Sunday, March 22, 2015

CSA Wi-Fi Testing

Because modern (3G/4G) smartphones carry radios for several wireless technologies, Wi-Fi coverage analysis extends the range of cell site analysis (CSA) radio measurements that can be recorded at a site for location-based tests. See previous discussion

ITU 150th Anniversary (1865-2015)

The 150 ITU 1865 2015 logo is copyright to the International Telecommunications Union
and reproduced with kind permission

This May 2015 the International Telecommunications Union reaches its 150th anniversary.

So what has happened in the world between 1865-2015? I thought I would highlight some events that usually go under the radar:

- football clubs established at that time :
- some cyclists have been pedalling for a really long time :
- as well as a bygone era in railway :
- Nokia started out as a wood pulp mill :

For more well known events just search the world wide web (www).

The ITU plays an important global role producing technical reports, recommendations and guidance on telecommunications, cellular and satellite, to name just a few technology sectors. That influence should never be underestimated. Indeed, the work of the ITU impacts on mobile forensics and cybercrime too. A few trewmte blog posts serve as examples:

International Telecommunications Union and CSA

CSA - Site Survey Method 2

CSA - Site Survey Method 2/ITU

Cybercrime: procedures, deterrent and investigation

It seems to me fitting that, since I have gained so much knowledge and understanding from the work of the ITU, the way to pay tribute to them is to invite readers to visit their website celebrating the 150th anniversary of this phenomenal and great institution, the International Telecommunications Union:

Thursday, March 19, 2015

Emotion Icons

From a recent discussion about the knowledge, skills and experience of operators of forensic tools, who have a range of training, contributors' comments varied as to exactly where the demarcation line lies regarding 'competence': that is, how far an examiner should go to validate the data extracted and harvested from a mobile phone. Bit- and byte-level work, carving and so on drew some responses suggesting these were not seen as paramount to know, which seemed to me to suggest, at any rate, a reliance on the forensic tool to get it right.

A couple of observations I raised were these:

Some examples of required technical competence

(c) A good example of checking the tool's output is cross-checking it against the physical mobile handset. Take standard Smart Messaging, which can contain images. The tool extracts the data and the output is harvested, yet the image shown by the tool is not always the same as that shown on the mobile phone. Why? Because the proprietary applications that reside on the handset are not the same as those in the tool? Because a Smart Messaging image can be interpreted differently by another make/model of handset? Or because the technician/examiner performed the extraction and harvesting incorrectly? So where would blame lie in a situation like this?

I have added an example for a Philips Savvy mobile phone from 1999 (15 years ago), when it was known that different makes/models handled emotion icons (emoticons) differently.

(d) Staying with SMS text, you may know about 7-bit, 8-bit and 16-bit encoding for SMS text messages. But what about variations such as Fernschreiber 5-bit encoding, which can be used in SMS PDU mode and allows one single message to contain 244 characters? A user may send one text with 7-bit encoding (244 characters), but the mobile phone sends it as a GSM concatenated text message, e.g. in 2 messages (concatenation can run to a maximum of 255 messages). Does the technician/examiner immediately mistake the 5-bit 244-character message for a concatenated message?
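The question in (d) comes down to a structural check that can be automated rather than judged from the GUI: in 3GPP TS 23.040 a message is part of a concatenated set only when the TP-UDHI bit is set and the User Data Header carries a concatenation element (IEI 0x00 with an 8-bit reference or 0x08 with a 16-bit reference); the length of the text on its own proves nothing. The Python below is an added example, not code from the original post. It packs and unpacks GSM 7-bit user data, builds single and multi-part segments, and reports concatenation only from the header. It assumes the ASCII-coincident subset of the GSM 03.38 default alphabet (characters such as @, $ and [ differ and are rejected), and the sample texts are constructed.

```python
"""Added example (not from the original post): GSM 7-bit SMS user data packing,
unpacking and concatenation detection from the User Data Header (3GPP TS 23.040)."""

# Assumption: only the ASCII-coincident part of the GSM 03.38 default alphabet
# is modelled (letters, digits, space, common punctuation). Characters such as
# @ $ [ \ ] ^ _ ` differ in GSM 7-bit and need the full table, so they are rejected.
GSM_ASCII_SUBSET = set(range(0x20, 0x7B)) - {0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60}


def text_to_septets(text):
    septets = []
    for ch in text:
        code = ord(ch)
        if code not in GSM_ASCII_SUBSET:
            raise ValueError(f"{ch!r} is outside the ASCII-coincident subset handled here")
        septets.append(code)
    return septets


def pack_septets(septets, fill_bits=0):
    """Pack 7-bit values LSB-first into octets. fill_bits zero bits are emitted
    first so that, after a User Data Header, text starts on a septet boundary."""
    acc, nbits, out = 0, fill_bits, bytearray()
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_septets(data, count, fill_bits=0):
    """Inverse of pack_septets: read count septets after skipping fill_bits."""
    acc = int.from_bytes(data, "little") >> fill_bits
    return [(acc >> (7 * i)) & 0x7F for i in range(count)]


def build_segment(text, ref=None, total=1, seq=1):
    """Return (TP-UDL, TP-UD). With ref given, a concatenation IE
    (IEI 0x00: reference, total parts, part number) is prepended and TP-UDL
    counts the header and fill bits in septets, as TS 23.040 requires."""
    septets = text_to_septets(text)
    if ref is None:
        return len(septets), pack_septets(septets)
    udh = bytes([0x00, 0x03, ref & 0xFF, total, seq])
    header = bytes([len(udh)]) + udh            # UDHL octet + UDH = 6 octets
    header_bits = len(header) * 8
    fill = (7 - header_bits % 7) % 7
    udl = (header_bits + fill) // 7 + len(septets)
    return udl, header + pack_septets(septets, fill)


def split_message(text, ref):
    """160 septets fit one PDU; longer texts become parts of 153 text septets
    (160 minus the 7 septets taken by the 6-octet header plus fill bit)."""
    if len(text) <= 160:
        return [build_segment(text)]
    parts = [text[i:i + 153] for i in range(0, len(text), 153)]
    return [build_segment(p, ref, len(parts), n + 1) for n, p in enumerate(parts)]


def decode_user_data(udl, ud, udhi):
    """Interpret TP-UD. Concatenation is reported only when the TP-UDHI bit is
    set and the header carries IEI 0x00 (8-bit ref) or 0x08 (16-bit ref);
    a long or unusual length on its own never implies concatenation."""
    concat = None
    offset = fill = 0
    if udhi:
        udhl = ud[0]
        udh = ud[1:1 + udhl]
        offset = 1 + udhl
        fill = (7 - (offset * 8) % 7) % 7
        i = 0
        while i + 2 <= len(udh):
            iei, iedl = udh[i], udh[i + 1]
            val = udh[i + 2:i + 2 + iedl]
            if iei == 0x00 and iedl == 3:
                concat = {"ref": val[0], "total": val[1], "seq": val[2]}
            elif iei == 0x08 and iedl == 4:
                concat = {"ref": (val[0] << 8) | val[1], "total": val[2], "seq": val[3]}
            i += 2 + iedl
    text_septets = udl - (offset * 8 + fill) // 7
    septets = unpack_septets(ud[offset:], text_septets, fill)
    return {"text": "".join(chr(s) for s in septets), "concat": concat}


def reassemble(decoded_parts):
    """Join decoded parts in UDH sequence order (single messages pass through)."""
    ordered = sorted(decoded_parts, key=lambda d: d["concat"]["seq"] if d["concat"] else 1)
    return "".join(d["text"] for d in ordered)


if __name__ == "__main__":
    # Constructed sample texts.
    udl, ud = build_segment("Hello")
    print(udl, ud.hex())                              # 5 c8329bfd06
    for udl, ud in split_message("A" * 200, ref=0x2A):
        print(udl, decode_user_data(udl, ud, True)["concat"])
```

Run against a tool's raw PDU output, the decoder makes the examiner's check explicit: a segment is attributed to a concatenated set only if `concat` is populated from the header, so a 160-septet single message and the first part of a two-part message are told apart by structure, not by how long the text looks.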

I chose these observations because they highlight how deceptive recovered data can be when viewed through the GUI of the tool used to extract and harvest it. Viewing recovered data can be a trompe l'oeil (a lie to the eye) if, as examiners, we merely accept at face value what the tool tells us. Additionally, a tool cannot encompass all of a mobile's features or the interpretation libraries associated with particular data.

The emotion icons discussion interested me because, at first blush, emoticons may be perceived as simple smiley faces, different Unicode characters and so on. However, with emotion icons and emoji widely in use on mobile devices, emoji can also be used, for example, for encrypting messages, which takes these icons into a completely different ball park when it comes to evidence. Another example of the potential for mistaken identity about the meaning of the data.

Appeal case - Boardman - phone evidence/cell site

The serving of evidence, and the arbitrary question of what should or should not be served, is highlighted in this Appeal case. It is noted that the Appeal Court dealt with issues surrounding burdensome requests for evidence from the police. I suspect the comments of the Appeal Court could be misconstrued, meaning there is potential for further hearings on the relevance of evidence. The Appeal Court indicates it is an abuse for the defence to get the police to do their work. Also, too much weight was being placed on the issue of the police not supplying the evidence in the format received from the operators (.xls(x) format as opposed to the served .pdf) as an element in dismissing a case.

The problem with Appeal cases like this is that, whilst they are excellent in giving guidance on how to go forward, they do not establish what the police should be doing as to what evidence to obtain in the first place. If the police simply obtain call records and cell details and do no more, what weight can be given to this?

Looking at other issues

(a) If the police decide on minimal evidence (e.g. cell details) then is it the position that the police or the prosecution (for that matter) are waiting on the defence to conduct cell site analysis including radio test measurements at points of interest, thus doing the work for the police/prosecution?

(b) If the police conduct cell site radio test measurements, is there a requirement to find out (i) the operational performance of the cell site(s) at the material time(s), to compare with investigatory tests that are conducted after the alleged offence has been committed, or is it the case (ii) that the defence cannot ask for justification of the validity of any tests, i.e. whether the police/prosecution have made the appropriate enquiries to the operator(s) concerned regarding the operational performance of particular cell sites?

These are just some of the many questions that arise.

Cell site analysis is important not only from a criminal investigations aspect but at national security level as well. The value as a useful investigation tool is not one sided, but can become that way if the science approach, technical understanding and evidential pillars are randomly chosen.

Saturday, December 06, 2014

Santa Arrest

Olden but golden. Still a good laugh to watch.

Wednesday, October 29, 2014

Apple's New Nano-SIM Card

Should make examinations interesting. Apparently, an open-ended SIM that can hold either a postpaid or a prepaid account, without the need to change SIMs, yet still switch between carriers. Either Apple intends to use its own IMSI (and thus become an operator) or the IMSI will need to be updated OTA... hmmmm

"If you are among the millions who will purchase one of the 4G versions of the new iPad Air 2 or iPad mini 3 tablets from Apple in the next few months, and you live in the US or UK, then when you switch the tablet on for the first time, you will find a nano-SIM card already installed in the SIM card slot."


"What Apple envisions with its SIM is that users will be able to quickly and easily switch between different carriers to take advantage of the best short-term deals available at any given time - without having to go through the hassle of getting a new SIM card.

"Obviously, if you have signed up to a two-year contract you won't be switching deals that often, but if you are on a pay-as-you-go deal, then this could be a real money-saver......."

Quotes from:

Thursday, October 09, 2014

Fast moving wireless world

I have been working on research, as the changing landscape for cell site analysis (CSA) requires comprehending the complex involvement of the various forms of wireless connectivity that create a universal point-of-presence for mobile users. Moreover, CSA is equally being impacted by the architecture defining the internet of things (IoT), which is causing a growth expansion in M2M wireless devices; naturally, wireless forensics in this area will grow too.

M2M was highlighted back in 2011

M2M Crime

Mobile Markets: Nokia 'Mobile Man' tells of a story


Reverse Engineering For Beginners

Steve Hailey* kindly sent out a reminder about Reverse Engineering for Beginners, a guide with "Lots of great information that will be especially helpful for reverse engineering malware that you come across in your investigations......" It is "652 pages, all free. You do not need to give out your personal information or subscribe to anything..."

The original link to get the publication is no longer current. However, a copy can still be downloaded using the following link: 

*Steve is President/CEO CyberSecurity Institute, a practicing Consultant, Digital Forensic Examiner and works also as an Educator, InfoSec Author & Lecturer

Sunday, September 28, 2014

CSA - Site Survey Method/LTE SIBtype1

Before continuing with GSM/GERAN System Information Message Types, thanks for the enquiries regarding LTE and the requests for an example of a SystemInformationBlockType (SIB). It would appear there is a requirement to explore LTE and UMTS SIBs some more before moving on to GSM/GERAN. I will do my best to answer some of the enquiries.

For educational purposes only: once the MasterInformationBlock (MIB) has been decoded by the UE, a useful example of the content of SystemInformationBlockType1 was illustrated by Ralf Kreher and Karsten Gaenger (c) 2011, using Tektronix K2Air output as an example, when conducting an LTE investigation into signalling troubleshooting and optimisation.

|ID Name |Comment or Value |
|systemInformationBlockType1 |
|Tektronix K2Air LTE PHY Data Message Header (K2AIR-PHY) PDSCH (= PDSCH Message) |
|1 PDSCH Message |
|1.1 Common Message Header |
|Protocol Version |0 |
|Transport Channel Type |DL-SCH |
|Physical Channel Type |PDSCH |
|System Frame Number |454 |
|Direction |Downlink |
|Radio Mode |FDD |
|Internal use |0 |
|Status |Original data |
|Reserved |0 |
|Physical Cell ID |0 |
|Subframe Number |5 |
|UE ID/RNTI Value |'ffff'H |
|1.2 PDSCH Header |
|CRC report |CRC ok |
|HARQ process number |0 |
|Reserved |0 |
|Transport Block Indicator |single TB info |
|Reserved |0 |
|1.2.1 Transport Block#1 Information |
|Transport Block#1 Size |144 |
|Modulation Order DL 1 |QPSK |
|New Data Indicator DL 1 |new data |
|Redundancy Version DL 1 |1 |
|Reserved |0 |
|Modulation Scheme Index DL 1 |5 |
|Reserved |0 |
|1.2.2 Transport Block Data |
|TB1 Mac-PDU Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|Padding |'0068'H |
|1.3 Additional Call related Info |
|Number Of Logical Channel Informations |1 |
|1.3.1 Logical Channel Information |
|LCID |0 |
|RLC Mode |Transparent Mode |
|Radio Bearer ID |0 |
|Radio Bearer Type |Control Plane (Signalling) |
|Spare |0 |
|Spare |0 |
|Logical Channel Type |BCCH |
|Call ID |'fffffff5'H |
|3GPP LTE-RLC/MAC Rel.8 (MAC TS 36.321 V8.5.0, 2009-03, RLC TS 36.322 V8.5.0, 2009-03) (LTE-RLC/MAC) MAC-TM-PDU (DL) (= MAC PDU (Transparent Content Downlink)) |
|1 MAC PDU (Transparent Content Downlink) |
|MAC Transparent Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|RRC (BCCH DL SCH) 3GPP TS 36.331 V8.5.0 (2009-03) (LTE-RRC_BCCH_DL_SCH) systemInformationBlockType1 (= systemInformationBlockType1) |
|bCCH-DL-SCH-Message |
|1 message |
|1.1 Standard |
|1.1.1 systemInformationBlockType1 |
| cellAccessRelatedInfo |
| plmn-IdentityList |
| pLMN-IdentityInfo |
| plmn-Identity |
| mcc |
| mCC-MNC-Digit |2 |
| mCC-MNC-Digit |9 |
| mCC-MNC-Digit |9 |
| mnc |
| mCC-MNC-Digit |0 |
| mCC-MNC-Digit |0 |
| cellReservedForOperatorUse |notReserved |
| trackingAreaCode |'0000'H |
| cellIdentity |'2000100'H |
| cellBarred |notBarred |
| intraFreqReselection |notAllowed |
| csg-Indication |false |
| cellSelectionInfo |
| q-RxLevMin |-65 |
| freqBandIndicator |1 |
| schedulingInfoList |
| schedulingInfo |
| si-Periodicity |rf16 |
| sib-MappingInfo |
| schedulingInfo |
| si-Periodicity |rf32 |
| sib-MappingInfo |
| sIB-Type |sibType3 |
| sIB-Type |sibType6 |
| schedulingInfo |
| si-Periodicity |rf32 |
| sib-MappingInfo |
| sIB-Type |sibType5 |
| si-WindowLength |ms20 |
| systemInfoValueTag |22 |

This form of analysis provides an excellent grounding when conducting ICCSA. Why would that be so? Familiarisation with this educational content enables knowledge to be gleaned from the real-world SIBs detected by the UE at particular locations. Importantly, information that informs the UE about the varying cells benefits an investigation. For instance, we know that when the UE has successfully received and decoded the MIB and SIBs type 1 and 2 etc. during its travels, SIB type 9 might identify a (H)eNodeB that is available. To be clear, that latter information provides two unique pieces of information: (1) the identity of the radio source, and (2) it is location specific to tens of metres in an area, thus refining the identification of where the UE would have dwelt (dwell time, slow-moving UE).

It also refines the location for the investigation: even where SIB1 and SIB2 indicate a wider location area, the UE's detection (SIB type 9) of the (H)eNodeB coverage would have the effect of demonstrating the prerequisite of proximity to an area. Now readers could point out: how would the person conducting the ICCSA know about the (H)eNodeB in the first place if call/data records are not available? For situations where immediacy matters (current bandit surveillance), the UE stores relevant information about the radio resources in an area for up to 3 hours, after which old data are discarded. For a live UE acquisition this time frame could be useful. A UE that was switched off (e.g. in the target site area) retains that information, which then requires extraction and harvesting without powering the UE up and triggering network detection and registration.
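To turn a decoded SIB1 listing such as the one above into the identifiers an investigator actually records (PLMN, tracking area, ECGI, the eNB and cell that the 28-bit cellIdentity encodes, and which SIBs the cell schedules), the following Python, an added example and not part of the original post or the Tektronix decoder, parses the listing's pipe-delimited rows. The rows embedded in the block are copied from the listing above; the parser's assumptions are the row format itself, the TS 36.331 rule that SIB2 is always carried in the first SI message and therefore never listed in sib-MappingInfo, and the macro-eNB split of cellIdentity into 20 eNB-ID bits and 8 cell-ID bits (a HeNB uses all 28 bits as its identity).

```python
"""Added example (not part of the original post): summarise a decoded SIB1
listing into the identifiers an investigator records (PLMN, TAC, ECGI, eNB ID)
and the SI scheduling it announces."""
import re

# Rows copied from the decoded SIB1 listing reproduced on this page (K2Air
# output); only the rows this parser needs are kept.
SIB1_LISTING = """
| mcc |
| mCC-MNC-Digit |2 |
| mCC-MNC-Digit |9 |
| mCC-MNC-Digit |9 |
| mnc |
| mCC-MNC-Digit |0 |
| mCC-MNC-Digit |0 |
| cellReservedForOperatorUse |notReserved |
| trackingAreaCode |'0000'H |
| cellIdentity |'2000100'H |
| cellBarred |notBarred |
| intraFreqReselection |notAllowed |
| csg-Indication |false |
| q-RxLevMin |-65 |
| freqBandIndicator |1 |
| schedulingInfo |
| si-Periodicity |rf16 |
| schedulingInfo |
| si-Periodicity |rf32 |
| sIB-Type |sibType3 |
| sIB-Type |sibType6 |
| schedulingInfo |
| si-Periodicity |rf32 |
| sIB-Type |sibType5 |
| si-WindowLength |ms20 |
| systemInfoValueTag |22 |
"""


def parse_rows(listing):
    """Turn '| name |value |' lines into (name, value-or-None) pairs."""
    rows = []
    for line in listing.strip().splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if parts and parts[0]:
            rows.append((parts[0], parts[1] if len(parts) > 1 and parts[1] else None))
    return rows


def hex_value(text):
    """Decoder notation 'ABCD'H -> int."""
    m = re.fullmatch(r"'([0-9A-Fa-f]+)'H", text)
    if not m:
        raise ValueError(f"not a hex literal: {text!r}")
    return int(m.group(1), 16)


def summarise_sib1(listing):
    digits = {"mcc": [], "mnc": []}
    section = None
    schedule = []
    info = {}
    for name, value in parse_rows(listing):
        if name in digits:
            section = name
        elif name == "mCC-MNC-Digit":
            digits[section].append(value)
        elif name == "trackingAreaCode":
            info["tac"] = hex_value(value)
        elif name == "cellIdentity":
            info["cell_identity"] = hex_value(value)
        elif name == "schedulingInfo":
            # TS 36.331: SIB2 is always carried in the first SI message and is
            # never listed in sib-MappingInfo, so it is added implicitly here.
            schedule.append({"periodicity": None, "period_ms": None,
                             "sibs": [] if schedule else ["sibType2"]})
        elif name == "si-Periodicity":
            schedule[-1]["periodicity"] = value
            schedule[-1]["period_ms"] = int(value[2:]) * 10   # rfN = N radio frames of 10 ms
        elif name == "sIB-Type":
            schedule[-1]["sibs"].append(value)
        elif value is not None:
            info[name] = value                  # cellBarred, q-RxLevMin, si-WindowLength, ...
    mcc, mnc = "".join(digits["mcc"]), "".join(digits["mnc"])
    ci = info["cell_identity"]
    info.update({
        "plmn": f"{mcc}-{mnc}",
        "enb_id": ci >> 8,          # upper 20 bits of the 28-bit cellIdentity (macro eNB)
        "cell_id": ci & 0xFF,       # lower 8 bits: cell within that eNB
        "ecgi": f"{mcc}-{mnc}-{ci:07X}",
        "schedule": schedule,
    })
    return info


if __name__ == "__main__":
    for key, val in summarise_sib1(SIB1_LISTING).items():
        print(f"{key}: {val}")
```

The scheduling summary is what tells a survey operator how long to dwell to capture a given SIB: with the listing above, SIB2 arrives every 160 ms, SIB3/SIB6 and SIB5 every 320 ms, each inside a 20 ms SI window, so a short capture that records SIB1 and SIB2 may still miss the neighbour-cell information in SIB5/SIB6 and any SIB9 name broadcast by a HeNB.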