Sunday, February 07, 2016

Threatware - legally speaking

The courts maybe faced with dealing with a wide range of mobile and computer criminal cases and civil disputes. These may include exploitation of the latter devices. Given the explosion of discontent in the world the use of "threatware" (a vernacular term adopted for this discussion) requires identification as to the type of threat defined by the outcome.
The supposed threat may not be enough by simply labelling it a threat - a victim's experience may not amount to a skilled opinion: The evidence was held not to be admissible on the grounds inter alia that no expert had given evidence as to the records, and that any connection they displayed between the cars stolen and those connected with the accused was a question of fact, not as in Abadom a question of opinion - Myers .v. D.P.P. [1965] A.C. 1001.
Calling a program "threatware" may require more than a simple label being attached to it; proof that it is what it is claimed to be a court may require substantiation: Patel v Controller of  Customs [1966] AC356 held the words “produce of  Morocco” stamped upon bags of coriander were inadmissible to prove the country of origin of the coriander.  The words were stamped on the bag with express intention of asserting a fact and were thus hearsay.
A person having threatware may amount to possession but not intention to use. Equally, the definition of storage container vis-à-vis stored computer may also be subject to definition of 'computer' in e.g. civil law: Section 5 ss6 Civil Evidence Act 1968 - (6) Subject to subsection (3) above, in this Part of this Act " computer " means any device for storing and processing information, and any reference to information being derived from other information is a reference to its being derived therefrom by calculation, comparison or any other process. Also see Civil Evidence Act 1972 and 1995 for hearsay and opinion.
Where threatware is involved in the form of ransomware that arises in contractual dispute between parties see - Ordanduu GmbH & Anor, R (On the Application Of) v Phonepayplus Ltd [2015] EWHC 50 (Admin) (16 January 2015)
For a case where ransomware and data protection are involved see - CASE STUDIES 2013 - Data Protection Commissioner - Ireland [2013] IEDPC 18 (2013)    
Cyber Warfare: A Review of Theories, Law, Policies, Actual Incidents – and the Dilemma of Anonymity | Reich | European Journal of Law and Technology:   

Speaking of the problem of attributing, General Alexander notes that it is very hard "telling one actor from another and divining actors' intentions":
Not every event that affects our networks rises to the level of a national security threat. It is important to remember that hacking, spreading malware and other malicious activities are crimes, defined domestically as well as internationally by the Convention on Cybercrime, and accordingly have legal consequences. Even if you spot an intrusion and you know it originated from an adversary, you usually cannot tell an intelligence operation from a military one. (*page 5)
As part of the overall strategic plan of the US Department of Defense, emphasis must be placed on deterrence. General Alexander notes:
Attacks by hackers and criminals can cause "nation-state sized" effects; indeed, the accidental "release" of malware might do the same, and the problem of attributing the attack to a particular actor similarly remains difficult to impossible. We have to study deterrence anew, from a variety of perspectives, and to gain clarity on our authorities. To take a thought from Sun Tzu, we must understand the cyber environment and, the capabilities of our adversaries, and our own abilities as well. This is not going to be easy, and it is not going to yield answers soon. If we know one thing from the Cold War, it is that stable deterrence can take years to achieve, and is the product of planning, analysis, and dialogue across the government, academe, and industry, and with other nations as well. Cyber deterrence will require progress in situational awareness, defense, and offensive capabilities that adversaries know we will use if we deem necessary. (*page 5)
The above is a small sample of what is available regarding title variations, possible definitions and legal classification that may have bearing when dealing with threatware. I am not a lawyer merely I am simply using legal references to help support points in this discussion and suggesting a possible direction to seek further clarifications, observations or advice.


