Wednesday, February 14, 2018

Important principles in digital forensics

At a time when digital forensics is under the spotlight and taking salvos of criticism for poor performance and lack of knowledge about its own scientific subject matter ( and there is no better time than to refresh on principles to signpost the way to go or leave a breadcrumb trail to find the way back to safe ground.

I posted comments back in November 2006 ( identifying principles to remember, recall and apply, when conducting Cell Site Analysis (CSA) - but they apply to examinations also -  that are still relevant to today (2G/3G/4G/5G/etc....) as they were since the inception of digital cellular radio services back in the late 1980s/1990s.

The requirements identified in standards as "mandatory", "conditional", "recommendations" and so on are not written for fun;  nor to be wilfully disregarded just because they appear complex, complicated or difficult e.g. cannot be bothered to learn them, my device/machine does the thinking for me; both render the human-being to be no more than a perfunctory-goffer (human obsolescence) for the processes generated by software and algorithms in a device or machine.

The four principles to easily remember, recall and apply:

- There are mandatory requirements with mandatory outcomes
- There are mandatory requirements with optional outcomes
- There are optional requirements with mandatory outcomes
- There are optional requirements with optional outcomes

Moreover, and a fundamental (and one might suggest absolute) requirement, is the importance to understanding 'Modal verbs terminology' adopted in the standards.

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions)

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Wednesday, January 10, 2018

URN Namespace and IMEI

RFC8141 - A Uniform Resource Name (URN) is a Uniform Resource Identifier (URI) [ RFC3986] that is assigned under the "urn" URI scheme and a particular URN namespace, with the intent that the URN will be a persistent, location-independent resource identifier. A URN namespace is a collection of such URNs, each of which is (1) unique, (2) assigned in a consistent and managed way, and (3) assigned according to a common definition. (

Image courtesy of Diameter-Protocol

RFC7255 - This specification defines how the Uniform Resource Name (URN) reserved for the Global System for Mobile Communications Association (GSMA) identities and its sub-namespace for the International Mobile station Equipment Identity (IMEI) can be used as an instance-id. Its purpose is to fulfil the requirements for defining how a specific URN needs to be constructed and used in the ’+sip.instance’ Contact header field parameter for outbound behaviour. (

RFC7254 - This specification defines a Uniform Resource Name (URN) namespace for the Global System for Mobile Communications Association (GSMA) and a Namespace Specific String (NSS) for the International Mobile station Equipment Identity (IMEI), as well as an associated parameter for the International Mobile station Equipment Identity and Software Version number (IMEISV) as per the namespace registration requirement found in RFC 3406 [ 1]. The Namespace Identifier (NID) ’gsma’ is for identities used in GSM, Universal Mobile Telecommunications System (UMTS), and Long Term Evolution (LTE) networks. The IMEI and the IMEISV are managed by the GSMA, so this NID is managed by the GSMA. (

Tuesday, November 07, 2017

100 Years - Remembrance Day 11/11/2017

I do not know the artist but the message in the painting below is understood. If you haven't done so and you see a person selling Poppies do stop and buy one; even if you give 5p it goes to a good cause.

11th NOVEMBER (1917-2017)

We stand on the shoulders of those who fought and gave us "freedom and liberties" which are so easily taken for granted today.

Sunday, October 29, 2017

Understanding Metadata

NISA 2017 - UNDERSTANDING METADATA - WHAT IS METADATA, AND WHAT IS IT FOR? is available. Surprisingly, not read anywhere else that this update was out, being that it is a highly relevant subject to digital (mobile, computer, audio, etc.) forensics.

Android CDD

As of the 1st September 2017 Android published their updated Compatibility Definitions Document version 8.

9.8.1 . Usage History - Android stores the history of the user's choices and manages such history by UsageStatsManager . Device implementations: [C-1 -1 ] MUST keep a reasonable retention period of such user history. [SR] Are STRONGLY RECOMMENDED to keep the 1 4 days retention period as configured by default in the AOSP implementation.

See also: 9.9. Data Storage Encryption, 9.9.2. File Based Encryption, 9.9.3. Full Disk Encryption,

Face Recognition

Following Apple's Face ID launch this is one of those hot topics at the moment. This technology is not without its sceptics and questions still remain whether it can become full proof. In today's world, that is a big ask.

I have collected some bits and pieces worth reading.

Apple's September 2017 paper on face ID and security - []

Kairos produce a useful comparison chart of facial recognition services[]

The Guardian Newspaper published an article of Samsung's flawed Iris scanner - []

New research proposal just out 'Bypassing 3D Facial Recognition Authentication on Mobile Devices' - []

NCSC Cyber Security: Small Business Guide

Cyber security can feel like a daunting challenge for many small business owners. But it needn’t be. Following the five quick and easy steps outlined in this guide could save time, money and even your business’ reputation.

National Crime Agency - Suspicious Activity Reports (SARs) 2017

A lot of good work being achieved by the NCA.

Threema - white paper

Latest white paper Sept 2017

Threema is the world’s favourite secure messenger and keeps your data out of the hands of hackers, corporations and governments. Threema can be used completely anonymously, allows to make end-to-end encrypted voice calls, and offers every feature one would expect from a state-of-the-art instant messenger.

