Saturday, April 30, 2016

Special Branch

Just reading an excellent book about Special Branch A History: 1883-2006 before it was subsumed 2006 into the Metropolitan Police Counter-Terrorism Command.

Highly recommend reading.

Saturday, April 16, 2016

St. George's Day and Brexit

St George's Day 23rd April
Give England a good chance before the BREXIT vote to decide about England's future by looking at our history, culture and values. This is something the REMAIN IN campaign hasn't discussed yet; only doom, gloom and fear - is this nightmare really black or are the windows painted that we are being asked to look through?

So far none of the campaigns (IN/OUT) have defined what England would lose in a Federal State of Europe with regards to our (a) Nationality (b) Heritage (c) Culture (d) Values and (e) Freedoms. Do remember should England remain in Europe as a small island in a federal quango history has shown the smaller islands lose their hard fought position of relevance (c.f. United State of Hawaii (  If Hawaii is the 50th state of the US then does this demote England to the 164th state of Europe, a state that may become irrelevant through erosion over 50-100 years? The English people and people of England have not been informed nor given absolute guarantees from our elected Parliament where England will be in the next 50 years, let alone 100 years. The current human incumbents would all have popped their clogs and left this mortal coil. As William Shakespeare so poetically put it "For in that sleepe of death, what dreames may come..."  (Hamlet act III scene I). This leaves the rest of the future generation to clean up all the crap they left in their barracks when their souls departed. 

St. George's Day has deep roots in England's heritage and culture. What I love about St. George's Day is that it is not about the colour of someone's skin and so on, but it is about unity and bonding a country's people together to share and enjoy the same values and at the same time extend those values to others who are not of our faith and culture but wish to share and integrate with us and them. 
To celebrate St George's Day is to celebrate England itself: our history, culture and heritage that has created our nation. Patron saints are chosen as special protectors of life and culture.  Like England, every country in the UK has its own patron saint that in times of great threat is called upon to help save the country from its enemies. Legend says St George was a dragon-slaying knight and he was made patron saint of England in recognition of his great acts. St George is also a popular figure outside England in the countries: Portugal, Catalonia, Georgia, Serbia, Bulgaria, Bosnia and Herzegovina, Republic of Macedonia and the Gora. His symbol, a red cross on a white background, is the flag of England, and part of the British flag. St George's symbol was originally adopted by Richard The Lion Heart and brought to England in the 12th century.

St George
Very little is known about the real St George. He is thought to have been born into a noble Christian family in the late third century in Turkey. He followed in his father's military footsteps and became part of the retinue of the Emperor Diocletian (circa 245-313). St George was a brave soldier in the Roman army who died for his beliefs. The emperor ordered the systematic persecution of Christians and George protested against the Romans' torture of Christians. For that he left the Roman army. For leaving, he was tortured, executed in Palestine, and finally beheaded, becoming an early Christian martyr in 303 AD. St George was also adopted as the Saint of Battles. This was because St. George is said to have appeared to the Christian army before the Battle of Antioch (nearly 920 years ago) in  1097 AD.

So on the 23rd April 2016 remember that Europe didn't create this day England created this day and today we still defend our nation. Our patron saint, St. George, is a heritage defining moment in our history. Naturally England will celebrate our National Day with parades through streets, floats will be seen, music will be played, dancing for fun, and laughter will be heard. There will be a special St George's Day service at local churches. Moreover, April 23rd is the day for a red rose in the button hole, England's national flower. Shakespeare's birthday falls on the same date, and the Globe Theatre (built in 1599 AD) will be having its usual big celebration. There are events all around the country so join in, take part and have pride in who we are.

Finding our about our great country is not difficult and here are a few weblinks to help you:

St. George International Man of Mystery -
English Heritage -
Portal:England -
A timeline of English History -
History of England -
English Culture -


Saturday, April 02, 2016

Update: Mobile Weapons and Seizure Procedure

UPDATED: FCORD2016 Chapter 27 Discussion Document Seizure and Handling preparing a Best Practice Model - DOWNLOAD DISCUSSION DOCUMENT

Update: Mobile Weapons and Seizure Procedure

Regrettably a further manufacturer has entered into the arena by adapting a mobile device design(above) that transforms into a weapon for firing bullets.

