Greetings fellow cellphone examiners, forensic specialists and anathema to some. We are going to have a few discussions while I am on my 18 hour air journey, I suppose. I hope blogs and/or Twitter are allowed at my destination; ugh, I should have checked that... At any rate, let's talk about cellphones.
During our courses, and at every conference and speaking engagement I attend or am a part of, someone always brings up "write protection" and how to achieve it with a cellphone. I have witnessed both trainers and vendors answer this inquiry by explaining that it is possible to write protect a cellphone. When questioned further on the how-tos of this revelation I have heard "it is built into our cables", "a standard write blocking device works", and "use a simple registry hack to make the USB ports read only." The last, I hear, is still taught in some cellphone courses. My only question about these claims is: have you actually tested them? Well, let's dispel the rumors.
“It is built into our cable.”
I tested cables manufactured by a very reputable European company and found that 100% of the time I was able to write to the cellphone using tools like Motorola Phone Tools, P2K Commander and even BitPim (after switching off its "Block Writing to the Phone" checkbox). I was able not only to write to the phone, but to remove and re-upload my own phonebook. First theory tested and shown to be FALSE.
“A standard write blocking device”
I tested this claim using a Tableau USB hardware write block device and the same Motorola cellphone as before. I plugged the Tableau into the computer and then plugged the cellphone into the Tableau. Shazam, the Tableau actually recognized the cellphone and displayed "Motorola" on its digital display. Could this really work? Using the same programs as before, I attempted to write to the cellphone. BAM, I successfully updated my contacts... again. The write went right through the USB write blocker and onto the phone. Second theory tested and shown to be FALSE.
“use a simple registry hack to make the USB ports read only”
I tested this last claim both by manually changing the registry key and by using the automated tool a few training companies hand out. This registry hack makes USB mass storage devices read-only on the Windows machine. I inserted a USB flash drive and tried to write to it, only to be told the task could not be completed because of the write protection. OK, sweet, that worked, so let's test the same Motorola that has been abused by the other theories. I plugged in the device and watched as the drivers began to install. OK, so far so good. Now let's try to put some new contacts onto the phone using the same tools as in the other tests. KABOOM, again I am the proud owner of new(er) contacts on my Motorola cellphone. Third theory tested and also shown to be FALSE.
Why is it that the USB port cannot be blocked, you ask? Simply put, a phone in its normal connection mode is not presented to the computer as a mass storage device but as a modem and/or serial port. Every write blocking method, software or hardware, works at the storage layer: it intercepts the block-level write commands sent to a device enumerated as mass storage, such as a portable hard drive, a flash drive or a media card. A phone on a modem or serial port never receives a block-level write. The tool talks to it in the phone's own command protocol over a serial channel, and that traffic is not something a write blocker inspects or understands, so there is nothing for it to block.
“But a phone can be seen as a mass storage device”, you scream.
Of course, if the phone is capable of that mode, it can, AND when in that mode it CAN be write protected. The issue the examiner will run into is that the only data extracted while a phone is seen as a mass storage device is the media card or the area where the media files are stored. There are exceptions where the phone can store SMS, contacts etc. onto the media card, but very few phones are capable of that type of feature. For the most part, the examiner will be missing the user data if only the media area is extracted. So the examiner has to switch the device out of mass storage mode to use our standard cellphone tools, and out go the write blocking tools.
So how then do the software tools NOT write data onto the devices I am examining? The short answer is that specific commands are used to extract data and different commands are used to write it, and the typical cellphone tools used in our forensic examinations issue only the read commands. The protection lives in the tool's behaviour, not in the cable, the port or any box in between, which is exactly why it has to be verified by testing (and by knowing what the tool actually sends) rather than assumed.
Maybe it is time examiners contacted their software vendors and trainers and asked what answer they give; it might be fun. Hopefully they don't say that their cables or software write protect the ports.
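To make the two points above concrete (the phone's serial channel carries protocol commands rather than block writes, and "read only" is a property of which commands a tool sends), here is an added example, not code from the original post or from any of the tools named in it. It assumes the phone is enumerated as a modem and the examiner's tool speaks the standard 3GPP TS 27.007 AT command set; the session it filters is constructed for the example. It classifies each command as read, write or unknown from the command name and its syntax form, and gates a session the way a protocol-aware filter would have to, since a block-layer write blocker never sees this traffic.

```python
"""
Protocol-aware read/write gate for 3GPP TS 27.007 AT commands.

Added example for illustration; it is not the forensic tools' own code and
does not implement the Motorola P2K protocol. The command lists cover only a
handful of standard commands, and the sample session below is constructed.
"""
import re

# Commands whose SET form changes user data on the handset (write or delete).
WRITE_COMMANDS = {
    "+CPBW",  # write a phonebook entry
    "+CMGW",  # write a message into message storage
    "+CMGD",  # delete a message
    "+CMGS",  # send a message (many handsets also store it as sent)
    "+CMSS",  # send a message from storage
}

# Commands whose SET or EXEC form only reads data or selects what to read.
READ_COMMANDS = {
    "",       # bare "AT": attention/ping, no effect on stored data
    "E",      # ATE0/ATE1: local echo on/off
    "I",      # ATI: identification text
    "+CGSN",  # IMEI
    "+CIMI",  # IMSI
    "+CGMI", "+CGMM", "+CGMR",  # manufacturer, model, revision
    "+CPBS",  # select phonebook storage (session state, no user-data change)
    "+CPBR",  # read phonebook entries
    "+CMGL",  # list messages
    "+CMGR",  # read a message (see caveat in the usage note)
}

# name: "+CPBR", "&F", or a single basic letter such as "E"; form: "=?", "?", "="
AT_RE = re.compile(
    r"^AT(?P<name>[+&][A-Z0-9]+|[A-Z]?)(?P<form>=\?|\?|=)?(?P<args>.*)$",
    re.IGNORECASE,
)


def classify(cmd: str) -> str:
    """Return 'read', 'write' or 'unknown' for one AT command line."""
    m = AT_RE.match(cmd.strip())
    if not m:
        return "unknown"
    name = m.group("name").upper()
    form = m.group("form") or ""
    # The test form (=?) and the read form (?) never alter handset data,
    # even for a write command such as AT+CPBW=? .
    if form in ("=?", "?"):
        return "read"
    if name in WRITE_COMMANDS:
        return "write"
    if name in READ_COMMANDS:
        return "read"
    # Fail closed: a gate that cannot classify a command must not pass it.
    return "unknown"


def gate(session):
    """Split a session into commands the gate forwards and commands it drops."""
    passed, blocked = [], []
    for line in session:
        (passed if classify(line) == "read" else blocked).append(line.strip())
    return passed, blocked


# Constructed session: what a phonebook/SMS tool might send over the modem port.
SAMPLE_SESSION = [
    "AT",
    "AT+CGSN",
    'AT+CPBS="SM"',
    "AT+CPBR=?",
    "AT+CPBR=1,10",
    "AT+CPBW=?",                                   # test form only: harmless
    'AT+CPBW=11,"5551234",129,"New Contact"',      # this one writes a contact
    'AT+CMGL="ALL"',
    "AT+CMGD=1",                                   # this one deletes a message
]

if __name__ == "__main__":
    ok, dropped = gate(SAMPLE_SESSION)
    print("forwarded:", ok)
    print("blocked:  ", dropped)
```

Running it forwards the seven read/test commands and drops the two that would modify the phonebook and the message store. Two caveats a practitioner should keep in mind: the lists are deliberately short and any vendor-specific or unlisted command is dropped rather than guessed at, and even a standard "read" can change state on the handset, since TS 27.007 specifies that +CMGR on an unread message changes its status to read. A command-level gate therefore limits what a tool can do; it is not the same guarantee a hardware write blocker gives for a mass storage device.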
Thanks for reading, more soon