Monday, February 01, 2016

Investigation USIM EFs and Service Table

There has been so much going on over the past year and with research and testing I haven't posted as much as I would like. The growth areas in the variety of methods and tools for logical data and physical data extraction, harvesting and examination; impact that apps and malware might have on evidence; wireless options available on smartphones and tablets changing the way traditional cell site analysis can be conducted; and the generally the explosion in mobile information and standards needing to be absorbed and understood has been mind-blowing to say the least. These and other matters have consumed my time and the casualty has been fewer posts at the blog. However, from all the work and research I will endeavour to post here, hopefully, useful examination and investigative information on areas that may have either become outdated or evolved such that particular methods applied or tools used could be out-of-date or updated.

USIM (UICC) Cards memory storage and network/user files have seen a massive increase since 2010. Just have a look back at a post in 2010 I made here at trewmte.blogspot and compare the EFUST (elementary files usim service table) in TS 31.102 back then 3g-usim-2g-sim-service-numbers.html compared to the latest releases 12 ( 31_series/31.102/ ) and 13 ( 31.102/ )

The first thing an examiner might wish do first thing in the morning at work is check whether the USIM reader tool is up-to-date. Have a look at the EFUST list and list of elementary files below and check that your reader has the capability to detect, extract and harvest data from these files. Then ask yourself do you actually understand when they are allocated and activated in a USIM what use is made of them? What evidence maybe harvested from them? How would the acquired data assist investigations in the following categories as they would apply to the use of mobile communications?

i)                    Contract Law

ii)                  Tort Law

iii)                Intellectual Property Law

iv)                Criminal (including the new Cybercrime) Law

v)                  Data Protection Law

vi)                Taxation Law

vii)              Computer Law

viii)            Communications Law

ix)                Internet Law

x)                  Etc.

Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi Level Precedence and Pre emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MexE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52 Multimedia Messaging Service (MMS)
Service n°53 Extension 8
Service n°54 Call control on GPRS by USIM
Service n°55 MMS User Connectivity Parameters
Service n°56 Network's indication of alerting in the MS (NIA)
Service n°57 VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58 VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59 Pseudonym
Service n°60 User Controlled PLMN selector for I-WLAN access
Service n°61 Operator Controlled PLMN selector for I-WLAN access
Service n°62 User controlled WSID list
Service n°63 Operator controlled WSID list
Service n°64 VGCS security
Service n°65 VBS security
Service n°66 WLAN Reauthentication Identity
Service n°67 Multimedia Messages Storage
Service n°68 Generic Bootstrapping Architecture (GBA)
Service n°69 MBMS security
Service n°70 Data download via USSD and USSD application mode
Service n°71 Equivalent HPLMN
Service n°72 Additional TERMINAL PROFILE after UICC activation
Service n°73 Equivalent HPLMN Presentation Indication
Service n°74 Last RPLMN Selection Indication
Service n°75 OMA BCAST Smart Card Profile
Service n°76 GBA-based Local Key Establishment Mechanism
Service n°77 Terminal Applications
Service n°78 Service Provider Name Icon
Service n°79 PLMN Network Name Icon
Service n°80 Connectivity Parameters for USIM IP connections
Service n°81 Home I-WLAN Specific Identifier List
Service n°82 I-WLAN Equivalent HPLMN Presentation Indication
Service n°83 I-WLAN HPLMN Priority Indication
Service n°84 I-WLAN Last Registered PLMN
Service n°85 EPS Mobility Management Information
Service n°86 Allowed CSG Lists and corresponding indications
Service n°87 Call control on EPS PDN connection by USIM
Service n°88 HPLMN Direct Access
Service n°89 eCall Data
Service n°90 Operator CSG Lists and corresponding indications
Service n°91 Support for SM-over-IP
Service n°92 Support of CSG Display Control
Service n°93 Communication Control for IMS by USIM
Service n°94 Extended Terminal Applications
Service n°95 Support of UICC access to IMS
Service n°96 Non-Access Stratum configuration by USIM
Service n°97 PWS configuration by USIM
Service n°98 RFU
Service n°99 URI support by UICC
Service n°100 Extended EARFCN support
Service n°101 ProSe
Service n°102 USAT Application Pairing

