HTC Fuze Forensics: Part 2

HTC Fuze Forensics

Colby Lahaie

The Senator Patrick Leahy Center for Digital Investigation

Extracting Evidence

Retrieving Audio

The HTC Fuze came with audio files already stored on the phone, which I was able to extract with the Cellebrite UFED Physical Pro, using the “Extract Phone Data” option.  In the outputted folder that Cellebrite provides, there will be a folder containing all of the audio files extracted from the phone and, in the examination report; it will provide information on the audio files such as: the file name, the file path, the file size, an MD5 and SHA256 of each audio file, and other information.

Retrieving Video

Then, I took a short video with the HTC Fuze because there was only one sample video, which was already on the phone when we got it.  I extracted the videos with Cellebrite onto the Target USB Flash Drive.  I then found the video files in the outputted folder and details of the video files in the examination report.

 

Retrieving SMS Text Messages (Active)

I tried sending SMS text messages from the phone to add evidence onto the phone for future examination, but I was not able to send any messages because we did not have an active SIM card in the phone, however; the SMS text messages were saved in the “Drafts” folder and we were able to extract the active messages while using Cellebrite because they were saved on the phone.  The extraction provides a .SMS file, which is a backup file of the extracted SMS text messages, and a MD5 and SHA256 hash for the .SMS file (located in the examination report).  The examination report provides different details about the extracted SMS text messages from the phone such as: name, number, date/time, status, the text of the message, etc.

 

Accessing the File System

While doing some research, I was able to find a tool that would seize all of the data off of the HTC Fuze including the file system.  The tool that I found was called Mobile Internal Acquisition Tools or MIAT for short.  According to the MIAT website, MIAT is a forensically sound tool that doesn’t alter or affect the data during extraction.  You save MIAT onto a SD card, insert it into the phone and then run it.  All of the data on the phone is then seized/copied onto the SD card.

To seize data off of the phone, I first downloaded MIAT for Windows Mobile phones.  Then, per the instructions that came with MIAT, I created a folder (“2577”) on our 4GB Micro SD card and put the MIAT.exe into that folder.  I then inserted the SD card into the phone.  MIAT did not automatically run so I had to manually start it by doing the following:

1.      Click on “Start” and click “Programs”.

2.      Click on “Tools”.

3.      Click on “File Explorer”.

4.      Click the drop down, where it says “My Device” and click on “Storage Card”.

5.      Click on the “2577” folder and then click on “MIAT” to open the tool.

6.      Click on “Seize” and all of the data on the phone will be seized to the SD card.

In the output folder from the MIAT seizure you can see all of the files/folders that are on the phone and part of the file system:

I then chose the “Physical Extraction” option on the Cellebrite UFED, which essentially extracted the file system of the phone, and outputted a .ufd file to be used in the Cellebrite Physical Analyzer.  When you first open the .ufd file in the Physical Analyzer, it gives you a nice summary of the extraction such as: the name of the phone, the connection type, extraction date/time, the types of data files and other information.

I was also able to view the folders/files of the phone/file system that I had seized with MIAT.  I found out that there were 4 different partitions of the phone and that partition 4 is the partition used to store all of the phone data which we extracted. I then right-clicked on “Partition 4” under the File Systems tab and exported the file system of the HTC Fuze to a thumb drive for later acquisition.  The MIAT extraction and the Cellebrite Physical Analyzer provide two different ways for investigators to extract and analyze the file system/data of the HTC Fuze.

For part 3 of this project, see “HTC Fuze Forensics Part 3”.

If you have any comments, questions and/or suggestion please feel free to leave a comment here on the blog. Or feel free to email us atLCDI@champlain.edu, with” HTC Fuze Forensics” in the subject.

More Research Projects
CyberRange Team: Creating The Perfect Sandbox Environment
The Internet of Things Team: An Inside Look
CyberTech: Creating a Safer Internet Through Education