Within the scope of this diploma thesis, a tool for forensic analysis of Twister Box dumps for Nokia smartphones has been developed. The tool contains several scripts which are written in Python. The various scripts correspond to modules which are responsible for certain telephone functions (address book, SMS, call history, etc.). Those are accessed
The calendar is stored in block 51 of the internal memory on a Series40 smartphone. The layout of the storage content is outlined in the figure above. Note that the date is again decoded as shown in the earlier post “Convert date from GSM to DEC”.
The three call histories stored on the smartphone are ‘received calls’, ‘outgoing calls’ and ‘missed calls’. On Series40 phones these three lists are stored in blocks 59 to 61: block 59 contains the ‘outgoing calls’, block 60 contains the ‘missed calls’ and block 61 exhibits
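    import binascii
    import struct

    # converts a given date from GSM to DEC
    decString = binascii.unhexlify(encodedDate)  # hex string -> raw bytes
    decString = struct.unpack_from('>H5B', decString)  # one big-endian 16-bit value, then five bytes

This code fragment translates the given date from the GSM standard into a readable decimal (DEC) format.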
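A fuller version of the date conversion above, as an added example that is not code from the original post or the thesis tool: it is written for Python 3 and returns None for fields that do not hold a valid date, so one damaged record does not abort the analysis of a whole dump. The function name, the field order (year, month, day, hour, minute, second) and the sample values are assumptions.

```python
import struct
from datetime import datetime

# Layout taken from the fragment's format string '>H5B': a big-endian
# 16-bit value followed by five single bytes (7 bytes in total).
DATE_FORMAT = ">H5B"
DATE_SIZE = struct.calcsize(DATE_FORMAT)


def decode_date(encoded_date):
    """Decode a hex-encoded date field into a datetime, or return None.

    None is returned for non-hex input, truncated fields and values that
    are out of range for a calendar date (for example an all-0xFF field).
    """
    try:
        raw = bytes.fromhex(encoded_date)
    except ValueError:
        return None  # odd length or non-hex characters
    if len(raw) < DATE_SIZE:
        return None  # truncated field
    # Assumption: the six values are year, month, day, hour, minute, second.
    year, month, day, hour, minute, second = struct.unpack_from(DATE_FORMAT, raw)
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None  # e.g. month 13 or year 65535


# Constructed sample values, not taken from a real dump.
SAMPLES = [
    "07D9050C0E1E2D",  # well-formed field
    "FFFFFFFFFFFFFF",  # all bytes 0xFF
    "07D9050C",        # truncated to four bytes
    "07D90D0C0E1E2D",  # month value 13
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decode_date(sample))
```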
On Series40 smartphones this information is kept in blocks 4, 5, 13 and 35 of the dump files. When decoding the HEX values of block 4, one can find the values of ‘serial number’, ‘product code’, ‘product basic code’, ‘module code’ and ‘hardware number’ in lines 3 to 7. Block 5