Particular note: when looking at the EFUST service list above this should not be taken as all the services that may be allocated and activated on modules in a UICC. GSM EFSST (sim service table) has particular services unique to GSM SIM (GSM 11.11), such as Service n°29: Proactive SIM which does not appear in the EFUST list. And if Service n°29: Proactive SIM is important to an investigation (and it can be) it is worth the reminder to look at GSM 11.14 (sim application toolkit) that adds services and most importantly "capabilities" between SIM and smartphone. Perhaps you might think, such as, how this can assist an investigation? My responses is consider (a) man-in-the-middle attacks (b) crime (c) cybercrime.

There has been an abundance in the growth of elementary files, too, in USIM Releases 12/13. The increase in access to varying networks by smartphones and tablets has meant the technical, privacy, commercial and monetisation influences how a subscriber latches and attaches to networks. The relevance being recovered message data for instance requires understanding and identifying how the data got there via which particular network access point etc.

3GPP TS 31.102 V12.10.0 (2016-01)
4 Contents of the Files 18
4.1 Contents of the EFs at the MF level 18
4.2 Contents of files at the USIM ADF (Application DF) level 18
4.2.1 EFLI (Language Indication) 18
4.2.2 EFIMSI (IMSI) 19
4.2.3 EFKeys (Ciphering and Integrity Keys) 20
4.2.4 EFKeysPS (Ciphering and Integrity Keys for Packet Switched domain) 21
4.2.5 EFPLMNwAcT (User controlled PLMN selector with Access Technology) 21
4.2.6 EFHPPLMN (Higher Priority PLMN search period) 22
4.2.7 EFACMmax (ACM maximum value) 23
4.2.8 EFUST (USIM Service Table) 25
4.2.9 EFACM (Accumulated Call Meter) 27
4.2.10 EFGID1 (Group Identifier Level 1) 28
4.2.11 EFGID2 (Group Identifier Level 2) 28
4.2.12 EFSPN (Service Provider Name) 28
4.2.13 EFPUCT (Price per Unit and Currency Table) 29
4.2.14 EFCBMI (Cell Broadcast Message identifier selection) 30
4.2.15 EFACC (Access Control Class) 31
4.2.16 EFFPLMN (Forbidden PLMNs) 31
4.2.17 EFLOCI (Location Information) 32
4.2.18 EFAD (Administrative Data) 33
4.2.19 Void 35
4.2.20 EFCBMID (Cell Broadcast Message Identifier for Data Download) 35
4.2.21 EFECC (Emergency Call Codes) 36
4.2.22 EFCBMIR (Cell Broadcast Message Identifier Range selection) 37
4.2.23 EFPSLOCI (Packet Switched location information) 37
4.2.24 EFFDN (Fixed Dialling Numbers) 39
4.2.25 EFSMS (Short messages) 39
4.2.27 EFSMSP (Short message service parameters) 41
4.2.28 EFSMSS (SMS status) 43
4.2.29 EFSDN (Service Dialling Numbers) 43
4.2.30 EFEXT2 (Extension2) 44
4.2.31 EFEXT3 (Extension3) 44
4.2.32 EFSMSR (Short message status reports) 45
4.2.33 EFICI (Incoming Call Information) 45
4.2.34 EFOCI (Outgoing Call Information) 49
4.2.35 EFICT (Incoming Call Timer) 50
4.2.36 EFOCT (Outgoing Call Timer) 50
4.2.37 EFEXT5 (Extension5) 51
