Tuesday, November 24, 2009

TimeTable - UK MTEB Mobile Forensics Conference 2009

Conference Timetable

25/11/09

REGISTRATION: 8.45am

Conference Opens: 9.15am

Speaker 1: 9.30am - 10.00am
Greg Smith TrewMTE
Looking at the way forward

Speaker 2: 10.00am - 10.50am
Peter Jones Zentek Forensics
Issues and Difficulties of a Mobile Phone Practitioner

Tea/Coffee 10.50am - 11.00am

Speaker 3: 11.00am - 11.50am
Adam Gersch Barrister 23 Essex Street
s129 CJA2003 and Obtaining Evidence

Speaker 4: 12.00 - 12.50pm
Barrister

Lunch 1.00pm - 2.00pm

Speaker 5: 2.00pm - 2.50pm
Mike Dickinson XRY MicroSystemation
(ex-Detective Inspector Hampshire)
Issues when dealing with Seizure Procedure

Speaker 6: 3.00pm - 3.50pm
Greg Smith TrewMTE
Mobiles as Dangerous Weapons

Tea/Coffee 4.00pm - 4.50am

Speaker 7: 5.00pm - 5.30pm
Peter Jones Zentek Forensics
Summary points for the first day's events

26/11/09

Conference Opens: 8.45am

Speaker 8: 9.00am - 9.50am
Vinny Parmar Digital Evidence Examiner
Mobile Telephone Examination Best Practice Model

Speaker 9: 10.00am - 10.50am
Jan Collie DigitalDetective
How to Investigate Evidence

Tea/Coffee 10.50am - 11.00am

Speaker 11: 11.00am - 11.50am
Samantha Raincock SRC
Call Records and Mobile Data Correlations

Speaker 12: 12.00 - 12.50pm
Roger Wilkins FMS
Cell Site Analysis Methodology

Lunch 1.00pm - 2.00pm

Speaker 13: 2.00pm - 2.50pm
Terry Wise Independent Expert
RIPA, CPIA, DPA etc

Speaker 14: 3.00pm - 3.50pm
David Sullivan Specialist Recruitment
Mobile Forensics Recruitment

Tea/Coffee 4.00pm - 4.50am

Speaker 15: 5.00pm - 5.30pm
Greg Smith TrewMTE/ Peter Jones Zentek Forensics
Summary points for the second day's events

26/11/09

Break Out Training Sessions (BOTS)

Morning Sessions

BOTS1 - 11.00am to 12.50pm
Mike Dickinson
Mobile Handset Device Examination and Hex Dumping

BOTS2 - 11.00am to 12.50pm
Amir Bashir Digital Evidence Examiner
Mobile Telephone Examination Techniques

Afternoon Sessions

BOTS3 - 2.00pm to 3.50pm
Sean Desmond Anite Nemo Handy
Radio Testing and Cell Site Analysis

BOTS4 - 2.00pm to 3.50pm
Samantha Raincock SRC
Call Records and Mobile Data Correlations

Friday, November 20, 2009

Chipping, flashing, jailbreaking

Past discussions here and at Forensic Focus have highlighted two matters: that examiners should avoid causing damage to mobile phones when examining them, and the ownership of seized mobile phones.

A seized mobile phone remains the property of the owner until the owner is found guilty (then particular legal mechanisms come into play), or the owner has conducted certain activity, or until an Order has been made to permanently confiscate and dispose of the item.

I note the point of those who might say that when we are IMEI checking on the street, confiscating and disposing of mobile phones is not a problem; that is not a blanket legal approach to be applied to everything but one to deal with specific matters.

A further example of the police confirming they do not own seized goods, and that they may have to be returned to their rightful owner, can be seen below.

http://www.policeprofessional.com/news.aspx?id=9537
"In an interview with The Register, Deputy Assistant Commissioner Janet Williams said work was being done to try to resolve the problem............problematic to people waiting for property to be returned."

The same applies to returning mobile phones. If you damage or break the mobile phone, alter it irreparably, or lose/delete important data (say an email that constitutes a contract and may lead to economic loss), these matters can be proceeded against in tort and/or contract law, apart from other matters.

