I consider myself to be a heavy flasher box user. From the early days I explored these cell phone maintenance boxes and “abused” them for forensic purposes. A flasher box adds flexibility to the forensic analysis of mobile devices and gives you the opportunity to take that extra step in your investigation.
There is at present no device that can compete with the possibilities that flasher boxes offer. However, this comes with a warning: try before you die.
Learn how a flasher box works and what it does with the cell phone data. Familiarize yourself with the user interface of the software that comes with the flasher box. The “read” buttons are great, but there are also a lot of “wipe the data” buttons. There is only one way to learn all this and that is by using reference phones. Make a hex dump, change something, and dump the handset again. Look in the binary file for the differences and what they mean.
Bear in mind that no two flasher boxes are the same; that applies to the different handset brands and models as well. Even using the same brand and model, but with different firmware, the outcome can be different.
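The "dump, change something, dump again" exercise above produces two binary files that have to be compared offset by offset. The following Python script is an added example that is not part of this article; it hashes both dumps, reports every byte range that changed, and prints a hex/ASCII row for each range. The two dumps are constructed in the script (a 64-byte "reference" image with a boot counter and a lock code record) so that it runs offline; the layout is invented for illustration and says nothing about any real handset.

```python
"""Compare two hex dumps of a reference handset and report the byte ranges that changed."""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash of a dump, so the files examined can be identified in the notes."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(before: bytes, after: bytes, merge_gap: int = 0) -> List[Tuple[int, int]]:
    """Return half-open (start, end) offsets where the two dumps differ.

    Runs of differing bytes separated by at most `merge_gap` identical bytes
    are merged, so one changed record is reported as one region.  A length
    difference is reported as a final range covering the tail of the longer file.
    """
    n = min(len(before), len(after))
    ranges: List[Tuple[int, int]] = []
    start = None
    last = -1
    for i in range(n):
        if before[i] != after[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            ranges.append((start, last + 1))
            start = None
    if start is not None:
        ranges.append((start, last + 1))
    if len(before) != len(after):
        ranges.append((n, max(len(before), len(after))))
    return ranges


def hex_row(data: bytes, offset: int, width: int = 16) -> str:
    """One hex-editor style row starting at `offset`."""
    chunk = data[offset:offset + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08x}  {hexpart:<{width * 3}} {asciipart}"


def report(before: bytes, after: bytes, merge_gap: int = 0) -> List[str]:
    """Human-readable comparison of the two dumps."""
    lines = [f"before sha256 {sha256_hex(before)}", f"after  sha256 {sha256_hex(after)}"]
    for start, end in diff_ranges(before, after, merge_gap):
        lines.append(f"changed 0x{start:08x}-0x{end:08x} ({end - start} bytes)")
        lines.append("  - " + hex_row(before, start))
        lines.append("  + " + hex_row(after, start))
    return lines


def constructed_dumps() -> Tuple[bytes, bytes]:
    """Constructed sample: a tiny reference image before and after a lock code change.

    Offsets 0-15: header, 16: boot counter, 32-42: lock code record, rest erased (0xff).
    The layout is invented for this example only.
    """
    base = bytearray(b"\xff" * 64)
    base[0:16] = b"REFPHONE-FW-1.0\x00"
    base[16] = 0x00
    base[32:43] = b"LOCK=12345\x00"
    before = bytes(base)
    changed = bytearray(base)
    changed[16] = 0x01                    # handset rebooted once between the dumps
    changed[32:43] = b"LOCK=54321\x00"    # lock code changed on the handset
    return before, bytes(changed)


if __name__ == "__main__":
    b, a = constructed_dumps()
    print("\n".join(report(b, a, merge_gap=1)))
```

With `merge_gap=0` the changed lock code appears as two separate ranges because the middle digit happened to stay the same; `merge_gap=1` reports it as one 5-byte record, which is usually what you want when looking for the region a setting lives in.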
There are four ways flasher boxes can allow you to bypass the handset lock code:
- Read the handset lock code
- Overwrite the handset lock code: the existing code is replaced with a new code (for example, 12345)
- Wipe the handset lock code: the existing code is overwritten with zeros
- Disable the handset lock code
If two flasher boxes can each bypass the handset lock code, it is essential to work out how each of them does it, because reading a lock code is much preferable to wiping it.
Some flasher boxes are able to access the handset in a less destructive way than commercial tools can. They do not require a full phone boot process and reduce the amount of altered data. There is at present only one way to get the most out of a handset without altering the data and that process is chip extraction.
Methods that alter data on the handset are:
- booting or rebooting the handset
- installing third party application software
- wear levelling
Interferences that alter data during (forensic) analysis are:
- Bluetooth pairing
- changing to infrared settings
- changing menu settings to establish a handset connection
- allowing handsets to connect to the cell phone network
The last instance is the worst offender. Incoming SMS text messages, MMS, e-mail, pictures, and calls overwrite old deleted data. Not to mention that the last base transceiver station positions stored on the handset are overwritten simply by driving the exhibit back to the police station.
A full binary flash dump is always the best option. That dump includes the firmware, file system, etc.—a so-called physical dump. A logical dump provides roughly everything that you would normally see on the screen of the handset.
Flasher Box Issues
Flasher box manufacturers sometimes protect their products. Besides an internet verification process and a dongle (often found inside the flasher box), they tend to compress or encrypt the output file. This way the created handset backup file (flash file) can only be used with the same flasher box if the handset must be restored.
Thus, when installing or upgrading flasher boxes, the use of a separate computer with its own internet connection (or, in a network environment, a machine in the DMZ) is highly recommended. There are often firewall and/or anti-virus issues with the installation or upgrading of flasher boxes and their software.
USB Port Monitoring for Raw Flash Dump
What if a flasher box’s “flash dump” output is compressed or encrypted? There is a simple way around this using USB port capturing software. I use Advanced USB Port Monitor from AGG Software, but any USB port capturing software will work. The software captures the data transferred over the USB port from the handset. This data is uncompressed and unencrypted and can be analyzed using your favorite hex editor.
It is not a clean process and it adds overhead. When using this method, it is possible that extra bytes will pollute the flash binary file, which will affect automatic search tools. Manual verification of the data is required to make sure that no important data is left behind.
The output binary will also include the boot loader data. A special boot loader is often used to bypass all protected areas of the handset. These areas and other privileges are often set in the manufacturer’s boot loader firmware.
Another issue can be the use of USB cables (instead of RJ45 cables) together with a device driver that is only loaded during the flasher box’s data acquisition process. Some flasher boxes unload this driver as soon as the flash backup process is finished, while the port capturing program is still processing the captured data buffered from the port.
Here is an example using a flasher box in combination with the Advanced USB Port Monitor software.
First select your phone in the flasher box software interface and use the proper settings so that you only have to hit the “start” button to get the flash dump running.
The Advanced USB Port Monitor requires the following setup in order to work properly:
Select file – new.
Tick the second option.
Choose the device you want to use. In this case the handset is processed with the flasher box. If you have difficulties finding your device, tick the “newly connected device” box.
Give the path to store your output binary file and tick the box to “start logging to a file automatically”.
Deselect all but this option and click the finish button. Then press the “start” button to start your handset flash dump. When the flasher box software is finished, the port capture software is still processing the captured data. Don’t close the port capture program until all the data has been received.
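Before spending time in a hex editor on the captured file, it is worth checking that what the port monitor wrote really is the plain data stream and not a copy of the flasher box’s compressed or encrypted backup. The following Python script is an added example, not part of this article and not a tool of AGG Software; it splits a capture into blocks, classifies each block as erased (0xff), zero-filled, ordinary data or high-entropy, and flags a file in which nearly every block is high-entropy, which is what an encrypted or compressed backup looks like. A genuine raw flash dump also contains high-entropy regions (compressed firmware, JPEGs), so the check is a heuristic, and the threshold is an assumption you should tune against your own reference phones. The two sample inputs (a small mixed "capture" and an all-random "backup file") are constructed inside the script.

```python
"""Entropy profile of a USB port capture: does it look like raw flash or like an encrypted backup?"""
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte in `block` (0.0 for an empty block, at most 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    counts = Counter(block)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_block(block: bytes, high_threshold: float = 7.0) -> str:
    """Label one block: 'erased' (all 0xff), 'zero' (all 0x00), 'high' (entropy above
    threshold, typical of compressed, encrypted or media data) or 'data'.
    The 7.0-bit threshold is an assumption for this example, not a published figure."""
    if not block.strip(b"\xff"):
        return "erased"
    if not block.strip(b"\x00"):
        return "zero"
    return "high" if shannon_entropy(block) >= high_threshold else "data"


def profile(dump: bytes, block_size: int = 1024) -> Dict[str, int]:
    """Count of blocks per label over the whole file."""
    counts: Counter = Counter()
    for offset in range(0, len(dump), block_size):
        counts[classify_block(dump[offset:offset + block_size])] += 1
    return dict(counts)


def looks_unencrypted(dump: bytes, block_size: int = 1024, max_high_fraction: float = 0.5) -> bool:
    """Heuristic: an encrypted/compressed backup is high-entropy almost everywhere,
    while a raw flash dump has erased, zero and plain-data blocks mixed in."""
    counts = profile(dump, block_size)
    total = sum(counts.values())
    return total > 0 and counts.get("high", 0) / total < max_high_fraction


def deterministic_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Repeatable pseudo-random bytes (SHA-256 chain) standing in for encrypted data."""
    out = bytearray()
    state = seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


def constructed_samples() -> Tuple[bytes, bytes]:
    """Constructed inputs: a mixed 'capture' and an all-random 'backup file'."""
    record = b"Contact: Alice +64 21 123 4567\x00"
    raw_capture = (
        (record * 40)[:1024]            # phonebook-like records (low entropy)
        + b"\xff" * 2048                # two erased NAND blocks
        + b"\x00" * 1024                # one zero-filled block
        + deterministic_random(1024)    # one block standing in for a JPEG
    )
    encrypted_backup = deterministic_random(8 * 1024, seed=b"backup")
    return raw_capture, encrypted_backup


if __name__ == "__main__":
    capture, backup = constructed_samples()
    for name, blob in (("usb capture", capture), ("flasher backup", backup)):
        print(f"{name:15s} {profile(blob)}  unencrypted? {looks_unencrypted(blob)}")
```

Run it on the file the port monitor produced and, for comparison, on the backup file the flasher box wrote; if both profiles look the same and are almost entirely high-entropy, the capture has not given you anything the backup did not. The block labels also double as a map of the capture: the erased and zero regions are where nothing is to be found, and the boundaries between labels are a good place to start looking for the extra bytes that the capture process adds.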
With the help of flasher boxes it is possible to analyze more handsets than are supported by commercial tools. A flasher box adds flexibility to the forensic analysis process and gives you the opportunity to take that extra step, or that first step of bypassing the handset lock code. But please, watch your step.
Bram Mooij is a senior digital forensics and small scale digital devices expert working at the Electronic Crime Lab for the New Zealand Police. Bram is a former Dutch Police Inspector working as a digital forensic investigator for the National Crime Squad and began his Law Enforcement career in 1984. He is the creator of the online ACID database.