4.2.38 EFCCP2 (Capability Configuration Parameters 2) 51
4.2.39 EFeMLPP (enhanced Multi Level Precedence and Pre-emption) 52
4.2.40 EFAaeM (Automatic Answer for eMLPP Service) 53
4.2.41 Void 54
4.2.42 EFHiddenkey (Key for hidden phone book entries) 54
4.2.43 Void 54
4.2.44 EFBDN (Barred Dialling Numbers) 54
4.2.45 EFEXT4 (Extension4) 55
4.2.46 EFCMI (Comparison Method Information) 55
4.2.47 EFEST (Enabled Services Table) 56
4.2.48 EFACL (Access Point Name Control List) 56
4.2.49 EFDCK (Depersonalisation Control Keys) 57
4.2.50 EFCNL (Co-operative Network List) 57
4.2.51 EFSTART-HFN (Initialisation values for Hyperframe number) 59
4.2.52 EFTHRESHOLD (Maximum value of START) 59
4.2.53 EFOPLMNwACT (Operator controlled PLMN selector with Access Technology) 59
4.2.54 EFHPLMNwAcT (HPLMN selector with Access Technology) 60
4.2.55 EFARR (Access Rule Reference) 61
4.2.56 Void 62
4.2.57 EFNETPAR (Network Parameters) 62
4.2.58 EFPNN (PLMN Network Name) 64
4.2.59 EFOPL (Operator PLMN List) 65
4.2.60 EFMBDN (Mailbox Dialling Numbers) 66
4.2.61 EFEXT6 (Extension6) 67
4.2.62 EFMBI (Mailbox Identifier) 67
4.2.63 EFMWIS (Message Waiting Indication Status) 67
4.2.64 EFCFIS (Call Forwarding Indication Status) 69
4.2.65 EFEXT7 (Extension7) 70
4.2.66 EFSPDI (Service Provider Display Information) 70
4.2.67 EFMMSN (MMS Notification) 71
4.2.68 EFEXT8 (Extension 8) 73
4.2.69 EFMMSICP (MMS Issuer Connectivity Parameters) 73
4.2.70 EFMMSUP (MMS User Preferences) 76
4.2.71 EFMMSUCP (MMS User Connectivity Parameters) 77
4.2.72 EFNIA (Network's Indication of Alerting) 77
4.2.73 EFVGCS (Voice Group Call Service) 78
4.2.74 EFVGCSS (Voice Group Call Service Status) 80
4.2.75 EFVBS (Voice Broadcast Service) 80
4.2.76 EFVBSS (Voice Broadcast Service Status) 82
4.2.77 EFVGCSCA (Voice Group Call Service Ciphering Algorithm) 83
4.2.78 EFVBSCA (Voice Broadcast Service Ciphering Algorithm) 84
4.2.79 EFGBABP (GBA Bootstrapping parameters) 84
4.2.80 EFMSK (MBMS Service Keys List) 85
4.2.81 EFMUK (MBMS User Key) 86
4.2.82 Void 87
4.2.83 EFGBANL (GBA NAF List) 87
4.2.84 EFEHPLMN (Equivalent HPLMN) 88
4.2.85 EFEHPLMNPI (Equivalent HPLMN Presentation Indication) 88
4.2.86 EFLRPLMNSI (Last RPLMN Selection Indication) 89
4.2.87 EFNAFKCA (NAF Key Centre Address) 89
4.2.88 EFSPNI (Service Provider Name Icon) 90
4.2.89 EFPNNI (PLMN Network Name Icon) 91
4.2.90 EFNCP-IP (Network Connectivity Parameters for USIM IP connections) 91
4.2.91 EFEPSLOCI (EPS location information) 94
4.2.92 EFEPSNSC (EPS NAS Security Context) 96
4.2.93 EFUFC (USAT Facility Control) 97
4.2.94 EFNASCONFIG (Non Access Stratum Configuration) 98
4.2.96 EFPWS (Public Warning System) 102
4.2.97 EFFDNURI (Fixed Dialling Numbers URI) 103
4.2.98 EFBDNURI (Barred Dialling Numbers URI) 104
4.2.99 EFSDNURI (Service Dialling Numbers URI) 104
4.2.100 EFIWL (IMEI(SV) White Lists) 105
4.2.101 EFIPS (IMEI(SV) Pairing Status) 106
4.2.102 EFIPD (IMEI(SV) of Pairing Device) 107