Thursday, November 19, 2009

Unlawful - iPhone Jailbreaking

The information below was reproduced from Sean Morrissey's website. It clearly has a significant impact on how mobile telephone and computer examiners conduct examinations and the methods they adopt to extract and harvest data.

iPhone Forensic Issues & Ethics
2. Jailbreaking the iPhone OS X. However, this method is not forensic and hasn’t been accepted in a court of law in the United States. In fact, this method violates US Copyright Laws:

§ 506 · Criminal Offenses
Criminal Infringement.— (1) In general.—Any person who willfully infringes a copyright shall be punished as provided under section 2319 of title 18

§ 2319. Criminal infringement of a copyright
Any person who violates section 506 (a) (relating to criminal offenses) of title 17 shall be punished as provided in subsections (b), (c), and (d) and such penalties shall be in addition to any other provisions of title 17 or any other law.

First offense 5 years, and every subsequent offense 10 years.

Scroll down to bottom of page:
From my own research, the UK has its own approach and legal remedies to deal with these matters. Some years back Nokia made a presentation to APIGS about IP and DRM over issues on infringement.

Tuesday, November 17, 2009

Eavesdropping on Bluetooth Headsets

Make sure to change the Bluetooth PIN from its default setting of 0000 to one you choose.

Monday, November 16, 2009

Googling Jurors

There is an interesting article by Ralph Losey online which is worth reading:

Jurors Rebel, Defy Judges, and Google Their Own Truth
http://ralphlosey.wordpress.com/2009/11/15/jurors-rebel-defy-judges-and-google-their-own-truth/

Solid State Drives will Ruin Forensics

Part 5/5 of the presentation series on YouTube about Solid State Drives (SSD) -v- Hard Disc Drives (HDD) is worth viewing if you haven't seen it yet. At the same time you can catch up with the other parts if you have missed those too!

http://www.youtube.com/watch?v=2Xn-f7tmsOU&feature=youtube_gdata

Sunday, November 15, 2009

iPhone jailbreak hack

Just in case some are unaware.

http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/

and also at

http://www.theregister.co.uk/2009/11/11/iphone_hacking_tool/

Perhaps a point examiners may find useful to consider: what policies, practices and procedures do you have in place where:

a) you jailbreak and breach the digital signature of the handset to get inside?
b) the handset is already jailbroken (so to speak)?
c) the handset is already jailbroken and carries the hack code?

Friday, November 13, 2009

Mobile Phones, Security, Economy and Employment

An article in the Telegraph on the 6th November 2009 caught my eye. Titled "Inventor of mobile phones says they have become 'too complicated'", it gives the thoughts of Martin Cooper, who was the lead engineer at Motorola and made the first mobile phone call in 1973.

Echoes of how complicated mobile phones can be are common views heard from many users. However, we need to make the distinction that complicated doesn't mean they are "functionally unused". Usage and personal data populate many memory areas in mobiles, and it is that "functional use" that is so important to mobile telephone examination.

The places where user information proliferates are places in smartphone memory that are simply not being examined by practitioners, as they are being led to place too much reliance upon the machinery (reading devices), where the output is being presented parrot fashion. The machinery does not contain the high level of competence necessary to cope with all the aspects associated with mobile telephone evidence. Neither, for that matter, does the machinery examine all areas of memory. The current round-up of forensic readers on the market simply surf certain quarters where certain information resides in memory. Data recovered can also vary depending upon the machinery and upon the makes, models and firmware versions from which it is recovering data. It is great having tools, but they really do not supersede, in any shape, manner or form, the knowledge and skills needed by the practitioner.

The above are some issues that are influencing the need for a common mobile telephone forensics standard in the UK. Other factors that require change:

- No longer have unnecessarily separated areas between law enforcement and the independent sector.
- No longer have poorly considered policies, practices and procedures regarding mobile telephone examination and evidence because they are not fully considered by all.
- No longer have various public agencies promulgating confused and diametrically opposed procedures.

Another reason why it is important to have a single common standard approach (and a second reason why I started the mobile forensics and evidence Pathfinder Approach) is the misrepresentation regarding the status of the 'mobile phone'. In spite of a huge array of information about wireless, radio, radio signals and their role in the creation of a mobile phone, there still remains a persistence in the forensic and evidential system in indulging the notion that mobile phones are computers. That is rather a shame because, whether it is done for cheap labelling or for getting bigger budgets (more than likely), it is largely unnecessary and wilful. Computer forensics in the area of data recovery from mobile phones has made an enormous contribution to our field. But after data recovery has been performed, what else does computer forensics do for mobile phone wireless, radio, radio signals etc? Nothing. That is because computer forensics is not a discipline needed to embrace wireless; computing is rather a subset of wireless communications.

