Difference between pages "Linux Memory Analysis" and "AT Commands"

From ForensicsWiki

(Edit summary, Linux Memory Analysis: Linux Memory Analysis Tools: Volatility now has better Linux support; link to SVN)
(Edit summary, AT Commands: Reference Links)

The left side of the diff is the Linux Memory Analysis page, reproduced here; the right side is the AT Commands page, whose rendered revision follows it.

==Linux Memory Analysis Tools==

Research Projects:
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the [http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flinux-support linux-support branch]. (Availability/License: GNU GPL)
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is a tool for extracting information such as the process and module lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)

Commercial Products:
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35. (Availability/License: commercial)

==Linux Memory Analysis Challenges==

* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.

==Linux Memory Analysis Bibliography==

* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
* [http://pikewerks.com/_datasheets/secondlook.pdf Second Look Datasheet]

Volatility Mailing List Threads on Support for Linux:
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112

AT Commands
Revision as of 21:42, 26 March 2009

  • AT and AT+ commands can be used to manually collect simple information. This is an ideal choice for "full control" over the communications that are sent and returned from the phone. These can also be used when there is no tool available to communicate with the phone. These commands were tested using a Motorola v551 GSM phone using Bluetooth and USB data cables. It is important to note that not all of these commands are supported by all phones, but the AT+CLAC command (usually) displays all of the available commands the GSM phone can respond to.
  • With Motorola phones (and many others) there are NO AT commands that can be used to retrieve multimedia content. For these, OBEX commands must be issued to the phone to return directory contents, ringtones, pictures and video.
  • Samsung GSM phones, on the other hand, DO have AT commands that allow access to the multimedia content.

To use these AT commands:

  1. Connect the phone and determine the number of the COM port that is associated with it.
  2. Open HyperTerminal, Realterm or any other terminal program that will communicate with a specified COM port.
  3. With the Motorola phone, type AT+MODE=2. This prepares the phone for an extended AT+ command set. (+Cxxx and +MPxx)

After following these steps, you can continue with any of the commands below.

Phonebook

AT+CPBS=?
Lists the phonebooks that the phone contains. (Choose phonebook storage)
Returns: +CPBS: ("ME","SM","MT","ON","DC","MC","RC","EN","AD","QD","SD","FD")

+CPBS="ME" sets the "retrieve mode" to the internal phonebook.
+CPBS="SM" sets the "retrieve mode" to the SIM phonebook.

AT+CPBR=?
Describes the phonebook selected above. (Simple) This gives the max number of entries the phone can contain. It also gives the maximum phone number (or email address) length and name length.
NOTE: You can substitute +MPBR for any +CPBR command, but the phone returns a much more specific (and less intelligible) response containing more fields that may act as internal “programming” flags of some sort.
Returns: +CPBR: (1-1000),40,24

AT+CPBR=[beginning index],[ending index]
Returns the phonebook entries whose index lies between the two numbers entered. The third field denotes what TYPE of phonebook entry each one is.
Returns: +CPBR: 9,"18005555555",129,"Contact Name" – 129 refers to a phone number.
Returns: +CPBR: 18,"user@domain.net",128,"Contact Name" – 128 refers to an email.

AT+CPBR=[index]
Returns the specified index.
Returns: +CPBR: 18,"user@domain.net",128,"Contact Name"

AT+MPBF="Name"
Searches the phonebook for the Name or string.

AT+MPBR=?
Similar to above, but a more verbose result is displayed.
Returns: +MPBR: 1-1000,40,24,8,0-1,50,(0,2,4,6,9-30,255),(0),(0-1),(1-30),(255),25,(0-1,255),264,(0),0,0,0,0,0,0,0

  • 1-1000 denotes the number of entries that can be stored on the selected (+CPBS) phonebook.
  • 40 represents the number of characters that the email or phone number can have.
  • 24 indicates the number of characters the “friendly” name can have.
  • The 8 refers to the different “types” of phonebook entry (i.e. Mobile, Main, Email, Home, Fax, Work … etc).
  • The +CPBR command does not list anything after the 24 (as seen above), so there are times when the +MPBR may be useful.

AT+MPBR=[index]
Returns: +MPBR: 18,"user@domain.net",128,"Contact Name",6,0,255,0,0,1,255,255,0,"",0,0,"","","","","","","",""

SMS Messages

AT+CMGF=1
This tells the phone to display the entries as text rather than binary. +CMGF=0 would display the data in binary (PDU) format.

AT+CPMS=?
This displays all of the locations in which the phone can save the SMS messages.
Returns: +CPMS: ("MT","IM","OM","BM","DM"),("OM","DM"),("IM")

AT+CMGL=?
Returns the options on which messages you wish to display.
Returns: +CMGL: ("REC UNREAD", "REC READ", "STO UNSENT", "STO SENT", "ALL")

AT+CMGL="ALL"
Selects and displays all of the SMS messages on the selected source.
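The setup steps, the phonebook commands and the text-mode SMS listing above, driven from a script and parsed into records. This is an added example, not code from the ForensicsWiki page. It assumes pyserial (`serial.Serial`) for the live session and a port name such as COM3 (both assumptions; the import is deferred so the parsers run without hardware). All sample response strings are constructed to match the shapes the page quotes; the +CMGL record layout follows the standard text-mode format (header line, then the message body on the next line), which the page itself does not show. The raw transcript is hashed so the examiner can record exactly what the phone returned.

```python
"""AT session driver and response parsers (added example; assumes pyserial)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# --- constructed sample responses, in the shapes the page quotes -------------
SAMPLE_CPBS = '+CPBS: ("ME","SM","MT","ON","DC","MC","RC","EN","AD","QD","SD","FD")'
SAMPLE_CPBR_TEST = "+CPBR: (1-1000),40,24"
SAMPLE_CPBR = [
    '+CPBR: 9,"18005555555",129,"Contact Name"',
    '+CPBR: 18,"user@domain.net",128,"Contact Name"',
]
# Standard text-mode layout: <index>,<stat>,<address>,[<alpha>],[<time>] then the body.
# Addresses, times and bodies below are made up.
SAMPLE_CMGL = (
    '+CMGL: 1,"REC READ","+15555555555",,"09/03/26,21:42:00+00"\r\n'
    "Constructed message body\r\n"
    '+CMGL: 2,"STO SENT","+15555550100",,"09/03/26,21:50:00+00"\r\n'
    "Second body\r\n"
    "OK\r\n"
)


@dataclass
class PhonebookEntry:
    index: int
    value: str       # phone number or e-mail address
    type_code: int   # page: 129 = phone number, 128 = e-mail address
    name: str

    @property
    def kind(self) -> str:
        return {129: "phone", 128: "email"}.get(self.type_code, "unknown")


@dataclass
class SmsRecord:
    index: int
    status: str
    address: str
    timestamp: str
    body: str


def parse_cpbs_test(reply: str) -> List[str]:
    """'+CPBS: ("ME","SM",...)' -> ['ME', 'SM', ...]; scans every line of the reply."""
    for line in reply.splitlines():
        m = re.match(r'^\+CPBS:\s*\((.*)\)', line.strip())
        if m:
            return [s.strip().strip('"') for s in m.group(1).split(",")]
    return []


def parse_cpbr_test(reply: str) -> Optional[dict]:
    """'+CPBR: (1-1000),40,24' -> index range and field length limits."""
    for line in reply.splitlines():
        m = re.match(r'^\+CPBR:\s*\((\d+)-(\d+)\),(\d+),(\d+)', line.strip())
        if m:
            first, last, num_len, name_len = map(int, m.groups())
            return {"first": first, "last": last,
                    "max_number_len": num_len, "max_name_len": name_len}
    return None


CPBR_RE = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"')


def parse_cpbr(lines: List[str]) -> List[PhonebookEntry]:
    """Parse the entry lines returned by AT+CPBR=<first>,<last>."""
    out = []
    for line in lines:
        m = CPBR_RE.match(line.strip())
        if m:
            out.append(PhonebookEntry(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return out


CMGL_RE = re.compile(r'^\+CMGL:\s*(\d+),"([^"]*)","([^"]*)",(?:"[^"]*")?,"([^"]*)"')


def parse_cmgl(raw: str) -> List[SmsRecord]:
    """Parse an AT+CMGL="ALL" listing in text mode (after AT+CMGF=1)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    out, i = [], 0
    while i < len(lines):
        m = CMGL_RE.match(lines[i])
        if m:  # header line; the message body is the line that follows
            body = lines[i + 1] if i + 1 < len(lines) else ""
            out.append(SmsRecord(int(m.group(1)), m.group(2), m.group(3), m.group(4), body))
            i += 2
        else:
            i += 1
    return out


# --- live session: needs pyserial and a phone on the COM port ----------------
def send_at(ser, command: str, transcript: list) -> str:
    """Send one command, read until OK/ERROR (or timeout), keep the raw bytes."""
    ser.write((command + "\r").encode("ascii"))
    chunks = []
    while True:
        line = ser.readline()  # b"" on timeout
        if not line:
            break
        chunks.append(line)
        s = line.strip()
        if s in (b"OK", b"ERROR") or s.startswith((b"+CME ERROR", b"+CMS ERROR")):
            break
    raw = b"".join(chunks)
    transcript.append((command, raw))
    return raw.decode("ascii", errors="replace")


def transcript_digest(transcript: list) -> str:
    """SHA-256 over every command and raw reply, for the examination notes."""
    h = hashlib.sha256()
    for command, raw in transcript:
        h.update(command.encode("ascii") + b"\r" + raw)
    return h.hexdigest()


def collect_phonebook(port: str, storage: str = "ME") -> List[PhonebookEntry]:
    """Page steps 1-3, then AT+CPBS, AT+CPBR=? and AT+CPBR=<first>,<last>."""
    import serial  # pyserial, assumed installed
    transcript = []
    with serial.Serial(port, 115200, timeout=2) as ser:
        send_at(ser, "AT+MODE=2", transcript)  # Motorola extended command set
        send_at(ser, 'AT+CPBS="%s"' % storage, transcript)
        limits = parse_cpbr_test(send_at(ser, "AT+CPBR=?", transcript))
        reply = send_at(ser, "AT+CPBR=%d,%d" % (limits["first"], limits["last"]), transcript)
    print("transcript sha256:", transcript_digest(transcript))
    return parse_cpbr(reply.splitlines())
```

`collect_phonebook("COM3")` runs the page's sequence end to end and prints the transcript hash; the parsers also work on a reply captured earlier with HyperTerminal or Realterm, which is the safer way to re-examine output without re-querying the handset.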

Misc. Information

AT+CGSN
Returns the IMEI of the phone.
Returns: +CGSN: IMEI356252000861622
Returns: +GSN: 299B5900 (Samsung)
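The two identity responses above can be told apart and sanity-checked: an IMEI carries a Luhn check digit in its 15th position, whereas the Samsung +GSN value is a hexadecimal serial with no check digit. The following is an added example, not the page's code; it uses the +CGSN string quoted on the page and the Samsung form as constructed samples.

```python
"""Parse +CGSN / +GSN identity replies and verify an IMEI's Luhn check digit (added example)."""
import re

SAMPLE_MOTOROLA = "+CGSN: IMEI356252000861622"  # form quoted on the page
SAMPLE_SAMSUNG = "+GSN: 299B5900"               # Samsung form quoted on the page (not an IMEI)


def luhn_ok(digits: str) -> bool:
    """True when a 15-digit IMEI's Luhn checksum is consistent (last digit is the check digit)."""
    if not re.fullmatch(r"\d{15}", digits):
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_identity(line: str) -> dict:
    """Classify an identity reply as an IMEI (with checksum result), a hex serial, or unknown."""
    line = line.strip()
    m = re.match(r"^\+CGSN:\s*(?:IMEI)?\s*(\d{15})$", line)
    if m:
        return {"kind": "imei", "value": m.group(1), "checksum_ok": luhn_ok(m.group(1))}
    m = re.match(r"^\+GSN:\s*([0-9A-Fa-f]+)$", line)
    if m:  # hex serial number: nothing to checksum, record it as-is
        return {"kind": "serial", "value": m.group(1).upper(), "checksum_ok": None}
    return {"kind": "unknown", "value": line, "checksum_ok": None}
```

A failed checksum on a value the phone reports as its IMEI is worth noting in the examination record: it usually means a transcription or echo artefact in the captured reply rather than a genuine identifier, so the command should be re-issued and the raw bytes kept.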

AT+CGMR
Returns the manufacturer’s OS revision.
Returns: +CGMR: "R47_G_08.17.0FR_01"

AT+GMI
Returns the manufacturer name (Samsung).
Returns: +GMI: SAMSUNG

AT+CGMM
Returns the make, model and capabilities of the phone.
Returns: +CGMM: "GSM900","GSM1800","GSM1900","GSM850","MODEL=V551"
Returns: +GMM: SCH-A670 (Samsung)

AT+CNUM
Returns the subscriber name/number from the SIM.
Returns: +CNUM: Owner Name,15555555555,129

AT+CLAC
Lists AT commands that the phone supports.

AT+MODE=22
Prepares the phone (Motorola) for OBEX commands.

AT+MODE=0
This returns the phone to simple AT command mode.

Reference Links

AT+C Command Set of GSM: http://gatling.ikk.sztaki.hu/~kissg/gsm/index.html

Alexander Traud's GSM pages: http://www.traud.de/gsm/atex.htm

AT Test Commands: http://www.anotherurl.com/library/at_test.htm

AT Commands to Access the Motorola: http://www.csparks.com/MotoBackup/MotorolaAT.xhtml

ETSI-3GPP Standards: http://webapp.etsi.org/key/key.asp?GSMSpecPart1=27&GSMSpecPart2=007

Nokia AT Commands: http://wiki.forum.nokia.com/index.php/AT_Commands

Support Guide for the Nokia Phones and AT Commands: http://www.parallax.com/Portals/0/Education/custapps/Nokia_AThelp.pdf

Nokia 30 GSM Connectivity Terminal AT Command Guide: http://www.daimi.au.dk/~jones/sms/packed/Nokia_30_AT_Command_Guide_2_0.pdf