker so that all the German documents are understood. The other is to find a way to make a physical bitstream copy of the Symbian phone, which could help identify the people the previous owner usually communicated with.

References

Savoldi, A., and Gubian, P. (2008). Data hiding and recovery on Windows CE based handheld devices. In Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics, 119-230.

Savoldi, A., and Gubian, P. (2009). Issues in Symbian S60 Platform Forensics. Journal of Communication and Computer, Volume 6, No.3 (Serial No.52), 16-22.

Thing, V. L. L., and Chua, T. W. (2012). Symbian Smartphone Forensics: Linear Bitwise Data Acquisition and Fragmentation Analysis. In Computer Applications for Security, Control and System Engineering, Communications in Computer and Information Science, Volume 339, 62-69.

Thing, V. L. L., and Tan, D. J. J. (2012). Symbian smartphone forensics and security: Recovery of privacy-protected deleted data. Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, 240–251.

Thing, V. L. L., and Chua, Z. L. (2013). Smartphone Volatile Memory Acquisition for Security Analysis and Forensics Investigation. In Security and Privacy Protection in Information Processing Systems, IFIP Advances in Information and Communication Technology, Volume 405, 217-230.