A mobile phone is a wireless device at first instance and designed for that purpose. It has a history decades before the hybrid (computer) was created. Mobile phones allow for instantaneous radio telecommunications to take place and enable voice and data to be communicated. The device also allows for a memory area to record the exchange of information. Overall this makes wireless devices useful to the user and gives them an appeal of user-friendliness.

Memory, code and data can be found in many systems and devices, and code and data may be subjected to computation, but in their finite existence they are not a computer. These elements are storage, protocol and information. The only area where mobile telephones are connected with computers, per se, is that they have a CPU to enable computation. But mobile phones could operate without a CPU, albeit currently the experience would no doubt not be too pleasurable, and in the future where the commonly understood CPU is dispensed with.

Yet a further reason why practitioners tacitly admit, through their conduct, that a mobile phone is a wireless device and not a computer is the use of radio isolation (Faraday rooms, tents or bags). Faraday rooms can cost £70K of taxpayers' money. So why would practitioners use radio isolation if the device under test was simply a computer? Moreover, how could cell site analysis be conducted if mobile telephones were simply computers?

Moreover, wireless and mobile telephones have their own legislation, directives, standards and guidelines - none of these designate them, technically or otherwise, as computers. Indeed there is a huge number of mobile telephone departments and labs in the public sector - none of them are labelled computer.

Two further reasons for a common standard created by all practitioners to underpin integrity:

- to give courts of law a guarantee about the reliability of mobile telephone evidence and opinion and to allow the legal system to do its job, as opposed to trying to hoodwink the legal system or dictate to it; the current position is that a high % of evidence is being pushed through on the nod without any appropriate or independent assessment or scrutiny. This is occurring because many claim themselves to be experts, the basis for which is that they have had several mobile phones or owned mobile phones or visited forums or bought a piece of equipment that reads mobile phones. This area potentially opens the door to a huge range of appeal cases costing taxpayers many millions of pounds, which society can ill afford given the economic pressures on the UK for the next 6 years.

- there is no single coherent standard for mobile telephone examination in the UK, despite the fact that up until 2003/4 Britain led the world in mobile telephone examination and evidence, which was underpinned with a lot of my work that began the programme to help law enforcement understand the technological evidence with which they were dealing. When the public sector changes took place, experience was thrown out of the window in favour of opening Pandora's box; anyone with relatively limited experience who wanted to give mobile evidence, or had a desire to train others in mobile phone evidence, could do so; Britain's international standing has been allowed to plummet and has been dropping further ever since. This is what awaits the Olympic Games in 2012 in this country and it is important to rectify this.

Lastly, I point out to Government Ministers looking at this matter, you will have seen the UK MTEB Mobile Forensics Conference 25th and 26th November 2009. The point of the Pathfinder Approach is to ensure Government has the experience available to it, not simply from Law Enforcement, but from the independent sector where 90% of knowledge and skills are developed for mobile phone examination and evidence.

However, there is some disappointing news that many of the Constabularies are not even sending one representative to the Conference because we are told they have no money (even where everyone knows the Conference charge is extremely low and it is a not-for-profit Conference). Also, apparently it would have an impact, in that the attending person would have to justify how s/he will do their work to catch up after 2 days away from the office; this is on the basis that delegation of work doesn't exist. On the back of that, numerous outsources to those Constabularies not attending have not signed up either. This is not a case of forcing them to attend, but it highlights the glaringly obvious gaps across the UK and the regional educated pot-holed thinking in the country.

A list of delegates attending the Conference and speakers supporting the Pathfinder Approach can be provided to Ministers. I can confirm there are some law enforcement and public agencies attending.

The Economy and Employment
Maybe the NAO and/or the Competition Commissioner might start to look and to see whether the way the forensic system is divvied up stifles proper competition in the UK and impacts on town and urban regeneration to help develop small businesses, leading to employment. For instance, what is the point of a Constabulary throwing £1-million or more at one firm when a contract for 3 years @ £100,000.00 p.a. to one small firm could enable e.g. a one-person business to take on, say, one secretary and one assistant for 3 years:

- £50,000.00 Principal
- £27,000 Secretary/Assistant
- £5,000.00 for equipment
- £1800.00 for compliance training and checking
- £16,200 for office rent/business rates/phone etc etc

Using the £1-million as the financial basis, multiply the above idea by 10 new small businesses, 20 people newly employed, rejuvenation of local funding to local councils, and suddenly, spread across the country, the grass roots of growth can start without the Government having to increase current funding levels. Certainly, if I were offered a deal like this, and with my understanding of the forensics arena, I could have turned one of these businesses in two years into one providing employment for 10 people and in 3 years employing 25 people, and taught other businesses how to do it as well. I have been in this business for over 20 years. The Police have never offered me a £1 million or £500K pa contract for that matter but still seek out my advice. So why can we not put my skills to help others?