4.3 DFs at the USIM ADF (Application DF) Level 108
4.4 Contents of DFs at the USIM ADF (Application DF) level 108
4.4.1 Contents of files at the DF SoLSA level 108 EFSAI (SoLSA Access Indicator) 109 EFSLL (SoLSA LSA List) 109 LSA Descriptor files 112

4.4.2 Contents of files at the DF PHONEBOOK level 113 EFPBR (Phone Book Reference file) 113 EFIAP (Index Administration Phone book) 115 EFADN (Abbreviated dialling numbers) 116 EFEXT1 (Extension1) 119 EFPBC (Phone Book Control) 120 EFGRP (Grouping file) 121 EFAAS (Additional number Alpha String) 122 EFGAS (Grouping information Alpha String) 123 EFANR (Additional Number) 123 EFSNE (Second Name Entry) 125 EFCCP1 (Capability Configuration Parameters 1) 125 Phone Book Synchronisation 126 EFUID (Unique Identifier) 126 EFPSC (Phone book Synchronisation Counter) 127 EFCC (Change Counter) 128 EFPUID (Previous Unique Identifier) 128 EFEMAIL (e-mail address) 129 Phonebook restrictions 130 EFPURI (Phonebook URIs) 130

4.4.3 Contents of files at the DF GSM-ACCESS level  (Files required for GSM Access) 131 EFKc (GSM Ciphering key Kc) 131 EFKcGPRS (GPRS Ciphering key KcGPRS) 132 Void 132 EFCPBCCH (CPBCCH Information) 132 EFInvScan (Investigation Scan) 133
4.4.4 Contents of files at the MexE level 134 EFMexE-ST (MexE Service table) 134 EFORPK (Operator Root Public Key) 134 EFARPK (Administrator Root Public Key) 136 EFTPRPK (Third Party Root Public Key) 137 EFTKCDF (Trusted Key/Certificates Data Files) 138

4.4.5 Contents of files at the DF WLAN level 138 EFPseudo (Pseudonym) 138 EFUPLMNWLAN (User controlled PLMN selector for I-WLAN Access) 139 EFOPLMNWLAN (Operator controlled PLMN selector for I-WLAN Access) 139 EFUWSIDL (User controlled WLAN Specific Identifier List) 140 EFOWSIDL (Operator controlled WLAN Specific IdentifierList) 141 EFWRI (WLAN Reauthentication Identity) 141 EFHWSIDL (Home I-WLAN Specific Identifier List) 142 EFWEHPLMNPI (I-WLAN Equivalent HPLMN Presentation Indication) 143 EFWHPI (I-WLAN HPLMN Priority Indication) 143 EFWLRPLMN (I-WLAN Last Registered PLMN) 144 EFHPLMNDAI (HPLMN Direct Access Indicator) 144

4.4.6 Contents of files at the DF HNB level 145 Introduction 145 EFACSGL (Allowed CSG Lists) 145 EFCSGT (CSG Type) 148 EFHNBN (Home NodeB Name) 150 EFOCSGL (Operator CSG Lists) 150 EFOCSGT (Operator CSG Type) 152 EFOHNBN (Operator Home NodeB Name) 153
4.4.7 Void 153

4.4.8 Contents of files at the DF ProSe level 153 Introduction 153 EFPROSE_MON (ProSe Monitoring Parameters) 153 EFPROSE_ANN (ProSe Announcing Parameters) 154 EFPROSEFUNC (HPLMN ProSe Function) 155 EFPROSE_RADIO_COM (ProSe Direct Communication Radio Parameters) 156 EFPROSE_RADIO_MON (ProSe Direct Discovery Monitoring Radio Parameters) 157 EFPROSE_RADIO_ANN (ProSe Direct Discovery Announcing Radio Parameters) 158 EFPROSE_POLICY (ProSe Policy Parameters) 158 EFPROSE_PLMN (ProSe PLMN Parameters) 160 EFPROSE_GC (ProSe Group Counter) 161 EFPST (ProSe Service Table) 162 EFPROSE_UIRC (ProSe UsageInformationReportingConfiguration) 162