The MTEB (Mobile Telephone Examination Board) Eighth Edition Section 4 Mobile Telephone Seizure Procedure (Mobile Weapons) updates on new items and handling procedures for them.  

There has been a slow but persistent level in mobile/smart phones being adapted for use as some form of weapon.

Back in 2008 trewmte.blogspot reported about the mobile phone that fires bullets. The story of this wasn't new, by any means, but was highlighted to illustrate the variety and exposure of devices that those involved in seizure procedure and mobile phone examiners can come into contact. 



UPDATED: 2015 Imitation Style Mobile: Cost Approx 20-euros
Note the gloves for handling procedure.

UPDATED: 2014 Officer suffered shock conducting search
An officer conducting the search suffered a shock as he examined the fake handset but was not seriously injured. Good photo example shown of safe evidence container: iphone-stun-gun-seized-from-a-14-year-old-by-greater-manchester-police
Over time the trewmte.blogspot has highlighted other weapons, such as Stun Guns:

But mobile/smart phones that propel objects or inflict severe shock are not the only adaptations out there. Take for instance the age old weapon of a knife adapted for use with a mobile phone ( seized 2005):

And now in 2012 we now have another weapon that uses an adapted iPhone case which the manufacturers purport can be used for personal protection to spray pepper in the eyes:

The above are by no means the end of mobile/smart phones adapted for some form of weapons. We only know too well how mobile phones have been rigged to set off incendiary devices etc, which the MTEB labels IMD (improvised mobile devices):  


Yes the photos above all present disburbing images, but not for sensational purposes. Thankfully, it is not common for those involved with seizing items and examiners to come into contact with adapted and improvised devices like these on a regular basis. We still need to be aware and have a proposed handling procedure in place to deal with them though. That is on the basis that mobile/smart phone seizure and examination happens globally. The trewmte.blogspot is not simply local to the UK but deals with international matters and therefore articles like this are not only for UK consumption but for other countries that are involved in and employ seizure and examination procedures.

Lastly, and of specific relavance to seizure and examination procedure, it is priority to deal with mobile/smart phone weapon/s as opposed to figuring out what a person may have intended to do with it/them; figuring out is a thought process that can come later on. Why? One very good reason, the person who is seizing an adapted device (e.g. iPhone case above) and accidently sprays pepper into his/her face because s/he had no prior knowledge about the adapted device is clearly a priority. It is immaterial that the owner of such a device may have had genuine reasons (attacker pepper spray) for having such a device. Apart from mal-intention and recklessness of IMDs etc, for the majority of persons seizing or examining the device they wouldn't be the intended target and are nothing more than innocent bystanders.

Sunday, March 27, 2016

The Rise of (IoT) Domestic Appliance Forensic Examiners

The future looks bright for forensic digital examiners as the world of Internet of Things (IoT) has brought the rush of products on to the markets to compete in the IoT domestic appliances market. Already, due to time-to-market products flaws in the secure processes that allow users to initiate personal identity protocols to active appliances have been identified.

Just follow the links to read these articles for some enlightenment on what Pen Testing discovered.

iKettle and Coffee Machine

Protocol for the iKettle

Hacking a Wi-Fi Coffee Machine

Hacking Kettles

Internet map used to showed location of IoT appliances

This could all seem laughable save-to-say that the idea of bleeding details or house locations was an issue raised over 10 years ago when, due to a large spate of house burglaries, it was suggested householders should put device specific RFID tags on their household goods just in case of theft. It didn't take long for people to work out that a burglar could create a shopping list of items to theft order by walking down a street with an RFID scanner and GPS tracker.

