Shadowed by coverage of all things Nexus and iPad, Nokia's new N900 is the unsung hero of the smartphone world. That's just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, Metasploit and Wireshark. Future functionality includes BackTrack itself, packaged as NeoPwn v2!
Cutting to the chase, then: this is a quick cheat sheet of forensic artifacts on the N900 and where to find them.
The easiest way to collect these artifacts is to ssh into the phone and scp off the files you need.
No ssh on the phone? Install it with the application manager and pick your own root password during the install. If ssh is already installed, you can reset the root password by opening an Xterm, typing root to get a root shell, and then passwd to set a new one.
If the device is locked, the default lock code is 12345. It's worth a shot! I haven't seen any sneaky lock bypass tricks yet. If you have, comment on this post and share!
Some files are stored in the zipped backup that is accessible when the device is USB mounted, but not all. For full forensic goodness you'll want raw access.
The /home/user directory stores all user configuration and historical data. Here are some highlights:
Format: Berkeley DB.
Contents: address book vCard data.
Access: db4.7_dump -k addressbook.db spits out the entries as hex;
piping that through hextoascii gets you the vCard data.
$ cat /usr/bin/hextoascii
#! /usr/bin/env python
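As an added example (not the post's own /usr/bin/hextoascii script), here is a Python 3 script that does the same job end to end: it parses the hex output that db4.7_dump prints, pairs keys with data, and pulls the vCards out of the data records. The SAMPLE_DUMP it carries is constructed to look like db_dump output and was not taken from a phone.

```python
#!/usr/bin/env python3
"""Decode the hex that db4.7_dump prints for addressbook.db back into vCards.

Added example for this post; it is not the author's /usr/bin/hextoascii
script. SAMPLE_DUMP is constructed to look like db_dump output and was not
taken from a real phone.
"""
import binascii
import re


def _hex(s):
    """Hex-encode text the way db_dump prints raw record bytes."""
    return binascii.hexlify(s.encode("utf-8")).decode("ascii")


# Constructed stand-in for `db4.7_dump -k addressbook.db`: header lines,
# HEADER=END, then alternating key/data lines (each hex, one leading space),
# closed by DATA=END. Two records, each carrying one vCard.
SAMPLE_DUMP = "\n".join([
    "VERSION=3",
    "format=bytes",
    "type=btree",
    "db_pagesize=4096",
    "HEADER=END",
    " " + _hex("1"),
    " " + _hex("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
               "TEL;TYPE=CELL:+15555550100\r\nEND:VCARD\r\n"),
    " " + _hex("2"),
    " " + _hex("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Example\r\n"
               "EMAIL:bob@example.net\r\nEND:VCARD\r\n"),
    "DATA=END",
    "",
])


def hex_to_ascii(hexline):
    """Decode one hex line; bytes outside printable ASCII become '.'."""
    raw = binascii.unhexlify(hexline.strip())
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def parse_db_dump(text):
    """Return (key, value) byte pairs from db_dump's hex output.

    Everything before HEADER=END is metadata. After it, records are a key
    line followed by a data line until DATA=END. A key with no data line
    (a truncated dump) is kept with value None so it is not silently lost.
    """
    records = []
    in_data = False
    pending_key = None
    for line in text.splitlines():
        if not in_data:
            in_data = line.strip() == "HEADER=END"
            continue
        if line.strip() == "DATA=END":
            break
        if not line.startswith(" "):
            continue  # not a record line
        raw = binascii.unhexlify(line.strip())
        if pending_key is None:
            pending_key = raw
        else:
            records.append((pending_key, raw))
            pending_key = None
    if pending_key is not None:
        records.append((pending_key, None))
    return records


VCARD_RE = re.compile(rb"BEGIN:VCARD.*?END:VCARD", re.DOTALL)


def extract_vcards(text):
    """Every complete vCard in the dump, decoded as text, in record order."""
    cards = []
    for _key, value in parse_db_dump(text):
        if value is None:
            continue
        for match in VCARD_RE.finditer(value):
            cards.append(match.group(0).decode("utf-8", errors="replace"))
    return cards


if __name__ == "__main__":
    import sys
    # Usage: db4.7_dump -k addressbook.db | python3 dump2vcard.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for card in extract_vcards(source):
        print(card)
```

Run it as `db4.7_dump -k addressbook.db | python3 dump2vcard.py` on the copied database; with no stdin it falls back to the constructed sample. The parser keeps a trailing key without data rather than dropping it, so a dump that was cut off mid-copy shows up as a None value instead of disappearing from the record count.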
Format: SQLite database.
Contents: the events table is the log of calls and SMS messages.
Access: via your favorite SQLite tool. Mine: sqliteman
Contents: draft SMS messages.
Contents: the status table holds the latest friend statuses retrieved by the N900 Facebook widget, including the text, friend ID and friend name.
The status_image table columns image_url and image_path hold the public URL and local path of each friend's profile image.
Contents: Skype contact database.
The avatar_token field points to the contact's picture in the .osso-abook/avatars directory, named skypename_md5sumhashofimagefile.
Contents: Skype chat logs (chatmsg###.dbb, etc.).
Contents: determines the settings used for browsing.
The default engine setting is "engine=microb", which is MicroB, the Maemo browser.
Contents: Surprise! It's a text file of URLs typed into the browser.
Format: SQLite (you guessed it).
Contents: standard Firefox-style SQLite browsing entries.
Format: RFC 822 mail text files.
Contents: email artifacts from the email client.
Contents: the profiles table is a database of devices that have synced with the N900.
Contents: GPS waypoint/route data.
Format: zip archives.
Contents: settings, history (browsing, etc.).
Access example: unzip -l /mnt/usb/backups/Prem520100114/settings.zip | grep mozilla
107 01-08-2010 18:58 Root/home/user/.mozilla/microb/extensions.cache
5672 01-14-2010 17:30 Root/home/user/.mozilla/microb/cookies.sqlite-journal
221184 01-14-2010 17:31 Root/home/user/.mozilla/microb/places.sqlite
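The same pull from a backup archive, as an added example that is not a tool from the original post: it lists the members that match a string (like the unzip | grep above), writes the matching files out under a directory of your choosing, and records a SHA-256 for each so the extracted copy can be compared against the file still on the phone. The archive from build_sample_backup() is constructed to mirror the listing above; a real settings.zip holds far more. Because the backup comes off removable media, the member name is checked for absolute paths and ".." components before anything is written.

```python
#!/usr/bin/env python3
"""Pull chosen artifacts out of an N900 settings.zip backup and hash them.

Added example for this post, not a tool from the original page. The archive
from build_sample_backup() is constructed to mirror the unzip listing above;
a real backup holds far more files.
"""
import hashlib
import io
import os
import tempfile
import zipfile


def build_sample_backup():
    """Constructed stand-in for /mnt/usb/backups/<name>/settings.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Root/home/user/.mozilla/microb/extensions.cache", b"ext-cache")
        zf.writestr("Root/home/user/.mozilla/microb/cookies.sqlite-journal", b"journal")
        zf.writestr("Root/home/user/.mozilla/microb/places.sqlite",
                    b"SQLite format 3\x00" + b"\x00" * 84)
        zf.writestr("Root/home/user/.config/hildon-desktop/home.plugins", b"[Desktop]")
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of a byte string, used to record what was extracted."""
    return hashlib.sha256(data).hexdigest()


def list_backup_artifacts(zip_bytes, needle):
    """Member names containing needle, like `unzip -l settings.zip | grep needle`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if needle in name]


def is_safe_member(name):
    """True unless the entry would escape the extraction directory.

    Backup zips come off removable media, so treat them as untrusted input:
    reject absolute paths and any '..' component before writing to disk.
    Directory entries (trailing '/') carry no data and are skipped too.
    """
    parts = name.split("/")
    return not name.startswith("/") and ".." not in parts and not name.endswith("/")


def extract_with_hashes(zip_bytes, needle, dest):
    """Extract matching members under dest; return {member: sha256 hex}."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if needle not in name or not is_safe_member(name):
                continue
            data = zf.read(name)
            out_path = os.path.join(dest, *name.split("/"))
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(data)
            digests[name] = sha256_hex(data)
    return digests


def extract_to_tempdir(zip_bytes, needle):
    """Extract into a fresh temporary directory and return the digests."""
    dest = tempfile.mkdtemp(prefix="n900-backup-")
    return extract_with_hashes(zip_bytes, needle, dest)


if __name__ == "__main__":
    # Usage: python3 backup_pull.py /mnt/usb/backups/Prem520100114/settings.zip mozilla
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_backup()
    needle = sys.argv[2] if len(sys.argv) > 2 else "mozilla"
    for member, digest in extract_to_tempdir(blob, needle).items():
        print(digest, member)
```

Point it at the real settings.zip and a search string; without arguments it runs against the constructed archive. Keep the printed digests with your notes, then hash the originals under /home/user on the phone to confirm the backup copy matches.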
Not an exhaustive list, but hopefully this will help you cut to the chase if you get a chance to do a forensic investigation involving one of these slick Linux phones.
Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS, performs forensics, intrusion analysis, and security architecture work on a daily basis and runs p0wnlabs.com just for fun.