I downloaded the latest Version of Nokia PC Suite from the Nokia site (6.8.3 Rel 14.1). I then sent a message to myself and deleted it after it arrived. Backing up my phone created a single .ndu file (not multiple dats). I analyzed the strings in the file (file uses no compression/packing) and although I can see all my other Messages/Contacts - the test message was not present.
<br><br>The test was carried out on a Nokia N73 running Symbian 9.X<br><br>Robert McArdle<br>-- <br><a href="http://www.RobertMcArdle.com/blog/">www.RobertMcArdle.com/blog/</a> - Techie/Security/Inane Ramblings<br><br><div>
<span class="gmail_quote">On 5/15/07, <b class="gmail_sendername">Davide Del Vecchio</b> <<a href="mailto:dante@alighieri.org">dante@alighieri.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello list,<br><br>During some research, I found an intersting "feature"<br>on my Nokia mobile phone; I was able to retrieve any<br>apparently deleted sms/mms.<br>Letting aside some paranoid thoughts about WHY this
<br>sms are not deleted, I think that, while this represents<br>an high risk for our privacy, this discover could give some<br>hint into mobile phone forensics and anti-forensics field.<br><br>First, I would like to tell you that I tested this on
<br>my Nokia N-gage and on a Nokia 6600 but I am quiete sure<br>that this procedure works on every Nokia Symbian S60<br>(maybe other vendors). So I strongly incite you to test<br>it on your mobile phone and share the results.
<br><br><br>Tested products:<br><br>Nokia N-gage, firmware version: V 4.03 26-11-2003 NEM-4<br><br>Nokia 6600<br><br>Maybe the whole S60 series.<br><br><br>Procedure:<br><br>Download the Nokia PC Suite for your mobile phone and make
<br>a backup on your local hd.<br>I used PC Suite for Nokia N-Gage Version 1.0.0<br><a href="http://www.nokia.com/pcsuite">http://www.nokia.com/pcsuite</a><br><br>It will create a huge number of ".dat" files in a specified
<br>directory.<br><br>Download, install and start Cygwin. This is not required but<br>suggested, you could use an hexadecimal editor and a bit of<br>patience but using Cygwin is surely faster.<br><a href="http://www.cygwin.com">
http://www.cygwin.com</a><br><br><br>Move into the backup directory.<br><br><br>$ ls -al | less<br><br>total 6016<br>drwx------+ 2 Administrator Nessuno 0 Feb 6 01:35 .<br>drwx------+ 7 Administrator Nessuno 0 Feb 5 23:00 ..
<br>-rwx------+ 1 Administrator Nessuno 2972 Nov 27 2003 1.dat<br>-rwx------+ 1 Administrator Nessuno 22913 Nov 27 2003 10.dat<br>-rwx------+ 1 Administrator Nessuno 1062 Feb 16 2005 100.dat<br>-rwx------+ 1 Administrator Nessuno 3912 Aug 9 2005
1000.dat<br>-rwx------+ 1 Administrator Nessuno 2750 Aug 25 2005 1001.dat<br>-rwx------+ 1 Administrator Nessuno 8741 Dec 15 2005 1002.dat<br>-rwx------+ 1 Administrator Nessuno 9926 Dec 20 2005 1003.dat<br>-rwx------+ 1 Administrator Nessuno 63 Dec 30 2005
1004.dat<br>-rwx------+ 1 Administrator Nessuno 23988 Jan 13 2006 1005.dat<br>-rwx------+ 1 Administrator Nessuno 18 Jan 23 2006 1006.dat<br>...<br>...<br>etc etc (files created by the nokia pc suite).<br><br><br>Choose a file to examine.
<br><br>$ ls -al 3102.dat<br>-rwx------+ 1 Administrator Nessuno 666569 Feb 5 23:59 3102.dat<br><br>Use the command "strings" to find printable characters.<br><br>$ strings 3102.dat | less<br><br>Ciao! Auguro a te ed alla tua
fa@Enrica Farlonesi<br>...<br>...<br>etc etc<br><br><br><br>This is part of an sms I deleted and that I don't see on my phone.<br>So, just grep every file in the directory to find the complete sms:<br><br>$ grep -i "Auguro a te ed alla" *
<br><br>Binary file 1770.dat matches<br>Binary file 3102.dat matches<br><br>The sms has been found in 1770.dat file, let's see what's inside it:<br><br>$ strings 1770.dat<br><br>Ciao! Auguro a te ed alla tua famiglia un felice anno nuovo! E.
<br>4+393915253350<br>4+393922378986<br><br>Got it! The complete sms, with the phone number of the sender (phone<br>numbers have been changed).<br>In earlier versions of Nokia PC Suite it just creates a ".nbu" file and
<br>you can just edit it with an hexadecimal editor.<br><br>I mailed the Nokia support and they told me they didn't know about this<br>bug and would like to know more informations about impacted models but<br>they don't have any intention to release some kind of patch.
<br>I contacted Symbian too, they told me that Symbian sources are<br>distributed to mobile phone vendors and so they cannot release any<br>final-user patch.<br><br>This description is also avaiable here:<br><a href="http://www.alighieri.org/advisories/retrieving_deleted_sms.txt">
http://www.alighieri.org/advisories/retrieving_deleted_sms.txt</a> (ENG)<br><a href="http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt">http://www.alighieri.org/advisories/recuperare_sms_cancellati.txt</a>
(ITA)<br><br>Regards,<br><br>Davide Del Vecchio.<br><br>--<br><a href="http://www.alighieri.org">http://www.alighieri.org</a><br></blockquote></div><br><br clear="all"><br>-- <br><a href="http://www.RobertMcArdle.com/blog/">
www.RobertMcArdle.com/blog/</a> - Techie/Security/Inane Ramblings