Saturday, January 31, 2009

Mobile Phones and GPS Forensics & Evidence

.
Mobile telephones are the predominant wireless telecommunications device throughout the world, and most certainly in the UK they predominate over other technologies: ownership has reached well over saturation level when compared with the population, and mobile phone usage is embedded in UK culture. The Global Positioning System (GPS) falls into the category of wireless communications that provides a 'beacon' service from which information can be derived, such as a reference clock and location coordinates. GPS is fast becoming an integrated service in mobile telephones and forms part of the forensics and evidence examination process.
.
I have been in talks with Professor David Last, a specialist and expert in GPS forensics and evidence, for some while on the cross-connection between wireless modules that can be integrated into mobile telephones and, in particular, GPS as such a module. The discussion has been directed towards interpretation of GPS data and the importance, once data has been extracted and harvested, of interpreting the GPS data accurately.
.
I have similar thoughts regarding mobile telephone evidence and have raised them in the past at this weblog, and recently published discussion here about Cell Site Analysis and at Forensic Focus:
.
.
There are many other discussions, too, at my weblog about SIM and mobile telephone examination where help and assistance has been given (free of charge and free of advertising, I might add) to aid comprehension of mobile telephone evidence. Similarly, GPS must be taken seriously, as people can lose their liberty and a whole lot more where evidence like this adds a contributory factor to the case against them. This matter will become more prevalent in the future as GPS modules are increasingly being included in mobile telephones.
.
Market research from ABI indicates that shipments of GPS-enabled mobile phones will hit a speed-bump in 2009, but will still manage to post year-on-year unit growth through the current economic downturn. While global handset shipments are expected to drop by 4—5% in 2009, GPS-enabled phones will climb to 240 million units, an increase of 6.4% on 2008. Moreover, smartphones are expected to increase at an average of 19% from 2009 to 2014, and it is predicted that nine of every ten smartphones will contain GPS ICs in 2014, compared with one in three for 2008.
.
Given these latest GPS statistics, it is timely that Professor Last, the immediate past president of the Royal Institute of Navigation (RIN), should have his GPS forensics and evidence article 'Silent Witness' published in Navigation News (an RIN publication). I like the way David has woven in the use of computer forensics, which, like mobile telephones, provides a complementary service to GPS devices for the data recovery process. Copying data, though, is simply not enough, and the 'Silent Witness' article is strong on the importance of accurate interpretation of GPS data. That is a principle with which I wholeheartedly agree, and why I have been promoting the importance of Mobile Telephone Forensics and Evidence Degrees.
.
David has kindly provided a copy of his 'Silent Witness' article that can be downloaded from Mobile Telephone Evidence at the link below:
.
Professor David Last 'Silent Witness'
Navigation News January/February 2009
Pages 10-13
.
Thanks also to the RIN (www.rin.org.uk).

Tuesday, January 20, 2009

Part 2 MOBILE FORENSICS AND EVIDENCE DEGREES


I have received a question about the Degrees and whether there is sufficient educational material for them.

Q: Is there 10 years worth of educational material for a Degree?

A: Yes, I have been dealing with GSM for over 15 years and I have reference material and standards going back to 1991 and books that discuss GSM going back to 1988. There are, at minimum, 100 academic books on GSM. If a starting point for the Degrees were needed then I would probably suggest 1992 as the best reference point to start.

With reference to GSM Standards, there are over a million pages of standards. For instance, for GSM there are standards that originate from GSM Phase 1 (1991-1995), GSM Phase 2 (1995 onwards) and GSM Phase 2+ (known as Releases R96, R97, R98 etc). To give an illustration of how GSM is still going strong, the latest GSM 11.11 standard for SIM cards was published in June 2007.

The original discussion about Degrees can be found here:

http://trewmte.blogspot.com/2009/01/mobile-forensics-and-evidence-degrees.html

Saturday, January 17, 2009

Mobile Forensics and Evidence Degrees BSc, MSc and PhD

.
The introduction of academic qualifications (at the levels of BSc, MSc and PhD) in the forensic analysis of mobile devices is, in my opinion, long overdue. The issues presented by wireless technologies are sufficiently different from those related to "traditional" computer forensics that I strongly feel the time has come to address them in greater depth than the forensics community has done to date.
.
A Bit of Background
Mobile telephone forensics and evidence has not developed overnight but has grown from the earliest building blocks of scientific discovery back in the nineteenth century. Below are some of the historical developments in which mobile communications has its roots:
.
1868: James Clerk Maxwell postulates the EM wave phenomenon (ethereal wind theory)
1886: Heinrich Rudolf Hertz establishes proof of EM waves (Hertz cycle)
1893: Guglielmo Marconi's first use of wireless and first patent of wireless communications
1905: Reginald Fessenden's first transmission of speech and music via a wireless link
1908: Nathan B. Stubblefield invents and patents the first mobile telephone, 100 years ago
etc.
.
Of course, those who see the above as relevant only to devices that took advantage of a waveform that is analogue by nature should not overlook mobile telephones' use of a digital waveform, which also has roots in scientific history, going back to the early nineteenth century and the work of the French physicist Jean Baptiste Joseph Fourier and the method known as Fourier Synthesis and Measurement that was named after him. His method showed mathematically that “any periodic waveform could be represented as the sum of sine waves with the appropriate maximum amplitudes, frequencies, and phases” (Noll(4)284-ch04). This gave birth to the notion of a sine wave being squared off and introduced the notion of the Square Wave.
.

Fourier Theorem - Image 1
.
Fourier’s foundation theorem, set out in the Fourier series, was a masterpiece of mathematical calculation but contained a small flaw: the square was not perfect at the edges, as first observed by Wilbraham in 1848 as “bumps” at the edges creating a square shape with non-uniformity. Albert Michelson (in 1898) built a machine that calculated Fourier’s coefficients and from his re-synthesized results noted “….wiggles around the discontinuities appeared, and even as the number of Fourier coefficients approached infinity, the wiggles never disappeared” (Radaelli-Sanchez; Baraniuk).
.
In 1899, the phenomenon was first explained by J Willard Gibbs, who went on to demonstrate in his mathematical calculations that, in effect, the square wasn’t square at the edges, so to speak; his extrapolation of the problem subsequently came to be known as the Gibbs Phenomenon. The phenomenon can be removed with the Lanczos sigma factor.
.

Lanczos sigma factor applied Image 2
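As an added illustration of the two images above (not code from the original post), the following builds the square wave from its Fourier partial sums, measures the Gibbs overshoot at the edges, and applies the Lanczos sigma factor to the same terms so the reduction can be seen numerically. The convention m = N + 1 for the sigma factor is an assumption chosen so the last retained harmonic is not zeroed.

```python
import math


def square_wave_partial_sum(x: float, n_max: int, sigma: bool = False) -> float:
    """Partial Fourier sum of the unit square wave (+1 on (0, pi), -1 on (-pi, 0)):

        S_N(x) = (4/pi) * sum_{k odd, k <= N} sin(k x) / k

    With sigma=True each term is also multiplied by the Lanczos sigma factor
    sin(k pi / m) / (k pi / m), using m = N + 1 (assumed convention).
    """
    m = n_max + 1
    total = 0.0
    for k in range(1, n_max + 1, 2):  # odd harmonics only
        term = math.sin(k * x) / k
        if sigma:
            arg = k * math.pi / m
            term *= math.sin(arg) / arg  # sigma factor damps the high harmonics
        total += term
    return 4.0 / math.pi * total


def overshoot_fraction(n_max: int, sigma: bool = False, samples: int = 4000) -> float:
    """Peak of the partial sum on (0, pi), expressed as a fraction of the jump
    height (2 for this wave). Gibbs' result is roughly 0.09 however many terms
    are kept; the sigma-weighted sum should come out an order of magnitude lower."""
    peak = max(square_wave_partial_sum(i * math.pi / samples, n_max, sigma)
               for i in range(1, samples))
    return (peak - 1.0) / 2.0


if __name__ == "__main__":
    for n in (9, 49):
        print(f"N={n:3d}  Gibbs overshoot {overshoot_fraction(n):.4f}  "
              f"with sigma factor {overshoot_fraction(n, sigma=True):.4f}")
```

The printed figures correspond to the “bumps” in Image 1 and their damping in Image 2.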
.
There is more to the intriguing discovery above, but for now, if you haven’t guessed, the purpose of discussing the square wave is that it is the waveform that can be used to represent positive polarity and negative polarity, which can be presented in another format called binary: ones (1) and zeros (0). Binary is a basic building block used in digital signalling and communications. The GSM mobile telephone system is a fully digital mobile communication system. Digital signalling and communications are used in GSM handsets and SIM cards.
.
So we can see the link between mobile devices and their roots in scientific history, but how does that correlate to digital mobile telephone forensics and evidence today? Well, forensically we need to understand the digital communications sent by and received at the handset by understanding the ‘radio DNA bracelet’ and any discovery that can be made from it leading to evidence. Of equal importance is how an examiner gets to the information that provides the building blocks of mobile telephone forensic evidence. Furthermore, we need to know how digital communications occur in the handset and SIM card, as well as how to examine the devices to understand the various formats and coding schemes used for the data that are stored, in order to appreciate, once decoded or decrypted, what the content yields as evidence.
.
Policies, practices and procedures combined with examination tools are needed to obtain the evidence above. Some are being developed and some have been developed. I had raised spirits recently when Paul Sanderson of Sanderson Forensics launched his RevEnge and PMExplorer tools, designed to decode and extrapolate the data imaged from particular mobile phones. These tools make the examiner (in an educational way) explore the raw data, define its format and type, and corroborate the information that the data reveals, to determine whether, if the same data were read through a mobile phone, the data would be identical.
.
As those of you who know me will be aware, I worked with Quantaq Solutions' USIM Detective (my details should still be in the help file in USIM Detective) to include forensic aspects in the software and enable analysis of the raw image from GSM SIM and USIM cards, which has proven itself to good effect.
.
I have been quietly partnering with radio test measurement manufacturer Anite (UK division), who produce Nemo Handy, with the specific aims and objectives of producing a 'de facto' standard for cell site analysis. That is because mobile telephones are predominantly wireless telecommunication devices and are covered by primary legislation in the UK (e.g. Wireless Telegraphy Act, Telecommunications Act, Communications Act etc). Indeed, wireless devices also come under Regulations such as the Telecommunications Terminal Equipment (TTE) Regulations and the Radio and Telecommunications Terminal Equipment (R&TTE) Regulations etc. And equally important are the technical standards containing mandatory requirements.
.
So where is this taking all of us in our branch of forensic science? It is taking us towards what I believe are needed, and that is BSc, MSc and PhD degrees in Mobile Forensics and Evidence. We should have had these four years ago but have been held back; the time is now right for degrees specific to our area of work. Importantly, those who have completed modules in Computer Forensic (BSc and MSc) degrees can use those module passes as credits towards one of the Mobile Forensics and Evidence degrees. The feedback from the several Universities I have spoken to so far, in the UK, has been positive. It is appreciated that QAA will be required for the degrees, showing that the foundation is right and that the Universities can deliver the training.
.
TEST YOUR SKILLS
Do you think you have sufficient knowledge and experience? To see whether you could undertake a Mobile Forensics and Evidence degree at BSc level, have a look at the diagram below. It provides a representation of a model for establishing not only past mobile telephone usage but also for determining, as far as possible (in time and space), what evidence can be established about future usage too.
.
Primer
(C now) = Point in time and Space (which is a constant reference point) in the present tense when the examiner is contacted for an investigation and from which the examiner uses to look back at and into the future regarding mobile telephone evidence.
.
(T) = Time is the timeline, limited by how far the examiner can see into the past and future based upon discovery.
.
(S) = Space is the space line that is used as a constant reference point from which all other events occurring in space can be considered based upon discovery (seizure of device, chain of custody of an exhibit etc).
.
(F) = Future relates to things that have yet to happen (future events). This is based upon things that may be discovered from the time the examiner is contacted.
.
(F d) = F d represents, as far as possible, thus not set to a specific period of time, how far into the future the examiner can identify events beyond which no further discovery is possible.
.
(PU usage) = Past User usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)
.
(PR usage) = Past Record usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)
.
Smith Diag 1
.
The proposition in the diagram above (Smith Diag 1) is intended to represent, by use of visualization, how mobile telephone usage can be investigated. The diagram tests your powers of observation and, more importantly, your depth of knowledge. So do not be fooled by what you believe to be my poor graphics skills. I deliberately intended the (PU usage) area to be shown larger than the (PR usage) area in order to suggest that more data may be found in the mobile telephone than may be obtained from the network records. That is because not all activity on a mobile telephone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records, therefore issues associated with cell site analysis also need to be considered. It does not automatically follow that there shall be parity between data obtained from the mobile telephone and the network records, and vice versa. The diagram below (Smith Diag 2) represents a number of data elements commonly considered during an investigation.
.
Smith Diag 2
.
The third diagram (Smith Diag 3) uses the classic representation of Time (T) and Space (S). Use of a Time line may be obvious but the Space line may not be so obvious. The point of using Space is as a determinant for, e.g., the seized exhibit in the examiner's possession. Let's say the examiner receives the mobile telephone exhibit on the 30th March 2008 at 3.00pm. The exhibit was seized on the 10th March 2008 at 11.00am. So, the examiner has two facts to work with: (a) the exhibit in the laboratory (in time and space) and (b) the exhibit seized at a location from premises or person (in time and space).
.
So at the point where the examiner has initial Contact (C now), which is a constant reference point, with the exhibit, past events can start to be determined. By way of illustration, following examination let’s say the examiner finds that the data recovered from the device reveals activity not connected with the Space where the mobile telephone was seized at (b). Space would therefore be highly relevant, because (i) the examiner would need to demonstrate that as a fact and (ii) to demonstrate the separation in Space between each of the locations (a) laboratory and (b) the seizure, and the intervening factor between (a) and (b). This may be supported, for instance, by the last location and frequency details stored on the SIM card, or maybe the handset has GPS or one of the newer mapping systems (Nokia Maps etc) that might be set to automatic logging.
.
Smith Diag 3
.
A visualization of this discussion is represented in the diagram above. To distinguish the two events Space lines have been added representing seizure (dashed Black line) and intervening event (dashed Orange line), to the already existing (C now) constant Space line.
.
So the general discussion above should assist in understanding how the model works with past events. But what may be possible to determine in the future, as far as possible, in Time and Space, has not been discussed at all. That question is for the Test that has been set at the end of this discussion.
.
Some points to remember. Not all activity on a mobile phone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records therefore cell site analysis should not be excluded when you are considering this model. It does not automatically follow there shall be parity between data obtained from the mobile telephone and the network records and vice versa. Do remember a mobile telephone is a common term; Mobile Station (MS) is the correct term, meaning a GSM mobile equipment (ME) and SIM card operating together or 3G* Universal Equipment (UE) and USIM card operating together. *In some countries 3G means that the UE and USIM card, as WCDMA devices, may be profiled also with a chipset/module to work in a GSM radio environment.
.
Finally, do remember to look carefully at the diagram as your powers of observation are also being tested.
.
The Test
This test is open to individuals, companies, forensic firms and University students.
.
Discuss, supported by equations if necessary, to either prove or disprove whether the model is correct at first instance.
.
If you do not believe the Diagram is correct then submit a diagram that you have designed to represent the past and future mobile telephone usage.
.
Identify, using the above diagram, what events in Time and Space you think an examiner might be able to determine about future usage of a handset and SIM card following examination of them. It may assist if I provide some clues for discussing future events.
.
- Remember that radio signals travel at the speed of light and you may wish to consider whether a 2W mobile telephone or less than 2W could generate radio signals propagated at that speed.
- International time zones vis-à-vis international boundaries
- Proactive SIM
- Calendar/Alarm
- Battery
- Subscription
- Also, think along the lines of kidnap cases and death cases
.
The correct responses that have been emailed to me in acrobat .pdf format will be published here at the blog and at Forensic Focus:
.
.
Please remember to identify who you are in your document so that the author gets the recognition for their work. The Test closes 27th March 2009. From your submitted paper to me, which will be reviewed by a Board of Assessors, you will be able to know from your marked paper whether you have sufficient skillsets to undertake a BSc Mobile Forensics and Evidence degree.
.
Good luck

Tuesday, January 13, 2009

Checking Masts - CSA 2

.
In response to the Checking Masts - CSA previous thread here at my blog, a Forensic Focus member asked the following questions:
.
- Do you, yourself perform Cell Site Analysis/Surveys for cases?
.
- If so what equipment do you use for this very interesting task??
.
Answer:
Yes I do and have been doing so since the early 90s for GSM and since 2006 for 3G.
.
I use Nokia network monitor for 2G and have used, but do not particularly like, some of these newer independent flash files that enable some smartphones to obtain 3G network control data. I do continue to use them as one tool but for fairness reasons in dealing with the radio evidence.
The reason for that is there are no:
.
1) forensic standards for the calibration of test equipment generating evidence
2) forensic standards for the content or quantity of radio data captured for evidence
3) forensic requirements for user mobile phones to be calibrated
4) standards that require a mobile phone, after it has left the manufacturing production line, to maintain its radio mask calibration for longer than 12 months.
.
For example, dealing with point 4), most mobiles in use do not precisely meet calibration standards, but largely their radio mask is towards the upper or lower limits due to the way in which mobile phones are treated by their users: dropped, fallen in water, exposed to fag ash, drink splatter, overcharging, overheating, running the battery flat during calls etc etc. All these things and more take their toll on mobile phone operation over time, and it is not surprising to find that calibrated radio engineer test equipment often produces a better RxLev sensitivity. For instance, if one puts a used mobile phone side by side with a radio engineer's test rig they both record 'absolute' measurements, obviously, but the disparity between 'relative' measurements can be surprising.
.
For a radio engineer's test rig I use Anite's Nemo Handy. Also I have secured in evidence the requirement for the readings, the electronic files that contain the readings and the screen prints to be served in evidence because:
.
a) they are original evidence
b) it exposes not just preservation of evidence but the processes which brought the evidence about
c) it means the prosecution can meet the Golden Rule without being fed spurious argument of why things can't be done
d) it stops outsourcer firms holding back on evidence or unilaterally deciding that they control what our courts and criminal justice system can or cannot see
e) whilst I used Anite's Nemo Handy .dt1 file for the criminal case in which I was advising, the requirement is not limited to simply radio test measurements from Nemo Handy but all other radio test equipment etc and equally applies to handset and U/SIM card evidence.
.
The additional benefit this offers is that where the police want to save money extracting and harvesting data that is subsequently produced in reports, and want to cut down on inessential data, they can still produce reports with only the content they want to show. The full copy of the data is still obtained by the examiner, and this means the defence, having a copy of the full data in electronic format, can examine all the other data to see whether any vital evidence for the defendant's case has been overlooked or not.
.
Moreover, the defence can still examine the exhibit as the prosecution will have already produced their evidence. This will allow for variations in evidential standard or interpretation to be checked and exposed, if any, in order to maintain the principle 'nothing lost in translation.'
.
This can also work on other levels as well. Such as, we know the Forensic Regulator is due to launch soon and the public sector are rushing around to create and approve their own standards. However, the independent sector has not had the opportunity to qualify whether the public sector standards are better than the standards in the independent sector. The work I have been doing is to highlight issues and attitudes to mobile phone evidence and to let the courts know there is evidence the courts can have. If the Regulator accepts procedures created by the public sector it should not bar the independent sector procedures being accepted also.
.
If the independent sector were automatically disbarred from having their own procedures accepted it could potentially lead to public sector standards containing systemic failure being promulgated throughout the country. Not only that, but the knock-on can directly affect small business by placing heavy regulation and financial demands upon small business, causing collapse and unemployment in MPs' constituencies. Apart from which there may be the issues associated with breach of human rights under the Human Rights Act and the European Convention on Human Rights.
.
Apologies for the length of commentary. It was necessary to go along this discussion path because it is important to promote standards and to highlight choices available to people interested in mobile telephone evidence and identify what is possible by knocking over artificially generated psychological boundaries. I would hope to get the message into evidence in the London area, but my instructions come from outside of London these days and London appears to be a bit of a no-go zone.
.
If you want to start a new topic, ask a question or join the discussion on my previous postings then please join in at the Forensic Focus Mobile Forensic Discussion Forum.

CHECKING MASTS - CSA

.
Since linking with Jamie Morris at Forensic Focus to create a Mobile Forensics Discussion Forum (http://www.forensicfocus.com/index.php?name=Forums&file=viewforum&f=14) to bring mobile telephone evidence to a wider audience, I have had several discussions with people who are new to mobile telephone evidence and have been asked to provide further discussion on matters concerning Checking Masts. Police sections have also asked me to open up the discussion as to what might happen when Mast checks are not made and how that might impact on a criminal case. Whilst the criminal case discussion is hypothetical, some events happening in the discussion are factual and drawn from a number of criminal cases.
.
The necessity to check with a mobile network operator regarding details of a particular Mast (Cell Site) and the bearing of coverage (azimuth) from it, for a particular Cell ID, at the material time to see whether it has changed prior to conducting cell site analysis is a useful rule to follow. There are, of course, many other matters that need to be checked also, but I have simplified the issues for the purposes of this discussion.
.
The details of Mast changes are recorded by Operators in their databases. A Single Point of Contact (SPOC) is not prevented from asking about Mast details and obtaining the relevant information. However, as a SPOC doesn’t decide what evidence should or shouldn’t be required for a criminal investigation, the SPOC should be asked to obtain this information.
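The check described above, as an added example that is not part of the original post: given the operator's change log for a Cell ID, it looks up the azimuth in force at the material time of each call and at the time of the later radio survey, and flags any call where the two differ (or where the log has no entry covering the call, which is a gap to resolve with the operator rather than evidence of no change). The Cell ID, azimuths, dates and the nine-week survey delay are constructed to match the hypothetical case on this page, not real operator data.

```python
from datetime import datetime
from typing import List, NamedTuple, Optional


class MastChange(NamedTuple):
    """One row of an operator's change log: from `effective` onwards the
    sector identified by `cell_id` illuminates along bearing `azimuth_deg`."""
    cell_id: str
    effective: datetime
    azimuth_deg: int


class CallRecord(NamedTuple):
    when: datetime
    cell_id: str
    note: str


class Discrepancy(NamedTuple):
    call: CallRecord
    azimuth_at_call: Optional[int]
    azimuth_at_survey: Optional[int]


# Constructed change log: the sector pointed west (270, the block of flats)
# until it was re-pointed east (90, the house) on 18 March 2008.
CHANGE_LOG = [
    MastChange("CELL-A", datetime(2007, 6, 1), 270),
    MastChange("CELL-A", datetime(2008, 3, 18), 90),
]

# Constructed call records: the 8.00pm call the police relied on, made before
# the change, and a later call made after it.
CALLS = [
    CallRecord(datetime(2008, 3, 16, 20, 0), "CELL-A", "call relied on by police"),
    CallRecord(datetime(2008, 4, 5, 12, 30), "CELL-A", "call after the mast change"),
]

# Constructed survey time: roughly nine weeks after the estimated time of death.
SURVEY_TIME = datetime(2008, 5, 18, 14, 0)


def azimuth_at(cell_id: str, when: datetime, log: List[MastChange]) -> Optional[int]:
    """Azimuth in force for `cell_id` at `when`: the latest log entry for that
    cell whose effective time is not after `when`. Returns None when no entry
    covers `when`, which means the history is incomplete, not 'unchanged'."""
    azimuth = None
    for change in sorted(log, key=lambda c: c.effective):
        if change.cell_id != cell_id:
            continue
        if change.effective <= when:
            azimuth = change.azimuth_deg
        else:
            break  # remaining entries postdate `when`
    return azimuth


def survey_discrepancies(calls: List[CallRecord], survey_time: datetime,
                         log: List[MastChange]) -> List[Discrepancy]:
    """Calls for which a survey done at `survey_time` would not see the coverage
    that existed when the call was made, so the survey cannot be used on its
    own to place the phone at the surveyed location for that call."""
    found = []
    for call in calls:
        then = azimuth_at(call.cell_id, call.when, log)
        now = azimuth_at(call.cell_id, survey_time, log)
        if then is None or then != now:
            found.append(Discrepancy(call, then, now))
    return found


if __name__ == "__main__":
    for d in survey_discrepancies(CALLS, SURVEY_TIME, CHANGE_LOG):
        print(f"{d.call.when:%Y-%m-%d %H:%M} {d.call.cell_id}: azimuth at call "
              f"{d.azimuth_at_call}, at survey {d.azimuth_at_survey}: "
              f"survey not representative ({d.call.note})")
```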
.
The Masts
Below is image (a), which displays a Mast's radio coverage for a particular Cell ID illuminating in a westerly direction towards a block of flats.


Image (a)
.
The next image (b) below displays the same Mast (as above) relating to radio coverage with its associated Cell ID but this time the radio coverage is illuminating in an easterly direction, in the opposite direction towards a house.



Image (b)
.
For the purposes of this discussion the Mast is shown close to the properties in both images. This was done for artistic purposes and is not intended to mean the Mast is actually that close to both properties. Also, an actual Cell ID has not been shown, but the relevance of the Cell ID is inferred from the radio coverage being displayed.
.
Criminal Case
Imagine if you will that on a particular date, let us say the 30th March 2008, a dead body is found in the house, shown in image (b). The police have been alerted to the property by a neighbour because of a dreadful smell emanating from the direction of the house. Upon entering the property the police find a decomposing body of a woman on the floor. The Pathologist is called and indicates, following assessment of the decomposing body, that the body had been dead for approximately two weeks. That would generate a time line back to Tuesday 16th March 2008.
.
The police conduct door-to-door enquiries and one neighbour next door but one mentions that two weeks ago as she passed the house there was shouting emanating from inside the property and cries for help. The neighbour thought nothing more of it because the couple that lived there had regular arguments, which the neighbours and passers-by could overhear.
.
The police asked the neighbours whether they had noticed anything else. One lady who lived a few doors away replied that she had looked out of her window and seen the man that lived there leave the property at about 8.30pm, that it would have been a Tuesday, and funnily enough that was about two weeks ago.
.
To cut a long story short, the police found the man who lived in the house a month later, seized his mobile telephone and, having retrieved his mobile telephone subscriber details, obtained call records and identified the Masts that routed mobile calls to and from his mobile phone. From the records it was noted that two weeks before the body was found his mobile had used a Mast for a call (on the Tuesday at 8.00pm); the Mast was sited 2.4 km away from where he lived with his partner. This was also the nearest Mast to the house.
.
The police called for radio test measurements to be conducted outside the house three weeks later. The time-span from the estimated time of death to radio testing was approximately 9 weeks. The radio tests confirmed that the Cell ID recorded in the call records is the same as detected outside the house.
.
The man, during questioning, confirmed he had not been back to the house since leaving on the Saturday. That being the Saturday prior to the Tuesday when it is approximated the death took place. He had also been living in a Bedsit because the relationship with his partner had irrevocably broken down and they had agreed to split and go their separate ways.
.
The police believed from the evidence that they had thus far that it was enough to hold the man, now a suspect, and the death case turned into a murder case. The evidence they relied upon was:
.
1) The neighbours hearing regular arguments and cries for help on the fateful day
2) The neighbour that says she saw the suspect leaving the house at 8.30pm
3) The call records that show a call on the Tuesday from the suspect's mobile telephone using a Cell ID from a Mast that is sited 2.4 km away and is the nearest Mast to the house
4) The radio test measurements that show the Mast’s coverage, thus Cell ID, used by the suspect's mobile phone illuminated outside the house.
.
So at minimum there appear to be four good pillars of evidence. However, when the radio test measurements were conducted no checks had been made with the mobile operator as to whether any changes had been made to the Masts in the area prior to the radio test measurements being conducted. It subsequently came to light at trial that the Cell ID illuminating towards the house (image (b)) had only been illuminating eastwards towards the house from Thursday 18th March 2008, after the alleged murder, due to changes at the Mast. Prior to that date the Mast had been illuminating westwards, towards a block of flats (image (a)).
.
Impact on Criminal Case
So when the police had noted from the suspect's call records that over the last few months they showed the suspect's mobile phone using a particular Cell ID for mobile calls that the police thought could be made or received from the house, they were misled and operated under a false assumption. The suspect had, in fact, been having an affair with a married woman in the block of flats (image (a)) and didn't want to say anything for fear of reprisals from the woman’s husband, who was known to have a temper and might take it out on the woman if she was called as a witness. It was this affair that the victim, when she was alive, had been tipped off about some months earlier, and it was the cause of the couple constantly arguing.
.
The lack of discovery about any changes to a particular Mast prior to conducting radio test measurements impacted on the case by:
.
- the test results, that should add value to a case, were inaccurate and unhelpful
- delays were introduced into the investigation as the test results steered the police in the wrong direction
- operational man-hours increased
- operational costs increased
- worse still, a false allegation of murder was made against an innocent person
.
As to the other pillars of evidence: 3) and 4) were no longer valid, and the woman with whom the suspect was having an affair corroborated the dates and times she was with the suspect. As to 1) and 2)? On the fateful day, 1) the argument that was heard by a neighbour turned out to involve the victim's ex-boyfriend from a previous relationship, against whom she had given evidence for drug dealing some 5 years earlier, and who had been released from prison 20 days before the murder. He had vowed to seek revenge against the victim. 2) The neighbour who saw the suspect at 8.30pm at night in fact saw a silhouette of the man she thought was the suspect, because it was 8.30pm at night and her eyesight wasn't as good at night. The silhouette leaving the house was the ex-boyfriend leaving after having murdered his ex-girlfriend.
.
Further Observations
In consequence, not checking with the operator about its Masts before conducting radio test measurements cost investigation time that should have gone into finding the real culprit, produced unnecessary and redundant evidence, increased costs, greatly extended the investigation and, on top of all that, led to a person being wrongly accused. Moreover, as checking the Masts is a well known procedure, failing to do so during an investigation may amount to an act of intent to plant evidence against someone by deliberate omission.
.
This is only a hypothetical discussion, but if such practices were followed in real criminal cases on a regular basis, and applied as policy across England, they could potentially lead to some £20 million in retrials. Of course that should not be possible, given the 'Golden Rule' of disclosure enunciated by Lord Bingham in R -v- C & H (February 2004): 'fairness requires that full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence'. The test is an objective one, grounded on what is 'reasonable'. However, the guidance makes it plain that an expert witness is no longer to be trusted to exercise his or her own judgment in deciding what falls within this definition and what is and is not relevant.
.
It is the influence of the Golden Rule, placing affirmative duties on the prosecution from 2004 onwards, that safeguards the reliability of evidence in criminal cases. That suggests that, were Her Majesty's Inspectorate to require the prosecution tomorrow to produce, for 200 randomly selected cases from across the country, the documented enquiry to the operator asking to be notified of any changes to a particular Mast in a particular case, together with the operator's documented response, the prosecution should be able to do so.
.
That is not to say that if a prosecution mobile telephone case involves 50 Masts, documentation for each of the 50 would be necessary; rarely are all Masts relevant to an alleged crime, and a large proportion are used merely as padding to show movement. The relevant Masts are those whose coverage can show that the mobile telephone or telephones could potentially have been at the scene of crime, which usually comes down to the last three to six Masts nearest the scene. Besides, I cannot see the prosecution being hoodwinked into believing that 50 Masts amount to far too many enquiries to make to the operator, and so making no enquiries at all.
.
As I have mentioned above, this is purely hypothetical, but hopefully it illustrates the importance of checking Masts before conducting radio test measurements.
.

Thursday, January 08, 2009

SIM PIN Challenge

.
Back in 2005 I was at a presentation by a SIM manufacturer when the presentation turned to CHV (Card Holder Verification), the term GSM 11.11 uses for what is commonly called the SIM PIN.
.
The presentation had reached the part "Verifying the CHV" and went on to record:
.
~ To verify the PIN, the VERIFY CHV APDU is used....
.
A0 20 00 CHVNum 08 PINValue
.
~ The message sent from the phone to the SIM in order to check your PIN 1111 (four ASCII digits, right-padded with FF to the eight bytes announced by Lc = 08) is:
.
A0 20 00 01 08 31313131FFFFFFFF
.
This all seemed normal until three slides later when the presentation started to discuss "File Structure after personalization" and displayed the graphics starting with the Master File (MF) and under which there were five Elementary Files (EF). The graphics displayed in the presentation were text book style when discussing MF and EFs, except for this presentation the manufacturer had gone as far as to identify two particular CHV EFs; one of which was 3F00 - EF_CHV1 0000.
.
So does that mean a particular EF under the MF in SIM with a logical address 3F00 0000 is always going to be the CHV1 file and would the raw data from that EF reveal a user's PIN number?
.
Below are raw data extracts from three phases of SIM cards - Phase 1, Phase 2 and Phase 3 (2+) and harvested from the Master File (MF) 3F00 and an unnamed EF immediately under the MF with an address 3F00 0000.
.
Your challenge, if you are interested, is to examine the raw data and corroborate whether the data reveals a user's CHV1 (PIN number) or not.
.
To help, you may want to check the GSM SIM card standard GSM 11.11 to comprehend file structure, formatting and coding etc for elementary files and to learn what the standard has to say about CHV/PIN.
.
As forensic investigators you shouldn't need the 'carrot and stick' approach to get you to undertake this challenge, because I know how much you all love your work and can't get enough of it, and that should be reward enough :-). However, for the first person who posts the correct answer at Forensic Focus, I am sure we can sort out some sort of prize:
.
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3349
.
However, there are some rules (there is always something like this):
.
1) Your answer should identify a document or web link that supports it (the document/web link must be traceable, not based on "something somebody told you"). This will be checked before any prize is awarded.
2) The challenge closes on 15th February 2009.
3) I won't be giving the answer, because I do not want everyone just to sit back and wait for my reply.
.
GOOD LUCK
.
PHASE 1 SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 1A 47 3F 00 00 00 F1 F4 44 13 15 83 02 03 04 00 82 8A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
----------------------------------------
Memory not allocated (bytes 3-4) : 1A47
File ID : 3F00
Type of file : MF (byte 7 = 00, a value GSM 11.11 reserves; Phase 1 card)
Number of DFs : 2
Number of EFs : 3
Number of CHVs : 4
CHV1 (PIN1) : Disabled (file characteristics byte 14 = 83, b8 set)
CHV1 (PIN1) status (byte 19) : initialised, 2 tries left
UNBLOCK CHV1 (PUK1) status (byte 20) : initialised, 10 tries left
CHV2 (PIN2) status (byte 21) : not initialised, 0 tries left
UNBLOCK CHV2 (PUK2) status (byte 22) : not initialised, 0 tries left
--------------------------------------------------------------------------------
.
3F00:0000

--------------------------------------------------------------------------------
Response: 00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF
----------------------------------------
File ID : 0000
Type of file : RFU (byte 7 = 00)
Structure of file : Transparent
File size : 0018 (24 bytes)
Read/seek access : NEVER (code 15)
Update access : NEVER (code 15)
Increase access : NEVER (code 15)
Rehabilitate : NEVER (code 15)
Invalidate : NEVER (code 15)
File status : Not invalidated
--------------------------------------------------------------------------------
.

Phase 2 SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 63 9C 3F 00 01 FF FF FF FF 01 0E 93 02 07 02 00 83 8A 00 00 00 00 83 00 FF
----------------------------------------
Memory not allocated (bytes 3-4) : 639C
File ID : 3F00
Type of file : MF
Number of DFs : 2
Number of EFs : 7
Number of CHVs : 2
CHV1 (PIN1) : Disabled (file characteristics byte 14 = 93, b8 set)
CHV1 (PIN1) status (byte 19) : initialised, 3 tries left
UNBLOCK CHV1 (PUK1) status (byte 20) : initialised, 10 tries left
CHV2 (PIN2) status (byte 21) : not initialised, 0 tries left
UNBLOCK CHV2 (PUK2) status (byte 22) : not initialised, 0 tries left
--------------------------------------------------------------------------------
.
3F00:0000

--------------------------------------------------------------------------------
Response: 00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00
----------------------------------------
File ID : 0000
Type of file : EF
Structure of file : Transparent
File size : 0012 (18 bytes)
Read/seek access : NEVER (code 15)
Update access : ADM (code 10)
Increase access : NEVER (code 15)
Rehabilitate : NEVER (code 15)
Invalidate : NEVER (code 15)
File status : Not invalidated
--------------------------------------------------------------------------------
.

Phase 3 (2+) SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 00 01 3F 00 01 00 00 00 00 00 09 81 04 12 0A 00 83 8A 83 8A
----------------------------------------
Memory not allocated (bytes 3-4) : 0001
File ID : 3F00
Type of file : MF
Number of DFs : 4
Number of EFs : 18
Number of CHVs : 10
CHV1 (PIN1) : Disabled (file characteristics byte 14 = 81, b8 set)
CHV1 (PIN1) status (byte 19) : initialised, 3 tries left
UNBLOCK CHV1 (PUK1) status (byte 20) : initialised, 10 tries left
CHV2 (PIN2) status (byte 21) : initialised, 3 tries left
UNBLOCK CHV2 (PUK2) status (byte 22) : initialised, 10 tries left
--------------------------------------------------------------------------------
.
3F00:0000

--------------------------------------------------------------------------------
Response: 00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00
----------------------------------------
File ID : 0000
Type of file : EF
Structure of file : Transparent
File size : 0017 (23 bytes)
Read/seek access : NEVER (code 15)
Update access : ADM (code 11)
Increase access : NEVER (code 15)
Rehabilitate : NEVER (code 15)
Invalidate : NEVER (code 15)
File status : Not invalidated
--------------------------------------------------------------------------------
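.
As an added worked example (my own code, not part of the original post or of the SIM manufacturer's slides), the following Python decodes the raw SELECT responses printed above using the byte positions defined in GSM 11.11 (section 9.2.1 for the MF/DF and EF response data, 9.3 for the access-condition codes) and builds the VERIFY CHV APDU from the slide (section 9.2.9). The three card responses are transcribed from the post; the function names, the CARDS table and the advice strings are my own. It shows what the four status bytes at the end of the MF response actually are, which access condition governs reading EF 0000, and why an examiner should read those status bytes before ever sending VERIFY CHV to an evidential SIM.

```python
# Added example: GSM 11.11 SELECT-response decoder and VERIFY CHV builder.
# Not from the original post; byte layouts follow GSM 11.11, card data is
# transcribed from the post, names and advice strings are illustrative.

ACCESS_NAMES = {0x0: "ALWAYS", 0x1: "CHV1", 0x2: "CHV2", 0x3: "RFU", 0xF: "NEVER"}
FILE_TYPES = {0x01: "MF", 0x02: "DF", 0x04: "EF"}
EF_STRUCTURES = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}


def access_name(code: int) -> str:
    """Name of an access-condition nibble; 4..14 are administrative (ADM) levels."""
    return ACCESS_NAMES.get(code, "ADM")


def verify_chv_apdu(pin: str, chv_num: int = 1) -> bytes:
    """VERIFY CHV: CLA A0, INS 20, P1 00, P2 = CHV number, Lc 08, then the 4..8
    digit PIN as ASCII, right-padded with FF to exactly 8 bytes."""
    if not pin.isdigit() or not 4 <= len(pin) <= 8:
        raise ValueError("CHV must be 4 to 8 decimal digits")
    if chv_num not in (1, 2):
        raise ValueError("CHV number must be 1 (PIN1) or 2 (PIN2)")
    return bytes([0xA0, 0x20, 0x00, chv_num, 0x08]) + pin.encode("ascii").ljust(8, b"\xff")


def _chv_status(byte: int) -> dict:
    """CHV status byte: b8 = secret code initialised, b1..b4 = attempts remaining."""
    return {"initialised": bool(byte & 0x80), "tries_left": byte & 0x0F}


def parse_mf_df_response(resp: bytes) -> dict:
    """SELECT response for the MF or a DF (1-based GSM 11.11 bytes): 3-4 memory not
    allocated, 5-6 file ID, 7 type, 14 characteristics (b8 = CHV1 disabled),
    15/16/17 number of DFs/EFs/CHVs, 19-22 CHV1, UNBLOCK CHV1, CHV2, UNBLOCK CHV2."""
    if len(resp) < 22:
        raise ValueError("MF/DF response too short")
    return {
        "free_memory": int.from_bytes(resp[2:4], "big"),
        "file_id": resp[4:6].hex().upper(),
        "file_type": FILE_TYPES.get(resp[6], "RFU"),
        "chv1_disabled": bool(resp[13] & 0x80),
        "num_df": resp[14],
        "num_ef": resp[15],
        "num_chv": resp[16],
        "chv1": _chv_status(resp[18]),
        "unblock_chv1": _chv_status(resp[19]),
        "chv2": _chv_status(resp[20]),
        "unblock_chv2": _chv_status(resp[21]),
    }


def parse_ef_response(resp: bytes) -> dict:
    """SELECT response for an EF (1-based GSM 11.11 bytes): 3-4 size, 5-6 file ID,
    7 type, 9-11 access conditions as nibbles in the order READ/SEEK, UPDATE,
    INCREASE, RFU, REHABILITATE, INVALIDATE, 12 status (b1 clear = invalidated),
    14 structure of the EF."""
    if len(resp) < 14:
        raise ValueError("EF response too short")
    return {
        "file_size": int.from_bytes(resp[2:4], "big"),
        "file_id": resp[4:6].hex().upper(),
        "read": access_name(resp[8] >> 4),
        "update": access_name(resp[8] & 0x0F),
        "increase": access_name(resp[9] >> 4),
        "rehabilitate": access_name(resp[10] >> 4),
        "invalidate": access_name(resp[10] & 0x0F),
        "invalidated": not resp[11] & 0x01,
        "structure": EF_STRUCTURES.get(resp[13], "RFU"),
    }


def verify_advice(mf: dict) -> str:
    """Read the MF status bytes before sending VERIFY CHV to an evidential SIM:
    each wrong PIN decrements the counter, and at zero only PUK1 recovers it."""
    if mf["chv1_disabled"]:
        return "CHV1 disabled: no PIN needed, do not send VERIFY CHV"
    tries = mf["chv1"]["tries_left"]
    if tries == 0:
        return "CHV1 blocked: UNBLOCK CHV with PUK1 required"
    if tries == 1:
        return "one attempt left: obtain the PIN or PUK1 from the operator first"
    return f"{tries} attempts left"


# MF and EF 0000 responses transcribed from the three cards in the post.
CARDS = {
    "phase1": ("00 00 1A 47 3F 00 00 00 F1 F4 44 13 15 83 02 03 04 00 82 8A 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
               "00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF"),
    "phase2": ("00 00 63 9C 3F 00 01 FF FF FF FF 01 0E 93 02 07 02 00 83 8A 00 00 00 00 83 00 FF",
               "00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00"),
    "phase2plus": ("00 00 00 01 3F 00 01 00 00 00 00 00 09 81 04 12 0A 00 83 8A 83 8A",
                   "00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00"),
}


def decode_card(name: str) -> tuple:
    """Return (MF summary, EF 0000 summary, advice) for one of the cards above."""
    mf_hex, ef_hex = CARDS[name]
    mf = parse_mf_df_response(bytes.fromhex(mf_hex))
    ef = parse_ef_response(bytes.fromhex(ef_hex))
    return mf, ef, verify_advice(mf)


if __name__ == "__main__":
    print("VERIFY CHV for 1111:", verify_chv_apdu("1111").hex(" ").upper())
    for name in CARDS:
        mf, ef, advice = decode_card(name)
        print(f"{name}: CHV1 {mf['chv1']}, PUK1 {mf['unblock_chv1']}, "
              f"EF 0000 read={ef['read']} update={ef['update']} -> {advice}")
```

Run it as a script to print a one-line summary per card. The decoder reports the four trailing status bytes as CHV1, UNBLOCK CHV1, CHV2 and UNBLOCK CHV2 in that order, rather than four copies of "CHV1", and it names access-condition code 15 as NEVER rather than as a CHV number; both points are worth checking against your own tool's output before relying on it in a statement.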


Tuesday, January 06, 2009

DARPA Interference Multiple Access (IMA)

.
I saw a YouTube presentation from BAE Systems about a new communications algorithm called DIMA (DARPA Interference Multiple Access) that allows 500% more messages to be combined, transmitted and untangled without encryption or conventional compression, using WiFi (802.11n) as the transmission medium. 802.11n is not tied to a single portion of the spectrum but is approved for both 2.4 GHz and 5 GHz (http://en.wikipedia.org/wiki/802.11), unlike 802.11a, which uses 5 GHz, and 802.11b and 802.11g, which both use 2.4 GHz.
.
The video quotes high WiFi data rates, suggesting three times the efficiency of 802.11 (600 Mbit/s). I was trying to imagine the impact of that on the backhaul to, for instance, the Internet over an E1 circuit (http://en.wikipedia.org/wiki/E-carrier#E1), where one E1 carries 2.048 Mbit/s. If the air-interface data rate and throughput are that high, the E1 becomes the choke point, causing congestion just when throughput to destinations might be paramount.
.

.
I could see this technology coming into use for security, emergency rescue or commercial events in several years' time, perhaps for security at the London Olympics in 2012, or for a search and rescue operation, and so on.
.
Mind you, having unmanned aerial vehicles (UAVs) hovering in the sky might seem strange at first, but would they be cheaper and more carbon-footprint friendly than helicopters? As the BAE video suggests, UAVs (http://en.wikipedia.org/wiki/Unmanned_aerial_vehicle) reduce the need for fixed systems, enabling immediate deployment of hot networks when they are needed. I wonder whether it could be adapted to deliver the UAV images and video to smart phones? Can you imagine looking at spectacular live aerial photographs and video evidence and trying to process and preserve it as evidence? It would probably need to be recorded to a memory card of some gigabytes.

Sunday, January 04, 2009

Mobile Forensics Discussion Forum

.
I have linked up with Jamie Morris of ForensicFocus (www.forensicfocus.com) to run a Mobile Forensics Discussion Forum. It is high time the profession had such a forum, one that doesn't require people to join a forum while being excluded from other parts of it.
.
Jamie has posed a question in the new forum:
.
"Forensic analysis of mobile phone internal memory"
-----------------------------------------------------
"I'm interested in how current practice in mobile phone forensic memory analysis reflects or differs from the paradigm and procedure(s) discussed in Svein Y. Willassen's paper here (PDF). All thoughts and comments welcome! Jamie"
.
I have posted my reply, albeit rather long, which is below. If you want to join the discussion it is going on at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3335 right now, so join in.
.
Greg Smith reply to Jamie Morris
There are some interesting reports that have been written regarding recovery of deleted data from mobile telephone flash memory chips and they all make a useful contribution in this field of examination.
.
I do have my suspicions about the way in which deleted data recovery from mobile telephones is being conducted and the need to be conducting such a process on anything that looks like a mobile telephone.
.
Jamie, as you started the discussion about methodology then I'll add my 2p worth.
.
Extracting and harvesting physical data as opposed to logical data needs to be balanced between methodology vis-a-vis forensic standards and evidential admissibility. Different countries have different requirements, rules and laws when it comes to deleted data. In the UK there are many issues surrounding 'interference with goods', single and both party 'consent', 'collateral intrusion', damage etc etc.
.
As numerous articles have been written, in examination terms, about the methods to recover deleted data, forensics and evidence equally demand that we learn the problems with using certain methods, to judge whether those methods should be used in the first place and how reliable they are. For instance, reports rarely record what faults were found in the methodology, the problems that occurred, the time the method takes, and so on. Looking at the problems associated with damage and damage avoidance when discussing methodology:
.
SIM Cards
Can we learn anything from damaged SIM Cards? Let's take the issue of acid etching an ICC card to get at the microprocessor inside (for example because the contact legs have been broken and normal boot-up of the ICC isn't possible) in order to read the SIM. This process is not quick and certainly is not suited to a production run ('bang it in, bang it out' style of thinking). The microprocessor may be exposed to ESD, poor handling or something else. If this happens the examiner may not get any data, and it also prevents anyone else from examining the SIM independently.
.
Handset Flash Chips
Issues of damage can arise when removing and replacing flash memory chips on mobile telephone circuit boards. De-soldering and re-balling are not easy, no matter how easy a report makes the subject appear. It is a skilled art form that takes time and patience to acquire the routine to perfect re-balling, for example. What happens when the examiner breaks a flash chip contact pin when physically lifting the chip off the board because de-soldering wasn't performed correctly? Alternatively, poor re-balling technique can lead to dry joints or a loose contact pin in the grid array that might cause intermittent faults.
.
Whilst talking about flash memory chip removal, ask why it is necessary to remove the chip in the first place. Are the deleted data really necessary? Many of you may be familiar with the JTAG points on a mobile phone. Many of you may also be aware that using the JTAG points may alter data in RAM and at the Flash Translation Layer (FTL), where some implementations run automated data-maintenance operations, such as wear-levelling, that can be activated. Removing the chip is meant to help avoid that happening. Okay, so now the chip has been removed (leaving aside the issues of actually interrogating the chip, imaging and harvesting data), and it needs to be re-balled (replaced) at the end of the examination. How do you know that the mobile phone will work properly again having replaced the chip? By switching ON the mobile telephone to check if it works? Hang on, that cannot be right: the chip was removed in the first place to avoid altering data. By the same token, a mobile telephone cannot be handed back to its owner in a disassembled or damaged state, because not every suspect is sent to court or found guilty.
.
Apart from the above issues, is the technique of recovery of deleted data absolutely necessary for every case and how might that be handled?
.
Is there a mass market for deleted data as evidence?
Many years ago I worked in the type approvals of telecommunication equipment marketplace, whilst my fledgling career in forensics and evidence was still beginning. As a type approvals consultant, I visited my clients' factories in the UK and the Far East and learned a tremendous amount about equipment production and the repair of devices. De-soldering and re-balling, I learned, use resources that are time-greedy, and specialist equipment for handling surface-mounted technology was needed where large quantities of components had to be removed and replaced on the board. It also required removing the PCBs from their casings (screws etc) and disconnecting leads from LEDs/LCDs etc, which required a human workforce.
.
To run the same operation for seized mobile telephones as evidence would be difficult, time consuming and costly. Outsourcing the work overseas to get cheap human labour could be fraught with problems. Not least, it could be tantamount to allowing evidence to leave the country, potentially to a country not governed by the laws of the country where the evidence had been seized, only to find loss of jurisdiction and/or no way of tracing how the evidence has been handled or what treatment it received whilst overseas. Outsourcing overseas has other problems as well: it can lead to job losses rather than job creation in the country where the evidence was seized, and costs paid to overseas outsourcers do not benefit the home economy, as the money flows away from the country rather than circulating in it. Another side effect is a brain drain of knowledge, because home-grown talent would obviously find less work and move elsewhere, or go and learn new skills and drop the old ones. Countries that outsourced also tended to find themselves held to ransom down the line, as no knowledge and skill remained at home.
.
The above is obviously a macro view applied to a micro practice limited to recovering deleted data from evidence by removing flash memory chips. A macro methodology for removing chips and harvesting deleted data would not appear to be sustainable, because only a small amount of work relates to deleted data evidence, apart from the issue that a safe forensic method for deleted data recovery on a production-line basis might be hard to achieve. From a UK perspective there should really be no need for every case to have every handset's flash chip removed to recover deleted data, nor for outsourcing overseas or deleted-data recovery production lines.
.
Observations
Quite often when examination and methodology are discussed, the above issues are rarely included. That may be because some do not see them as important, a work-around has already been achieved, the issues are not known, or some do not see them as relevant at all. I do see the above issues as relevant and needing to be aired and discussed, as they highlight the numerous pitfalls that can occur when extracting and harvesting deleted data, and that proportionality in using this recovery method, and in the use of deleted data at all, has not been fully justified.
.
On another occasion it would be useful also to discuss the value of deleted data and its accuracy and relevance.