Useful for running lab tests.

Childrens' Smart Watch Tracking Movements

Is a stranger hacking your child's smart watch? Warning that loopholes in the devices are being targeted to track youngsters' movements.

Daily Mail Science Tech Article 4991102

Mobile Data Traffic 2016-2021

Very Low Cost Training $99.00 - US Marketplace

Just been reading a post from Dennis Carroll Special Agent / Law Enforcement Instructor about some very low cost training in the States

"The Fox Valley Technical College in partnership with the National Criminal Justice Training Center (NCJTC) have approved my three day cellular device investigations course. The first course is being offered in Appleton Wisconsin in December as a pilot and then throughout the US as requested. The FVTC and NCJTC have obtained a grant to lower the cost of this course to $99. This is the lowest price you will find for a three day comprehensive cellular device investigation course. There is a link to request this course at your host agency on the link below. Please share if you would."

5G in Five Minutes

New Cyber Report recognises legal actions

June 2015 I sketched foreseen legal actions impacting on cybercrime. I posted a diagram-infographic in Feb 2016 "LEGALLY SPEAKING – OBSERVATIONS CHART FOR JUDGES BARRISTERS AND SOLICIT0RS" -

I am pleased to see that ETSI (European Telecommunications Standards Institute) have also picked up on my themes in their 2017 published technical report (TR) CYBER; Implementation of the Network and Information Security (NIS) Directive ETSI TR 103 456 V1.1.1 (2017-10) with reference to Contract, Tort and Crime.

Sunday, September 10, 2017

Dolphin Ultrasonic Commands Voice Assistance

A newly issued report makes me wonder whether a Dog Whistle could issue commands to voice assistance devices?  Dolphin ultrasonic audio, not within human hearing range, can issue commands to voice assistance Amazon, Apple and Google devices according to a news report  from the BBC -

The basis of the BBC report is underpinned from Chinese research that can be found here: Dolphin Attack: Inaudible Voice Commands -

Tuesday, August 22, 2017

Universal Network Investigations Updates

Universal Network Investigations (at LinkedIn) is a discussion group exists to assist telecoms, cyber, forensics, information security, pen testing, and fault-finding investigations: to exchange observations and sharing 'intel' in a closed forum discussing fixed and mobile network investigations - trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.). Investigations can start with examining a device or network activity, so all aspects will be posted in the group.

To join -

Group Rules:
1) Chatham House Rule applies.
2) An essential aspect of joining the Group is to participate and share knowledge, skills and experience.
3) No selling, no spamming.

Latest Posts
- Dropped phones
- Tool for the Investigator ISMS Toolbox
- Apple Secure Enclave Processer (SEP) - Hacked
- Purging Data HDD (InfoSec)
- Rack and Ruin
- When a Genuine Product is used as a Rogue Device
- GDPR-1
- Framework for Digital Forensic Employment KSE (knowledge, skills, experience)
- VOIP Basics (updated)

- Tool for the Investigator ISMS Toolbox
- Cisco IOS Versions
- First Hop Redundancy
- Frame Mode MPLS
- IEEE 802.11 WLAN
- IOS Interior Routing Protocols
- IOS IPv4 Access Lists
- IOS Zone Based Firewall
- IPSec
- IPv4 Multicast
- IPv6
- Physical Terminations
- QoS
- Scapy
- Spanning Tree
- TCP Dump
- Wireshark Display Filters
- BILL - Internet of Things IoT Cybersecurity Improvement Act
- 1995-2017 Computer Security (Information Security)
- So what does the TIMSI get me?
- Federal data collection MRMCD
- Tech Against Terrorism
- Telecommunications (Interception and Access) Act 1979 (2017) (Australia)
- 27,482 cyber security incidents reported in H1 2017
- Surveillance Drones Report
- Smartphone Cybercrime
- PSCR Network Identifiers Demonstration Guidelines
- Plan MNC
- Ping Test
- MNC Probe Metrics
- ITU-T GSM Country Codes
- IMSI Prepaid MVNO
- G42UMTS Security
- Cyber Threats to Mobile Phones
- Building Mobile Tools for Rights Defenders and Activists
- UTC Document Register
- IMSI Assignment and Management Guidelines and Procedures
- Evolution in the Use of E.212 Mobile Network Codes
- 3rd Party Access to Number Portability Data
- Evolution in CLI usage
- Wrong Evidence Capture Tools
- Phone Hacks
- Multi-Traceroute (MTR) in NST
- Detecting Hidden Networks created with USB Devices
- Infrastructure - human access - fake fingerprint
- Operator 'Law Enforcement Disclosure' reporting
- Covert Tactical Measures
- Annual Cybersecurity Report - 2017
- Infrastructure Security Report - Worldwide
- Real Intelligence Threat Analysis (RITA)
- GSM Security Threat Risks
- Where to begin?
- RSOE EDIS Emergency and Disaster Information Service
- GSM Security Threat Risks
- NOC NOC - Fault Management and Troubleshooting
- SS7 and 2FA
- Detection in a multilayer network
- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huaewi overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Application Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)