To assist, I have a plan that can keep those new businesses up to a common standard for 3 years under their contracts. Also, I have identified a team that, along with myself, could spearhead this project to lift it off the ground.

How will this help Parliament? MPs from all parties can now go back to their constituencies and offer some hope of rejuvenation and employment.

Hmmm....I wonder if "Dragons' Den" might be interested in this.

Wednesday, November 04, 2009

3G Dongle CSA sample measurements

Since the UK MTEB Mobile Forensics Conference 2009 is being held in Dorking, a short drive from Box Hill Point (an area of outstanding natural beauty that is situated in the National Trust Park), I thought I would go out and conduct some 3G radio test measurements. I was interested to comprehend, given the terrain and forest area, what the quality and type of coverage was like along the road from Box Hill Point. I viewed the operator coverage maps for this area and found that the operators offered fringe coverage in the area.

I recorded sample measurements for the Orange mobile network, as their mast in Dorking is approximately 3.5 km from Box Hill. The screen prints of the measurements are set out below. The sample measurements were taken over a 45-minute period.

Image 1: illustrates the route driven from Dorking to Box Hill, (a) to (b); (b) was the approximate location point for tests.

Image 2: illustrates the OFCOM base station database details for the Orange mast (3G) at Dorking High Street detected at Box Hill location (b).

Image 3: illustrates the terrain path from Dorking to Box Hill, (a) to (b); (b) was the approximate location point for tests. Box Hill is 687 metres above sea level.

Image 4: illustrates the mobile network operator, signal strength (RSSI), registration to Circuit Switched (CS) and/or Packet Switched (PS) and which registration is attached. Note from all the images below the variations in RSSI, the registrations and the network attachments.

Images 5 to 16: [further screen prints of the sample measurements]

More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com

Sunday, November 01, 2009

Obama mobile phone aid programme

Nicknamed "Obama phones" (after the President of the United States), this would appear to be a US initiative to provide free mobile phones in an aid programme to benefit those who are determined to have income-eligibility status. Some critics have suggested that it means providing "welfare drug dealers cell phones". That being the case, it would hardly look credible in a criminal court of law to find the Welfare State enabled a defendant to go "tooled up", so to speak.

However, there could be elements of Mr Obama's programme that could usefully be used in Britain, perhaps to generate, for instance, a programme to help vulnerable people.

To see more about the US programme look here:

How to Qualify

The process to qualify for Lifeline Service depends on the State you live in. In general, you may qualify if...

1. You already participate in other State or Federal assistance program such as Federal Public Housing Assistance, Food Stamps and Medicaid.

OR

2. Your total household income is at or below 135% of the poverty guidelines set by your State and/or the Federal Government.

AND

3. No one in your household currently receives Lifeline Service through another phone carrier.

4. You have a valid United States Postal Address. In order for us to ship you your free phone you must live at a residence that can receive mail from the US Post Office. Sorry, but P.O. Boxes cannot be accepted.

In addition to meeting the guidelines above you will also be required to provide proof of your participation in an assistance program, or proof of your income level.

Lifeline Benefits

Lifeline Assistance is part of a program that was created by the government to provide discounted or free telephone service to income-eligible consumers. To help bring you this important benefit, SafeLink Wireless is proud to offer Lifeline Service. Through our Lifeline Service you will receive FREE cellular service, a FREE cell phone, and FREE Minutes every month! SafeLink Wireless Service does not cost anything – there are no contracts, no recurring fees and no monthly charges.

Any Minutes you do not use will roll-over. Features such as caller ID, call waiting and voicemail are all also included with your service. If you need additional Minutes, you can buy TracFone Airtime Cards at any TracFone retailer (Walmart, Walgreens, Family Dollar, etc). SafeLink Airtime Cards will be available soon.

Your exact benefits, including the number of free Minutes you will receive, depend on the state you live in. Please enter your ZIP code to get the details for your state.