SANS Digital Forensics and Incident Response Blog

Hex Dumping Flash From a Mobile

Most mobile phone manufacturers sell or provide tools for managing the data on their handsets, with some exceptions among the very low cost devices. The problem that arises is that few of these tools are forensically sound. Hence the need for an alternative: hex dumps taken with a flasher.

Model: UN-0412100 Flasher by Twister
A hex dump of the device is a physical acquisition of its memory. For the majority of devices available this requires a "flasher" or "twister" box: specialist support tools designed for the repair and servicing of mobile phones. Their benefit to the forensic examiner is that they allow the device's memory to be dumped. They are called "flashers" because they enable the manipulation of the flash memory on the device, and that is also the caveat: they are repair tools, not forensic tools, so validate a flasher on an exemplar of the same model, confirm that the acquisition does not write to the handset, and hash the resulting image before analysis.
A number of specialist software offerings have been developed that can analyze a hex dump or "flash file" in order to produce a report or extract data from the image. Some of the better known products include:
  • Pandora's Box for Nokia
    • hex dump analysis
    • Date and Time Decoding
    • PDU encoding/decoding
    • Hex conversion functions
  • Cell Phone Analyzer (CPA)
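Those decoding functions (semi-octet phone numbers, the seven-octet service-centre timestamp, 7-bit packed user data) are small enough to reproduce by hand, which is also how an examiner verifies what a commercial tool reports. The following is an added example, not code from the original post or from any of the products listed above: a Python carver that sweeps a raw dump for SMSC-prefixed SMS-DELIVER PDUs in the storage format a GSM handset or modem uses and decodes every hit. The dump, the two messages in it and the UK drama-range numbers are constructed for the example; the 20xx year pivot, the rejection thresholds and the basic-alphabet-only 7-bit table are this example's assumptions.

```python
"""Carve and decode SMS-DELIVER PDUs from a raw flash dump (added example, not from the post)."""
from datetime import datetime, timedelta, timezone

# GSM 03.38 7-bit default alphabet, index == septet value (basic table only; escape extension not handled).
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
SEMI_OCTET_DIGITS = "0123456789*#abc"   # nibble 0xF is the odd-length filler

def require(ok: bool, what: str) -> None:
    """Structural check; the ValueError is what lets the carver skip a false start."""
    if not ok:
        raise ValueError(what)

def pack_7bit(text: str) -> bytes:
    """Pack text into 7-bit septets, least significant bit first (TS 23.038)."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= GSM7.index(ch) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")

def unpack_7bit(data: bytes, septets: int) -> str:
    """Inverse of pack_7bit: read `septets` 7-bit values out of the byte stream."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def decode_semi_octets(data: bytes, ndigits: int) -> str:
    """Numbers are BCD with the first digit of each pair in the low nibble."""
    digits = [SEMI_OCTET_DIGITS[n] for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F]
    return "".join(digits[:ndigits])

def decode_scts(raw: bytes) -> datetime:
    """TP-SCTS: six nibble-swapped BCD fields, then a quarter-hour UTC offset whose
    sign is bit 3 of the octet (TS 23.040 9.2.3.11). The 20xx year pivot is an assumption."""
    fields = []
    for b in raw[:6]:
        lo, hi = b & 0x0F, b >> 4
        require(lo <= 9 and hi <= 9, "non-BCD nibble in timestamp")
        fields.append(lo * 10 + hi)
    yy, mo, dd, hh, mi, ss = fields
    tz = raw[6]
    require(tz >> 4 <= 9, "non-BCD nibble in timezone")
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    offset = timedelta(minutes=15 * quarters) * (-1 if tz & 0x08 else 1)
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=timezone(offset))

def parse_sms_deliver(buf: bytes, start: int = 0) -> dict:
    """Parse one SMSC-prefixed SMS-DELIVER PDU at buf[start:]; ValueError if there is none."""
    pos = start
    def take(n: int) -> bytes:
        nonlocal pos
        require(pos + n <= len(buf), "truncated PDU")
        pos += n
        return buf[pos - n:pos]
    smsc_len = take(1)[0]
    require(smsc_len <= 11, "SMSC length")            # 1 TOA octet + up to 20 digits
    smsc = ""
    if smsc_len:
        toa = take(1)[0]
        require(toa & 0x80 != 0, "SMSC type-of-address")
        smsc = ("+" if toa & 0x70 == 0x10 else "") + decode_semi_octets(take(smsc_len - 1), 2 * (smsc_len - 1))
    first = take(1)[0]
    require(first & 0x03 == 0, "TP-MTI is not SMS-DELIVER")
    oa_digits = take(1)[0]
    require(1 <= oa_digits <= 20, "originating address length")
    oa_toa = take(1)[0]
    require(oa_toa & 0x80 != 0, "originating type-of-address")
    sender = ("+" if oa_toa & 0x70 == 0x10 else "") + decode_semi_octets(take((oa_digits + 1) // 2), oa_digits)
    pid, dcs = take(2)
    timestamp = decode_scts(take(7))
    udl = take(1)[0]
    require(udl <= 160, "user data length")
    if dcs & 0x0C == 0x00:        # GSM 7-bit default alphabet (common coding groups)
        text = unpack_7bit(take((7 * udl + 7) // 8), udl)
    elif dcs & 0x0C == 0x08:      # UCS-2
        text = take(udl).decode("utf-16-be")
    else:                         # 8-bit data: keep the raw bytes as hex
        text = take(udl).hex()
    return {"offset": start, "length": pos - start, "smsc": smsc, "sender": sender,
            "pid": pid, "dcs": dcs, "timestamp": timestamp, "text": text}

def carve_sms(dump: bytes) -> list:
    """Try every offset; keep the ones that parse cleanly and skip past each hit."""
    hits, pos = [], 0
    while pos < len(dump):
        try:
            rec = parse_sms_deliver(dump, pos)
        except (ValueError, IndexError):
            pos += 1
            continue
        hits.append(rec)
        pos += rec["length"]
    return hits

# Constructed dump: two PDUs (SMSC +441234567890, senders in the UK drama range) between erased-flash
# 0xFF and zero filler. The first carries the classic "hellohello" 7-bit vector E8329BFD4697D9EC37.
PDU_A = bytes.fromhex("0791442143658709" "04" "0C91447700091032" "0000" "42507190035440" "0A" "E8329BFD4697D9EC37")
PDU_B = bytes.fromhex("0791442143658709" "04" "0C91447700094065" "0000" "42507190132040" "02" "C834")
SAMPLE_DUMP = b"\xff" * 64 + PDU_A + b"\x00" * 32 + PDU_B + b"\xff" * 64

if __name__ == "__main__":
    for rec in carve_sms(SAMPLE_DUMP):
        print(f"{rec['offset']:#06x} {rec['timestamp'].isoformat()} {rec['sender']}: {rec['text']!r}")
```

Run stand-alone it prints the offset, timestamp, sender and text of each carved message. The structural checks are what make carving workable: a false start fails on an implausible length or a non-BCD timestamp nibble within a few bytes, so trying every offset of a multi-megabyte image stays cheap, and it is the decoded 7-bit text, not the raw bytes, that a keyword search over the image has to run against.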

Flashers allow one to capture a phone's memory (the flash) as an image. This image may then be examined in the same way as any computer image. When securing a mobile phone, always obtain the PIN code for the SIM if possible. Also record the make, model, colour and condition of the device. Other items to note include:

  • IMEI, SIM card number
  • Hardware/Software Used
  • Data recovered

The forensic process is highly dependent on the make and model of the device. Any process should include an attempt to obtain the following:

  • Call Logs, Phonebook
  • Calendar
  • Text, Audio, Video
  • Messages sent/received
  • Internet cache, settings
  • Hex dump of the device's filesystem

Where possible, a hex dump of the device is the most important item to obtain. With it, a standard forensic analysis may be conducted and in many cases the filesystem can be checked for known malware signatures. On newer phones such as the iPhone and the Mio A701, the GPS logs can provide information about the movement of the device.
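Two checks a practitioner performs on the dump before any of that analysis: re-hashing the image against the digest recorded at acquisition, and confirming that the IMEI noted from the handset actually appears in the image, so the dump can be tied to the seized device. The following is an added example, not code from the original post: it looks for 15-digit runs both as ASCII text and, as this example's own assumption about how a handset packs the identifier, as nibble-swapped BCD with an F filler, and keeps only candidates whose Luhn check digit is correct. The image, the IMEI in it and the decoy run are constructed.

```python
"""Tie a flash image to the seized handset: hash it, then find Luhn-valid IMEIs (added example)."""
import hashlib
import re

def image_digest(image: bytes) -> str:
    """SHA-256 of the acquired image, recorded at acquisition and re-checked before analysis."""
    return hashlib.sha256(image).hexdigest()

def verify_image(image: bytes, recorded_digest: str) -> bool:
    """Integrity check against the digest written in the acquisition notes."""
    return image_digest(image) == recorded_digest.lower()

def imei_check_digit(body14: str) -> str:
    """Luhn check digit over the 14-digit TAC + serial: every second digit from the left is doubled."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def is_valid_imei(candidate: str) -> bool:
    return len(candidate) == 15 and candidate.isdigit() and imei_check_digit(candidate[:14]) == candidate[14]

def find_imeis(image: bytes) -> list:
    """Return (offset, encoding, imei) for every Luhn-valid 15-digit run found as ASCII text or as
    nibble-swapped BCD (low nibble first, 0xF filler in the final high nibble). The BCD layout is
    this example's assumption about how the handset stores the identifier, not a verified format."""
    hits = []
    for m in re.finditer(rb"(?<![0-9])[0-9]{15}(?![0-9])", image):
        cand = m.group().decode("ascii")
        if is_valid_imei(cand):
            hits.append((m.start(), "ascii", cand))
    for off in range(len(image) - 7):
        nibbles = [n for b in image[off:off + 8] for n in (b & 0x0F, b >> 4)]
        if nibbles[15] != 0x0F or any(n > 9 for n in nibbles[:15]):
            continue
        cand = "".join(map(str, nibbles[:15]))
        if is_valid_imei(cand):
            hits.append((off, "bcd", cand))
    return sorted(hits)

def image_matches_handset(image: bytes, recorded_imei: str) -> bool:
    """The examiner's question: does the IMEI noted from the handset appear in the dump?"""
    return any(imei == recorded_imei for _, _, imei in find_imeis(image))

# Constructed image: one example IMEI whose check digit (8) is correct, stored once as ASCII and
# once as BCD, plus a decoy 15-digit run (last digit 0) that fails the Luhn check.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"IMEI=490154203237518\x00"
    + b"\xff" * 8
    + bytes.fromhex("94104502237315F8")
    + b"\x00" * 8
    + b"SN:490154203237510\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    print("sha256", image_digest(SAMPLE_IMAGE))
    for off, enc, imei in find_imeis(SAMPLE_IMAGE):
        print(f"{off:#06x} {enc:5} {imei}")
```

Only the two genuine copies survive the check-digit filter; the decoy run is dropped even though it looks like an IMEI to a plain regex. If the recorded IMEI is absent from the dump altogether, treat that as a finding in its own right before proceeding: either the identifier is stored in a form this scan does not cover, or the image is not from the handset it is labelled as.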

Craig Wright (GCFA Gold #0265) is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.