Friday, December 12, 2008

Is my cell phone bugged? Six steps to resolving the problem.

.
There has been a significant increase in visitors to Mobile Telephone Evidence seeking help on how to detect and confirm whether their cell phones are bugged. My observations (note the word 'observations' and NOT 'advice') would be not to fool around in this area trying to outwit those who you think are outwitting you.
.
Remember, any action you take is your choice and responsibility; the steps below are only observations.
.
1) Back up the data that are on the handset and SIM card - keep the data safe as you may want it for your new mobile phone.
.
1) Clear the 'handset' of any personal data by using factory restore. Remember, that is handset data and not SIM data.
.
2) Go to a reputable recycling company and give the handset to them. Remember not to leave your SIM card in the handset.
.
3) Get yourself a bog-standard £10.00/$10.00 (something cheap) mobile phone with a manufacturer's proprietary operating system. This phone should be used for business so that you know your competitors are not obtaining the content of your business communications. Do not lend your new phone to anyone and do not leave it unattended for long periods of time.
.
4) If you really cannot do without a Symbian or Windows Mobile phone then make sure the content of your communications does not contain company secrets etc. Do not lend your new phone to anyone and do not leave it unattended for long periods of time.
.
5) Finally, if you are still not happy, you don't like 1) and 2), above, and you still think your phone is bugged, then remove the outer casing of the handset and cut up all the chips on the handset's printed circuit board and then burn everything on the fire. Remember not to leave your SIM card in the handset when cutting up or burning it.
.
6) Repeat step 3) above.

Research into hands-free mobile calls whilst driving

.
I read the research of Dr Melina Kunar from the University of Warwickshire and Todd Horowitz of the Harvard Medical School into "Hands free mobile phone conversations add 5 metres to drivers' braking distances":
.
As the lead researcher in the project, Melina's research unearthed new findings relating to hands-free mobile calls and driving:
.
Photo: Melina Kunar's research into hands-free mobile calls and driving
.
"The researchers found that on average the reaction times of those engaging in the hands free telephone conversation were 212 milliseconds slower than those who undertook the task without the simultaneous telephone conversation. A car travelling at 60 miles an hour would travel 5.7 metres (18.7 feet) in that time so the distracting conversation would obviously increase any braking distance at that speed by the same amount. The test participants who were distracted by a phone conversation also made 83% more errors in the task than those not in phone conversations.
.
"The researchers also looked at the effect the hands free telephone conversations had on visual attention if the phone conversation was skewed to a more passively orientated task. To do so they asked the test participants to listen over the speaker phones to a series of words and to repeat each word in turn. The research team also looked at the effect of a much more complicated conversational task in which the test participants had to listen to a series of words and after each word then think of and say a new word which began with the last letter of the word they had just heard.
.
"Our research shows that simply using phones hands free is not enough to eliminate significant impacts on a driver’s visual attention. Generating responses for a conversation competes for the brain’s resources with other activities which simply cannot run in parallel. This leads to a cognitive "bottleneck" developing in the brain, particularly with the more complicated task of word generation."
.
It is the finding of "bottleneck" (causation) that struck me as significant, for would that still be the case of causation where a car passenger engages in conversation with the driver of a car? An article in the Economist titled 'Driving and mobile phones. Just shut up, will you', dated Dec 4th 2008, appears to answer this question:
At the University of Utah research into "chatting to passengers have the same detrimental effect on driving? An earlier study found that it does not. That research, led by Frank Drews of the University of Utah, analysed the performance of young drivers using a vehicle simulator. Dr Drews found that when using a hands-free phone, a volunteer “drove” significantly worse than he did when just talking to someone playing the role of a passenger. Passengers, the researchers believed, might even help road safety by commenting on surrounding traffic."

Friday, December 05, 2008

Sound Waves Could Power Cell Phone?

.
That cell phones are only useful so long as they have charge left in the battery may not be an obvious comment to make when looking at how cell phones may be powered in the future. Pioneering work by Professor Tahir Cagin at the Artie McFerrin Department of Chemical Engineering at Texas A&M University, in the area of 'sound waves' to help cell phones generate their own power, could revolutionise, and have a profound impact on, 'power harvesting' in the future, and not just for cell phones but also for other lower powered devices, such as radios, laptops, pagers, PMR etc.
.
The way it works is that sound waves produced by the user of a cell phone can generate the energy the cell phone needs to operate. The science behind this comes from materials known as "piezoelectrics". Professor Cagin's research focused on nanotechnology and made a significant discovery in the area of 'power harvesting': he "found that a certain type of piezoelectric material can convert energy at a 100 percent increase when manufactured at a very small size – in this case, around 21 nanometers in thickness." To comprehend the minute level at which this work is carried out, nanometers are a microscopic unit of measurement representing one-billionth of a meter. Atoms and molecules are measured in nanometers, and a human hair is about 100,000 nanometers wide.

Image caption: Polarizable Charge Equilibration Interaction Potentials are essential in describing piezo- and ferro-electricity in ABO3 ceramics for sensors, actuators and energy harvesting applications.
.
Chambers Science and Technology Dictionary identifies that the term 'piezo' is derived from the Greek word 'piezein', a verb meaning 'to press'. In 1880, French scientists P. & J. Curie discovered "Those crystals having one or more axes whose ends are unlike, that is to say hemihedral crystals with oblique faces, have the special physical property of giving rise to two electrical poles of opposite signs at the extremities of these axes when they are subjected to a change in temperature: this is the phenomenon known under the name of pyroelectricity." They went on to state, "We have found a new method for the development of polar electricity in these same crystals, consisting in subjecting them to variations in pressure along their hemihedral axes." [Curie, P. and J. Curie, Development by pressure of polar electricity in hemihedral crystals with inclined faces. Bull. soc. min. de France, 1880. 3: p. 90-93.].
.
The research I conducted into 'piezoelectrics' suggests that it is not a new science, per se. Thus, has this science been used for any other technologies that took advantage of the ability of certain crystalline or ceramic materials to develop an electric charge proportionally generated from some form of stress presented to them? Examples that I was able to find on the Internet: the spark that ignites the fuel in a lighter occurs due to pressure of the lighter button impacting on a piezoelectric crystal; night clubs that use piezoelectrics built into the floors that absorb the energy of dancers' foot movements to provide energy to power the lights; the same principle applied to using gymnasium equipment to provide energy is yet another example. Indeed, walking can help produce the same energy to generate back-up power supplies. Professor Cagin's further discovery, from researching the basic laws of physics that relate to human speech (pressure), of how to 'power harvest' from speech waves to generate energy can only add to the incredible scientific phenomenon that piezoelectrics has become.
.
Extrapolating what might be possible should such a science be implemented into mobile telephones, certainly users would like it as they may never again need to obtain another battery when the life-span of a battery has been reached, no recharging at the electric socket, or have a flat battery preventing mobile calls until the battery is recharged back at home or the office. I should imagine mobile network operators would love this technology, too, as it implies more people will have an excuse to spend even more time yakking on the mobile, thus call traffic revenues could increase. From a climate greenhouse emissions standpoint it should be an exciting draw, particularly for Government, because piezoelectrics allows for renewable energies with minimal carbon-footprint, apparently.
.
Some downsides: how will battery manufacturers see their future? Train and bus passenger complaints will probably increase about other passengers using their mobile phones in carriages etc, not convinced by the mobile phone user-offenders claiming they are only recharging their phones. For mobile phone examiners, though, this could be problematical for mobile phone exhibits with no charge in them to operate and conduct data acquisition. How to energise the phone will be one question needing to be answered. Evidentially, having to admit the mobile phone examiner had been chatting on the phone to power it raises all sorts of issues, and what about when the examiner has 20 phones to be turned around quickly?
.
Source of scientific development and photo: Texas A&M University

Tuesday, December 02, 2008

Nokia 6233 Clock

I have mentioned Vinny Parmar's name on this weblog previously. Vinny has just sent me an email setting out a quirk that he has noted with the Nokia 6233 Clock.
.
Vinny Parmar, Lead Forensic Examiner:
"Basically I was working on a Nokia 6233. I used XRY and Oxygen Phone Manager (OPM) to read the data. No issues with the content as far as the text was concerned. XRY, as always, advanced the time of each SMS by 1 hour and Oxygen did not; however, Oxygen did not pull off the SMSC associated with each SMS.
.
"Now you're asking, so what was the issue? Well, let me tell you. After the read I proceeded with a manual verification of the date\times for each SMS. What I noticed was that although Oxygen pulled off the dates\times there was a slight issue in what was displayed, for example: An SMS received - OPM listed the date\time as 15/05/08 15:51:49, the handset displayed this as 15/05/08 03:51:49.
.
"As far as the verification goes, one would assume that the correct time was as reported by the handset which was 03:51:49 which would suggest AM due to the format. However what I noticed was that when I checked the date\time format setting on the handset this turned out to be set to the 12 hour clock, but the handset did not display what I was expecting, which was the AM or PM prefix?
.
"So after a little adjustment with the handset, changed the format to 24hr clock all the SMS date\time were now displayed exactly as displayed by OPM. My suspicions were also confirmed by the content of messages and the suspects involved, they are school kids, so I couldn't really see SMS transmissions being sent/received at 3am. So, in essence, the above would suggest that as examiners we may need to consider adjusting the date\time format setting on a handset to confirm the correct format. Most of the handsets which are set to the 12-hour clock tend to display the appropriate prefix of AM or PM but for some unknown reason this was not the case with the Nokia 6233. This certainly requires further research."
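
The manual verification described in the email can be written down as a check. The following is an added example, not code from the post or from XRY or Oxygen: it classifies the difference between a tool-extracted date\time and what the handset displays, and goes slightly beyond the email by also combining the one-hour tool offset with the 12-hour display. All function names are hypothetical, and every sample row other than the OPM/handset pair quoted above is constructed.

```python
from datetime import datetime, timedelta

FMT = "%d/%m/%y %H:%M:%S"  # layout of the values quoted in the post


def as_12h_without_marker(dt):
    """Render dt the way a 12-hour clock with no AM/PM marker would show it."""
    hour = dt.hour % 12 or 12  # 00:xx and 12:xx are both displayed as 12:xx
    return f"{dt:%d/%m/%y} {hour:02d}:{dt:%M:%S}"


def reconcile(tool_value, handset_value, max_offset_hours=1):
    """Return every (display_mode, offset_hours) that explains the handset value.

    offset_hours is how far the tool value runs ahead of the handset; the
    +/-1 hour default is an assumption taken from the XRY behaviour described.
    """
    tool_dt = datetime.strptime(tool_value, FMT)
    findings = []
    for offset in sorted(range(-max_offset_hours, max_offset_hours + 1), key=abs):
        candidate = tool_dt - timedelta(hours=offset)
        if candidate.strftime(FMT) == handset_value:
            findings.append(("24h", offset))
        elif as_12h_without_marker(candidate) == handset_value:
            findings.append(("12h-no-marker", offset))
    return findings


def describe(findings):
    """Turn the smallest-offset explanation into a note for the examiner."""
    if not findings:
        return "unexplained difference: review manually"
    mode, offset = findings[0]
    notes = []
    if offset:
        notes.append(f"tool value is {offset:+d}h against the handset")
    if mode == "12h-no-marker":
        notes.append("handset reading fits a 12-hour clock shown without AM/PM")
    return "; ".join(notes) or "match"


# (tool, tool value, handset display). Only the first row comes from the post;
# the remaining rows are constructed for illustration.
RECORDS = [
    ("OPM", "15/05/08 15:51:49", "15/05/08 03:51:49"),
    ("XRY", "15/05/08 16:51:49", "15/05/08 15:51:49"),
    ("XRY", "15/05/08 16:51:49", "15/05/08 03:51:49"),
    ("OPM", "16/05/08 00:10:00", "16/05/08 12:10:00"),
    ("OPM", "15/05/08 09:15:00", "15/05/08 09:15:00"),
    ("OPM", "15/05/08 15:51:49", "15/05/08 09:00:00"),
]


def review(records):
    """Classify each record so the examiner can see which ones need follow-up."""
    return [(tool, describe(reconcile(t, h))) for tool, t, h in records]


if __name__ == "__main__":
    for (tool, tool_value, handset_value), (_, verdict) in zip(RECORDS, review(RECORDS)):
        print(f"{tool} {tool_value} | handset {handset_value} | {verdict}")
```

A "fits a 12-hour clock" verdict is only a hypothesis; as the email suggests, it is confirmed by checking the handset's date\time format setting.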

Another ultra-thin membrane device

John Lorne, Technical Officer for South Manchester GMP, having read the discussion in the thread "Ultra-thin membrane changes (U)SIM card usage", wants to raise awareness of another similar device with which he has had firsthand experience during his examinations. He emailed some comments to the weblog, along with the images below, which he thought would be of interest to readers.
.
John Lorne, Technical Officer:
"I have used one of these; it's named MT-SIM. They are for using one's phone on any network. It works by punching a small hole into your SIM and laying the contacts of the MT SIM onto the contacts of your SIM.
"The small hole is required as the chip on the MT SIM faces the opposite way (upwards and away from the SIM compartment) and is the same thickness. The MT SIM is not a solution for multi unlocking as it has to sit with its surrogate all the time (the MT SIM works by making the handset omit from asking the question on start up "what network are we on?"); as soon as the MT SIM is separate then the handset will revert to its network provider.
"I have tried this on a test phone for examination purposes and found it works and allows one to get into the handset. I lost my call history with this operation but I would've lost this in any case when I use my test SIMs (I use Motorola test SIM to bypass network issues, but in every case I lose call history, Focus 112 can recover this for me). In the end a colleague of mine asked could I unlock his daughter's phone to any network; it was a BB5 phone and at the time couldn't be unlocked in the more traditional way, i.e. UFS/JAF box. I slid this in and it worked exactly as it said it would, so in some cases it's actually quite advanced."

Friday, November 28, 2008

Radio Tactics New Offices

.
I received an invitation recently from Radio Tactics inviting me to attend on the 21st November 2008 in Southampton for the opening of their new offices. The Rt Hon. John Denham MP, Secretary of State for Innovation, Universities and Skills, was invited to formally open the offices at Millbrook Technology Campus and there was an impressive list of speakers to talk about how technology and crime detection can work hand-in-hand; it is always useful to hear the experiences of the guest speakers.
.
What struck my eye as well, and which I thought was a nice touch, as many of my family on my Mother's and Father's side were in the Military and RAF, was the promotion of Help for Heroes, http://www.helpforheroes.org.uk/ given by Col DCN Giles and Brigadier (Ret'd) Ian Fulton, both of RMP. What a wonderful cause this really is and how amazingly and tirelessly they work to help rehabilitate the severely injured brave men and women of our armed forces, who do so much to protect our country. Do visit the Help For Heroes website and read what they are doing, who knows, you may get involved as so many others have done and new supporters are doing so.

It was good to meet up again and see familiar faces from some of the Police mobile phone specialist units and to learn more about Radio Tactics' vision of the future. DCI Susan Southern of West Midlands Police gave a very good presentation on how they are effectively using RTL's IMEI detectors to seek out stolen handsets.

Andy Gill greeting John Denham (above) and (below) John Denham opens the offices whilst RTL's Neil Maitland ably assists


In chatting with John he spoke about how small businesses are the backbone of the UK and how they can apply for grants that are within the gift of this Government, and I learned more about the focus of his Ministry, Innovation, Universities and Skills. I remember John as Chairman of the House of Commons Committee dealing with the Terrorism of Detention Powers, and talking with him again I remembered what a thoroughly personable man he is, particularly when he remembers the names of those he has spoken to in the past, which is a good quality when you think he must meet so many people in his work. I was lucky enough to snatch a photo opportunity with John and Dr James Hart, Ex. Commissioner of City of London Police.

(L to R) Dr James Hart, Chairman of RTL, Rt Hon John Denham MP and Greg Smith.


Mobile Phones and Fringe Coverage

.
I have this habit with mobile phones and cell coverage that when I see something that interests me, even if I am on holiday, I have to see what I can find out about it there and then. Whilst on holiday in Cornwall I noticed the area I was staying in had fringe coverage. I thought this was strange as I would have expected the Cornish village of Mousehole to have at least a microcell, given the popularity of this tourist attraction for seeing the Mousehole Lights at Christmas. I decided to conduct an experiment to see how various mobile phones would react under fringe coverage radio conditions. I used no special equipment, nor did I switch ON any network engineering software. The mobile phones were as any ordinary user would have them, as were the radio conditions with which they would be faced. Yes, I know, I know, I can be a bit of an anorak at times.


1. The place I was staying was Duck Street, Mousehole, Cornwall. It is accessed at one end by a no through road for cars to use a car park, and Duck Street then narrows to an alley for pedestrians with no access for cars.
2. The place in Duck Street where I conducted tests is in a car park that has been marked with a black cross (X) in the photo above. The close proximity of clutter (housing and a warehouse) falls within the clutter range of 10m to 30m in line with propagation models for dense to urban areas (ITU-R P.1546-2).

3. The above image displays how far Mousehole extends and the terrain clutter, along with natural phenomenon.

4. This last image provides an approximate indication of how far the main town of Penzance is from Mousehole and the general area where the Masts were located.
.
Okay, so I have now laid out the background to the tests. For the tests I used three mobile phones, all with built-in antennas, which were a Motorola Pebble U6 (which I nicked off my wife, much to her annoyance), Alcatel BH4 735 and a Nokia 3210. I ran tests at different times of the day (morning, afternoon and evening) and with three battery charge levels (charge in battery nearly empty, charge in battery half full and fully charged battery). The GSM networks were Orange, T-Mobile, O2 and Vodafone. The test area as has been shown is at para 2, above.
.

An interesting factor I noted was that all network coverage there was fringe all day, so that was the first matter. The second, and of far more interest, was how the mobile phones reacted to the radio conditions profiling the phones when switched ON.
.
Motorola Pebble U6:
Displayed 'No Service Available'. No calls or texts could be sent or received.
.
Nokia 3210:
Displayed 'Emergency Calls Only'. No calls or texts could be sent or received.
.
Alcatel BH4 735:
Displayed 'One bar of coverage and, intermittently, no coverage'. Calls attempted, made and received, either rang and when answered had no voice communication, and/or dropped. However, surprise, surprise, I could send and receive text messages.
.
Now, bearing in mind that all the tests were being conducted in the same area, the varying results obtained indicated a lot about the various sensitivity of the antennas for these mobile phones. Technically, the BER of 2% for the measurement where the received signal strength is at a standard -100dBm and that a c-value would not be obtained, theoretically, below the reference BTS1 (-105dBm). I hear, though, that because of the loose wording in the standard -112dBm has been noted in some cases. Surprising, yes, but not in the realms of fantasy as GSM defines a mask lower level received signal strength, during testing, of -120dBm.
.

These very basic practical tests I conducted open the door, though, to considering what could be extrapolated from the results when dealing with mobile telephone call records and Mast usage. For instance, if I were to conduct radio testing at this location where a person said they were for a particular call or text and I used a Motorola test handset, I may not get a positive result and may report back that not even a text could be sent from that location. Where then might the mobile phone be suggested to be located? What if a mobile phone is put nearer to the scene of a crime than it really was? What might be an inference drawn from that?
.
What may seem an ugly, awkward problem being raised here, is indeed not as bad as it seems. It really requires taking pragmatic steps before going to site to find out what mobile phone the person was using at the material time and then formulate from there how the tests should be conducted. There are other considerations, of course, to be taken into account, as well.
.
Acknowledgement: the screen images were obtained using Google Maps:
http://maps.google.co.uk/maps?hl=en&tab=wl

CSA: From Ockham's (Occam's) Razor to Checking Masts

Creating a 'de facto' standard is always going to be a hard job and none more so than when dealing with 'Cell Site Analysis', abbreviated to the acronym 'CSA'. The objective of the analysis is, as best possible, to determine a likely or approximate location of a particular mobile station (MS) at the material date and time of a call. There are a large and varied number of issues to be considered when entering into cell site analysis. Cell site analysis, or CSA, is not a precise science and this has largely led many people to misconstrue how cell site analysis can be conducted, and, for those who are required to make an interpretation about the interpretation being given by an expert giving evidence, leads to mistrust about cell site analysis. So it all becomes rather a vicious circle of events, with few conceding their comprehension about the fragility and instability of the stance they have adopted.

CSA is a highly intelligent science, and also an evolving forensic science at that. CSA has many elements in its foundation that are based on scientifically proven facts. For instance, the scientifically proven fact that 0-dBm (deciBel milliwatt) always equals 1-mW (milliWatt) of power (energy) is but one good example. Furthermore, such a scientific fact allows experts to make the declaration that each result in the measurements obtained is 'absolute' and can be demonstrated as 'relative' when compared alongside other 'absolute' results.

Given that CSA extends beyond obtaining measurements and extends also into the arena of the radio spectrum, radio protocols, beamforming etc and the infrastructure required to propagate and provide a service, this, too, is an area where many scientifically proven facts and mandatory requirements exist. This again leads to forming conclusions without the need of the expert to make assumptions.

The area where CSA needs assistance is to rely upon human intervention and that requires having deep knowledge of the subject matter and solid skillsets. Again, this does not require the person to make assumptions, but to demonstrate the possibilities and potential conclusions that may help inform a Court in order that the Court can arrive at its own conclusions.

There are indeed some useful scientific philosophy dictums that can aid and support a CSA practitioner and that can be adopted when striving for the aim of being 'objective', in addition to ‘independent’ and ‘impartial’, and one of the most important of these is Ockham's (Occam's) Razor, attributed to the distinguished 14th century medieval logician and philosopher William of Ockham (c1285-1349). 'Leff, Gordon', in his 1958 work 'Medieval Thoughts: St Augustine to Ockham', enunciated the so-called Ockham's Razor as 'entities ought not to be multiplied except of necessity'. However, the use of the term 'Razor' in reference to a rather superficially simple phenomenon having a complex mechanism behind it did not appear until after Ockham's death and, although he didn't invent it, it is the frequency, apparently, with which he used the phenomenon 'should make as few assumptions as possible' in his writings that associates Ockham with this dictum. This can be clearly seen from the dictum commonly associated with the Ockham (Occam's) Razor, 'Numquam ponenda est pluralitas sine necessitate', which, translated, means 'Plurality ought never be posited without necessity'. How incredible that, within six words, he encapsulates in that sentence that a simple explanation would be simplistic if it failed to capture all the essential and relevant parts. It is essential to understand that language and meaning were still developing in the 14th Century and care in translation in relation to subject matter statements makes Ockham's statement even more incredible, for his comments crossed boundaries unlimited to specific subject matter. Ockham probably drew inspiration from earlier philosophers such as Aristotle (384–322 BC), Alhazen (965-1039), Maimonides (1138-1204), Thomas Aquinas (c. 1225–1274) and John Duns Scotus (1265–1308), the latter under whom, it has been suggested, Ockham studied at Oxford.

Essential to Ockham's philosophy, who later, it is suggested, influenced philosophers such as Francis Bacon, is an interpretation given to his work that, when arriving at a conclusion, it is on the basis that 'facts' have already been considered before a conclusion is drawn. It is that philosophy that relates to CSA practitioners, for invariably it is not the conclusion the expert arrives at but what is required to be known is how s/he got to a particular conclusion in the first place that will be tested. By way of illustration, my report in a recent case asked the question that prior to testing what enquiries were made to the mobile network operator as to what alterations had occurred at the Masts prior to conducting radio test measurements, and can the defence please have copies of the operator's written responses?

The question went to the heart of the matter regarding accuracy of test results that underpin the opinion. Significantly, it is the prosecution that deserves praise for their benchmark standard they set in the Soham Murder case of Jessica and Holly and the subsequent conviction of Mr Huntley. I was not in that case, but as I understand it for the prosecution to show how Mr Huntley had used his mobile phone required the resurrection (I believe) of a decommissioned Mast and all the other Masts with a coverage footprint illuminating towards Mr Huntley's property to have been aligned so as to be the same as it was at the material time of mobile calls. This was required, as I understand it, in order to show the mobile telephone evidence had 'weight' and 'substance' and to avoid it being kicked out of evidence were it the case that Masts were generating coverage that would be incompatible with cell coverage at the material time. I have to say I am pro-prosecution on that landmark work and it is important to give praise where it is due. It does also mean, though, that the prosecution has established a precedent for standard of workmanship for a murder case, albeit in a high profile case, and set a marker that they will work to, and would not retract from, that standard for murder cases, at least. So it is clear why I would naturally request in a murder case what checks had been made to the mobile network operator regarding changes they had made to their Masts before the prosecution expert went on to conduct tests?

No names, no pack drill, just suffice to say the defence were told operators had 'no obligation' to keep records and, if they did keep records, were found on occasions to be inaccurate so they didn't ask, was the general thrust of the response. Really! What, no requirements under the Public Mobile Operators Licence (PMOL) to retain records about a Mast up to six months after it had been decommissioned? So how on earth could OFCOM ever check matters of interference to emergency frequencies bands from an unstable Mast if operators simply ditched their records or kept unreliable records? More importantly, what does this say about historical matters?

So does the approach in that recent murder case affect the previous prosecution benchmark approach? In my opinion, No it doesn't, and I have considerably more faith in the prosecution than that. The mobile network operator's witness provided to the court evidence of logs they regularly and continuously retain about changes to their base stations. Interestingly, on and prior to the dates of radio tests being conducted in that murder case the operator had in fact been making changes at some of the Masts targeted for their cell footprint.

Now, if I am picking that up in just one case, what is happening in other cases that have or are being rammed through the Court system to hit targets and what checks have or are being made regarding accuracy?

Of equal importance, the positive aspects coming out of cases like this means we can start to build a ‘de facto’ standard as we know the things that are required to be done.

Wednesday, November 26, 2008

Mobile Phone that fires bullets

Those who read today's Daily Mail, 26th November 2008, or went online to Mail Online will probably have noticed the article titled "Dial M for murder: The Mafia gun disguised as a mobile phone" by Nick Pisa. The weblink to the article is below:

http://www.dailymail.co.uk/news/article-1089355/Dial-M-murder-The-Mafia-gun-disguised-mobile-phone.html

This mobile phone gun has been news for quite some time, although there have been few incidents where there have been published newspaper reports, and therefore the Daily Mail and Mail Online article makes useful historical reference material.

Indeed, there has been a video in circulation on the Internet about a mobile phone gun for quite some time and a copy of the video is below.



It is for that reason that this mobile phone weapon is discussed in the section on safety first when handling mobile phone weapons in the TrewMTE Mobile Telephone Seizure Procedure guidelines and observations for examiners who may come across such a weapon. The guidelines will soon be finished but there have been some new developments in mobile phone seizure and handling procedures that need to be addressed before publication.

Acknowledgements:
Video first linked to here: http://images.google.co.uk/images?hl=en&q=cellphonegun&gbv=2
Image first linked to here: http://images.google.co.uk/images?hl=en&q=cellphonegun&gbv=2

Tuesday, November 18, 2008

Ultra-thin membrane changes (U)SIM card usage

Ultra-thin membrane changes SIM card usage

Examiners may come across an ultra-thin (0.3mm) membrane that lies over the contacts of a SIM card. Called the V200 SIM Dialer, the membrane is "Prefix base programmable (For routing prefix and bypass prefix setting)". What does that mean? Well, it allows mobile phones installed with a SIM Tool Kit menu (most up-to-date phones have one) to define access to the network. The point being, if you are looking for least-cost routing for calls or want to use a calling card, rather than have mobile network call charges, then this device makes that happen, apparently.

How does it do it? "Dial the desired number directly each time you call, SIM dialer V200 will automatically dial IP access in front of the dialed number".
As the manufacturer promotes, using their device will not change your dialling habits and there is "No cutting, No pounching your SIM".

As the device has been programmed, and looking at the on-board chip, there should be a reader for it or one could be constructed. This throws me back to the old days of ponyprog and PIC basics. Of course, of equal importance is how does this device impact when examining the handset and SIM card? Will manual examination be the only course for examination or do the current handset and SIM readers detect changes this device makes to them? What evidence is there for call history or data usage? These are just a few of the questions to get examiners started.


It seems this programmable ultra-thin membrane is not limited to just SIM calls, but there is a USIM version (U-SIM V33G) that can be used to unlock iPhones. There is a video that is useful to watch so that examiners can at least comprehend how ultra-thin the membrane is and how it is installed:-
http://tw.youtube.com/watch?v=JQSNJxis7Ds



Please note, this is not a promotion or advert for these products, the information provided is to assist examiners with observations about these devices that may form part of their evidence.

Monday, November 03, 2008

Counterfeit Mobile Phones


Many thanks to my good friend Vinny Parmar for this contribution he has made exclusively to http://trewmte.blogspot.com.


Vinny has prepared a report for the weblog about "Dummy" mobile phones that are counterfeit Nokia N95, which are currently in circulation. His expert report is well illustrated and Vinny imparts good advice in keeping with his long-term expertise and experience when dealing with mobile telephone examinations.

Vinny's report can be downloaded from the following link:

http://www.filebucket.net/files/7173_hzc7c/Counterfeit%20N95%20Report.pdf

Sunday, November 02, 2008

.DT1 Files

Why is this electronic file extension (.DT1), and significantly the data it contains, important to the law of evidence and its relevance to generated original material obtained in criminal cases, but equally for civil cases, too? I will tell you more about that soon: its introduction into evidence and the technical and evidential arguments raised to get it into evidence.

For now, what you can know is it is important to cell site analysis and here is a clue about the device that generated it.


Saturday, November 01, 2008

Cloning Test SIM Cards

.
Cloning test SIM cards can present problems if their use is not carefully monitored and can lead to loss of data from a device under test (DUT). There appear to be many different instances under which the loss of data can occur when using a cloning test SIM card. Some examples are:
.
- The inadequate level of notice and advice within the applications that create the clone test SIM card to precisely define that a particular Make/Model of handset has been tested using the cloning application before using with a particular Make/Model or where the guide generally infers the application is usable with a particular Make.

.
- Whether the cloned test SIM card has been correctly recorded or not, before inserting it into the device under examination (DUT).

.
- The 'trial and error' approach being applied to evidential mobile phones leading to loss of data, where the written advice in the guide, when given, doesn't deal with the examination problem at hand.

.
Taking one example of a mobile phone examination problem relating to the Samsung D880.
.

.
This mobile phone is capable of having two SIM cards inserted, at the same time, in order to allow for two different subscriber accounts to be used separately by a user. To understand the difference compare the position when dealing with the traditional way of having to manually swop a SIM card with another in a device that is a single-inserted SIM card operating mobile phone.
.

Once the user has selected to use one of the two SIM Cards inserted, the option to switch to a particular SIM in normal user mode is via the 'SIM selection key' with visual Icons displayed on the device's screen confirming which SIM and subscription account is in use.

Problematical for the examiner using cloned test SIM cards is what is the safest method for examining a dual SIM card mobile phone. Looking at some options, what problems can arise for the examiner:


1) Take out one of the user SIM cards and produce a cloned test SIM card, whilst leaving the other user SIM card in place? Then insert the new clone test SIM card and then examine the phone? It is unlikely this could work well because an original user SIM card is still in place, thus the mobile phone could still register to the network etc. That is so, because the examiner doesn't know which SIM and subscription account was last used by the mobile phone. The notion of switching the mobile phone 'ON' prior to using a cloned Test SIM card to find out begs the question why is the examiner using cloned test SIM cards in the first place?


2) Take out both user SIM cards and produce two cloned test SIM cards, but insert only one test card and examine on that basis? This might work, provided of course the examiner has selected for access the right SIM slot and subscription account, which is a bit 'trial and error', 'hit and miss'? Moreover, assuming the above method had worked and the examiner safely selected the correct SIM slot/account - for example by taking the pragmatic step of recording which user SIM came out of which slot and replacing the correct cloned test SIM card into the slot - what happens when the second cloned test SIM card needs to be inserted? Using the SIM selection key to switch to another SIM card may not assist because there isn't a cloned test SIM card in the second slot for the device to read any details. Moreover, bearing in mind the device memory has noted only one SIM inserted the first time around what impact might now happen if a second cloned test SIM card is inserted? Will it allow access to the subscriber account user data on the device? Furthermore, what happens when switching over to the other cloned test SIM card?



3) Inevitably, the line of reasoning in this discussion is intended to bring the reader's attention to the option of putting both cloned test SIM cards into the appropriate SIM slots and examining further from that standpoint. But what happens then if the device does not give up its riches and enable the examiner to gain access to the user data? Turning to the cloned test SIM cards guides, what if they provide no assistance at all? What if the cloning application does not record properly to the cloned test SIM card or the data that it does record are insufficient for a particular make and model of mobile phone to function in the way it is expected?
.
In each of the above cases where loss of data might occur, that is to say, e.g., where no call history or text messages are accessible, it may not be because the user has deleted them or the user has gone to settings to set a calendar event to delete texts or clear call history on a date and time, but may be because the cloned test SIM card has removed access to them, and the examiner may not be aware of that until either using a device reading program or conducting manual examination.

.
The presumption suggested, that the examination and the tools used to recover data from a device were functioning properly and without flaw at the time of the examination, arising from the mobile phone data being served in evidence and inferring that it is safe to rely on, may not meet the maxim omnia praesumuntur rite esse acta, as expressed by Lord Griffiths in the case of R v. Shepherd [1993] AC 380. That can be so because it has never simply been solely about whether the original device (exhibit) was working properly at the material time, but, of equal significance, whether the obtaining of, and the processes used to obtain, the data mean that the evidence is safe to rely on. The latter requirement did not disappear in the wake of the repeal of section 69 Police and Criminal Evidence Act 1984. Nor did it disappear by the introduction of the Criminal Procedure and Investigations Act 1996, The Police Act 1997, The Regulation of Investigatory Powers Act 2000 and so on.

.
The purpose of raising this discussion (for examiners and students) about mobile phone forensic examination and tools is that discussions on these types of topics are not simply about providing answers and solutions to problems, but identifying potential questions that need to be addressed before using cloned test SIM cards.

.
Lastly, I have not described every event dealing with the examination of a dual SIM card mobile phone or how Samsung D880 manages the operation and functionality of both SIM cards. By not referring to these matters it has helped simplify and refine the discussion to keep the important points to the fore.

Thursday, October 30, 2008

Nice to recommend Lee Bowdler Richard Body & Co

A little while back I wrote about a Barrister and Barristers' Chambers to highlight that it is still an important commodity to recognize and thank people for the work they have done (http://trewmte.blogspot.com/2008/04/barristers-surrey-chambers.html). It is a commodity that, at times, seems to be in very short supply in this day and age, but a commodity I am not intending to give up.

One of the pleasures with having a blogspot is to be able to write nice things about nice people. I have just finished a case down in Hastings Sussex and I had the absolute privilege of working with a really excellent professional Mr Lee Bowdler of Richard Body and Co Solicitors. Throughout my expert engagement with this firm I could not have been treated better and the support I received from Lee was first class.

When I needed evidence relating to cell site analysis, as long as I could demonstrate to him why I needed it and its relevance to his client's case, Lee went and got it. Even when this meant taking people to task who were wasting his time, Lee always supported his expert. By way of illustration, specific details we asked for about particular radio coverage and the technical arrangements at particular Masts, which I know some on the defence and prosecution have said weren't obtainable, were in fact available and obtainable - you just have to ask the right questions, pay for it and have the legal privilege to obtain it.

To me this was a first class performance from Lee Bowdler and the solicitors practice of Richard Body and Co. As this solicitors practice works in criminal law and employment law in the Sussex, Surrey and London area, should anyone need legal assistance I would certainly recommend contacting Lee at this firm.

Lee Bowdler
Richard Body & Co
66 Bohemia Road
St Leonards
East Sussex TN37 6RQ
Tel: 01424 201301
Email: crimedept@richardbodyandco.com

Tuesday, September 16, 2008

Panorama and Cell Site Analysis


The Omagh bombing 1998 and Panorama's investigation into the evidence and on cell site analysis and interception.

Reporter: John Ware.


Panorama: Omagh: What the Police Were Never Told

Tuesday, August 12, 2008

Dual International Mobile station Equipment Identity (IMEI)

When we think of mobile telephones we mostly think in terms of them having a single International Mobile station Equipment Identity number. For two decades, whether for an analogue or digital mobile 'phone, we have often drawn the analogy, to assist in showing their importance, that mobile 'phone serial numbers are akin to vehicle chassis numbers - in essence IMEIs are intended to be unique numbers.
.
Because of that unique numbering scheme, it follows that each mobile phone should only have one IMEI. That has changed and mobile 'phone manufacturers can include two IMEIs. The two IMEIs can be viewed via the label under the battery pack (see photo below Samsung SGH-D888), or by entering *#06# (asterisk, octothorp, 0, 6, octothorp).
.



.

Having reviewed the Standards and other documentation and found no definitive statement about the requirement for a dual IMEI numbering scheme, I put out some enquiries and I am grateful to those who assisted. I am told it would appear the occurrence of the dual IMEIs is due to there being two radio chipsets in some handsets. As I understand it, also, I won't find anything in the Standards about this matter - just yet. Moreover, it does not automatically follow that a handset having Dual SIM/USIM slots implies or infers that the handset has two radio chipsets, thus two IMEIs.

.

Evidentially, of course it is noted this matter impacts in numerous ways when conducting examination using automated physical and/or logical harvesting of data and the much-needed handset (manual) examination.
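An added example, not part of the original post: a short Python check an examiner could run over the IMEIs recorded from the label under the battery and from *#06# on a dual-IMEI handset, to catch transcription errors and mismatches between the two sources. It assumes the standard 15-digit IMEI layout (8-digit TAC, 6-digit serial, Luhn check digit); the function names and IMEI values are constructed for illustration.

```python
"""Cross-check IMEIs recorded from a dual-IMEI handset (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


def luhn_check_digit(body14: str) -> int:
    """Return the Luhn check digit for the 14-digit TAC + serial."""
    total = 0
    for index, char in enumerate(body14):
        digit = int(char)
        if index % 2 == 1:  # 2nd, 4th, ... digit counted from the left
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


@dataclass(frozen=True)
class Imei:
    digits: str   # normalised 15-digit value
    tac: str      # Type Allocation Code, first 8 digits
    serial: str   # serial number, next 6 digits
    valid: bool   # True when the recorded check digit matches Luhn


def parse_imei(raw: str) -> Imei:
    """Normalise a recorded IMEI (spaces, dashes, slashes allowed)."""
    digits = re.sub(r"[\s\-/.]", "", raw)
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError(f"{raw!r} is not a 15-digit IMEI")
    body = digits[:14]
    valid = luhn_check_digit(body) == int(digits[14])
    return Imei(digits, body[:8], body[8:], valid)


def cross_check(label: list[str], keyed: list[str]) -> list[str]:
    """Compare IMEIs read from the label with those shown by *#06#.

    Returns a list of findings; an empty list means both sources agree
    and every value carries a correct check digit.
    """
    findings: list[str] = []
    seen: dict[str, set[str]] = {}
    for source, values in (("label", label), ("*#06#", keyed)):
        seen[source] = set()
        for raw in values:
            try:
                imei = parse_imei(raw)
            except ValueError as exc:
                findings.append(f"{source}: {exc}")
                continue
            if not imei.valid:
                findings.append(
                    f"{source}: {imei.digits} fails the Luhn check "
                    "(re-read the value before relying on it)"
                )
            seen[source].add(imei.digits)
    for value in sorted(seen["label"] - seen["*#06#"]):
        findings.append(f"{value} is on the label but not shown by *#06#")
    for value in sorted(seen["*#06#"] - seen["label"]):
        findings.append(f"{value} is shown by *#06# but not on the label")
    return findings


# Constructed sample values (not real handset identities).
LABEL = ["351234560000010", "351234560000028"]
# Second value has a mistyped final digit, as might happen in hand-written notes.
KEYED = ["35123456-000001-0", "351234560000023"]

if __name__ == "__main__":
    for line in cross_check(LABEL, KEYED) or ["label and *#06# agree"]:
        print(line)
```
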

Thursday, August 07, 2008

Staggering figures for mobile phone text and data usage

.
The Mobile Data Association (http://www.themda.org/Page_Default.asp), a not-for-profit organisation that provides accurate and factual statistics relating to mobile telephone usage in the UK, publishes its findings month-on-month. Examples of published stats for April and May 2008 (http://www.text.it/home.cfm) identify staggering figures for text and data usage in the UK. Moreover, their latest findings reveal a huge upward spike in text messaging and data-based communications, often at the expense of conventional voice calls.
.
MDA Chairman, Steve Reynolds, added "There are powerful signs all around that mobile Internet access will supersede traditional PC access. The MDA predicts that mobile Internet will become a true rival for traditional desktop internet access." Steve Reynolds' comments will further underpin how mobile device wireless data communications are replacing fixed computer systems.
.
UK Figures for SMS Text Messages (Sent):
May 2008 - 6.5 billion
April 2008 - 6.3 billion
.
UK Figures for Mobile Internet (WAP Users):
May 2008 - 16.43 million
April 2008 - 17.46 million
.
UK Figures for Picture Messaging (Sent):
May 2008 - 46.52 million
April 2008 - 47.13 million
.
The UK possibly has, when measured alongside other countries, the most highly developed mobile phone communication usage in the World, or at least in the Western World, and is producing statistics that do not suggest there is a UK or even a global "downturn" or "recession" when it comes to mobile traffic.
.
From an evidential point of view these statistics and trends shine a very bright torchlight on how underfunded the UK criminal justice legal aid system really is, particularly for experts (like myself) when I am working for the defence, and particularly so in the Capital where most of the technology crimes take place. Put simply, we could reach a stage in the criminal justice system where technology is wrongly used to accuse an individual, or is used in a crime, in such a manner that it won't be properly assessed or scrutinised due to underfunding, so that much crime using the technology goes undetected and unrecognised by the courts and perpetrators become immune to prosecution also.

Thursday, July 31, 2008

CDS Regulations SI 2001 No.1437 & ECHR Article 6


.
Statutory Instrument 2001 No. 1437
The Criminal Defence Service (General) (No. 2) Regulations 2001
.

PART VI - MISCELLANEOUS
.
Authorisation of expenditure

19. - (1) Where it appears to the solicitor necessary for the proper conduct of proceedings in the Crown Court for costs to be incurred under the representation order by taking any of the following steps:
.
(a) obtaining a written report or opinion of one or more experts;
(b) employing a person to provide a written report or opinion (otherwise than as an expert);
(c) obtaining any transcripts or recordings; or
(d) performing an act which is either unusual in its nature or involves unusually large expenditure
he may apply to the Costs Committee for prior authority to do so.

.
(2) The Commission may authorise a person acting on behalf of the Costs Committee to grant prior authority in respect of any application made under paragraph (1).
.
(3) Where the Costs Committee or a person acting on its behalf authorises the taking of any step specified in paragraph (1), it shall also authorise the maximum to be paid in respect of that step.
.
.
.
ECHR Article 6 – Right to a fair trial
.
1. In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgment shall be pronounced publicly but the press and public may be excluded from all or part of the trial in the interests of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice.
.
2. Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law.
.
3. Everyone charged with a criminal offence has the following minimum rights:
a. to be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him;
b. to have adequate time and facilities for the preparation of his defence;
c. to defend himself in person or through legal assistance of his own choosing or, if he has not sufficient means to pay for legal assistance, to be given it free when the interests of justice so require;
d. to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him;
e. to have the free assistance of an interpreter if he cannot understand or speak the language used in court.
