Monday, April 16, 2007

Privacy: Phones, Emails, Internet


The European Courts of Justice recently gave a further decision on the importance of Human Rights and the right to Privacy when it comes to communications: Copland -v- United Kingdom [COPLAND v. THE UNITED KINGDOM - 62617/00 [2007] ECHR 253 (3 April 2007)]. The impact of this decision will again focus minds on what is reasonable conduct and on the relevancy of performing the conduct in the first place. The events in Copland began in 1998 and relate to monitoring of the Complainant's communications, which was revealed in 2000. However, that monitoring took place before the Human Rights Act 1998 came into effect in October 2000 and before The Telecommunications (Lawful Business Practice) Regulations 2000 took effect due to the requirements of The Regulation of Investigatory Powers Act 2000. Two important elements of the last two pieces of legislation are: to prevent or reduce cases of spying on people's communications; and to provide a remedy by which to measure whether the conduct and actions are unlawful or not.

I have some understanding of these issues. Back in 2001 I was head of a Fraud and Security SIG in the UK for an association whose members spent approx £8B per annum on communications. You could say I used this time over a four-year period to increase my forensic skillsets for evidence arising in the workplace. One issue I dealt with in 2001 was Communications Surveillance in the Workplace in response to the requirements in The Telecommunications (Lawful Business Practice) Regulations.

I generated a discussion document and researched certain relevant issues at that time, and the document was circulated to members and other interested parties. It is based on aspects of UK and EU legal issues. I have looked back in the archive and have put a .pdf document into a WinRAR file, which can be downloaded:

This is a 2001 document, so be aware of its age when judging its usefulness in today's marketplace and forensic investigation.

A copy of the full Judgment can be found at:

Tuesday, April 03, 2007

File Signatures Mobile Phone & Computer Forensics


The ever-growing list of file signatures needed when drilling down into imaged data to determine the file types recorded in it can be a real pain if, like me, you keep ever-growing lists of file signatures copied and pasted into Notepad documents. The raw data I see from imaging mobile telephones, SIM/USIM, Smart/MMC cards and hard disc drives means that I need to retain a single database for all the file signatures captured. I have found a great little tool called Filesig Manager, created by Tim Coakley, which is a "file signature and keyword management tool, acting as an examiner's central repository of File Identification information." Importantly, not only does it work very well, but it's FREE.

Screen Image 1

Screen image 1 illustrates a range of captured file signatures stored in the database, including the file extension, description and category of each file, plus fields that contain data for segments and offsets used by other computer forensic products. The database comes with some pre-defined file signatures, which are the most common and most useful, and the user can enter their own file signatures as and when they are discovered.

Typically, file signatures contain the first eight bytes and last four bytes of a file. Below are some examples of common file signature types I have recovered from the saved and deleted data on mobile phones and MMC cards after imaging.
Header (first 8 bytes)       Trailer (last 4 bytes)   Extension
[FF D8 FF E0 00 10 4A 46]    [A4 83 FF D9]            [.JPG]
[30 26 B2 75 8E 66 CF 11]    [23 AE 00 00]            [.WMA]
[FF FA 61 C0 EA 3D 00 00]    [00 00 00 00]            [.MP3]
[00 00 00 14 66 74 79 70]    [31 31 31 30]            [.3GP]
[47 49 46 38 39 61 18 01]    [00 00 00 00]            [.GIF]
[52 49 46 46 AC D3 01 00]    [0D 0A 0D 0A]            [.WAV]

It is worth mentioning that some signatures use a Header that does not require all 8 bytes to be used. For example, .JPG file signatures are commonly referenced with a Header FF D8 FF E0 or FF D8 FF E1.
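
As an added illustration (not part of the original post and not code from Filesig Manager), the sketch below scans a raw image for some of the headers listed above and, for .JPG, carves up to the FF D9 trailer. The names Sig, SIGNATURES, scan and SAMPLE, the trimming of headers to their constant bytes, and the sample data are assumptions made for this example.

```python
from typing import NamedTuple

class Sig(NamedTuple):
    ext: str
    header: bytes         # bytes expected at `offset` from the start of the file
    offset: int = 0
    trailer: bytes = b""  # optional end-of-file marker to carve up to

# Headers from the list above, trimmed (this example's assumption) to the bytes
# that stay constant between files; "ftyp" sits at offset 4 in a .3GP because
# the first four bytes are a length field.
SIGNATURES = [
    Sig(".JPG", bytes.fromhex("FFD8FFE0"), trailer=bytes.fromhex("FFD9")),
    Sig(".JPG", bytes.fromhex("FFD8FFE1"), trailer=bytes.fromhex("FFD9")),
    Sig(".WMA", bytes.fromhex("3026B2758E66CF11")),
    Sig(".3GP", bytes.fromhex("66747970"), offset=4),
    Sig(".GIF", bytes.fromhex("474946383961")),
]

def scan(image: bytes):
    """Return sorted (start, ext, length) hits; length is None when there is
    no trailer to carve to or the trailer is not found after the header."""
    hits = []
    for sig in SIGNATURES:
        pos = image.find(sig.header)
        while pos != -1:
            start = pos - sig.offset
            if start >= 0:  # a header too close to offset 0 cannot be a file start
                length = None
                if sig.trailer:
                    # First trailer after the header; an embedded thumbnail can
                    # end earlier than the full picture, so treat as a minimum.
                    end = image.find(sig.trailer, pos + len(sig.header))
                    if end != -1:
                        length = end + len(sig.trailer) - start
                hits.append((start, sig.ext, length))
            pos = image.find(sig.header, pos + 1)
    return sorted(hits, key=lambda h: h[0])

# Constructed sample image: filler, a 30-byte fake JPG, a GIF header, a 3GP header.
JPG = bytes.fromhex("FFD8FFE000104A46") + b"\x11" * 20 + bytes.fromhex("FFD9")
SAMPLE = (b"\x00" * 16 + JPG + b"\x00" * 10
          + bytes.fromhex("4749463839611801") + b"\x00" * 6
          + bytes.fromhex("0000001466747970") + b"3gp4")

if __name__ == "__main__":
    for start, ext, length in scan(SAMPLE):
        print(f"offset {start}: {ext} header, carved length {length}")
```

A header hit only marks a candidate file start; the carved bytes still need to be opened or parsed to confirm the type.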

Screen Image 2
Screen image 2 illustrates the file extensions and their descriptions as a look-up table.