Tuesday, March 23, 2010

Linux - out-of-memory (L-OOM)



Whilst researching mobile phones using Linux OS I came across a report on guidelines for creating robust embedded systems (published in 2009). The report's discussion arrived at the topic of out-of-memory (OOM) and perceived flaws with Linux overbooking the kernel. The report calls this 'OOM Killer'.


The report noted:

"One Linux detractor says this about the feature:

"Linux on the other hand is seriously broken. It will by default answer "yes" to most requests for memory, in the hope that programs ask for more than they actually need. If the hope is fulfilled Linux can run more programs in the same memory, or can run a program that requires more virtual memory than is available. And if not then very bad things happen."



The report then goes on to record this gem of an analogy as to what might happen when Linux overcommits.


"One comedian has described this feature of Linux as follows:

"An aircraft company discovered that it was cheaper to fly its planes with less fuel on board. The planes would be lighter and use less fuel and money was saved. On rare occasions however the amount of fuel was insufficient, and the plane would crash. This problem was solved by the engineers of the company by the development of a special OOF (out-of-fuel) mechanism. In emergency cases a passenger was selected and thrown out of the plane. (When necessary, the procedure was repeated.) A large body of theory was developed and many publications were devoted to the problem of properly selecting the victim to be ejected. Should the victim be chosen at random? Or should one choose the heaviest person? Or the oldest? Should passengers pay in order not to be ejected, so that the victim would be the poorest on board? And if for example the heaviest person was chosen, should there be a special exception in case that was the pilot? Should first class passengers be exempted? Now that the OOF mechanism existed, it would be activated every now and then, and eject passengers even when there was no fuel shortage. The engineers are still studying precisely how this malfunction is caused."

Friday, March 19, 2010

Seminar on GSM Standards

It is clear that, in mobile phone examination to obtain evidence, examiners must read the GSM Standards to understand the data evidence and whether the devices used acquire the data. The concern amongst examiners still exists because there are so many Standards, current and historical, each providing variations on obtaining evidence and interpretation, that it is a daunting task to know where to start. Would it be worth having a one-day seminar in the UK to go through the GSM Standards? Standards can change 2-3 times a year, and presenting the information at a seminar would assist in getting across important facts and guide delegates through how to get to the appropriate information in them. I won't be charging for my time to prepare the presentation and present the findings.

So that delegates can attend free of charge I am also looking for:
1) Sponsor (to pay) for the Seminar room/hall
2) A location must be near to a central train station (not requiring loads of train changes)
3) Sponsor (to pay) for the teas/coffee and sandwiches etc
4) Exhibitors at the Seminar

Can you send some feedback on whether you are interested in attending or sponsoring?

UPDATE: Seminar on GSM Standards

Objectives


Upon completion of the seminar, the participant should:


• Understand the GSM Standards development and legal references

• Be aware of GSM system standards relevant to the examination or investigation

• Have an awareness of GSM interfaces to comprehend symbiotic relationships for call/data tracing

• Know where to look to attribute identity conventions

• Know availability of standards

There are five presentation modules:

1) Introduction

2) GSM System Standards

3) GSM Specified Interfaces (10 + 1)

4) Identifier Conventions

5) Access to Standards

Monday, March 15, 2010

Mobile Phone outsourcing goes insourcing


KENT NEWS: Sim card specialists will aid the technological tussle with crime following the formation of a new mobile phone unit at Kent Police.

Officers throughout the county can now access deleted text messages, photographs and more in-house, saving the force an estimated £1.5 million that would have been spent on payments to private companies over the next two years.

The unit was launched late last year and forms part of the existing digital forensics division, which is responsible for the examination of all computers, hard disk drives and digital storage devices.

[Text from article snipped]

Last month Kent Police Authority – which oversees the running of Kent Police – revealed it will lose £20m in Government funding over the next few years and will be looking to make savings wherever possible.

