Saturday, March 20, 2010

Nokia N900 Cheat Sheet

Shadowed by coverage of all things Nexus and iPad, Nokia’s new n900 is the unsung hero of the smart phone world. That’s just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, metasploit and wireshark. Future functionality includes backtrack itself packaged as neopwn v2!

Cutting to the chase, then: this is a quickie cheat sheet about forensic artifacts on the n900 and where to find them.

Imaging:
The easiest method to get these artifacts is to simply use ssh on the phone and scp the files you need.
No ssh on the phone? You could install it using the application manager and pick your own root password during the install process. If ssh is already on the phone you can reset the root password by opening an Xterm, typing root to get to the root shell, and passwd to reset the root password.

If it’s locked, the default unlock code is 12345. It’s worth a shot! I haven’t seen any sneaky lock bypass tricks yet. If you have, comment on this post and share!

Some files are stored in the zipped backup which is accessible when the device is USB mounted, but not all. For full forensic goodness you’ll want raw access.

Artifacts

The /home/user directory stores all user configuration and historical data. Here are some highlights:

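File: .osso-abook/db
Format: Berkeley database
Contents: address book vCard data.
Access: db4.7_dump -k addressbook.db spits out the hex of the entries.
hextoascii gets you vCard data.

Code:

$ cat /usr/bin/hextoascii
#! /usr/bin/env python
import sys
import binascii
# Decode the hex string passed as the first argument and print the raw bytes.
# Write via sys.stdout.buffer where it exists so this also runs on Python 3.
out = getattr(sys.stdout, "buffer", sys.stdout)
out.write(binascii.a2b_hex(sys.argv[1]) + b"\n")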
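
The two steps above (dump the address book to hex, then decode each entry) can be done in one pass over a saved db_dump output. This is an added example, not code from the original post; the sample dump is constructed, and the NUL-terminated values and the extra non-vCard record are assumptions.

```python
import binascii

def _hx(s):
    """Hex-encode a constructed sample string the way db_dump prints bytes."""
    return " " + binascii.b2a_hex(s.encode("utf-8")).decode("ascii")

# Constructed sample, not data from a real device. Assumption: values are
# NUL-terminated vCards and the file may also hold non-vCard records.
SAMPLE_DUMP = "\n".join([
    "VERSION=3", "format=bytevalue", "type=hash", "HEADER=END",
    _hx("meta\0"), _hx("1\0"),
    _hx("id-1\0"), _hx("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
                       "TEL;TYPE=CELL:+15550100\r\nNOTE:met at con\r\n ference\r\n"
                       "END:VCARD\0"),
    "DATA=END",
])

def parse_db_dump(text):
    """Return [(key_bytes, value_bytes), ...] from db_dump bytevalue output."""
    in_data, fields = False, []
    for line in text.splitlines():
        if line == "HEADER=END":
            in_data = True
        elif line == "DATA=END":
            in_data = False
        elif in_data and line.strip():
            fields.append(binascii.a2b_hex(line.strip()))
    if len(fields) % 2:
        raise ValueError("odd number of key/value lines; dump is truncated")
    return list(zip(fields[0::2], fields[1::2]))

def vcard_properties(raw):
    """Unfold a vCard and return {PROPERTY: [values]}; parameters are dropped."""
    text = raw.rstrip(b"\0").decode("utf-8", "replace")
    text = text.replace("\r\n ", "").replace("\r\n\t", "")  # folded lines
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            props.setdefault(name.split(";")[0].upper(), []).append(value)
    return props

def extract_contacts(dump_text):
    """Decode every record whose value is a vCard; skip everything else."""
    return [vcard_properties(v) for _, v in parse_db_dump(dump_text)
            if v.lstrip().upper().startswith(b"BEGIN:VCARD")]

if __name__ == "__main__":
    for contact in extract_contacts(SAMPLE_DUMP):
        print(contact.get("FN"), contact.get("TEL"))
```
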

File: .rtcom-eventlogger/el.db
Format: sqlite formatted database.
Contents: The events table is the log of calls and SMS messages.
Access: via your favorite sqlite tool. Mine: sqliteman

File: .rtcom-messaging-ui/draft.db
Format: sqlite
Contents: draft SMS messages.

File: .feedservice/facebook/facebook.db
Format: sqlite
Contents: The status table holds the latest friend statuses retrieved by the n900 facebook widget, including the text, friend ID and friend name. The status_image table columns image_url and image_path have the public URL and local path of the friend's profile image.

Directory: .osso-abook/db/tp-cache
Format: sqlite
Contents: Skype contact database. The avatar_token field links to the contact's picture in the .osso-abook/avatars directory, using a format of skypename_md5sumhashofimagefile.

Directory: .Skype
Format: Skype
Contents: Skype chat logs (chatmsg###.dbb, etc).

File: .browser
Format: text
Contents: Determines the settings used for browsing. The default engine setting is "engine=microb", which is the maemo microbrowser.

File: .browser_typed_urls
Format: text
Contents: Surprise! It's a text file of typed URLs entered into the browser.

Directory: .mozilla/microb
Files:
places.sqlite
cookies.sqlite
downloads.sqlite
signons.sqlite
Format: You guessed it.
Contents: Standard sqlite firefox entries for browsing.

Directory: .modest/local_folders/sent/cur
Directory: .modest/local_folders/drafts/cur
Directory: .modest/cache/mail/imap
Format: rfc822 mail text files.
Contents: Email artifacts from the email client.

File: .settings/maesyncdb
Format: sqlite
Contents: Profiles table is a database of devices that have synced with the n900.

File: .topos.db
Format: sqlite
Contents: GPS waypoint/route data.

Directory: backups
Format: zip archives
Contents: settings, history (browsing, etc).
Access Example:

$ unzip -l /mnt/usb/backups/Prem520100114/settings.zip | grep mozilla
      107  01-08-2010 18:58   Root/home/user/.mozilla/microb/extensions.cache
     5672  01-14-2010 17:30   Root/home/user/.mozilla/microb/cookies.sqlite-journal
   221184  01-14-2010 17:31   Root/home/user/.mozilla/microb/places.sqlite
..etc..

Not an exhaustive list, but hopefully this will help you cut to the chase if you get a chance to do a forensic investigation involving one of these slick linux phones.
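
Since the zipped backup holds some of these files but not all, a quick check of which cheat-sheet artifacts a given backup zip actually contains tells you what still has to be pulled with raw access. This is an added example, not code from the original post; the sample archive is constructed and the function names are hypothetical.

```python
import io
import zipfile

PREFIX = "Root/home/user/"  # member layout shown in the unzip -l listing
# Artifact paths from this cheat sheet, relative to /home/user.
ARTIFACTS = [
    ".osso-abook/db", ".rtcom-eventlogger/el.db",
    ".rtcom-messaging-ui/draft.db", ".feedservice/facebook/facebook.db",
    ".Skype", ".browser", ".browser_typed_urls",
    ".mozilla/microb/places.sqlite", ".mozilla/microb/cookies.sqlite",
    ".mozilla/microb/downloads.sqlite", ".mozilla/microb/signons.sqlite",
    ".modest", ".settings/maesyncdb", ".topos.db",
]

def backup_coverage(zip_file, artifacts=ARTIFACTS):
    """Map each artifact to the archive members at or below its path."""
    with zipfile.ZipFile(zip_file) as zf:
        names = zf.namelist()
    coverage = {}
    for art in artifacts:
        base = PREFIX + art
        # Exact file match or directory prefix only, so cookies.sqlite-journal
        # is not counted as cookies.sqlite, nor .browser_typed_urls as .browser.
        coverage[art] = sorted(n for n in names
                               if n == base or n.startswith(base + "/"))
    return coverage

def needs_raw_access(coverage):
    """Artifacts with no member in the backup: collect these over ssh/scp."""
    return sorted(a for a, members in coverage.items() if not members)

def build_sample_backup():
    """Constructed stand-in for settings.zip (empty members, names only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rel in (".mozilla/microb/extensions.cache",
                    ".mozilla/microb/cookies.sqlite-journal",
                    ".mozilla/microb/places.sqlite",
                    ".browser_typed_urls"):
            zf.writestr(PREFIX + rel, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    cov = backup_coverage(build_sample_backup())
    for art in ARTIFACTS:
        print("%-36s %s" % (art, "in backup" if cov[art] else "raw access needed"))
```
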

Tuesday, January 26, 2010

First encounter

I used to have a Nokia N95 8GB 3G and I loved the phone. I was devastated when an idiot stole my purse with my cell phone in it in August 2009. I lived with the hope that somehow I would find my phone. With every single day, the chances were slimmer and slimmer. I was on craigslist and ebay all the time, checking if someone is selling a similar phone. I had the IMEI number, so I could easily identify it. Then, I decided it was time for a new phone. I started researching the N97 and reading reviews, when I saw the Nokia N900. Nokia was to announce the phone in a couple of days. I fell in love with the phone at first sight and I decided this was the phone I wanted. Then the wait began. The phone was supposed to be released in October, November... It became available in December. I ordered and on 12/31/2009 it arrived. I met the Fedex driver and I started jumping around him like a little child until I got my package. Indeed, he was very entertained. I ran upstairs to my apartment and opened the box. The phone box was inside - all black and very stylish. I took out the phone. It had some battery and I started playing with it. I felt like a person who has lived in a jungle all of their life and is sitting in front of a computer. I was used to the Symbian OS and everything seemed strange. It took me about several hours to get used to most of the main features. The first thing I noticed was the clear and sharp picture when playing movies or just working with the phone. As I am in love with this phone and constantly exploring its endless features, I will keep you posted on new applications and tricks for Nokia N900.