Thursday, February 23, 2017

Secrets and Evidence of Older Mobiles

It is good to learn that the Nokia 3310 may make a return, albeit with an Android operating system. The nostalgia for these types of mobile phones has clearly not been lost. What it might suggest is that consumers still want a mobile telephone to remain a mobile telephone and to look like one.

The older mobile phones I have in mind though are the ones that are still used in examinations, investigations and research. Since there is nostalgic sentiment in the air I thought you might be interested in some examples of older mobile phones from my lab toolkit.


Now these old buzzards are used for basic GSM telephony services. There isn't a universal SIM that will work with all of them, as some in my collection operate with a 5-volt SIM and so on. Importantly, they are used because they have an external antenna, some with an extendable external antenna. In some investigation instances RSSI will show network detection and a small amount of RF power, whereas mobiles/smartphones with embedded antennas show Emergency Calls Only.

You might recall I have written numerous articles on radio surveys and two that may seem appropriate to this discussion are:

CSA: Mobile Phones and Fringe Coverage
http://trewmte.blogspot.co.uk/2010/06/csa-mobile-phones-and-fringe-coverage.html

GSM Radio Test Measurements
http://trewmte.blogspot.co.uk/2010/06/gsm-radio-test-measurements.html

The next selection of mobiles/smartphones each provide different radio characteristics due to the manufacturer's selection of RF chipset and functionality.


My five beauties, as I call them, are my Nokia 3210s. Great phones, and they still operate perfectly well today. You can also see in the photo that all bar one mobile have an embedded antenna. Some are mobile phones and some are smartphones. Combined they offer the ability for RF surveys and for testing voice telephony, data downloads, instant messaging etc. The common laptop application Network Monitor (NMonitor/NetMonitor) still provides good feedback when connected to the Nokia 3210 (nmon activated). Blackberry requires a bit of setting up with applications such as MagicBerry, BBHTool, etc., and creating JAD-files (depending on what you want to achieve). The Samsung models GT-I8160 and GT-I9100 are both used with 2G and 3G networks and illustrate the point that two models of smartphone from the same manufacturer display different RF survey details.


Now I won't bore you with an explanation of the details; suffice it to say that these investigation RF surveys require knowing the various ServiceMode states. In particular, if you are conducting a PRACH and RACH survey, relevant to investigations of Access Requests (e.g. the phone is not in idle mode but seeking a service), then the GT-I9100 is useful in that it displays not just the LAC but also the Cell ID on which the RACH (access) request was made. Quite a few mobiles do not do this when looking into the ServiceMode states. You have to be quick, mind you, as the ServiceMode screen changes fairly quickly if you are not ready to take a photo.


Yet another quite old-ish mobile phone that I haven't shown so far is the Nokia 6303. The photo shown below should explain everything. But for those not familiar with testing and examination: where a charge appears in the billing for an SMS, or at least details of a called number to which an SMS was sent (even if the sent message is free), it is quite possible that the receiving party can read the message but the message won't be saved. This is known as a Class 0 message (commonly referred to as a Flash Message). Depending on the make and model of mobile phone, part or all of the message, which is only held in RAM, might still be recoverable, provided seizure and examination are undertaken and completed fairly quickly, as RAM is updating perpetually.



The Nokia 6303 is one of those mobiles where the handset manufacturer, in combination with the mobile network operator, enabled this feature, as they foresaw revenue generation from it and also recognised that a reasonable memory storage capacity in the handset and SIM card need not be cluttered with trivial messages.

The 6303 came with a 940 MB memory card for downloaded applications etc. This proved to be useful in an investigation where text messages didn't have alphabet characters but a series of dots and dashes. At first it was thought this was incomplete text chat messages or some sort of smiley face that didn't form properly when typed on the screen.



When reviewing hundreds of text messages recovered from a mobile or smart phone it is quite easy to overlook or ignore a message as being meaningless. However, I researched the matter and following testing the message turned out to be Morse Code. I tracked down the application for this and cross-checked with the device that had been examined.


So next time you see a text message with an odd presentation, look closely to see whether it has relevance and whether your mobile phone forensic suite software has the capability either to identify that the message contains additional features or to translate the message.
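As an added example (not code from this blog or from any forensic suite), the following Python helpers show the two checks discussed above in working form: identifying a Class 0 (flash) message from the SMS TP-DCS byte as defined in 3GPP TS 23.038, and translating a dots-and-dashes message body as Morse code. The sample records at the end are constructed, not taken from any examined device.

```python
# Triage helpers for recovered SMS records: flag a Class 0 (flash) message from
# its Data Coding Scheme byte and translate a dots-and-dashes body as Morse code.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

def sms_class(dcs):
    """Message class (0-3) carried in a TP-DCS byte per 3GPP TS 23.038, or None
    when the byte carries no class. Class 0 is the flash message the post
    describes: displayed immediately and normally not stored by the handset."""
    group = dcs >> 4
    if group <= 0x3:            # general data coding: bit 4 says a class is present
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:            # data coding / message class group: class always present
        return dcs & 0x03
    return None                 # message-waiting and reserved groups carry no class

def is_flash_message(dcs):
    return sms_class(dcs) == 0

def looks_like_morse(text):
    """True when the body is only dots, dashes and separators (what a reviewer
    might otherwise dismiss as a broken smiley or truncated chat text)."""
    stripped = text.strip()
    return bool(stripped) and set(stripped) <= set(".-/ ")

def decode_morse(text):
    """Translate Morse: spaces separate letters, '/' separates words.
    Unknown symbol groups become '?' rather than being silently dropped."""
    words = []
    for word in text.strip().split("/"):
        letters = [MORSE.get(sym, "?") for sym in word.split()]
        words.append("".join(letters))
    return " ".join(w for w in words if w)

def triage_message(dcs, body):
    """Summarise one recovered message the way a reviewer would want it flagged."""
    result = {"class": sms_class(dcs), "flash": is_flash_message(dcs), "morse": None}
    if looks_like_morse(body):
        result["morse"] = decode_morse(body)
    return result

# Constructed sample records (DCS byte, body); not from any examined device.
SAMPLES = [
    (0x10, "Your code is 4821"),                         # 7-bit, class 0: flash message
    (0x00, "... --- ... / -- . . - / .- - / ---.. "),   # ordinary SMS with a Morse body
    (0xF5, "hello"),                                     # 8-bit, class 1: stored normally
]

if __name__ == "__main__":
    for dcs, body in SAMPLES:
        print(hex(dcs), triage_message(dcs, body))
```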

Hope you have enjoyed this brief look at older mobile phones used in and for mobile forensic examination, investigations and research.

Wednesday, February 01, 2017

HERREVAD Databases Geo Location Artefacts

From a recent discussion regarding HERREVAD Databases it has emerged that they are in fact undocumented Android features for Google Mobile Services (GMS). Any data extracted and harvested from these databases is recovered on an "as is" basis. Oxygen Forensic Detective 911 WiFiHistory.png presents a helpful and useful example of data recovered from HERREVAD:


The research conducted found that little has been written about HERREVAD (GMS). There may be more information out there, possibly in an internet walled garden, but not very much is revealed using the well-known internet search engines. What has been discovered is recorded below, so that should more information come to light this discussion can be updated.

As can be seen in the above screen image, it shows records of WiFi History of connections to WiFi network servers. In this regard, as has been previously stated in another discussion at this blog, WiFi location analysis should naturally form part of cell site analysis, as smartphones have multiple radios in them (http://trewmte.blogspot.co.uk/2014/08/csa-site-survey-method4cell-types.html).


Three databases have been identified so far, but no information was found that actually described what each database recorded, so assumptions are based upon the titles of the databases and the data recovered:

'/data/data/com.google.android.gms/shared_prefs/herrevad.xml'
'/data/data/com.google.android.gms/databases/herrevad'
'/data/data/com.google.android.gms/databases/herrevad-journal'

Moreover, no guidance was found to define whether each of the databases provides data-support to the others. It is an assumption that the information stored in each combines to provide an abstract of connection events. It could be said this is evidence of the 'fact' that the data are recorded there. It means the recording was made due to a smartphone's sensor activity showing the device had detected and decoded the WLAN networks, including SSID and BSSID (MAC address) info, as well as timestamps; thus there is proximity to a source. So here is potential evidence, but that doesn't necessarily confirm what is happening during the connection.

The above image WiFiHistory.png displays a number of connections consistent with the same network (so to speak) on various dates and times. It is possible to draw an inference from that of a device in regular proximity to a particular WiFi network, thus a 'distance' (in space and time) to a location. This would support the merits of investigating those identities.

The only independent document found at this time discussing HERREVAD is that from Connie Bell, in her partial MSc thesis:

'PROVIDING CONTEXT TO THE CLUES: RECOVERY AND RELIABILITY OF LOCATION DATA FROM ANDROID DEVICES'
http://etd.fcla.edu/CF/CFE0005924/Bell-Connie-ThesisFinalDraft.pdf

In this thesis Connie states:

"However, during a review of the databases’ contents, it became clear that the database did not capture all of the instances in which the devices were connected to WLAN networks, based on test session activity."

"From these examinations, it seems clear that connectivity-related log artifacts may be quite useful in ruling out the possibility that the WLAN sensor was disabled at a particular time. However, it may be more difficult to affirm that the sensor was indeed enabled at a particular time, since these logs seem to only document when the device is actually connected to a network."

"A device may have the WLAN functionality enabled but be out of range or not connected due to wireless network security, for example. In situations like these, it seems the log files would not indicate that the device WLAN feature was active, since the device would then default to cellular data services"

The research took into account Connie's observations regarding lost WiFi updates to the databases. Two useful web resource sites to search are github and pastebin; both commonly hold various types of processing dumps which yield useful clues for investigation.

The following is part of a logcat dump. The failed event logged in the final ReportNQOperation line (shown in red in the original) could be due to the device's sensor proximity to/from a network, or surrounding noise meaning insufficient data was available to complete sending a HERREVAD record entry update, or the third party plugin failing for some other reason:

(com.estrongs.android.pop) from content://downloads/my_downloads/6 format 2
12-26 19:31:01.741   536   536 I installd: free_cache(6186696) avail 33903247360
12-26 19:31:01.764  4260  4260 V Herrevad: NQAS connected
12-26 19:31:01.776  1016  2567 D WifiService: New client listening to asynchronous messages
12-26 19:31:01.796  4678  4678 I ConfigService: onCreate
12-26 19:31:01.927  4260  7615 I ReportNQOperation: [202] g.a: Not enough data to save wifi report to local dbcom.google.android.gms.herrevad.g.s@nnnnnn

This .pdf https://www.dropbox.com/s/ds89ulvcgezcgsy/Pandora%20Herrevad.pdf shows a complete logcat dump from a post on pastebin. Another example can be found here at github https://gist.github.com/mujeebulhasan/b5e910fc23ec5a41c924e7b5971f1e31

It was noted during research that a number of logcat dumps were for third party apps making use of HERREVAD Databases, so any further research may wish to include:

- Gaming
- Apps download
- Weather
- Travel
- Leisure (running etc)
- Photos
and so on

Some search terms you may wish to consider when analysing images from smartphones or logcat dumps:

Connie Bell's thesis suggests:

select local_reports.network_type, local_reports.ssid,
local_reports.security_type, local_reports.bssid,
local_reports.timestamp_millis,
datetime((local_reports.timestamp_millis)/1000,'unixepoch')
as "Converted timestamp (UTC)"
from local_reports
order by local_reports.timestamp_millis asc
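As an added example (not code from this blog or from the thesis), the Python below runs the thesis query above against a constructed in-memory copy of a herrevad-style table, summarises repeated sightings of one BSSID into the 'regular proximity' picture discussed earlier, and pulls the Herrevad-related lines out of a logcat excerpt like the one quoted above, flagging the "Not enough data to save wifi report" failure as a lost update. The local_reports column layout and all sample rows and log lines are assumptions constructed for the example; the real database schema is not documented on this page.

```python
import re
import sqlite3

# Constructed sample rows, not data from any examined device. Column names follow the
# thesis query; the real herrevad table layout is undocumented, so the schema is assumed.
SAMPLE_REPORTS = [
    (1, "HomeNet", 2, "aa:bb:cc:dd:ee:01", 1482780661764),
    (0, None, 0, None, 1482800000000),  # non-WiFi report: no SSID/BSSID recorded
    (1, "HomeNet", 2, "aa:bb:cc:dd:ee:01", 1482867061000),
]
THESIS_QUERY = """
select local_reports.network_type, local_reports.ssid,
local_reports.security_type, local_reports.bssid,
local_reports.timestamp_millis,
datetime((local_reports.timestamp_millis)/1000,'unixepoch')
as "Converted timestamp (UTC)"
from local_reports
order by local_reports.timestamp_millis asc
"""

def build_sample_db():
    """In-memory SQLite stand-in for the herrevad database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table local_reports(network_type integer, ssid text, "
                 "security_type integer, bssid text, timestamp_millis integer)")
    conn.executemany("insert into local_reports values (?,?,?,?,?)", SAMPLE_REPORTS)
    return conn

def run_thesis_query(conn):
    """Run the thesis query; SQLite integer division drops the milliseconds."""
    return conn.execute(THESIS_QUERY).fetchall()

def proximity_summary(rows):
    """Collapse WiFi rows per (ssid, bssid) into count and first/last UTC sighting,
    the repeated-proximity inference the post draws. Rows with no BSSID are skipped."""
    seen = {}
    for _net, ssid, _sec, bssid, _ms, utc in rows:
        if not bssid:
            continue
        entry = seen.setdefault((ssid, bssid), {"count": 0, "first": utc, "last": utc})
        entry["count"] += 1
        entry["last"] = utc
    return seen

# logcat line layout: "MM-DD HH:MM:SS.mmm  PID  TID  LEVEL TAG: message"
LOGCAT_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+"
                       r"([VDIWEF])\s+([^:]+):\s*(.*)$")
LOST_UPDATE = "Not enough data to save wifi report"

def herrevad_events(logcat_text):
    """Keep only Herrevad-related logcat lines, marking the 'not enough data'
    failure quoted in the post as a lost database update."""
    events = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line.strip())
        if not m:
            continue
        ts, pid, tid, level, tag, msg = m.groups()
        if "herrevad" not in (tag + msg).lower():
            continue
        events.append({"ts": ts, "pid": int(pid), "tid": int(tid), "level": level,
                       "tag": tag, "msg": msg, "lost_update": LOST_UPDATE in msg})
    return events

# Constructed excerpt mirroring the dump quoted in the post (pastebin line prefixes removed).
SAMPLE_LOGCAT = """\
12-26 19:31:01.741   536   536 I installd: free_cache(6186696) avail 33903247360
12-26 19:31:01.764  4260  4260 V Herrevad: NQAS connected
12-26 19:31:01.927  4260  7615 I ReportNQOperation: [202] g.a: Not enough data to save wifi report to local dbcom.google.android.gms.herrevad.g.s@nnnnnn
"""
```

Run the query with `run_thesis_query(build_sample_db())` and the log filter with `herrevad_events(SAMPLE_LOGCAT)`; the logcat lines carry no year, so the constructed timestamps assume 2016.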

Additionally, from the research here it is suggested the following may be helpful, too:

HERREVAD
BSSID
SSID
UEID
date
time
timestamp
locationid
location
LocationFilter
WiFiInfo
WiFi
MAC
RSSI
download or downloaded
com.google.android.gms.persistent
com.google.android.gms.herrevad.services.LightweightNetworkQualityAndroidService
com.google.android.gms.herrevad.h.g.a
com.google.android.gms.herrevad.h.l.f

Timestamps may require conversion, so here are a couple of sites that might assist you:
http://www.epochconverter.com/
http://www.unixtimestamp.com/

Further research will continue and efforts will be made to update this thread. If any reader can provide any additional information, please send an email to trewmte@gmail.com and please provide your details and confirm if you wish to have these included in any update.

Thursday, January 19, 2017

The Crime Survey for England and Wales 2016

For the first time in its annual report the Office for National Statistics (ONS) - https://www.ons.gov.uk/ - has included the offences of Fraud and *Computer Misuse (also see sub-label 'cybercrime') in The Crime Survey for England and Wales 2016 ons.yearendingsept2016/pdf

MTEB & IDF .\fcord adopted Chapter 18 as a focus group from the original Computer Misuse Act (CMA) 1990 Chapter 18, which makes wide provision for events associated with misuse of computer devices and systems. The CMA has been subjected to amendments over the years; for example, The Police and Justice Act 2006 Chapter 48 amends the Computer Misuse Act, see Part 5 sections 35-38. The new amendments came into force on October 1, 2008.

Recent work of Chapter 18 can be found here http://trewmte.blogspot.co.uk/2017/01/investigating-aka-usim-milenage-attack.html

Investigating AKA - USIM MILENAGE Attack
For the last two years Chapter 18, Smith et al have been studying AKA (authentication and key agreement). One candidate for AKA is MILENAGE which, in 2014 & published 2015, was hacked using DPA (a side channel attack). 

Having spent 2016 researching through a huge range of documents, presentations, test data and scripts etc., it was noted there had been nothing written as to what to look for and how practitioners could handle this information. It is hoped that with the discussion, embedded links and those willing to learn, this presentation goes some way to help in that regard.


fcord-2016-USIM-MILENAGE-0x48.pdf

Saturday, October 15, 2016

ISO/IEC 17025/17020 - One-Person Organisation

Having just finished part two of the work study into QA and Laboratory Accreditation MTEB UK SEMINARS 2016 II v03- QA Lab Accreditation.pdf ( http://trewmte.blogspot.co.uk/2016/10/qa-and-laboratory-accreditation.html ) I came across this cracking article by Karin Athanas, Program Manager at the American Association for Laboratory Accreditation (A2LA) titled "Accreditation for the One-Person Organization - The smallest laboratories can teach us the biggest lessons." ( http://forensicfoundations.com/resources/Documents_CLR/2016_10_3_SUMMER.pdf )

Basically, Karin's article helps us understand that one-, two- or three-person organisations should not be put off but can and should apply for ISO/IEC 17020 and 17025, as the requirements are not insurmountable, particularly when it comes to deciding to whom the quality manager's role, audits etc. will be allocated and who will be deemed responsible. I also read this to mean that ABs might need to widen their scope to appreciate that many roles in an accredited system can be held by one person.

Karin's article is a recommended read.

Sunday, October 09, 2016

QA and Laboratory Accreditation

MTEB UK SEMINARS 2016 II v03- QA Lab Accreditation.pdf
Read more - updated link http://tinyurl.com/zr2oqyp

QA and Laboratory Accreditation. Previously, lab criteria applied to mobile phone forensic testing was randomly applied:

- various industry standards
- public and private approach to best practice
- guidelines/training courses
- Some certified ISO9001, some sought UKAS accreditation.

With the introduction of a UK Forensic Science Regulator (FSR), there are now mandated ‘Codes of Practice and Conduct’, standards and accreditation applicable to mobile phone forensic evidence:

- ISO/IEC 17025 e.g. requirements for the competence to carry out tests and calibrations...
- ISO/IEC 17020 e.g. scene of crime and in the field activity
- UKAS Accreditation

The FSR’s strategy moves the goalposts away from simply applying industry best practice and random approaches to a common purpose – provision of forensic science across the criminal justice system is "subject to an appropriate regime of scientific quality standards"

That common purpose approach has been developing for approximately 6 years but only really in the last several years ISO/IEC 17025:2005 has started to make its mark and the first accreditation to requirements of Forensic Science Regulator’s ‘Codes of Practice and Conduct’ was 2014.

- still early days for the public and private sectors
- very small number of organisations accredited for mobile phone forensic evidence
- it could be said we are all pioneers to new endeavours
- common purpose does not dilute ‘speciality’ distinguishing one organisation from another
- FSR deadlines for public sector forensic science overall 2017-2020
- e.g. Law enforcement mobile phone forensic test laboratory accreditation by Oct 2017
- Lead times of 18-months to implement suggests 2017 deadline could be missed
- ‘devil in the detail’ causing much more work than at first thought

There is increased demand for practical solutions and helpful insights that may assist prepare for accreditation.

Saturday, September 03, 2016

Adopted Cloud Vocabulary and Architecture


Given the amount that is written about the Cloud, it is not surprising that many have entered various terminology and definitions into texts, so that it can be difficult to know which are accepted industry vocabulary. Part of the work of the ISO/IEC is to produce standards adopted by national bodies; thus they hold greater weight when used to identify particular technology in legal proceedings, for development reports or quotations/tenders, or for training/education purposes, because such vocabulary and definitions have been adopted by industry (**see more details below).

Two standards I would recommend all organisations retain a copy of:

ISO/IEC 17788:2014 1st Information technology -- Cloud computing -- Overview and vocabulary JTC1/SC38 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards.

Download Standard: http://standards.iso.org/ittf/PubliclyAvailableStandards/c060544_ISO_IEC_17788_2014.zip


ISO/IEC 17789:2014 1st Information technology -- Cloud computing -- Reference architecture JTC1/SC38 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.

Download Standard:
http://standards.iso.org/ittf/PubliclyAvailableStandards/c060545_ISO_IEC_17789_2014.zip



(**)
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 17788 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 38, Distributed application platforms and services (DAPS), in collaboration with ITU-T. The identical text is published as ITU-T Rec. Y.3500 (08/2014)

ISO/IEC 17789 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 38, Distributed application platforms and services (DAPS), in collaboration with ITU-T. The identical text is published as ITU-T Rec. Y.3502 (08/2014).

Friday, September 02, 2016

Smartphone Platform Leader

According to Statista Android is the undisputed smartphone platform leader. Of course, a single identified platform does not of itself identify which of the Android OS versions is used more than any other. Wikipedia Android version history states Android Lollipop 5.0-5.1 ( https://en.wikipedia.org/wiki/Android_version_history ) is the single most widely used Android version.

Additional information about Android - https://en.wikipedia.org/wiki/Android_(operating_system)

In comparison, the above chart illustrates a decline in all other platforms. This again tends to suggest not dismissing other smartphone platforms until it is identified what they are ( https://en.wikipedia.org/wiki/List_of_mobile_software_distribution_platforms ) and identifying other smartphone OSs ( https://en.wikipedia.org/wiki/Mobile_operating_system ), which can assist in forecasting how to structure the investigation process and which examination lab tool/s is/are most likely to be required.

British Airways i360

Took a day off from work to take my wife and grandson to visit the new British Airways i360 viewing tower in Brighton, Sussex, England. The i360 Guide informed me this new tourist feature goes higher than the London Eye but lower than The Shard in London. We had a good time; but I won't spoil it for you by showing you the photos of the spectacular views across Brighton.


Apple iPhone connected devices

The proliferation of mobile devices and computers associated with cybercrimes and legal disputes grows on a daily basis. I thought perhaps readers might find this 2015 document a useful and helpful reminder. DEFT Practice Notice J10702015.pdf