4.5 Contents of Efs at the TELECOM level 166
4.5.1 EFADN (Abbreviated dialling numbers) 166
4.5.2 EFEXT1 (Extension1) 166
4.5.3 EFECCP (Extended Capability Configuration Parameter) 166
4.5.4 EFSUME (SetUpMenu Elements) 166
4.5.5 EFARR (Access Rule Reference) 166
4.5.6 EFICE_DN (In Case of Emergency – Dialling Number) 167
4.5.7 EFICE_FF (In Case of Emergency – Free Format) 167
4.5.8 EFRMA (Remote Management Actions) 168
4.5.9 EFPSISMSC (Public Service Identity of the SM-SC) 168

4.6 Contents of DFs at the TELECOM level 168
4.6.1 Contents of files at the DFGRAPHICS level 169 EFIMG (Image) 169 EFIIDF (Image Instance Data Files) 170 EFICE graphics (In Case of Emergency – Graphics) 171 EFLAUNCH SCWS 171 EFICON 175

4.6.2 Contents of files at the DFPHONEBOOK under the DFTELECOM 176
4.6.3 Contents of files at the DFMULTIMEDIA level 176 EFMML (Multimedia Messages List) 176 EFMMDF (Multimedia Messages Data File) 179
4.7 Files of USIM 180

I will leave you to conclude whether you may think USIM has little or no relevance to an investigation.

Sunday, January 17, 2016

Malicious Code - training simulator

If you have ever had to assist others understand malware behaviour then every trainer needs a useful tool to illustrate basic concept. Marco Schweighauser has launched a useful online webpage with such a tool ( ) or a github page ( ) to download the working tool so that trainers can play with creating harmless scripts.

Marco has produced a "simulator which provides a simplified assembler syntax (based on NASM) and is simulating a x86 like cpu." The tool is demonstrated by using default code "HELLO WORLD" and presented as a visualisation for illustrative and activity purposes relating to registers, flags, Instruction Pointer (IP), Stack Pointer (SP), RAM, machine code, stack, and memory mapping when following how the harmless code is executed either in RUN or STEP mode.

Iko Knyphausen (Computer Forensic Examiner, Intrusion & Malware Analyst at /d/b/a Datasource Forensics) has played with a simple but harmless malicious code ( to demonstrate malware in action by overwriting HELLO WORLD. Cut and paste the example into the online or downloaded tool and watch the activity.


; Writes Hello World to the output and emulates an infection; At the beginning of the PRINT function a simulated buffer
; overwrite called "stack_smash" pushes 12 values to
; the stack. After the print function has printed Hello World !
; it RETURNs but sets the Instruction Pointer to a manipulated
; address on the stack. From there execution continues on the
; stack, in this example overwriting all output with asterisk *
; characters.

; Single step through this demo for best results ;-)

    JMP start
name:     DB "Hello World!" ; Variable
           DB 0    ; String terminator

    MOV C, name    ; Point to var
    MOV D, 232    ; Point to output
    CALL print
        HLT             ; Stop execution

print:            ; print characters from var to output
    stack_smash:     ; this would typically be a buffer
            ; overwrite which we simulate by
            ; pushing 12 values onto the stack
            ; in reverse order
            ; the RET operation from the print
            ; function puts the instruction pointer
            ; to 0xDC and overwrites the output
            ; with * characters in reverse order
    PUSH 0        ; HLT
    PUSH 0xDC    ; LOOP back to this address on stack
    PUSH 39        ; JNZ 0xDB
    PUSH 232    ; the beginning of the output memory
    PUSH 3
    PUSH 23        ; CMP D, 232
    PUSH 42        ; character to overwrite output
    PUSH 3
    PUSH 8        ; MOV number to reg_address
    PUSH 3
    PUSH 19        ; DEC register #3 = D
    PUSH 0xDC    ; RET from print will pull this address

