Full Disclosure mailing list archives
Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)
From: "Aaron Lafferty" <aaron.lafferty () gmail com>
Date: Tue, 15 May 2007 14:54:47 -0400
I was curious, so I took a Nokia N75 (S60 3rd Edition FP 0) and deleted all of my messages. I then hooked it up to my PC and ran a backup with the nokia PC suite. The file was saved into one large .nbu file. At this point I had no SMS messages left on my phone. The .nbu file is binary, but there are enough strings in it to make it worthwhile to look at. A simple strings 2007-05-15\ Nokia\ N75.nbu | less and a search on the name yielded a hit... Name days december depends know ^Lmoment never plans reply this vacation The original content of spoke said something akin to I don't have any plans, but you never know, it depends on my vacation days in December I'm betting with a little more time and understanding of how this file is formatted the message thought to be deleted could be easily reconstructed. So I guess you can consider newer symbian devices affected as well. Thanks, Aaron On 5/15/07, Davide Del Vecchio <dante () alighieri org> wrote:
Hello list, During some research, I found an intersting "feature" on my Nokia mobile phone; I was able to retrieve any apparently deleted sms/mms. Letting aside some paranoid thoughts about WHY this sms are not deleted, I think that, while this represents an high risk for our privacy, this discover could give some hint into mobile phone forensics and anti-forensics field. First, I would like to tell you that I tested this on my Nokia N-gage and on a Nokia 6600 but I am quiete sure that this procedure works on every Nokia Symbian S60 (maybe other vendors). So I strongly incite you to test it on your mobile phone and share the results. Tested products: Nokia N-gage, firmware version: V 4.03 26-11-2003 NEM-4 Nokia 6600 Maybe the whole S60 series. Procedure: Download the Nokia PC Suite for your mobile phone and make a backup on your local hd. I used PC Suite for Nokia N-Gage Version 1.0.0 http://www.nokia.com/pcsuite It will create a huge number of ".dat" files in a specified directory. Download, install and start Cygwin. This is not required but suggested, you could use an hexadecimal editor and a bit of patience but using Cygwin is surely faster. http://www.cygwin.com Move into the backup directory. $ ls -al | less total 6016 drwx------+ 2 Administrator Nessuno 0 Feb 6 01:35 . drwx------+ 7 Administrator Nessuno 0 Feb 5 23:00 .. -rwx------+ 1 Administrator Nessuno 2972 Nov 27 2003 1.dat -rwx------+ 1 Administrator Nessuno 22913 Nov 27 2003 10.dat -rwx------+ 1 Administrator Nessuno 1062 Feb 16 2005 100.dat -rwx------+ 1 Administrator Nessuno 3912 Aug 9 2005 1000.dat -rwx------+ 1 Administrator Nessuno 2750 Aug 25 2005 1001.dat -rwx------+ 1 Administrator Nessuno 8741 Dec 15 2005 1002.dat -rwx------+ 1 Administrator Nessuno 9926 Dec 20 2005 1003.dat -rwx------+ 1 Administrator Nessuno 63 Dec 30 2005 1004.dat -rwx------+ 1 Administrator Nessuno 23988 Jan 13 2006 1005.dat -rwx------+ 1 Administrator Nessuno 18 Jan 23 2006 1006.dat ... ... etc etc (files created by the nokia pc suite). Choose a file to examine. $ ls -al 3102.dat -rwx------+ 1 Administrator Nessuno 666569 Feb 5 23:59 3102.dat Use the command "strings" to find printable characters. $ strings 3102.dat | less Ciao! Auguro a te ed alla tua fa@Enrica Farlonesi ... ... etc etc This is part of an sms I deleted and that I don't see on my phone. So, just grep every file in the directory to find the complete sms: $ grep -i "Auguro a te ed alla" * Binary file 1770.dat matches Binary file 3102.dat matches The sms has been found in 1770.dat file, let's see what's inside it: $ strings 1770.dat Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E. 4+393915253350 4+393922378986 Got it! The complete sms, with the phone number of the sender (phone numbers have been changed). In earlier versions of Nokia PC Suite it just creates a ".nbu" file and you can just edit it with an hexadecimal editor. I mailed the Nokia support and they told me they didn't know about this bug and would like to know more informations about impacted models but they don't have any intention to release some kind of patch. I contacted Symbian too, they told me that Symbian sources are distributed to mobile phone vendors and so they cannot release any final-user patch. This description is also avaiable here: http://www.alighieri.org/advisories/retrieving_deleted_sms.txt (ENG) http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt (ITA) Regards, Davide Del Vecchio. -- http://www.alighieri.org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Davide Del Vecchio (May 15)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Aaron Lafferty (May 15)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Robert McArdle (May 16)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) 3APA3A (May 16)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Michael Holstein (May 16)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) dave kleiman (May 22)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Davide Del Vecchio (May 16)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Randy Wyatt (May 17)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Matthew Leeds (May 17)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Michael Holstein (May 16)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Zhihao (May 17)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) Eduardo Tongson (May 20)
- Re: Retrieving "deleted" sms/mms from Nokia phone (Symbian S60) diabol the japanophile (May 25)
(Thread continues...)