The Curious Case of the Encoded SMS: A Forensic Puzzle in 7-Bit PDU

Did you solve our Friday Challenge we posted on LinkedIn?

Digital forensics isn’t always about brute force tools or high-profile cases, sometimes, it’s about decoding a digital artifact hidden in plain sight. In this challenge, we presented two puzzles: one cryptic binary message and a mysterious string of hexadecimal characters. Together, they unlock a digital message encoded in the language of old-school SMS, the 7-bit PDU format.

Let’s Walk through the journey of solving it.

Riddle #1: The Binary Clue

We start with a simple binary string:

0101 0000 0100 0100 0101 0101

At first glance, it might not scream significance. But if you know your binary basics, you know these group nicely into bytes (or nibbles) that can be interpreted as characters:

– 0101 = 5
– 0000 = 0
– 0100 = 4
– 0100 = 4
– 0101 = 5
– 0101 = 5

Put them together: 50 44 55 in hex.

Turn those hex values into ASCII characters, and you get: PDU

The binary message is telling us that the next string, a block of hexadecimal data is a 7-bit PDU-encoded SMS.

Riddle #2: The Hexadecimal Message

Here’s the hex:

41 79 19 94 7D D7 41 CE B2 9C 0C 2A BA DF F5 33 FA 07

This is a raw Protocol Data Unit (PDU) the format used to encode SMS messages on GSM networks. The PDU format contains a mix of metadata (like sender, timestamp, and encoding type) and the encoded message body.

Understanding 7-Bit PDU

The 7-bit GSM encoding is incredibly efficient. Instead of using a full byte (8 bits) per character, it packs characters into 7-bit chunks, squeezing more data into fewer bytes. But this also means decoding it isn’t as straightforward as hex-to-text.

To decode it:
1. Break down the PDU message. Know the structure, service center address, sender number, and user data.
2. Locate the user data section, you need to understand the correct offset.
3. Unpack the 7-bit encoding using septet shifting, not a task for the faint-hearted.
You can do this manually or use a GSM PDU decoder.

Step-by-Step: Decoding a 7-bit GSM PDU Message

We will take the raw hexadecimal input, apply the GSM septet unpacking algorithm, and recover the original message.

Hex Input

41 79 19 94 7D D7 41 CE B2 9C 0C 2A BA DF F5 33 FA 07

Step 1: Convert Hex to Binary

Convert each hex byte to 8-bit binary:

41 = 01000001
79 = 01111001
19 = 00011001
94 = 10010100
7D = 01111101
D7 = 11010111
41 = 01000001
CE = 11001110
B2 = 10110010
9C = 10011100
0C = 00001100
2A = 00101010
BA = 10111010
DF = 11011111
F5 = 11110101
33 = 00110011
FA = 11111010
07 = 00000111

Step 2: Apply Septet Unpacking (Bit Shifting)

1. From Byte 1, remove its most significant bit (MSB), keep 7 bits.
2. Append that MSB to the end of Byte 2.
3. On Byte 2 (now 9 bits), remove first 2 bits and append them to the end of Byte 3.
4. Continue this for each subsequent byte.
5. Byte 7 will become 14 bits — split it down the middle and pad with leading 0s to get two valid 7-bit values.
6. Convert each 7-bit chunk to a character using the GSM 7-bit alphabet.

Step 3: Decode Septets to Characters

After unpacking, we extract the following 7-bit values and decode them:

Final Decoded Message

Putting the characters together, we get:

“Are You Nerd Enough?”

Final Result

We’ve successfully decoded the raw PDU hex into a human-readable SMS message using the GSM 7-bit packing format. This process shows how deeply technical artifacts like binary bit streams can translate into clear, meaningful evidence when you know how to interpret them.

For digital forensics practitioners, understanding encoding methods like this isn’t optional, it’s essential for recovering, analyzing, and presenting evidence from legacy mobile devices and some modern ones. Why not have a go at creating a python script to automate this process?

Why It Matters

Legacy mobile devices, feature phones, and even SIM card data often store messages in PDU format. If your forensic tools don’t decode 7-bit correctly, or if you don’t recognize a PDU blob when you see one, you could easily miss vital evidence.

Whether you’re decoding a case that involves evidence sent by SMS or recovering data from an old phone, knowing how to decode 7-bit PDU ensures you leave no stone unturned.

“But smartphones store messages in databases now, so this doesn’t apply to me… right?”

Not necessarily. Recent examinations of Android devices have revealed that SMS messages are no longer consistently only found in traditional storage locations such as system databases or unallocated space.

Here’s the twist: when an SMS is sent or received, it’s initially handled in its original 7-bit PDU encoded format. The handset then processes this data and stores it in a database… but… that processing first happens in RAM.

Which means, yes, SMS message content can be temporarily held in memory and, under the right conditions, recovered from RAM during forensic analysis.

Final Thought

Digital evidence doesn’t always get parsed by your favorite forensic tool, sometimes, it is sitting un decoded in plain sight. And if you’re aware of encoding formats, it will jump off the screen from just looking.

A big thank you to Alex Coley – Product Specialist at MSAB for putting together this fun Friday Challenge.

Adam Firman – Tech Evangelist

About the author:          

Adam Firman boasts a distinguished career in law enforcement, with over 15 years’ experience as a police officer and proficiency in various digital forensic solutions. He is well-versed in industry standards related to digital forensics and has been a certified trainer since 2014. He is a frequent speaker at global industry events on digital forensic topics and has served as an expert witness in high-profile court cases. Adam is deeply committed to serving and protecting the community.