SANS Digital Forensics and Incident Response Blog

Nokia n900 mobile forensic cheat sheet

Nokia N900
Shadowed by coverage of all things Nexus and iPad, Nokia's new n900 is the unsung hero of the smart phone world. That's just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, metasploit and wireshark. Future functionality includes backtrack itself packaged as neopwn v2!

Cutting to the chase then, this is a quickie cheat sheet about forensic artifacts on the n900 and where to find them.

Imaging:
The easiest method to get these artifacts is to simply use ssh on the phone and scp the files you need.
No ssh on the phone? You could install it using the application manager and pick your own root password during the install process. If ssh is already on the phone you can reset the root password by opening an Xterm, typing root to get to the root shell, and passwd to reset the root password.

If it's locked, the default unlock code is 12345. It's worth a shot! I haven't seen any sneaky lock bypass tricks yet. If you have, comment on this post and share!

Some files are stored in the zipped backup which is accessible when the device is USB mounted, but not all. For full forensic goodness you'll want raw access.

Artifacts

The /home/user directory stores all user configuration and historical data. Here's some highlights:

File: .osso-abook/db
Format: Berkeley database
Contents: address book vcard data.
Access: db4.7_dump -k addressbook.db spits out the hex of the entries.
hextoascii gets you vcard data.

Code:

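$ cat /usr/bin/hextoascii
#! /usr/bin/env python
# Decode the hex string passed as the first argument and write the bytes to stdout.
import sys
import binascii
data = binascii.a2b_hex(sys.argv[1])
# sys.stdout.buffer (Python 3) accepts bytes; Python 2's sys.stdout already does.
getattr(sys.stdout, "buffer", sys.stdout).write(data + b"\n")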
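
Added example (not from the original post): instead of converting one hex string at a time, this parses a whole db_dump output and returns the vCard records. It assumes the standard db_dump layout (header lines up to HEADER=END, then alternating key and data hex lines) and that stored strings may end in a NUL byte; the sample dump and its key names are constructed.

```python
"""Decode db_dump hex ("bytevalue") output into address book vCards."""
import binascii
import sys

def parse_db_dump(text):
    """Return (key, value) byte pairs from db_dump output."""
    # Assumed layout: headers, HEADER=END, alternating key/data hex lines, DATA=END.
    records, pending_key, in_data = [], None, False
    for line in text.splitlines():
        if not in_data:
            in_data = line.strip() == "HEADER=END"
            continue
        if line.strip() == "DATA=END":
            break
        raw = binascii.a2b_hex(line.strip())
        if pending_key is None:
            pending_key = raw
        else:
            records.append((pending_key, raw))
            pending_key = None
    if pending_key is not None:
        raise ValueError("key without a data line: dump is truncated")
    return records


def extract_vcards(text):
    """Map record key -> vCard text, skipping records that are not vCards."""
    cards = {}
    for key, value in parse_db_dump(text):
        # Assumption: stored strings may carry a trailing NUL; strip it.
        body = value.rstrip(b"\x00").decode("utf-8", errors="replace")
        if body.upper().startswith("BEGIN:VCARD"):
            cards[key.rstrip(b"\x00").decode("utf-8", errors="replace")] = body
    return cards


def _hex(s):
    return binascii.b2a_hex(s.encode() + b"\x00").decode()

# Constructed sample dump (not from a real device): one contact, one other record.
SAMPLE_DUMP = "\n".join([
    "VERSION=3", "format=bytevalue", "type=hash", "HEADER=END",
    " " + _hex("1"), " " + _hex("BEGIN:VCARD\r\nFN:Test Contact\r\nEND:VCARD"),
    " " + _hex("constructed-meta-key"), " " + _hex("0.2"), "DATA=END"])

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for uid, card in extract_vcards(source).items():
        print("# record %s\n%s\n" % (uid, card))
```

Run it with the path to a saved dump file as the only argument; with no argument it decodes the constructed sample.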

File: .rtcom-eventlogger/el.db
Format: sqlite formatted database.
Contents: The events table is the log of calls and sms messages.
Access: via your favorite sqlite tool. Mine: sqliteman

File: ./.rtcom-messaging-ui/draft.db
Format: sqlite
Contents: draft sms messages.

File: .feedservice/facebook/facebook.db
Format: sqlite
Contents: The status table holds the latest friend statuses retrieved by the
n900 facebook widget including the text, friend ID and friend name.
The status_image table columns image_url and
image_path have the public url and local paths to the friend's profile image.

Directory: .osso-abook/db/tp-cache
Format: sqlite
Contents: Skype contact database.
The avatar_token field links to the contact's picture in the .osso-abook/avatars directory,
using a format of skypename_md5sumhashofimagefile.

Directory: .Skype
Format: Skype
Contents: Skype chat logs (chatmsg###.dbb, etc).

File: .browser
Format: text
Contents: Determines the settings used for browsing.
The default engine setting is "engine=microb" which is the maemo microbrowser.

File: .browser_typed_urls
Format: text
Content: Surprise! It's a text file of typed urls entered into the browser.

Directory: .mozilla/microb
Files:
places.sqlite
cookies.sqlite
downloads.sqlite
signons.sqlite
Format: You guessed it.
Content: Standard sqlite firefox entries for browsing.

Directory: .modest/local_folders/sent/cur
Directory: .modest/local_folders/drafts/cur
Directory: .modest/cache/mail/imap
Format: rfc822 mail text files.
Content: Email artifacts from the email client

File: .settings/maesyncdb
Format: sqlite
Content: The Profiles table is a database of devices that have synced with the n900.

File: .topos.db
Format: sqlite
Content: gps waypoint/route data.

Directory: backups
Format: zip archives
Content: settings, history (browsing, etc).
Access Example: unzip -l /mnt/usb/backups/Prem520100114/settings.zip | grep mozilla
107 01-08-2010 18:58 Root/home/user/.mozilla/microb/extensions.cache
5672 01-14-2010 17:30 Root/home/user/.mozilla/microb/cookies.sqlite-journal
221184 01-14-2010 17:31 Root/home/user/.mozilla/microb/places.sqlite
..etc..

Not an exhaustive list, but hopefully this will help you cut to the chase if you get a chance to do a forensic investigation involving one of these slick linux phones.

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS, performs forensics, intrusion analysis, and security architecture work on a daily basis and runs p0wnlabs.com just for fun.