full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Retrieving "delet

Re: [Full-disclosure] Retrieving "deleted" sms/mms from Nokia phone (Symbian S60)

From: Robert McArdle <robertmcardle_at_nospam>
Date: Wed May 16 2007 - 13:52:26 GMT
To: "Davide Del Vecchio" <dante@alighieri.org>


I downloaded the latest Version of Nokia PC Suite from the Nokia site (6.8.3Rel 14.1). I then sent a message to myself and deleted it after it arrived. Backing up my phone created a single .ndu file (not multiple dats). I analyzed the strings in the file (file uses no compression/packing) and although I can see all my other Messages/Contacts - the test message was not present.

The test was carried out on a Nokia N73 running Symbian 9.X

Robert McArdle -- www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings On 5/15/07, Davide Del Vecchio <dante@alighieri.org> wrote:
>
> Hello list,
>
> During some research, I found an intersting "feature"
> on my Nokia mobile phone; I was able to retrieve any
> apparently deleted sms/mms.
> Letting aside some paranoid thoughts about WHY this
> sms are not deleted, I think that, while this represents
> an high risk for our privacy, this discover could give some
> hint into mobile phone forensics and anti-forensics field.
>
> First, I would like to tell you that I tested this on
> my Nokia N-gage and on a Nokia 6600 but I am quiete sure
> that this procedure works on every Nokia Symbian S60
> (maybe other vendors). So I strongly incite you to test
> it on your mobile phone and share the results.
>
>
> Tested products:
>
> Nokia N-gage, firmware version: V 4.03 26-11-2003 NEM-4
>
> Nokia 6600
>
> Maybe the whole S60 series.
>
>
> Procedure:
>
> Download the Nokia PC Suite for your mobile phone and make
> a backup on your local hd.
> I used PC Suite for Nokia N-Gage Version 1.0.0
> http://www.nokia.com/pcsuite
>
> It will create a huge number of ".dat" files in a specified
> directory.
>
> Download, install and start Cygwin. This is not required but
> suggested, you could use an hexadecimal editor and a bit of
> patience but using Cygwin is surely faster.
> http://www.cygwin.com
>
>
> Move into the backup directory.
>
>
> $ ls -al | less
>
> total 6016
> drwx------+ 2 Administrator Nessuno 0 Feb 6 01:35 .
> drwx------+ 7 Administrator Nessuno 0 Feb 5 23:00 ..
> -rwx------+ 1 Administrator Nessuno 2972 Nov 27 2003 1.dat
> -rwx------+ 1 Administrator Nessuno 22913 Nov 27 2003 10.dat
> -rwx------+ 1 Administrator Nessuno 1062 Feb 16 2005 100.dat
> -rwx------+ 1 Administrator Nessuno 3912 Aug 9 2005 1000.dat
> -rwx------+ 1 Administrator Nessuno 2750 Aug 25 2005 1001.dat
> -rwx------+ 1 Administrator Nessuno 8741 Dec 15 2005 1002.dat
> -rwx------+ 1 Administrator Nessuno 9926 Dec 20 2005 1003.dat
> -rwx------+ 1 Administrator Nessuno 63 Dec 30 2005 1004.dat
> -rwx------+ 1 Administrator Nessuno 23988 Jan 13 2006 1005.dat
> -rwx------+ 1 Administrator Nessuno 18 Jan 23 2006 1006.dat
> ...
> ...
> etc etc (files created by the nokia pc suite).
>
>
> Choose a file to examine.
>
> $ ls -al 3102.dat
> -rwx------+ 1 Administrator Nessuno 666569 Feb 5 23:59 3102.dat
>
> Use the command "strings" to find printable characters.
>
> $ strings 3102.dat | less
>
> Ciao! Auguro a te ed alla tua fa@Enrica Farlonesi
> ...
> ...
> etc etc
>
>
>
> This is part of an sms I deleted and that I don't see on my phone.
> So, just grep every file in the directory to find the complete sms:
>
> $ grep -i "Auguro a te ed alla" *
>
> Binary file 1770.dat matches
> Binary file 3102.dat matches
>
> The sms has been found in 1770.dat file, let's see what's inside it:
>
> $ strings 1770.dat
>
> Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E.
> 4+393915253350
> 4+393922378986
>
> Got it! The complete sms, with the phone number of the sender (phone
> numbers have been changed).
> In earlier versions of Nokia PC Suite it just creates a ".nbu" file and
> you can just edit it with an hexadecimal editor.
>
> I mailed the Nokia support and they told me they didn't know about this
> bug and would like to know more informations about impacted models but
> they don't have any intention to release some kind of patch.
> I contacted Symbian too, they told me that Symbian sources are
> distributed to mobile phone vendors and so they cannot release any
> final-user patch.
>
> This description is also avaiable here:
> http://www.alighieri.org/advisories/retrieving_deleted_sms.txt (ENG)
> http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt (ITA)
>
> Regards,
>
> Davide Del Vecchio.
>
> --
> http://www.alighieri.org
>
-- www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/