If you want to read the final version of my diploma thesis don’t hesitate to write an email. Because of data privacy the published version doesn’t contain Chapter 4 (the functionality as well as the applicability of the developed tool is tested on several mobile phones by analyzing extracted data in a forensic way).
Within the scope of this diploma thesis, a tool for forensic analysis of Twister Box dumps for Nokia smartphones has been developed. The tool contains sev- eral scripts which are written in Python. The various scripts correspond to modules which are responsible for certain telephone functions (address book, SMS, call history, etc.). Those are accessed
The calendar is stored in block 51 of the internal memory on a Series40 smart-phone. The layout of the storage content is outlined in the figure above. Here it has to be noted that the date is decoded again as shown in an earlier post named “Convert date from GSM to DEC”.
The three call histories stored on the smartphone are: ‘received calls’, ‘outgoing calls’ and ‘missed calls’. Those three lists are stored within the blocks 59 to 61 when dealing with Series40 phones. Here it has to be mentioned that block 59 contains the ‘outgoing calls’, block 60 contains the ‘missed calls’ and block 61 exhibits
When dealing with Series40 smartphones those information are kept in the blocks 4, 5, 13 and 35 of the dump files. When decoding the HEX values of block 4 one can find the values of ‘serial number’, ‘product code’, ‘product basic code’, ‘module code’ and ‘hardware number’ in the lines 3 to 7. Block 5