The next stage is domestic appliances hijacked for malicious damage to devices, burglaries for those using unsafe appliances bleedings personal details and so on.

With IoT appliances expect to see a boon for law enforcement labs with examinations of kettles, tumble driers, washing machines etc. Of course, test equipment will be necessary.

A training course to assist in the examination process is soon to be available.

Saturday, March 26, 2016

iMessage shown to have encryption flaw

Discussion article here:

Apparently, the research has found:

"It took a few months, but they succeeded, targeting phones that were not using the latest operating system on iMessage, which launched in 2011.

"To intercept a file, the researchers wrote software to mimic an Apple server. The encrypted transmission they targeted contained a link to the photo stored in Apple’s iCloud server as well as a 64-digit key to decrypt the photo.

"Although the students could not see the key’s digits, they guessed at them by a repetitive process of changing a digit or a letter in the key and sending it back to the target phone. Each time they guessed a digit correctly, the phone accepted it. They probed the phone in this way thousands of times.

“And we kept doing that,” Green said, “until we had the key.

"With the key, the team was able to retrieve the photo from Apple’s server. If it had been a true attack, the user would not have known.

"To prevent the attack from working, users should update their devices to iOS 9.3. Otherwise, their phones and laptops could still be vulnerable, Green said."

The research report is here:

The Internet of Things (IoT)

Quality. The reality of IoT future?

Sunday, March 20, 2016

British Exports

Just flying the flag for Great Britain and British Exports.

We're not just known for Brexit, you know.

Great Britain - probably the World's greatest leader in manufacturing and services.


Frequently data recovery work undertaken is on eMMC (embedded MultiMediaCard) found in a large number of the smartphones and memory sticks etc. on the market. I was asked what tool I would use for working with e.g. eMMC. One tool that is most frequently turned to is Up-n-Up UP828P Ultra Programmer ('P' is the latest version).

The hardware reader which can be found here It supports the newest types of FLASH, NAND FLASH, SERIAL FLASH, MoviNAND, iNAND , eMMC etc., in addition, the BOOT area of iNAND, eMMC and MoviNAND can be read and written

Also required are the chip adaptors

And if you want to try your hand with iPhone there are adaptors for them too.

Of course, once an image has been acquired soft tools are still needed to read and interpret the data. Chip removal from iPhone (depending upon version involved A6, A8) would be problematical where data are encrypted.

Evidentially, do not experiment with exhibits (seized items) to avoid contaminating or corrupting data on the chip. Instead take the common path to chip exploration and obtain second-hand devices to gain your experience.

The above does not include additional hardware and tools used for the actual chip removals.

Hope this helps.

Saturday, March 19, 2016

Emergency Cases - Smartphone Examination

Capturing the target subject's smartphone activities is not as easy as is thought, as we are all finding out with the current Apple and law enforcement debacle.  The Apple case though is not the norm as the two opposing sides are fighting about the "right to access". The public are engaged with this story that continues to unfold as to what "Privacy" actual means, should terrorism enjoy the comfort of privacy and so on. However, there is a sub-text going on here (as well) concerning examination procedures for smartphones and methodology in emergency cases. Having been involved with mobile phone evidence in criminal and civil proceedings for over 30-years I can tell you it isn't as easy at all.

Consider the current Apple case (and the articles still keep coming) and mistakes that are said to have occurred. The - TECH INSIDER - reported (

"The fact that the password was reset means that Apple was unable to retrieve info from the iPhone's unencrypted iCloud backup like it has for past investigations, according to reporters Apple spoke with. If the password hadn't somehow been reset while in law enforcement custody, the FBI likely wouldn't need Apple to create a tool that lets it brute force hack the iPhone's lock screen passcode and gain access to the device's encrypted contents."