    MOV B, 0
    MOV A, [C]    ; Get char from var
    MOV [D], A    ; Write to output
    INC C
    INC D  
    CMP B, [C]    ; Check if end
    JNZ .loop    ; jump if not

    RET        ; loads malicious return address from stack


To understand assembler code visit:

Sunday, December 27, 2015

SDD: TRIM, GC and Greedy Garbage etc

SDD: TRIM, GC and Greedy Garbage etc

It is amazing how we can all look at the same subject but still have a wide range of views. If the discussion is about TRIM and GC then the two should not be confused. That is fair warning, but isn't there something quite obvious in the two different titles? If we extend confusion further what Write Amplification or hot and cold data or SSDs with no TRIM feature at all? The diversity in opinions may well be put down to has:

(a) conducted tests and
(b) which tests were they
(c) any standard involved
(d) any manufacturer spec involved and
(e) any research material read influencing the thought processes?

Who knows the answers as many of the discussions read rarely identify the sources of knowledge.

I cannot guarantee you that this thread will provide all the answers but here are some sources of information that may help. Perhaps you can contribute, too? The materials are not arranged in any particular order.

why-ssd-destroy-court-evidence -

ssd-2014 -

Mac OSx enabling TRIM -

Kingston on Garbage Collection -

On the Optimality of Greedy Garbage Collection for SSDs -

Write Amplification -

A Mean Field Model for a Class of Garbage Collection
Algorithms in Flash-based Solid State Drives

Establishing Professional Guidelines for SSD Forensics: A Case Study -

 Model and Analysis of Trim Commands in Solid State Drives -

To TRIM or Not to TRIM: Judicious TRIMing for Solid State Drives -

DELL Solid State Drive (SSD) FAQ -

SATA-IO Releases Revision 3.1 Specification -

The Fundamental Limit of Flash Random Write Performance: Understanding, Analysis and Performance Modelling -

Performance of garbage collection algorithms for flash-based solid state drives with hot/cold data -

Extending the Lifetime of Flash-based Storage through Reducing Write Amplification from File Systems -

Data Set Management Commands Proposal for ATA8-ACS2 2007 -

Information technology -ATA/ATAPI Command Set - 2 (ACS-2) 2009 -

Information technology -ATA/ATAPI Command Set - 2 (ACS-2) 2011 -

Modelling and Managing SSD Write-amplification -

Sunday, December 20, 2015

Updated: Employment or Computer Forensics Course 2016

There are many people who would like to go into computer forensics that maybe are working elsewhere, currently studying an associated or indirect subject or generally have an interest to find out more. The prospect of employment is naturally the primary objective.

There are many ways to objectify and define a career path. Some look at the academic route first, some the employment route and others take measured assessments to determine the best path forward. It is whatever suits you best because work in civilian careers is different when working with a public sector agency.

1) Interested in working in the public sector - seek out the agency that is of interest to you and find their careers webpage. Now visit other agencies and see if there is a common theme of interest e.g. computer and smartphone forensics, digital investigations etc.

2) Are the qualifications or experience you need for the vacancy and any training offered?

3) Write to an agency to ask for their public statement on recruiting civilian employees in computer forensics?

4) Ask for the link to their public webpage that describes the equal opportunities the public sector agency is lawfully bound to publicise.

What if the private sector is more appealing to you. The above should still stand you in good stead.

Be smart and understand employment advertisements that are simply asking too much e.g. the applicant should be Einstein, know everything, but work for a pittance. These adverts do more harm than good.  Apply a litmus test - (a) what is the time period of experience the person would need to qualify for each subject and then (b) how old does the person need to be.

