Thursday, October 09, 2014

Fast moving wireless world

I have been working on research into the changing landscape for cell site analysis (CSA), which requires understanding the complex interplay of the various wireless connectivity technologies that together create a universal point-of-presence for mobile users. Moreover, CSA is equally being impacted by the architecture defining the internet of things (IoT), which is driving growth in M2M wireless devices; naturally, wireless forensics in this area will grow, too.

M2M was highlighted back in 2011

M2M Crime

Mobile Markets: Nokia 'Mobile Man' tells of a story


Reverse Engineering For Beginners

Steve Hailey* kindly sent out a reminder about Reverse Engineering for Beginners, a guide with "Lots of great information that will be especially helpful for reverse engineering malware that you come across in your investigations......" It is "652 pages, all free. You do not need to give out your personal information or subscribe to anything..."

The original link to get the publication is no longer current. However, a copy can still be downloaded using the following link: 

*Steve is President/CEO of the CyberSecurity Institute, a practising Consultant and Digital Forensic Examiner, and also works as an Educator, InfoSec Author and Lecturer

Tuesday, July 22, 2014

LTE-WiFi Aggregation

LTE-U workshop: LAA (Licensed Assisted Access) - Use cases and scenarios


LTE workshop: LAA (Licensed Assisted Access)

Saturday, July 19, 2014

International Telecommunications Union and CSA

Were the standards to be made binding, that could have political implications and ramifications regarding national sovereignty etc. However, standards adopted by the ITU are called "recommendations". The recommendations are adopted voluntarily by member states. A recommendation can, though, become directly or indirectly binding if it is incorporated into a member state's legislation: where the legislation refers to a particular ITU recommendation, that would be a direct binding agreement. An indirect binding agreement could be where European legislation does not mention the ITU recommendation per se but refers to CEPT or ETSI standards that are in turn derived from ITU recommendations. Were there to be an inextricable link requiring identical wording between the CEPT/ETSI standard and the ITU recommendation, then that may amount to an indirect binding agreement with, or to, the ITU recommendation.

CSA - Site Survey Method 2/ITU -

As this discussion relates to CSA and identified recommendations listed here ( ) the detail below highlights the radio subject matter from the division ITU-R.

Sunday, July 13, 2014

CSA, propagation and keeping norms

CSA, propagation and keeping norms is an in-for-the-long-haul series of discussions about CSA (cell site analysis) and highlighting all the wider area topics of CSA that seldom get discussed. The first three discussions can be found here:

CSA - Site Survey Method -

CSA - Site Survey Method 1 -

CSA - Site Survey Method 2 -

Sunday, June 08, 2014

GSM Normal Burst Power/Time Template

The image (below) is of the power/time template illustrating a GSM Normal Burst (GSM 05.01/05.02). A single burst, when transmitted, may contain up to 114 bits of useful speech data. Given that GSM radio signals traverse the ether in microseconds, are received at the destination handset and processed by it in milliseconds, and are converted into audible speech within a second or two, there are possibilities for examiners to demonstrate the power of mobile communications.

For instance, an attacker communicating a single 'provocative' word consisting of 80 bits in a normal burst to an accomplice could be:

D               E              T              O              N             A              T               E
01000100 01000101 01010100 01001111 01001110 01000001 01010100 01000101

The entire timing of this event may last no longer than 2 seconds. When you get time, try a simple test to see how many clearly audible words you can speak within 2 seconds and what messages can be communicated in that time. Moreover, the clock for recording call records can operate in 1000ths of a second, separated into 5 x 200ths of a second. Whilst it is possible to see a call detail record showing a 0-second call duration, and it is generally accepted that no meaningful communication is taking place in such a case, what about a call that lasts 1, 2 or 3 seconds?
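As an added illustration (not part of the original post), the script below models the normal burst field layout from GSM 05.02 (tail bits, two 57-bit data fields, stealing flags, training sequence, guard period), reproduces the 8-bit ASCII table above, and then works out how many bursts a given word needs and the resulting airtime. The field lengths and the 48/13 microsecond bit period are standard GSM values; the longer test phrase is constructed.

```python
# Added example (not from the original post): models the GSM Normal Burst
# field layout from GSM 05.02 and checks how much 8-bit ASCII text fits into
# the 114 data bits of one burst. "DETONATE" is the post's own sample word.
from typing import List, Tuple

BIT_PERIOD_US = 48 / 13  # one GSM bit period, about 3.69 microseconds
TDMA_FRAME_MS = 8 * 156.25 * BIT_PERIOD_US / 1000  # 8 timeslots, ~4.615 ms

# (field, length in bit periods) of a normal burst, in transmission order
NORMAL_BURST: List[Tuple[str, float]] = [
    ("tail", 3), ("data", 57), ("stealing_flag", 1),
    ("training_sequence", 26), ("stealing_flag", 1),
    ("data", 57), ("tail", 3), ("guard", 8.25),
]

def burst_length_bits() -> float:
    """Total bit periods in one burst, including the guard period (156.25)."""
    return sum(n for _, n in NORMAL_BURST)

def burst_duration_us() -> float:
    """Airtime of one burst, about 577 microseconds."""
    return burst_length_bits() * BIT_PERIOD_US

def payload_bits_per_burst() -> int:
    """Useful data bits per burst: the two 57-bit data fields (114)."""
    return int(sum(n for f, n in NORMAL_BURST if f == "data"))

def ascii_to_bits(word: str) -> str:
    """8-bit ASCII, one group per character, as laid out in the post's table."""
    return " ".join(format(b, "08b") for b in word.encode("ascii"))

def bursts_needed(word: str) -> int:
    """Bursts required to carry the raw ASCII bits (no channel coding applied)."""
    nbits = len(word.encode("ascii")) * 8
    return -(-nbits // payload_bits_per_burst())  # ceiling division

def airtime_ms(word: str) -> float:
    """Elapsed time if each burst goes in the same timeslot of successive frames."""
    n = bursts_needed(word)
    return (n - 1) * TDMA_FRAME_MS + burst_duration_us() / 1000

if __name__ == "__main__":
    w = "DETONATE"
    print(ascii_to_bits(w))
    print(f"{len(w) * 8} bits -> {bursts_needed(w)} burst(s), ~{airtime_ms(w):.3f} ms")
```

Real speech goes through source and channel coding and is interleaved over several bursts, so the raw bit budget here is a lower bound on airtime, not a model of the speech codec.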

The knowledge tool to demonstrate the GSM Normal Burst power/time template, the power output of MS and BTS etc can be found in 3GPP TS 05.05 V8.20.00 (2005-11) Release 99.

Friday, June 06, 2014

D-Day 6th June

On the 6th June 2011 I wrote about D-Day at this blog. I did so because much of history was being forgotten by the younger generation. When I posted the thread below the blog received nearly 3000 hits in a few days. In 2014, we are now seeing a substantial increase, reported in the papers and on television, raising awareness about this day and other important historical dates that allow the young generation to re-connect with their heritage. It is so important to keep this knowledge flowing from generation to generation if the mistakes of the past are not to be forgotten but, worse still, to be repeated.

Today, this day, is remembrance of those men and women who fought, and so many gave their lives, to bring hope that we could enjoy our sunny days of freedom. 

This photo reminds me of how appropriate it is to use the words real heroes.

D-Day 6th June

I mentioned today's important date to a number of people. Quite a few had forgotten the date and mainly the younger generation didn't know about events that took place on this date back in 1944.

For anyone who may have missed it or might want to know more, here are some links providing the historical background.

British Legion Remembrance d-day-65
Wikipedia Normandy Landings
Britannica DDay
Remembrance D-Day.html
Lifeformation D-Day


Sunday, May 04, 2014

iPhone factory reset bars access to revelation

It has been known for some time that there is no general release that can handle the deleted encrypted data on the iPhone 4s onwards. The latest article in The Register ( ) rehearses a discussion the forensic community has already had about deleted keys and deleted encrypted data. The factory reset point merely reconfirms another method by which a user can select an iPhone process that causes the data to no longer be available for access by the user.

These are just my own observations, but I would find it highly surprising if the 'clever department' at Apple had not prepared for the day when National Security walks through the door with a grade 'X-level' warrant to decrypt, no matter the state of the smartphone. Germane and relevant to this type of discussion is that 'keys' are not so randomly generated that Apple couldn't predetermine access doors or decryption methods based upon the smartphone's IMEI, manufacturing batch, core processor, chip/s, board layout, country of supply and iOS etc., that being one side of the coin **. We are of course all being induced into talking about the other side of that same coin: the iPhone's encrypted data made inert, such that the data has no inherent power of action, motion or resistance, or has little or no ability to react.

Fig.1 Example of a hacker's study for accessing an iPhone memory chip 

History has shown that, through necessity or hacking, revelation can always be possible. An example of gaining access where the manufacturer failed to correct a security flaw in spite of being advised about it is not new ( ). Maybe a solution isn't too far off, whether introduced by the manufacturer (vertical revenue stream) or by another source divulging a method to reveal. However, we do need to be clear about where we stand. Forensics provides a particular 'defined approach' to examine and analyse a 'thing'. The process and procedures applied to the examination and analysis of a 'thing' take into account various paths of enquiry, including: the producer/manufacturer spec of the thing; any international, national and industry standards and legal requirements applicable to it; any academic and non-academic studies and materials that may be applicable; and the skill, knowledge and experience of the individual involved with the examination and analysis. What we don't do, or shouldn't do, during the forensic process and procedures is 'hack', in the way hacking is commonly understood to be carried out, or reverse engineer. The reason is that by hacking/reverse engineering a thing, a potential pitfall arises: the individual may cause or induce an event to occur on or in, e.g., a smartphone that would have been impossible or unknown to the user of the smartphone, and potentially create a suggestion of culpability that didn't exist previously (added/lost data etc.).

** Update 09/05/2014

"These Guidelines are provided for use by law enforcement or other government entities in the U.S. when seeking information from Apple Inc. (“Apple”) about users of Apple’s products and services, or from Apple devices. Apple will update these Guidelines as necessary. This version was released on May 7th, 2014."

"I. Extracting Data from Passcode Locked iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media.   Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

The data extraction process can only be performed at Apple’s Cupertino, CA headquarters for devices that are in good working order. For Apple to assist in this process, the language outlined below must be included in a search warrant, and the search warrant must include the serial or IMEI number of the device. For more information on locating the IMEI and serial number of an iOS device, refer to

Please make sure that the name of the judge on the search warrant is printed clearly and legibly in order for the paperwork to be completed."