Wednesday, November 21, 2007

FORENSIC RECRUITMENT

I get a lot of enquiries asking about computer and mobile telephone recruitment. I try and answer as many queries as I can but I can't deal with all enquiries for those seeking employment. Moreover, it seems to me, at any rate, that a lot of enquiries I get would be better directed to a recruitment consultant who specialises in this area and is more able to deal with the employment questions and vacancies in the forensic arena.

I have added a new link in the weblinks block under FORENSIC RECRUITMENT (on the right-hand side of this blog) so that students and professionals seeking employment etc can consult those who specialise in this area. I have spoken with David Sullivan of Appointments-UK (www.appointments-uk.co.uk) and he has confirmed to me that he is happy to field enquiries for those seeking employment.

Tuesday, November 20, 2007

Mobile Phone Alarm 'dangerous'

I read an interesting news article reported by kvue.com about a woman in the East Austin area of the US who found that when she dialled "911" on her mobile telephone it had an audible alarm that activated. In itself the alarm noise was not excessively loud and it may not be a problem for those who have a disability and need confirmation that "911" has been successfully dialled. It could be dangerous, though, in other situations the user may find themselves in that require discretion. In situations like hostage, burglary, hijack or reporting a crime in progress, the alarm may alert assailant/s to the user attempting to contact the emergency services.

The mobile telephone kvue.com refers to in this case is a Casio G'zOne phone from US mobile operator Verizon Wireless. The question is why was such a feature incorporated into the mobile telephone? kvue.com reported Verizon Wireless as saying “The tone our customer experienced is our interpretation of Section 255 of the Telecommunications Act calling for a provider of telecommunications service to offer service that is accessible and usable by individuals with disabilities. The tone, indicating that 911 has been dialed, is one of several features designed to make wireless service accessible and easy to use, especially for those with disabilities....”

The FCC were reported as saying that Section 255 of the Telecommunications Code requires that phones let a caller know a 911 call is underway, but does not require an audible alarm, according to kvue.com. A spokesman for the FCC also said “The Commission has not implemented any rules pursuant to Section 255 that would require the use of any tones concerning 911 calls.”

The news article got me thinking why the alarm was necessary, if at all? Most mobile telephones have set as default an audible tone that the user can hear when dialling a number. If hearing is a user disability then 1) why does the user have a mobile telephone in the first place (unless for texting etc) and 2) numbers dialled appear on the screen of the mobile telephone, anyway. That is apart from the fact that some mobiles have an ICON the user can select to call the emergency services. Additionally, for those with impaired sight, it has been a feature of "key 5" on telephones and mobile telephones for at least two decades that a small nipple rises from "key 5" which can be detected by touch for the visually impaired. Once "key 5" is depressed for a period of seconds the phone automatically dials 999/911 (whichever is relevant) and hence why it has been termed the 'emergency key'. So the audible alarm approach looks more gimmicky than of benefit to the user.

Whatever reasoning was behind the intention to use an audible alarm, the fact that it cannot be decommissioned may well impact on consumer appeal to have such a handset. If 911 is accidentally pressed and the audible alarm goes off in the cinema or on the train it may actually aggravate an assailant into shutting the "thing" up - which is the danger the user seeks to avoid.

http://www.kvue.com/news/local/stories/110907kvueverizonalarm-bm.1f46e16ee.html

Tuesday, October 09, 2007

Expert Evidential Disclosure in Criminal Proceedings

When dealing with mobile telephone evidence it is important to be aware of the rules of expert evidence. This too goes for technical and examiner witnesses. In the recent case of R -v- Lorraine Harris & Others (2005) EWCA Crim 1980 Lord Justice Gage was invited by counsel for the Crown to give guidance in relation to expert evidence where the evidence was considered frontier evidence and the significant failure within the criminal justice system to control and manage expert evidence. Counsel argued that there must be a change in approach. The Court of Appeal, however, took the view that, regardless of whether or not the criminal justice system had failed to control and manage expert evidence, they were reluctant to give any new guidance on expert evidence arising from the facts in these particular cases.

Gage LJ took the view that developments in scientific thinking and techniques should not be kept from the court. He considered this to have been demonstrated amply by recent cases involving new techniques such as facial mapping. He went on to express the view that this openness should be so even in cases where scientific thinking was at such an early stage that it could amount to no more than a hypothesis. Obviously, it would be imperative that the true hypothetical nature of the expert’s evidence be frankly indicated to the court.

Using the reasoning of Wall J in the case of Re: AB (Child Abuse: Expert Witnesses) (1995) 1 FLR 181 the current thinking of the Court of Appeal suggests that expert evidence in developing or controversial fields should have its place in court and ought not to be discouraged. However, the expert must be frank and open about the scientific status of such evidence and should reveal any material that might be contradictory. There can never be, said the court, a single test to provide a threshold for admissibility in all cases. It is up to the judge in each case to decide whether expert evidence should be admitted.

These matters follow on the heels of disclosure requirements raised in late 2006 and 2007. These particularly related to disclosure by prosecution expert, professional and technical witnesses generally. Set out in the "Golden Rule" (enunciated by Lord Bingham in R -v- C and H 2004) it removed the right of the witness to arbitrarily decide what evidence s/he would or wouldn't provide to the Crown Prosecution Service or Police and to have identified "all" evidence detailed in lists of "used" and "unused" material generated from the witness' work in the case, which should be disclosed in evidence. All data, test results, standards, academic works etc are to be recorded and copies provided to CPS or the Police for assessment and disclosure where necessary. The principle here perhaps suggesting the defendant should know what is in the file that is being used against him or her (Foucher -v- France 25 EHRR 234).
Thanks to Dr Chris Pamplin and the UK Register of Expert Witnesses for the cases and background info to them. For full details of the cases contact UK Register of Expert Witnesses.

Conflicts Call Records & SMS Delivery Dates

One of the topics dealt with on my training courses just last week is getting examiners to appreciate the relevance of date and time stamps for received SMS text messages. Essentially, it should not be assumed as fact that a text message date and time stamp and call record date and time stamp for the SMS reflect the actual date and time of receipt by a mobile telephone.

The warning during training is worth raising, but there is nothing better than having a reminder about this matter. I have had two reminders of the fact that delayed text messages can occur. Over the last couple of days, two text messages that were sent to me arrived yesterday and today. The text that was received yesterday 08/10/07 was sent on the 05/10/07. The text received today 09/10/07 was sent on the 04/10/07. Note how the older dated of the two text messages arrived later.




There may be some who might argue that:

1) 7F106F3C was full up and 7F106F43 threshold was exceeded, thus preventing texts being received? I can confirm 7F106F3C wasn't full and there is plenty of memory for incoming texts, thus 7F106F43 would not have been invoked.

2) That my mobile 'phone inbox was full up? I can confirm that it wasn't and there is plenty of memory available for incoming texts.

3) That my phone had been switched off all that time? I can confirm my mobile 'phone has been switched ON, on most occasions, except at night and for re-charging. Additionally, I have been receiving texts from others.

4) That the mobile had or has been in a poor service coverage area? No, this would not be correct because on the 04/10/07 I was right by the mobile operator's mast from which my mobile receives service and usually the location for my mobile is in a good coverage service area.

This topic raises important matters regarding mobile telephone evidence in criminal proceedings:

A) That the date and time in an SMS text message is the SMSC date and time that received the sent text message from its subscriber. There are some, not many, mobile telephones that do identify a date and time for the text folder when the message was received, but that is not the text message itself. Also the folder date and time is only as accurate as the user set the clock on the mobile 'phone. The latter folder issue may be a moot point, though, for where the text message is deleted and later recovered, the mobile telephone folder or its date and time stamp are not recovered.

B) That the call records reflect the charging parameters date and time, not necessarily the delivery date and time of an SMS text message. Therefore, this can create conflict between the call records dates and time and SMS delivery dates and times.

C) In criminal proceedings, we largely deal with historical data and therefore the subscriber of a mobile telephone account may receive a message some time after the date it was sent and the message may be subsequently saved or deleted. However it may also be the case that the subscriber may not remember down the line whether a particular text was received late or not.

To overcome this problem and for corroborative purposes, naturally, call record data that identifies details of a received SMS text message should include the network operator's record confirming receipt of the text message including date and time stamp. The network receipt arises as the mobile 'phone is required to provide confirmation of the message delivered to it. You might think this is analogous to a "Registered Post" letter requiring the addressee to sign having taken delivery of it.
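
Point A above can be seen directly in a record read from 7F106F3C (the SMS file, 6F3C, under the telecom directory 7F10). The following is an added example, not part of the original post: it decodes the SMSC time stamp (TP-SCTS) from one record and compares it with an operator delivery confirmation. It assumes the standard 176-byte record layout of 3GPP TS 51.011 and the SMS-DELIVER layout of 3GPP TS 23.040; the sample record, the telephone numbers and the operator receipt time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RECORD_LEN = 176  # 1 status byte + 175 bytes holding SMSC address and TPDU

# Constructed sample record (not from a real SIM). Numbers are from the UK
# range reserved for fiction; SCTS is 04/10/07 14:22:31 at GMT+1.
SAMPLE_RECORD = bytes.fromhex(
    "01"                # status: received and read
    "0791447700090000"  # SMSC address: length, TON/NPI, swapped digits
    "04"                # first TPDU octet: SMS-DELIVER
    "0C91447700091032"  # originating address: 12 digits, international
    "0000"              # TP-PID, TP-DCS
    "70014041221340"    # TP-SCTS (7 octets)
    "02C834"            # TP-UDL and user data
).ljust(RECORD_LEN, b"\xff")

# Constructed operator delivery-confirmation time for the sample message.
SAMPLE_RECEIPT = datetime(2007, 10, 9, 9, 15, 0,
                          tzinfo=timezone(timedelta(hours=1)))


def swapped_bcd(octet):
    """Two decimal digits stored low nibble first (semi-octet order)."""
    return (octet & 0x0F) * 10 + (octet >> 4)


def decode_number(ton_npi, digits):
    """Decode a swapped-BCD address; 'F' is the filler for odd lengths."""
    out = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in digits).rstrip("F")
    return ("+" if (ton_npi & 0x70) == 0x10 else "") + out


def decode_scts(raw):
    """TP-SCTS is YY MM DD hh mm ss TZ: when the SMSC received the message."""
    yy, mo, dd, hh, mi, ss = (swapped_bcd(b) for b in raw[:6])
    tz = raw[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)  # offset from GMT, 15-minute units
    if tz & 0x08:                            # bit 3 of the TZ octet is the sign
        quarters = -quarters
    zone = timezone(timedelta(minutes=15 * quarters))
    # Assumption: two-digit year is in the 2000s.
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=zone)


def parse_ef_sms(record):
    """Return status, SMSC, sender and SCTS for one received-message record."""
    if len(record) != RECORD_LEN:
        raise ValueError("EF SMS records are 176 bytes")
    status = record[0]
    if not (status & 0x01):
        return None                          # slot is marked free
    tpdu = 2 + record[1]                     # TPDU follows the SMSC address
    if (record[tpdu] & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = record[tpdu + 1]             # sender length counted in digits
    oa_end = tpdu + 3 + (oa_digits + 1) // 2
    scts_at = oa_end + 2                     # skip TP-PID and TP-DCS
    return {
        "status": status,
        "smsc": decode_number(record[2], record[3:tpdu]),
        "sender": decode_number(record[tpdu + 2], record[tpdu + 3:oa_end]),
        "scts": decode_scts(record[scts_at:scts_at + 7]),
    }


def delivery_delay(record, network_receipt):
    """Gap between SMSC receipt (TP-SCTS) and the operator's delivery record."""
    return network_receipt - parse_ef_sms(record)["scts"]


if __name__ == "__main__":
    msg = parse_ef_sms(SAMPLE_RECORD)
    print("Sender:          ", msg["sender"])
    print("SMSC time stamp: ", msg["scts"].isoformat())
    print("Operator receipt:", SAMPLE_RECEIPT.isoformat())
    print("Delivery delay:  ", delivery_delay(SAMPLE_RECORD, SAMPLE_RECEIPT))
```

Nothing in the record itself says when the handset took delivery, which is why the operator's confirmation is needed alongside it.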

Monday, October 08, 2007

Another Mobile Telephone Stun Gun

If I carry on like this I will probably end up with the world's largest weblog catalogue of mobile telephone stun guns. Having previously reported on mobile telephones being re-designed as weapons at this weblog, well here's another. Just to be clear I will not promote where these products can be obtained, but I do highlight that these devices do exist and, as always, ask those who are seizing, handling or examining mobile telephones to take care, so as to avoid personal injury.

This realistic looking smartphone-style stun gun delivers 900,000-volts of so-called "protection" using only three (3) CR2 batteries. Previous mobile telephone stun guns claimed 800,000-volts or lower. As a generous bonus the manufacturer of this device has added a 12 LED flashlight, so that users can white-light blind the vision of their victims before whacking the poor souls with 900,000-volts - how generous! The unit is 4-inches in height and comes with a snazzy holster for those who are fashion conscious. So as to prevent users from zapping themselves the manufacturer has thoughtfully put in two levels of safety - well quite, it just wouldn't do would it for the user to be zapping themselves?
Take care, be lucky.

Sunday, August 26, 2007

Cloning GSM SIM Card Report


This report, which is available for download, was written back in 2002 and was one of the first on the market to look at what was happening with the GSM SIM Card cloning marketplace, and I believe this report was the first to report on this matter in the mobile telephone evidence and forensic community.

I am letting this report out as it was written in 2002 but largely because there is so much about cloning of SIM Cards that is available by way of the Internet (Google says 1,580,000 threads) that I think it is hardly likely that I am breaking any professional, forensic or moral taboos.


http://www.filebucket.net/files/4289_kt8qi/Special_Edition_2002_SIM_Cloning.pdf

Tuesday, July 24, 2007

Updated download links - Files-Upload

Updated download links

I have updated a number of the download links using the free file sharing service files-upload.com and will try to have all download links completed very soon.
The change over is because filebucket.eu seems not to function any longer, which happened previously with filebucket.net. There was no notice of any up and coming changes. I was grateful for the free service filebucket provided, thanks, and wish them well, wherever they are going.

Saturday, July 21, 2007

Stun Gun Cellphone

Having previously reported on Stun Guns being designed like mobile 'phones in MTS Newsletter: http://trewmte.blogspot.com/2007/05/mobile-phones-to-be-used-in-counter.html, below is yet another Stun Gun designed as a mobile phone (cellphone). This design, which gives a vague impression (but not distinctly promoting a particular brand name) of being a Nokia or similar brand name design, is, in my view, more worrying. Because its appearance has the potential to fool, those seizing or handling mobile phone evidence may be at risk.

Designed to accurately resemble an actual cell phone but emits a powerful 800K volts with the press of a button. Easy to operate and equipped with a safety switch to prevent accidental firing. Includes leather case with belt attachment. Uses 3 CR123a batteries (not included). Please note this is not an actual cell phone but a "very powerful self defense weapon" apparently.

Monday, July 16, 2007

Cellphone Transformer

Some people shout on the mobile telephone whilst on the train, annoying all the passengers. With Parkoz Hardware's new cellphone transformer I can use the mobile and entertain the passengers at the same time.

Saturday, June 16, 2007

China Mobile Telephones

China Mobile Telephone Exports
It wasn't difficult to guess that with China's industrial revolution into manufacturing everything and its growth markets in mobile telephones that China would aim to compete with the world's best known handset brandnames, such as Nokia, Motorola, Samsung, SonyEricsson, Alcatel, Sagem etc. I thought it might be helpful for mobile telephone examiners to be aware of the new China mobile telephone imports and publish a list of new arrivals of mobile telephones from China. The list is not exhaustive and covers those models that are available now. All of these handsets are operating in the frequency ranges of: 900MHz, 1800MHz and 1900MHz.

A818 Multi-media Phone +Bluetooth
BEST D2000 Multi-media Phone
BOEING 777 Dual SIM Card Phone
BELLWAVE 830 Dual SIM Card Phone
CECT Q500
CECT C1000+ Dual SIM Card Phone
CECT 1000D
CECT A800
CECT Jie Bao
CECT N90 Dual SIM Card Phone
CECT V8 Multi-media Phone + Bluetooth
CECT Q500 Dual SIM Card Phone + Bluetooth
CECT N538 Dual SIM Card Phone
CECT 1000D Dual SIM Card Phone
CECT A800 Dual SIM Card Phone + Bluetooth
CECT A706-2 Dual SIM Card Phone + Bluetooth
CECT N95 Dual SIM Card Phone + Bluetooth
CECT Y890 Dual SIM Card Phone
CECT C1000I Dual SIM Card Phone
CECT W958 Multi-media Phone
CECT N788 Multi-media Phone
CECT C99 Dual SIM Card Phone
CECT Q500 Dual SIM Card Phone
CECT N55 Multi-media Phone
CECT A900 Dual SIM Card Phone + Bluetooth
CECT V007 Multi-media Phone
CoolPAD 728B GSM + CDMA
CoolPAD 298 GSM + CDMA
CoolPAD 288 GSM + CDMA
HUI FENG 666 Multi-media Phone
HUI BAO 520 Dual SIM Card Phone + Bluetooth
ICOOL D66 Dual SIM Card Phone + Bluetooth
JIN SHA A203 Dual SIM Card Phone
JIA XIN N95 Dual SIM Card Phone + Bluetooth
K007 Multi-media Phone + Bluetooth
KAI RUI 666 Multi-media Phone
KAI RUI 169 Multi-media Phone
LANG XING M558 Dual SIM Card Phone
Long Run L821 Dual SIM Card Phone + Bluetooth
Ma Bao 99 Dual SIM Card Phone
NCKIA E95 Dual SIM Card Phone + Bluetooth
O3 838 Multi-media Phone + Bluetooth
Qi Tai X689+ / ZT 68 Dual SIM Card Phone + Bluetooth
San Sunc N96 Dual SIM Card Phone + Bluetooth
TIAN Long 788 Multi-media Phone
TIAN SHI XING T900 Dual SIM Card Phone
Ya Qi Yi Hao Dual SIM Card Phone + Bluetooth
Zhong Than 199 Dual SIM Card Phone + Bluetooth
ZT 988 Dual SIM Card Phone
ZTC 988 Multi-media Phone
ZTC C2000 Dual SIM Card Phone

Monday, May 07, 2007

Mobile Phones to be used in counter-terrorism

USA Today ran an interesting news article titled "Phones studied as attack detector", which discusses The Department of Homeland Security developing "Cell-All" program.
The work undertaken in the project apparently will look at cellular telephones and how isotope and biological detectors can be incorporated into them and their use. As a mobile telephone is carried should it (the cellphone) detect a known reference element, having the inclusion of Global Positioning System (GPS) in the cellphone would allow it to transmit the location coordinates of the detection to authorities.
The idea is interesting, but is not new. In the issue INDEX NO: VOL 2-MTS02-2005 Mobile Telephone Surveillance (MTS) Newsletter it contained a collection of short articles I had written going back to 2002 in which I identified how mobile telephones and mobile systems can be used as weapons, used for interception and detectors. The MTS edition was sent to military, law enforcement agencies and security specialists in the UK as it also discussed mobile telephone issues associated with the July 2005 bombings in London UK. One of the short articles discussed "Cell phone could warn of bio-attack".
A mobile phone able to warn against fire, leakage of methane or other types of toxic gas. The phone includes a battery with sensors that provides periodical information about quick temperature changes, the presence of smoke, methane and carbon monoxide, which are compared by an internal device with pre-established normal values. The alarm telephone will not be much more expensive than a common one, as a sensor costs about 5-10 dollars and only the phone's software will be changed. In the future, the mobile phones might also include biosensors, which will warn about the presence of bacteria, viruses, toxins, micro-organisms, radiations, nuclear particles and explosive powder. Such a project should also take into account the high price of the biosensors of about 300 dollars. The biosensors are currently in the test phase.
The original concept of biosensors being used in mobile telephones has been developing since 2003. It is interesting to see, though, in 2007 how far that concept has come, and how mobile telephones are, once again, being adapted to operate in so many different ways well beyond the original concept for consumer use, such as mobile calls and text messaging.

Monday, April 16, 2007

Privacy: Phones, Emails, Internet

The European Courts of Justice gave a further decision recently regarding the importance of Human Rights and the right to Privacy when it comes to communications - Copland -v- United Kingdom [COPLAND v. THE UNITED KINGDOM - 62617/00 [2007] ECHR 253 (3 April 2007) ]. The impact of this decision will again focus minds on what is reasonable conduct and relevancy of performing the conduct in the first place. The elements to the case of Copland began in 1998 relating to monitoring of the Complainant's communications, revealed in 2000. However, such monitoring was before the Human Rights Act 1998 came into effect in October 2000 and prior to The Telecommunications (Lawful Business Practice) Regulations 2000 having effect due to the requirements of The Regulation of Investigatory Powers Act 2000. Two important elements of the last two pieces of legislation are: prevent or reduce cases of spying on people's communications; and remedy by which to measure whether the conduct and actions are unlawful or not.

I have some understanding of these issues. Back in 2001 I was head of a Fraud and Security SIG in the UK for an association whose members spent approx £8B per annum on communications. You could say I used this time over a four year period to increase my forensic skillsets for evidence arising in the workplace. One issue I dealt with in 2001 was Communications Surveillance in the Workplace in response to the requirements in The Telecommunications (Lawful Business Practice) Regulations.

I generated a discussion document and researched certain relevant issues at that time and the document was circulated to members and other interested parties. It is based on aspects of UK and EU legal issues. I have looked back in archive and have put a .pdf document into a Winrar file, which can be downloaded:


http://www.filebucket.eu//files/25/Communications%20Surveillance%20Workplace.rar.

This document is a 2001 document, so you need to be aware of latency of the document as to its usefulness in today's marketplace and forensic investigation.

A copy of the full Judgment can be found at: http://www.bailii.org/eu/cases/ECHR/2007/253.html.

Tuesday, April 03, 2007

File Signatures Mobile Phone & Computer Forensics

File Signatures Mobile Phones & Computer Forensics
FILESIG MANAGER

The ever-growing list of file signatures needed when drilling down into imaged data to determine the varying file types that may be recorded in the data can be a real pain if, like me, you create ever-growing lists of file signatures copied and pasted into Notepad documents. The raw data I see from imaging mobile telephones, SIM/USIM, Smart/MMC cards and hard disc drives means that I need to retain a single database for all the file signatures captured. I have found a great little tool called Filesig Manager, created by Tim Coakley (www.filesig.co.uk), which is a "file signature and keyword management tool, acting as an examiner's central repository of File Identification information." Importantly, not only does it work very well, but it's FREE.


Screen Image 1

The screen image 1 illustrates a range of captured file signatures stored in the database that includes file extensions, description and category of file and in addition fields that contain data for segments and offsets used by other computer forensic products. The database comes with some pre-defined file signatures, which are the most common and most useful and the user can enter their own file signatures as and when they are discovered.
Typically, file signatures contain the first eight bytes and last four bytes of a file. Below are some examples of common file signature types I have recovered from saved and deleted data following imaging of mobile phones and MMC cards.

Header                       Footer           Extension
[FF D8 FF E0 00 10 4A 46]    [A4 83 FF D9]    [.JPG]
[30 26 B2 75 8E 66 CF 11]    [23 AE 00 00]    [.WMA]
[FF FA 61 C0 EA 3D 00 00]    [00 00 00 00]    [.MP3]
[00 00 00 14 66 74 79 70]    [31 31 31 30]    [.3GP]
[47 49 46 38 39 61 18 01]    [00 00 00 00]    [.GIF]
[52 49 46 46 AC D3 01 00]    [0D 0A 0D 0A]    [.WAV]

It is worth mentioning that some signatures use a Header that does not require all 8 bytes to be used. For example, .JPG file signatures are commonly referenced with a Header FF D8 FF E0 or FF D8 FF E1.
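
The point about headers that do not need all 8 bytes can be shown with a small scanner over a raw image. This is an added example, not code from Filesig Manager or from the original post: it matches only the constant part of each header in the table above (in the .WAV and .3GP rows, four of the eight bytes are a length field that varies per file) and carves JPEG and WAV data. The sample image is constructed; the function names are illustrative.

```python
import struct

# (extension, offset of the constant bytes within the file, constant bytes)
SIGNATURES = [
    ("JPG", 0, bytes.fromhex("FFD8FF")),            # 4th byte E0 or E1 varies
    ("WMA", 0, bytes.fromhex("3026B2758E66CF11")),  # start of the ASF header GUID
    ("GIF", 0, b"GIF8"),                            # "GIF87a" or "GIF89a"
    ("WAV", 0, b"RIFF"),                            # bytes 4-7 are a length
    ("3GP", 4, b"ftyp"),                            # bytes 0-3 are the box length
]
# .MP3 is left out: FF FA is a frame sync pattern, too short to match reliably.


def scan(image):
    """Return sorted (file_start_offset, extension) for every header hit."""
    hits = []
    for ext, magic_off, magic in SIGNATURES:
        pos = image.find(magic)
        while pos != -1:
            if pos >= magic_off:
                hits.append((pos - magic_off, ext))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def carve_jpg(image, start):
    """Header-to-footer carve: stop at the first FF D9 after the header.

    An embedded thumbnail also ends in FF D9, so a short result should be
    checked by carving to the next FF D9 as well.
    """
    end = image.find(b"\xff\xd9", start + 3)
    return image[start:end + 2] if end != -1 else None


def carve_wav(image, start):
    """Length-based carve: RIFF stores the size of everything after byte 8."""
    if image[start + 8:start + 12] != b"WAVE":
        return None                      # RIFF container, but not audio
    (size,) = struct.unpack_from("<I", image, start + 4)
    end = start + 8 + size
    return image[start:end] if end <= len(image) else None  # None if truncated


def build_sample():
    """Constructed 'card image': zero fill, one tiny JPEG, one tiny WAV."""
    jpg = bytes.fromhex("FFD8FFE000104A46494600") + b"\x11" * 20 + b"\xff\xd9"
    wav_body = b"WAVEfmt " + b"\x00" * 24
    wav = b"RIFF" + struct.pack("<I", len(wav_body)) + wav_body
    return b"\x00" * 512 + jpg + b"\x00" * 100 + wav + b"\x00" * 64


def carve_all(image):
    """Carve every JPG and WAV hit; other types are reported but not carved."""
    carvers = {"JPG": carve_jpg, "WAV": carve_wav}
    results = []
    for offset, ext in scan(image):
        data = carvers[ext](image, offset) if ext in carvers else None
        results.append((offset, ext, len(data) if data else None))
    return results


if __name__ == "__main__":
    for offset, ext, length in carve_all(build_sample()):
        print(f"offset {offset:6d}  .{ext}  carved bytes: {length}")
```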

Screen Image 2
The screen image 2 illustrates file extensions and description of file extension as a look-up table.

Thursday, March 08, 2007

Recover deleted data Smart/MMC Cards

There are times when my clients want to recover deleted data, whether it is from mobile telephones, SIM or USIM cards or smart/mmc cards. The screen images below demonstrate some of the stages involved in recovering deleted data from an MMC card.
The screen image above illustrates that a target device has been selected using the easy to understand GUI.

Importantly, this screen demonstrates just some of the file types that have been selected to be recovered. There are, of course, many file types that can be recovered, such as: (images etc) 3GP, AVI, MOV, MP4, MPEG, RM, WM, DjVU, BMP, CDR, DCR, DWG, GIF, ICO, JPEG, MRW, NEF, ORF, PEF, PNG, PSD, PSP, RAF (1) & (2), RAW, SRF, TIFF, TTF, WMF, XIF. (audio) AIF, AU, AVR, DSS, M3U, MIDI, MP3, OGG, RIFF, VOC, WAV, WMA. This is apart from other document file types (such as .doc, .pdf, etc).

Having selected the file types for recovery that have been deleted (free space), the recovery process needs to be set in motion, shown in the above screen image.


Here we see the number of recovered files that had been deleted stands at 13 files. The MMC card from which the deleted data was recovered has a memory size of 32MB. However, it is possible to recover many tens of deleted files from cards with this memory size, and many hundreds of files from large memory cards (dependent on file size, of course).



Finally, here is a complete recovered file fully working 3GP video and metadata intact.
If you are in law enforcement, public sector, criminal or civil solicitors and need this service, please send an email to me with your full contact details at:
The Digital Evidence Examination Unit (The DEEU)

Friday, February 23, 2007

Can you help?



Please donate to help young Laura who is diagnosed with cancer. During the past couple of years she has undergone many treatments of radiotherapy and chemotherapy, she has had one kidney removed, her spleen has been removed along with part of her pancreas. On Jan 5th 2007 she had 3 tumours removed from her lungs. The outlook for Laura is not good, it was her 3rd birthday recently.
The small gift of a donation you make can help towards making lives like Laura's that little bit easier. All donations are paid to *Candlelighters.
*Candlelighters supports the work of the Regional Children and Adolescent Cancer and Leukaemia Unit at St. James's Hospital Leeds and funds research into childhood cancer.
Charity Registration No 1045077
UPDATE: Sad news. Regrettably, beautiful young Laura died on the 6th April 2007.

Thursday, February 22, 2007

Is your cell phone bugged

Vortex (a US company) has produced an online Video, which they say is "to explain this issue in a more demonstrative and somewhat less technical manner..."

http://video.google.com/videoplay?docid=-3437321657032158285&hl=en

It raises some quizzical issues. This is not my attempt to be dismissive of what they are saying, but I could not help but think that it relies upon the subjective judgement of each mobile phone user to determine whether a battery that runs down too quickly, or a handset that gets hot when not in use, means that information is being extracted from it.

The video authors do stress that any such monitoring of mobile phones is not targeted at the general public, but at those under surveillance. But that in itself may not stop the general public thinking something may be up if they find the suggested events occurring.

Whilst videos like this can be informative, they can introduce feelings of worry or paranoia in those who may be vulnerable to such feelings. Perhaps it might assist, if a mobile phone user thinks this is happening, to first rule out common events to which the mobile phone may be exposed:

The mobile
A) had been left in direct sunlight
B) had been left close to a radiator or other devices that emit heat (kettles, photocopiers, computers/laptops etc)
C) has only just been taken out of a coat pocket (obvious I know, but worth saying anyway)
D) loses battery power because of resource-greedy applications running on it
E) does update to the network, and in areas where pockets of poor radio coverage occur, or where the mobile is located at the radio boundary of a Mast's coverage, updating to the network does increase energy consumption (drawn from the battery)
F) is switched OFF and the battery still runs low: it could be a fault causing a bleed from the battery, or the mobile's firmware may be faulty regarding e.g. the clock and draw power from the battery at a higher rate
G) is using broadband, which might require the ISP or application service to 'ping' the mobile to ensure the account is still connected; this might be a separate event from updating to the network regarding, for example, the subscriber IMSI-attach status

These are just some observations that might help, but if a mobile user is still concerned, the video does demonstrate a detection method using speakers. But even that may produce a false-positive result. There is of course another method that may eliminate this matter, which the video suggests: remove the mobile phone's battery. OK, but that doesn't take account of when the mobile is switched ON and in the idle mode. If the mobile user still feels uncomfortable, then change to a different or new mobile phone.

Monday, February 19, 2007

USB Profiler mobile 'phone examination

Ever found it annoying, like I have, when trying to examine mobile 'phones and SIMs/USIMs that, given the vast range of applications and USB plug-in devices to be used, it becomes difficult to know which USB connections are actually running on the computer? That means not just USB devices logged as previously being used but whether there is a live link currently running. As always it is the simple, straightforward programs that make our lives so much easier. USBDeview profiles all USB connections and provides a global view of activity on your computer. You could of course spend time scrolling through Device Manager...but that can be long-winded. This freeware program speeds up the detection process. Enjoy.

Friday, February 16, 2007

GPS Mobile Phone Computer Training Shoes

The conventional mobile 'phone looks set to undergo a radical design change, if the above training shoe becomes popular. The internal microphone and speaker fitted into the trainer can be configured to act as a wireless phone. The trainer even comes with a USB port. Problems might arise of course when going through customs or airport security if you are wearing a pair of these. I must confess perhaps to a little apprehension regarding having to examine this type of exhibit. Will be adding odour eaters and Febreze to my forensic examiner's toolkit.

To find out more click on the Technologies tab at the bottom of home page - http://www.isaacdaniel.com/fele.htm

Saturday, February 03, 2007

GSM Radio Test Measurements - Non-Dominance

Screen Image 1

Readers and cell site analysis students will recall the thread at http://trewmte.blogspot.com/2007/01/gsm-radio-test-measurements.html regarding GSM Radio Test Measurements. In that thread the discussion related to possible anomalies and interpretation regarding radio test measurements. In this thread I want to highlight another radio anomaly termed non-dominance that may occur.

Generally speaking, non-dominance occurs when the radio coverage from two or more radio sources is so evenly matched that they all become dominant. The rare event in Screen Image 1 shows the coverage quality and signal strengths of four radio sources all equal to each other, in a confined area, where the receiver is in the idle mode and at ground level. Attempting to determine which particular Mast would be used to make or receive a mobile call in these circumstances might be difficult. The problems interpreting outcomes due to non-dominance could be numerous. For instance:


i) Who is to say that the receiver camped on a Mast's coverage shown by ACT would actually use that Mast? The coverage at NC2, NC3 and NC4 is equally likely to be a candidate to carry a mobile call.
ii) What happens where the Mast on whose coverage the receiver is camped at ACT is not actually best placed, or in line of sight with the receiver, and in other circumstances would not be considered at first instance to serve the geographical area? Under these conditions the receiver could be placed in an entirely different geographical area simply from summarising the Mast details shown in the mobile call records.
iii) When call setup (OACSU) takes place and a connection is made, could it be possible that a mobile ‘phone starts a connection for less than a second on the Mast at ACT but is forced into hard handover immediately thereafter, thus shifting the call to another Mast (say, NC4)? It could be possible that the Mast at ACT is shown as the Mast in the call records, which could be rather misleading when attempting to consider the geographical location of the mobile telephone for a particular mobile call.
iv) How can the radio examiner, looking at historical records, correlate radio test measurements against the outward set of event elements recorded in call records? Non-dominance may mean a series of calls made at one location being handled by numerous Masts, so that analysis of Mast usage in the call records may suggest that the mobile is on the move when in fact it is confined to an area. Non-dominance may result in a high number of short duration mobile calls shown in the call records. The short duration calls may not be due to the user terminating the calls, but rather the network dropping the calls.

I introduced, I believe, GSM non-dominance as an important radio anomaly to be considered regarding evidence of radio test measurements into the first criminal case in the UK back in 2003 at the Central Criminal Court (Old Bailey). GSM non-dominance was identified and shown in my evidence. Three other experts appearing for the prosecution or other defendants received my report. Acceptance of my results and findings was agreed and no challenges were made. However, I should point out that the discovery that non-dominance can occur for radio coverage was not my invention but arose from radio propagation studies by mobile network radio engineers endeavouring to agree anomalies for radio principles. The non-dominance principle had already been adopted for the Tetra standards and is accepted in GSM radio parlance as a noteworthy event. Therefore, I was fairly well armed with other independent findings.


The purpose of this discussion thread is to provide yet another example of radio conditions that can prevail when conducting GSM radio test measurements, and to show that simply analysing call records may only present half a picture: a trompe l’oeil (a lie to the eye), if you will.
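As an added illustration (not part of the original post), the following Python sketch flags non-dominance in a series of idle-mode measurement snapshots taken at one fixed position. The channel numbers, signal levels and the `margin_db` tolerance are constructed assumptions; only the ACT/NC slot layout follows the screen described above.

```python
"""Added example (not from the original post): flag non-dominance in
idle-mode radio test measurements taken at one fixed position."""

# Constructed sample data: three snapshots at the same spot, each row being
# (slot, BCCH channel, RxLv in dBm). Channels and levels are invented.
SNAPSHOTS = [
    [("ACT", 81, -62), ("NC2", 87, -62), ("NC3", 93, -62), ("NC4", 70, -62), ("NC5", 75, -88)],
    [("ACT", 93, -61), ("NC2", 81, -62), ("NC3", 87, -62), ("NC4", 70, -63), ("NC5", 75, -89)],
    [("ACT", 70, -62), ("NC2", 93, -62), ("NC3", 81, -63), ("NC4", 87, -63), ("NC5", 75, -90)],
]


def co_dominant(snapshot, margin_db=2):
    """Return the channels whose RxLv lies within margin_db of the strongest.

    margin_db is an examiner-chosen tolerance (an assumption of this example);
    0 reproduces the 'all equal' case described for Screen Image 1.
    """
    strongest = max(rxlev for _, _, rxlev in snapshot)
    return sorted(chan for _, chan, rxlev in snapshot if strongest - rxlev <= margin_db)


def is_non_dominant(snapshot, margin_db=2):
    """True when two or more cells are equal candidates to serve this position."""
    return len(co_dominant(snapshot, margin_db)) >= 2


def serving_channels(snapshots):
    """Channels seen in the ACT slot across snapshots, in order of first appearance."""
    seen = []
    for snap in snapshots:
        for slot, chan, _ in snap:
            if slot == "ACT" and chan not in seen:
                seen.append(chan)
    return seen


def summarise(snapshots, margin_db=2):
    """Summarise a static survey point for the examiner's notes."""
    flagged = [i for i, s in enumerate(snapshots) if is_non_dominant(s, margin_db)]
    serving = serving_channels(snapshots)
    return {
        "snapshots": len(snapshots),
        "non_dominant_snapshots": flagged,
        "serving_channels": serving,
        # Several serving cells at a fixed point means call records naming
        # different Masts need not indicate movement.
        "static_but_multiple_masts": len(serving) > 1 and bool(flagged),
    }


if __name__ == "__main__":
    print(summarise(SNAPSHOTS))
```
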

Thursday, February 01, 2007

Master Password Unlock

I have received requests for copies of the 2006 supplement edition of Mobile Telephone Evidence (MTE) Newsletter Vol4-MTE-03-2006 supp: 002 regarding Master Password Unlock for Nokia mobile telephones.

http://www.filebucket.net/files/1597_knksh/Handset%20Password%20Unlock.rar

Sunday, January 21, 2007

Thursday, January 18, 2007

GSM Radio Test Measurements

Radio Test Measurements 1



The screen image (Radio Test Measurements 1) represents the output results of radio coverage detected at the receiver (mobile telephone) and is a single static view of that coverage at one instant. During cell site analysis many screens will be obtained, but for the purposes of this discussion this single screen image will do the job. Firstly, the reader will need to comprehend, at least, an interpretation that can be given to the identifiers in the screen image above.


TOP ROW
1. Chan: this indicator refers to the Broadcast Control Channel number.
2. RxLv: this indicator refers to the received strength of signal at the test handset measured in deciBel milliwatts (dBm), where dBm is the notation for the measurement of power of the received radio signal, e.g. -75dBm.
3. C1: this is a quality indicator (path loss criterion) and is used for cell selection and cell reselection. The parameters are determined from the signal strength, the minimum received power levels for initiation of signals between the mobile and network, the maximum transmit power for accessing the network and the power of the mobile phone itself.
4. C2: this is an indicator used only for cell reselection optimisation and identifies parameters to aid the mobile phone in its cell reselection process.


LEFT COLUMN
5. 'ACT' denotes the strongest, thus dominant, serving cell coverage at that location providing the best quality associated with the BCCH number (Chan). This means the mobile telephone has completed the cell selection/reselection processes for normal service and has chosen a cell from which it plans to receive all available services (known as "camping on a cell").
6. 'NC2-NC6' denotes other cells available in an area that may equally offer service, but upon which the mobile phone has not camped. However, the mobile network is aware that the mobile phone has choices available to it. Displayed beside the NCs are the cells, identified by their respective Broadcast Control Channel (BCCH) numbers.


OBSERVATIONS

If it is accepted that Chan (Channel) identifies the BCCH frequencies of the radio coverage that the receiver (mobile telephone) has detected in the ether (or, as Professor Clerk-Maxwell (1886) so put it, "ethereal wind" when describing electro-magnetic energy in the air), then RxLv (signal strength), C1 and C2 can be considered.


Signal Strength

The maximum received signal strength at the receiver is understood to be -40dBm for GSM (see e.g GSM 11.10 etc) and commonly -40dBm is said to be at or very close to the transmitter. However, when looking at Radio Test Measurement 1 for ACT and NC1 we see Chan 81 and 87 detected at the receiver with signal strength -27dBm and -37dBm respectively. This raises the suggestion of saturation by the transmitter's coverage determined at the receiver, where the receiver is located on the ground. So what could be the reason for this?


One suggestion might be that the sensitivity at the receiver is out of spec. For this instance it would be wrong. When I conduct cell site analysis I have five (5) mobile telephones with me set in network engineering mode in order to account for a faulty handset and other anomalies, and to determine whether several mobile telephones switched ON and side by side would detect and camp on the same cell (GSM terminology for radio coverage from a particular Mast) or other cells. For the radio test measurements in this case all five (5) were switched ON and all detected Chan 81 with signal strength ranging from -27dBm / -30dBm.


So if it is accepted that the mobile telephones collectively are not revealing false-positives, what else might cause this to occur? To determine this matter readers may wish to investigate by way of the GSM Standards to comprehend the standard for upper and lower limits of signal strength and review the requirements for BTS (Base Transceiver Station) transmission power etc.


It may equally be helpful to mention at this point that the signal strengths for NC2 (-44dBm), NC3 (-67dBm), NC4 (-68dBm), NC5 (-69dBm) and NC6 (-70dBm) are very respectable levels of signal strength, being of high quality. When I refer to high quality I am of course referring to the term as used by the objective GSM Standard GSM03.22, which contains a useful reference when considering the quality of signal strength (RxLv) recorded in radio test measurements: a mobile network "shall be understood to be received with high quality signal if the signal level is above ‑85 dBm".


Moreover, GSM05.08 identifies the threshold RXLEV (same as RxLv) on the downlink for the handover process to commence. Typical range -103 to -73 dBm. Thus, with the received signal strength of NC2 to NC6 at the receiver being above -73dBm, could one conclude that, were the mobile telephone to have camped on any one of NC2 to NC6, the network is unlikely to hand the mobile over to another cell in the list? My observation to any reader would be to investigate the GSM Standards in order to consider all the elements and produce a more rounded opinion on this matter.


C1/C2

Cell selection and cell reselection are rather complex and convoluted matters to discuss in this short discussion thread. My observation to the reader would be to look at C1/C2 and see whether at first instance the threshold results are identical or different? What does it mean if they are not identical? Also look closely to see if cells are indicated as not available for selection or reselection - denoted in Radio Test Measurement 1 as -99. Why would a cell not be selected and/or reselected? Is it due to poor signal strength; the mobile telephone has calculated its own power capability as low; or is it detecting interference etc?


The above is just a fraction of the information that needs to be considered during and following cell site analysis, and the little I have extrapolated above shows that a casual approach to radio test measurements and cell site analysis can result in erroneous conclusions being drawn.
[Update: For more on Cell Site Analysis, see:
http://trewmte.blogspot.com/2006/11/cell-site-analysis-part-1.html ]

More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com
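The following Python sketch is an added example, not part of the original post. It annotates one measurement screen with the thresholds quoted above (-40dBm, -85dBm and the -99 marker) and computes C1 and C2 following the definitions in GSM 05.08. The ACT, NC1 and NC2 signal levels are taken from the discussion above; the per-cell broadcast parameters, the handset power, the channel numbers other than 81 and 87, and the use of -99 for a cell whose parameters have not been decoded are constructed assumptions.

```python
"""Added example (not from the original post): annotate a radio test
measurement screen and compute the C1/C2 criteria per GSM 05.08."""

MAX_RX_DBM = -40        # maximum received level quoted in the post
HIGH_QUALITY_DBM = -85  # GSM 03.22 "high quality" level quoted in the post
NOT_AVAILABLE = -99     # value the test display shows for an unusable cell

# Constructed per-cell broadcast parameters, keyed by BCCH channel.
# penalty=None stands for the reserved PENALTY_TIME value (31).
PARAMS = {
    81: dict(access_min=-104, txpwr_max=33, offset=0, temp_offset=0, penalty=20, timer=0),
    87: dict(access_min=-104, txpwr_max=33, offset=10, temp_offset=20, penalty=20, timer=5),
    95: dict(access_min=-100, txpwr_max=39, offset=4, temp_offset=0, penalty=None, timer=0),
}
# RxLv for ACT, NC1 and NC2 as quoted in the post; channels 95 and 102 are
# invented, and channel 102 deliberately has no decoded parameters.
SCREEN = [("ACT", 81, -27), ("NC1", 87, -37), ("NC2", 95, -44), ("NC3", 102, -67)]


def c1(rxlev, rxlev_access_min, ms_txpwr_max_cch, ms_max_power):
    """Path loss criterion C1 = A - max(B, 0).

    A = received level - minimum level needed to access the cell
    B = power the cell asks for on access - power the handset can deliver
    """
    a = rxlev - rxlev_access_min
    b = ms_txpwr_max_cch - ms_max_power
    return a - max(b, 0)


def c2(c1_value, reselect_offset, temporary_offset, penalty_time, timer_s, serving):
    """Reselection criterion C2 (penalty_time and timer_s in seconds)."""
    if penalty_time is None:
        # Reserved penalty time: the offset counts against the cell.
        return c1_value - reselect_offset
    # H() is 0 for the serving cell; for a neighbour it is 1 until the
    # timer has run past the penalty time.
    h = 0 if serving or timer_s > penalty_time else 1
    return c1_value + reselect_offset - temporary_offset * h


def annotate(screen, params, ms_max_power=33):
    """Return one dict per row with C1, C2 and the threshold flags."""
    out = []
    for slot, chan, rxlev in screen:
        p = params.get(chan)
        if p is None:
            c1_v = c2_v = NOT_AVAILABLE  # assumption: shown as -99, as on the display
        else:
            c1_v = c1(rxlev, p["access_min"], p["txpwr_max"], ms_max_power)
            c2_v = c2(c1_v, p["offset"], p["temp_offset"], p["penalty"],
                      p["timer"], slot == "ACT")
        out.append({
            "slot": slot, "chan": chan, "rxlev": rxlev, "c1": c1_v, "c2": c2_v,
            "above_max": rxlev > MAX_RX_DBM,           # possible saturation
            "high_quality": rxlev > HIGH_QUALITY_DBM,  # GSM 03.22 wording
            "c1_c2_differ": c1_v != c2_v,
        })
    return out


if __name__ == "__main__":
    for row in annotate(SCREEN, PARAMS):
        print(row)
```
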

Monday, January 15, 2007

Forensic CaseNotes

John Douglas of QCC Information Security (http://www.qccis.com/content.php?section=forensics) has produced a new program for preparing contemporaneous notes during examination. Forensic CaseNotes is available free of charge. Nice one, John.

Introduction
The purpose of CaseNotes is to provide a single lightweight application program to run on the Microsoft Windows platform to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically.

The main features are:
- Flexible configuration of case meta-data (case details, like the reference number, etc.)

- Secure “write-once, read-many” style of case note data capture
- Full audit trail of case note data entry and meta data edits in a self contained log
- Tamper evident storage of data using internal MD5 hashes for all data entered
- No use of heavy database technologies – all you need is the program and your case file
- Use of AES 512bit encryption (optional) to further secure data in sensitive cases
- Storage of configuration information in a user editable text based .ini file
- Support for running multiple copies of CaseNotes at the same time
- Tested and works in languages other than English (Japanese, Russian, Greek, Italian, ...)
- Tested on Windows XP, Server 2003 and Windows Vista. (sorry if you use a Mac)
- It’s free! That means no dongles and no restrictions on how many copies you use!

CaseNotes Quick Start Guide
http://www.gastric.com/casenotes/CaseNotesQuickStartGuide.pdf

CaseNotes Setup Program
http://www.gastric.com/forensics/CaseNotesSetup.msi

*Microsoft .NET framework v 2.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en


*John Douglas informs http://trewmte.blogspot.com that Microsoft .NET framework v 2.0 is required to be installed.

Thursday, January 11, 2007

Blackberry to include Push To Talk (PTT)

I have learned that, having entered a licensing agreement with PTT technology provider Kodiak Networks, Research In Motion (RIM) are to launch a Blackberry version that has Push To Talk. A Java version of the Kodiak handset client is to be integrated into RIM's Blackberry handsets, so I learned. Kodiak also has supporting mobile application suite features, such as: availability status, call me alerts, call waiting, contact list privacy, voice messaging and convert-to-cellular capabilities.

With ever increasing features and functions, Blackberrys are definitely going to get more difficult to examine. Note I said "more difficult" and did not use the word "impossible". It takes a number of hours to deal with current versions of Blackberry. With increasing features, start to expect examination times to increase between 1-2 days per device.

Thursday, January 04, 2007

3G USIM-Detective Training Course 2007

This core course introduces mobile telephone examiners and computer investigators to foundation information about Universal Subscriber Identity Module (USIM) card computer architecture, operating functionality, file structures and elementary files. The course is intended to assist delegates to understand the complexity of 3G USIM cards and potential locations where user and network data can be recorded.

Ideally, delegates on this course should already have undertaken study into GSM SIM cards as the course requires delegates to also examine 3G USIM cards using Quantaq Solutions USIM-Detective software.

Courses: March, April and May 2007

http://rapidshare.com/files/10245341/USIM-Detective_datahseet_2007.pdf.html

Downloading from Rapidshare:
1. Click the above URL link or copy and paste it into the browser address bar
2. Go to the bottom of the Rapidshare html page displayed and click the box that says FREE
3. Enter the four-character alphanumeric code into the box that says "here"
4. Click Download (that also displays the mirror site from which the download is being obtained)
5. File download dialogue box appears; choose Open or Save

Cell Site Analysis EMTE Training Course 2007


Understand the core elements involved in the GSM mobile telephone network and how, when combined, they can be used to assist in determining the geographical location of a mobile telephone for criminal cases and investigation purposes.

Download a copy of the data sheet content for our Cell Site Analysis EMTE Training Course to be run in February and March 2007. Places are limited, as only 10 delegates can attend per course. This is a three day course.

http://rapidshare.com/files/10241385/Cell_Site_Analysis_EMTE_Training_Course_2007.pdf.html

Downloading from Rapidshare:
1. Click the above URL link or copy and paste it into the browser address bar
2. Go to the bottom of the Rapidshare html page displayed and click the box that says FREE
3. Enter the four-character alphanumeric code into the box that says "here"
4. Click Download (that also displays the mirror site from which the download is being obtained)
5. File download dialogue box appears; choose Open or Save

Filebucket Download/Rapidshare Download

I don't know what has happened to Filebucket recently or why their download site cannot be accessed. If Filebucket comes back online, great; otherwise I am now using Rapidshare.

I have updated the links for the XDA Image Tool (see thread)

I shall add links to the other threads for November and December 06 over the next week.

Well HAPPY NEW YEAR to you all