However, it also awarded the force a budget for 2010-11 of £285m – an increase of £8m from the previous financial year.

http://www.yourthanet.co.uk/kent-news/Police-launch-new-high__tech-mobile-phone-unit-newsinkent33762.aspx?news=local&goback=.myg

Saturday, March 06, 2010

Google says PC will be irrelevant in 3 years


Interesting article in The Register:



http://www.theregister.co.uk/2010/03/05/google_says_pc_will_be_irrelevant_in_three_years/



I can see where Google is coming from because I have similar thoughts about how mobile phones and SIM/USIM cards, as devices, are making significant inroads to provide functions and features traditionally provided by computers. This is another area that is forcing change on the work we do, and it is why I believe we cannot afford to rest on any laurels we think we may have in our field of distinction and must move as quickly as is reasonably practicable to generate Certified/Validated tools.


Monday, March 01, 2010

Mobile Phone is not a 'Closed Container' Part 2


I mentioned in the thread "Mobile Phone is not a 'Closed Container'" that there was more to this discussion:

http://trewmte.blogspot.com/2010/02/mobile-phone-is-not-closed-container.html

When any digital exhibit produces evidence it is normally presented in a computer document format. The Courts look at the defendant's behaviour in relation to the data shown in the record.

The categories said to underpin S129 Criminal Justice Act 2003 are set out in Archbold 2010:

Computers

i) The first is where the computer has been used simply as a calculator to process information.

ii) The second category is information which the computer has been programmed to record.

iii) The third category is information recorded and processed by the computer which has been entered by a person, whether directly or indirectly. It is only information from a computer in this third category which is hearsay.


It is under Category II (Cat 2) that a mobile phone is being said to be a dumb terminal which, when plugged in, is instructed simply to print out, yet examination of the case law used to reference Cat 2 does not support what happens when examinations are conducted on mobile phones.


Category III (Cat 3) is relevant as it covers the multitude of actions that occur from the time the mobile phone is first seized to the time, in the chain of custody, the mobile phone examiner completes his/her examination. Funnily enough it is the mobile phone examiner who is unfairly prejudiced here, because in most cases any actions conducted on the mobile phone prior to reaching the mobile phone examiner set him/her up for a dished-up fait accompli. That is because phones do not have a specific application that creates an audit trail to record all activity, for instance when deletion takes place or the person causing that to happen.


Other instances:


- At the point of seizure: entering *#06# (technically that is asterisk* octothorp# 0 6 octothorp#), then mistakenly pressing the go key, with entries added to or deleted from the phone memory call history.

- Using Faraday bags for phones switched on at seizure, where the world and his wife can punch away on the keypad of the handset with no traceability and auditability of what has gone on. The examiner simply cannot be sure where the data comes from.

- The pressing of speed dial keys that place entries in call history.

- Opening unread text messages.


With the above examples in mind, what does the Statute set out:


129. Representations other than by a person

(1) Where a representation of any fact -

(a) is made otherwise than by a person, but

(b) depends for its accuracy on information supplied (directly or indirectly) by a person,

the representation is not admissible in criminal proceedings as evidence of the fact unless it is proved that the information was accurate.

(2) Subsection (1) does not affect the operation of the presumption that a mechanical device has been properly set or calibrated.


Mobile telephones are not simple mechanical devices and are not calibrated after leaving the factory originating their manufacture, and are not calibrated prior to securing data from them for evidence. When so much goes unchecked with the evidence and the chain of custody can prove quite difficult to establish, how can behaviour in relation to the data be established with proper and appropriate procedural paths in place? The current system is unnecessarily and unwarrantedly crude in its operation and demonstrates the lack of necessary skillsets.

I should imagine those in quality assurance (QA) promoting the merits of ISO9000, ISO17020 and ISO17020 are hampered to a greater degree (and most likely apoplectic at this stage) finding out where the difficulties exist. Whilst these standards are excellent (and I do have respect for them) for identifying each stage-point that needs to be reached so that assessment can be conducted to confirm conformity, they have no application to generating the criteria to build each stage-point given the issues associated with Cat 3 S129 CJA2003, above.

There is a way forward though.