It is the words "password hadn't somehow" that has significance for me because in those words it doesn't take account of the intense situation people are operating under, speed of investigation operations, timescales, prevention for potential further attacks and pressure to resolve the case etc.  So the sub-text here is learning from adverse outcomes in emergency cases. Put on hold demands for back-door access as the golden cure because, in itself, it is not. There can be a plethora of superlative elements that will be sifted, considered and discarded where found not  to be relevant. For elements that may be relevant they still need to be sifted, considered and conceptualised.

From a range of materials I use in my training courses I use the following which I originated back in 2006 (and I published it back in 2010).

Primer(C now) = Point in time and Space (which is a constant reference point) in the present tense when the examiner is contacted for an investigation and from which the examiner uses to look back in time at and into the future regarding mobile telephone evidence.
(T) = Time is the timeline, limited by how far the examiner can see into the past and future based upon discovery.
(S) = Space is the space line that is used as a constant reference point from which all other events occurring in space can be considered based upon discovery (seizure of device, chain of custody of an exhibit etc)
(F) = Future relates to things that have yet to happen (future events). This is based upon things that maybe discovered from the time the examiner is contacted
(F d) = F d represents, as far as possible, thus not set to a specific period of time, how far into the future the examiner can identify events beyond which no further discovery is possible.
(PU usage) = Past User usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)
(PR usage) = Past Record usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)

The proposition in Smith Diag 1 is intended to represent, by use of visualization, how mobile telephone usage can be investigated. The diagram tests your powers of observation and, more importantly, your depth of knowledge. So do not be fooled by what you believe to be my poor graphics skills. I deliberately intended that (PU usage) area to be shown larger than the (PR usage) area in order to suggest more data may be found in the mobile telephone than maybe obtained from the network records. That is because not all activity on a mobile telephone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records therefore issues associated with cell site analysis also need to be considered. It does not automatically follow there shall be parity between data obtained from the mobile telephone and the network records and vice versa. The diagram below (Smith Diag 2) represents a number of suggested data elements commonly arising during an investigation.

The third diagram (Smith Diag 3) uses the classic representation of Time (T) and Space (S). Use of a Time line may be obvious but the Space line may not be so obvious. The point of using Space is as a determinate for e.g. the seized exhibit in the examiner's possession. Let's say the examiner receives the mobile telephone exhibit on the 30th March 2008 at 3.00pm. The exhibit was seized 10th March 2008 at 11.00am. So, the examiner has two facts to work with (a) the exhibit in the laboratory (in time and space) and (b) the exhibit seized at a location from premises or person (in time and space).. So at the point the examiner has initial Contact (C now) with the exhibit then past events can now start to be determined. By way of illustration, following examination let’s say the examiner finds that the data recovered from the device reveals activity not connected with Space where the mobile telephone was seized at (b). Space would therefore be highly relevant, because (i) the examiner would need to demonstrate that as a fact and (ii) to demonstrate the separation in Space between each of the locations (a) laboratory, (b) the seizure, and the intervening factor between (a) and (b). This may be supported, for instance, by the last location and frequency details stored on the SIM card or may be the handset has GPS or one of the smartphone mapping system that might be set to automatic logging.

Have a go at designing one of these diagrams and show how you would handle the Apple phone (in this case) - the seizure and examination procedure. Just as a heads up F d is intended to represent a text message in the future that has been sent but not yet delivered to the target's handset. So how would you know if a text message is pending and who would you have to cooperate with to get that information (and the text content too)?

Hope this helps.

Exploration - missing the micro-evidence

If you are new to or have all but forgotten the humble (U)SIM Card now maybe as good time as any to refresh on the physical state of (U)SIM Card, in particular the hardware, so to speak.

To assist that refresh process, below are links to previously published materials that investigators and examiners might find useful:

It has been noted that such is the sophistication of attackers skillsets in areas, e.g. in-card listening devices, the skillsets applied borders on high-academic results that to the untrained eye could miss a forgery. [Images courtesy of Houda Ferradi, Rémi Gérau d, David Naccache, and Assia Tria: When Organized Crime Applies Academic Results. A Forensic Analysis of an In-Card Listening Device]

Hope this helps