MMS PDU files contain media

 
  

Warlock
Newbie
 

MMS PDU files contain media

Post Posted: May 01, 09 01:41

I'm running a case presently in which I've found a bunch of MMS PDU files that contain media such as images, audio (RIFF qcp) and video.

Since there is such a number I was wondering if anyone has come across a decoder or quick method of obtaining the data.

It's a slow go because the footer information for the file is not entirely consistent with normal ones found on a phone. I've been getting the data but it's been slow and I'm hoping someone has come across a good viewer / decoder etc. that will let me see it natively, so to speak, or identify or parse out the media quicker.

It's a CDMA phone.

Cheers.  
 
  

PaulSanderson
Senior Member
 

Re: MMS PDU files contain media

Post Posted: May 01, 09 11:24

Warlock

Have a look at RevEnge to see if it does what you need - if it doesn't I'll be happy to look at modifying it!!!

www.sandersonforensics...vEnge.html
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

Warlock
Newbie
 

Re: MMS PDU files contain media

Post Posted: May 01, 09 18:02

Thanks sandy711.
I'll try it right now.  
 
  

Warlock
Newbie
 

Re: MMS PDU files contain media

Post Posted: May 01, 09 20:05

It wasn't that helpful in this particular scenario.

I've since been able to individually carve out the JPEG and QCP files.
I was having difficulty in EnCase quickly exporting the files out due to the numbers. In addition, QuickTime didn't like some of the formatting since it did appear to have a non-standard footer.

I was hoping to find an emulator / decoder that would parse out these tidbits for me and save me some time, but I've since gone on and carved out the data independently and built the report.

However I'm not sure how familiar you are with CDMA phone operating systems. I have been working on date interpreters and I see you've got a very nice one implemented in your program.

The GSM 7 one did not correctly interpret the timestamps I was looking at, but with this phone (LG phone) I'm getting a mix of how the phone stores the time stamp.

As SMS for an example, incoming will be stored differently than outgoing.
Inbox messages, for example, interpret the values from straight hex, i.e. this will be displayed in the logical view of the phone as "May 1 12:17 PM"
but in the file itself it shows as 09 05 01 12 17 55, which is 09 = year, 05 = month, 01 = day, 12 = hour, 17 = minute, 55 = second.
However, outgoing will be stored encoded as a binary reference.

I found that (in this case) offset 12 would have a single byte "2C" for example and the AOL time stamp was correct but 5 days back of the actual date, which I'm figuring is a misinterpretation of a bit shift, but I've been able to find little by way of Binary Run Time date/time data.
It may not be correct but I found it uncanny that all the times were correct and dates 5 days off in all 200 SMS messages I looked at.

BTW that 512 byte blank for the demo really sucks.. makes it hard to evaluate the product..  
 
  

PaulSanderson
Senior Member
 

Re: MMS PDU files contain media

Post Posted: May 02, 09 16:39

If the dates are 5 days off then you are looking at GPS dates, where the epoch is 6/1/1980, rather than the AOL time, which has an epoch of 1/1/1980.

The last few beta releases of RevEnge have support for this date.
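
The two timestamp forms discussed in this thread, as an added Python example that is not part of any post and is not RevEnge code: it decodes the 6-byte inbox value quoted above and reads one seconds counter under both the AOL and GPS epochs, reproducing the 5-day offset. The 4-byte little-endian counter, the 2000 century base and all function names are assumptions; the thread does not give the layout of the outgoing field.

```python
from datetime import datetime, timedelta, timezone

# Epochs as given in the thread (dates written day/month/year).
AOL_EPOCH = datetime(1980, 1, 1, tzinfo=timezone.utc)
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)


def decode_inbox_stamp(raw: bytes, century: int = 2000) -> datetime:
    """Decode YY MM DD hh mm ss where each byte's hex digits read as decimal."""
    if len(raw) != 6:
        raise ValueError("inbox timestamp must be 6 bytes")
    fields = []
    for b in raw:
        hi, lo = b >> 4, b & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"byte 0x{b:02X} is not packed decimal")
        fields.append(hi * 10 + lo)
    yy, mo, dd, hh, mi, ss = fields
    # datetime() rejects impossible dates, which helps discard false hits.
    return datetime(century + yy, mo, dd, hh, mi, ss)


def decode_counter(raw: bytes, byteorder: str = "little") -> dict:
    """Read 4 bytes as a seconds count and show it under both epochs.

    Assumed field width and byte order; no leap-second correction is applied.
    """
    if len(raw) != 4:
        raise ValueError("counter must be 4 bytes")
    delta = timedelta(seconds=int.from_bytes(raw, byteorder))
    return {"AOL": AOL_EPOCH + delta, "GPS": GPS_EPOCH + delta}


# Inbox bytes quoted in the thread.
INBOX_SAMPLE = bytes.fromhex("090501121755")

# Constructed sample: the same moment stored as seconds since the GPS epoch.
moment = datetime(2009, 5, 1, 12, 17, 55, tzinfo=timezone.utc)
COUNTER_SAMPLE = int((moment - GPS_EPOCH).total_seconds()).to_bytes(4, "little")

if __name__ == "__main__":
    print("inbox  :", decode_inbox_stamp(INBOX_SAMPLE))
    for name, value in decode_counter(COUNTER_SAMPLE).items():
        print(f"{name:6} :", value)
```

When the time of day matches the handset display but the date is exactly 5 days early under the AOL reading, the GPS reading of the same bytes is the one to report.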
 
  

Warlock
Newbie
 

Re: MMS PDU files contain media

Post Posted: May 11, 09 17:21

Interesting.

So how would I get this to display the times correctly?


The time encoding on phones has been a thorn for a while.
I haven't been able to find a reliable decoding method.
Incoming times are stored differently than outgoing, and SMS can be different than both of them.
 
  

PaulSanderson
Senior Member
 

Re: MMS PDU files contain media

Post Posted: May 12, 09 17:37

The beta version is only currently available to registered users - you simply select the byte at which the date starts and all selected date types are displayed alongside.


 