An example of an employment advertisement seen recently, we looked at the Job description compared with the experience the person would need for each of the subject matters set out in the job description.

A test criteria was identified as to what knowledge skill and experience the applicant would need:

a) read a book,
b) 6mths,
c) 2yrs,
d) 5yrs,
e) 10yrs

Computer Science/Criminal Justice: ........ -v- ..........Time period of experience
- Teach undergraduate and graduate a book, 6mths, 2yrs, 5yrs, 10yrs
- basic and advanced digital forensics and cyber a book, 6mths, 2yrs, 5yrs 10yrs
- Knowledge of digital evidence and a book, 6mths, 2yrs, 5yrs, 10yrs
- network a book, 6mths, 2yrs, 5yrs, 10yrs
- a book, 6mths, 2yrs, 5yrs, 10yrs
- risk a book, 6mths, 2yrs, 5yrs, 10yrs
- information a book, 6mths, 2yrs, 5yrs, 10yrs
- information assurance a book, 6mths, 2yrs, 5yrs 10yrs
- network a book, 6mths, 2yrs, 5yrs, 10yrs
- incident a book, 6mths, 2yrs, 5yrs, 10yrs
- vulnerability a book, 6mths, 2yrs, 5yrs, 10yrs

Given the title of the knowledge, skills and experience sought in the job description realistically a candidate would need to have had maybe between 3yrs-5yrs on each subject. This suggests between 33 to 55 years exposure to dealing with those subjects. So a candidate having started out learning at 20 years of age should be between the age of 53 to 75 to apply for the vacancy?

Alternatively, if only three subjects were the primary requirement then possibly 10 years of knowledge skill and experience might be necessary and the other subjects might be covered by reading a book on each subject.

There are many good employment agencies out there who are sensible and reasonable and define to their clients that given the sum of money they want to pay for the vacancy there needs to be incentives defined for extra knowledge, skills and experience being brought in-house that the company sells as a service to customers as value-added services.  And that is a key-point for potential recruits - what VALUE-ADDED knowledge, skills and experience could you offer above the job description. Never, ever agree to provide every bit knowledge, skills and experience defined in an advertisement.

Absolute goal for research and during interviews:

i) Know the company you want to work for?
ii) Know who are their major competitors?
iii) Seek out the companies market share?
iv) Know whether you can assist maintain their current share or improve on it (e.g. Value Added)?
v) What is the financial status of the company?
vi) Whilst potential employers want to know your life story you equally have the right to know their story, too?
vii) Don't turn down a good job for one thought to be better, only to find out the latter company is using short term government grants to get people off unemployment. Check what is meant by probationary period.

I have updated, as of today (20/12/2015), a list of Universities in England, Wales, Scotland and Ireland offering computer forensic courses for 2016 that are stand alone or incorporated with another subject matter.

These are useful website to find out about the educational qualifications available for computer forensics and related subjects.  I haven't hinted my suggestions about the courses because some fundamental requirements of any forensics discipline is that a person's learns how to:

(1) source information
(2) thoroughly research
(3) identify salient details and facts

University of Bedfordshire

Birmingham City University

Canterbury Christ Church University

Cranfield University

De Montfort University

University of Derby

University of Gloucestershire

University of Greenwich

University of Central Lancashire

Leeds Metropolitan University

Liverpool John Moores University

University of East London

London Metropolitan University

University of London - Royal Holloway

Manchester Metropolitan University

Middlesex University

Northumbria University

The Open University

University of Portsmouth

Sheffield Hallam University

Staffordshire University

University of Sunderland

Teesside University

University of the West of England


Blanchardstown Institute of Technology

University College Dublin

Dublin City University

Letterkenny Institute of Technology

Waterford Institute of Technology


Edinburgh Napier University

University of Glasgow

Glasgow Caledonian University


Cardiff University

University of Glamorgan