Mobile Phone Forensic Toolkit: Terminal view

Within the scope of this diploma thesis, a tool for forensic analysis of Twister Box dumps for Nokia smartphones has been developed. The tool consists of several scripts written in Python. Each script is a module responsible for a particular telephone function (address book, SMS, call history, etc.), and the modules are invoked through a global script. This global script, runDecoding.py, accepts the Twister Box dump file, the mobile phone type and the reporting type as arguments.

After starting the tool, data processing is initiated as shown in the figure above. Here we tried to analyze a Nokia 6500.

Decoding Calendar

The calendar is stored in block 51 of the internal memory on a Series40 smartphone. The layout of the storage content is outlined in the figure above. Note that the date is again decoded as shown in an earlier post named “Convert date from GSM to DEC”.

Decoding Call History

The three call histories stored on the smartphone are: ‘received calls’, ‘outgoing calls’ and ‘missed calls’.
Those three lists are stored in blocks 59 to 61 on Series40 phones: block 59 contains the ‘outgoing calls’, block 60 the ‘missed calls’ and block 61 the ‘received calls’. The exact layout of the individual storage entries is depicted in the figure above. The date contained in those blocks is translated into a readable format with the GSM Standard function shown in the post “Convert date from GSM to DEC”.

Convert date from GSM to DEC


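import binascii
import struct
# converts a given date from GSM to DEC
decString = binascii.unhexlify(encodedDate)  # hex string -> raw bytes
# '>H5B': one big-endian 16-bit value followed by five single bytes
decString = struct.unpack_from('>H5B', decString)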

This code fragment translates the given date from the GSM Standard to a readable DEC format.
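
The following is an added example, not code from the thesis tool: it wraps the same '>H5B' unpacking in a function that rejects fields which cannot be a date, as happens with erased or filler entries in a dump. The field order (year, month, day, hour, minute, second), the names decode_date and format_date, and the sample values are assumptions made for this illustration.

```python
import binascii
import struct
from datetime import datetime

DATE_FORMAT = ">H5B"                      # same layout as the fragment above
DATE_SIZE = struct.calcsize(DATE_FORMAT)  # 7 bytes


def decode_date(encoded_date):
    """Decode a hex-encoded 7-byte date field into a datetime.

    Assumed field order (not stated on the page): year, month, day,
    hour, minute, second. Returns None for fields that cannot be a date,
    e.g. unused or erased entries in a dump.
    """
    # Dumps are often printed with spaces between bytes; tolerate that.
    cleaned = "".join(encoded_date.split())
    try:
        raw = binascii.unhexlify(cleaned)
    except (binascii.Error, ValueError):
        return None                      # odd length or non-hex characters
    if len(raw) < DATE_SIZE:
        return None                      # truncated field
    year, month, day, hour, minute, second = struct.unpack_from(DATE_FORMAT, raw)
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None                      # e.g. 0xFF filler, month 13, day 0


def format_date(encoded_date):
    """Readable form for a report; marks undecodable fields explicitly."""
    decoded = decode_date(encoded_date)
    return decoded.isoformat(sep=" ") if decoded else "<invalid date>"


# Constructed sample values, not taken from a real dump.
SAMPLES = ["07D8030F0E1E2D", "07 D8 03 0F 0E 1E 2D", "FFFFFFFFFFFFFF", "07D803"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", format_date(sample))
```

Reporting an undecodable field as invalid, rather than raising or printing a nonsensical date, keeps the rest of the block decodable and makes the gap visible in the report.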

Gathering Information about the Handheld

On Series40 smartphones this information is kept in blocks 4, 5, 13 and 35 of the dump files. Decoding the HEX values of block 4 yields the ‘serial number’, ‘product code’, ‘product basic code’, ‘module code’ and ‘hardware number’ in lines 3 to 7. Block 5 contains the ‘IMEI’ of the device, and block 13 holds the ‘startup message’, which has been entered by the user and is displayed when the device is switched on. The ‘security code’ of the smartphone (set to 12345 by the phone manufacturer) can be decoded from its HEX value in block 35 of the Twister Box dump files.