During investigations, you may occasionally find that identifiers of potential interest are not decoded by the tools. This often depends on the type of extraction you’re doing and the supported parsing for that device.

This blog will teach you how to use Hex to uncover additional artifacts of interest. We’ll also demonstrate how to locate IMEIs, IMSIs, and ICCIDs from a physical extraction of an Android device.

Getting Started

The first step is to open the physical image in “Hex View” by double clicking on “Image1,” which is located under “Memory Ranges” in the left pane. (Note: If the physical extraction has multiple image files, they should be listed here. You should repeat this process for each of them to ensure nothing is missed.)

Cellebrite Physical Analyzer

Once the Image is properly opened you will see the Hex. Simply select the magnifying glass icon (circled above) to expand the window and start your Hex search.

There are many options in this view, but to be more accurate, we are using “ASCII,” since we are searching for an ASCII string (“IMEI”).

Under “Search parameters” (shown above), we need to specify the search argument. In this case it is “IMEI.”

Check the “Show after” box and type in the number of characters to display after the search result. (The default here for “Length” is four, but Ron used 20). Adjusting this will result in the examiner expanding their view of the bytes that follow the search hit. The Hex search is powerful in that you can control the views of your results. Make sure you select ASCII so the results don’t appear as Hex, unless that is your intention.

Once the search is completed, you will get a list (below) of all the locations that the string “IMEI” (we didn’t use case-sensitive search) found. The screenshot below shows that there were 14,998 such results.

Since we know that IMEIs generally start with 35, Ron used “35” to filter the results, which reduced the list to 4,752 results. (Note: There are other prefixes, but we started with this main prefix of “35.” Filtering your results can be as easy as typing “35” into the “Find” box as shown below.)

IMEI search results: (filtered using the IMEI main “35” prefix)

Examining The Filtered Data

Now it’s time to examine the results of the filtered data.  Not all of the results represent a real IMEI as the argument we used to filter (“35”) might be part of the filename or other artifact. Therefore, we need to manually review the result list until we identify a real IMEI candidate.

Once a valid IMEI is identified, you have the IMEI value for that device. The “Source” will identify the file that contained the IMEI. Please note that clicking on each search result will show the result in Hex View, so you can also see the surrounding data of that hit.

Clicking on the “Source” file name will also move the left-pane file system view and select that specific file, so you can open the file for full review.

In order to locate the different files that store this value, copy the full IMEI that you identified and paste it into the “Find” box to filter the search results even further. This filter reduced the number of results to 2,792 as shown below.

IMEI filtered search results: (using the full IMEI identified number)

From here, you can export the full search result into Excel and then use “remove duplicates” in Excel to reduce the list to unique files only.

For IMEI, Ron’s search resulted in these files:
/data/user_de/0/com.samsung.android.fmm/shared_prefs/com.sec.pcw.device.xml
/data/data/com.samsung.android.mobileservice/shared_prefs/coreapps_pref.xml
/data/user_de/0/com.samsung.android.fmm/databases/value.db

As stated at the beginning of this blog, we can search for many identifiers. If you want to search for IMSI results from SIM cards, the steps above can be repeated.

Once we found the results, we identified a possible IMSI that started with “44.” Upon this discovery, we filtered for “44” and then identified an IMSI of interest and filtered on that specific identifier as shown below.

IMSI search results

The files in Ron’s example resulted in the following files containing IMSI information:
/data/user_de/0/com.android.providers.telephony/shared_prefs/simprof.preferences_name.xml
/data/data/com.kddi.android.cmail/files/logs/comlib.log.1
/data/data/com.kddi.android.cmail/files/logs/comlib.log.2
/data/data/com.kddi.android.cmail/files/logs/comlib.log.3
/data/data/com.kddi.android.cmail/files/logs/comlib.log.4
/data/log/omc/logcat_home_fota_update_log.txt

For ICCID, Cellebrite Physical Analyzer has built-in support for the Hex search to guide you along your way. Heather conducted a search on the Android image below. Notice that the “Search parameter” was left blank, which allowed her to search for all ICCIDs from SIM cards and not one specific ICCID. Again, this type of search gives the examiner the power to control how much or how little they see in the results.

ICCID Search

The search results for ICCID showed 123,482 hits on the Android image. To filter this down, I quickly scanned my results and added a filter of “8,9011.” The results dropped to 83.

If you click through the results and look at the Hex, you will notice that the data is stored in a Reverse-Nibble format. Cellebrite Physical Analyzer understands this format and will search accordingly.

ICCID Filtered Results

If you have a specific ICCID of interest, you may have to change your search in order to find the hits as the data may not be stored in a Reverse-Nibble format. Below I changed my search to an “ASCII Strings” search for a known ICCID.

ASCII Search for a Known ICCID

The search results for the ICCID in ASCII resulted in 86 hits as shown below. Checkin.xml is the file that tracks the SIM cards inserted into the Android. This file is commonly parsed and presented by the tools. This is where Heather found the IMEI to start this search as it was shown in the Cellebrite Physical Analyzer Extraction Summary.

ICCID ASCII Search Results

The following files in Heather’s example resulted in files containing ICCID information (Note: There are exact copies of each file below in the /sbin/.magisk/mirror as a systemless root was used to extract this Android data by Josh Hickman).

/data/vendor/radio/dummy_file
/data/data/com.google.android.apps.messaging/databases/bugle_db
/data/data/com.google.android.dialer/files/coalesced_rows_for_missed_calls
/data/data/com.google.android.dialer/files/coalesced_rows_for_conversation_history_all_calls
/data/data/com.google.android.dialer/files/coalesced_rows_for_all_calls
/data/data/com.google.android.dialer/databases/annotated_call_log.db
/data/data/com.google.android.dialer/shared_prefs/com.google.android.dialer_preferences.xml
/data/data/com.google.android.gms/databases/MdpSimBasedDatabase
/data/data/com.google.android.gms/shared_prefs/Checkin.xml
/data/data/com.google.android.apps.tycho/files/ps/963853422764
/data/data/com.android.providers.contacts/databases/calllog.db
/data/user_de/0/com.android.providers.telephony/databases/telephony.db
/data/user_de/0/com.google.android.dialer/shared_prefs/com.google.android.dialer_preferences.xml
/data/user_de/0/com.android.server.telecom/files/phone-account-registrar-state.xml
/data/user_de/0/com.android.phone/shared_prefs/com.android.phone_preferences.xml
/data/user_de/11/com.google.android.dialer/shared_prefs/com.google.android.dialer_preferences.xml

Summary
Hex Diving in Cellebrite Physical Analyzer is powerful, and many examiners don’t venture into the unknown territory. You can uncover so many artifacts that are yet to be explored by conducting a Hex search. Try it for yourself. Try the different options. Educate yourself on the possibilities and share your findings with the community and those you work with.

DFIR is a career where we never stop learning. We need to lean into our tools and the features that encourage us to dive into the unknown.

References:
[1] https://thebinaryhick.blog/2020/02/15/android-10-image-now-available/

Share this post