Monday, June 27, 2011

iCloud MobileMe Quota Storage

As with most things in the digital world and examining evidence, it is essential for an examiner to understand the way in which a product or service works and the options that brings, as opposed to only considering the stored data that is discovered upon initial examination.

There has been a lot of discussion in the forensic community about iCloud and its impact on off-device storage access and examination. Interesting to note then that MobileMe storage quotas are in place, as recently observed:

If the user only wants to keep to the 5GB limit and doesn't delete data and the device storage is equally full, is newer data automatically deleted or stored elsewhere? I only raise the point because with increased data flowing in and out of mobile phones, this could result in data connected to one issue being spread across several storage locations.

Monday, June 06, 2011

D-Day 6th June

I mentioned today's important date to a number of people. Quite a few had forgotten the date and mainly the younger generation didn't know about events that took place on this date back in 1944.

For anyone who may have missed it or might want to know more, here are some links providing the historical background.

British Legion Remembrance d-day-65
Wikipedia Normandy Landings
Britannica DDay
Remembrance D-Day.html
Lifeformation D-Day


Friday, June 03, 2011

Update on Forensic Weblog Posts

Cell Site Analysis
Radio Survey Field Notes
CSA Training Explanatory Diagram
iOS 4.3.3 deletion of Location Cache
Requesting Cell Site Data

Forensic Mobile Examination
Handset Examination in 1995
sn0wbreeze untethering Windows iPhones
Symbian OS v9.4, Series 60 rel. 5

Examination and Evidence from SIM and USIM Cards
Answer To Reset (ATR)
Blackberry Forensic Analysis

Billing & Call Detail Record Analysis
Vodafone CDR data
Mobile Evidence CDR/Billing Course
Call Detail Record (CDR) GSM Mobile Telephone Call


Mobile Telephone Blogs Approved Access Only

I have endeavoured to be free with sharing knowledge and information over many years through my blogs, but given the changing economy, UK and global events and advancements in forensics, the nature of the technical content, new developments and examination techniques and legal information will only be accessible to approved law enforcement personnel, security specialists and authorised individuals. The following blogs are now approved access only:

Cell Site Analysis

Forensic examination and evidence from SIM and USIM

Forensic examination and evidence from Mobile and Smart Phones

Forensic analysis of Billing and CDR Records

Mobile Telephone Evidence will of course remain open.

The criteria for authorised access to blogs:

a) Law Enforcement
b) Security Services (MI5, MI6, CID, SB, FBI....)
b1) Security Specialists - a provable record in security for networks, digital forensics, handsets, SIM, CDR etc
c) Authorised individuals

Thursday, June 02, 2011

Radio Survey Field Notes

The CSA Training Explanatory Diagram illustrated (previous thread) some of the codes identified in the broadcast radio identities. At this stage the examiner/expert might want to get an early indicator of what this information could mean when attributed to other knowledge, previously acquired, about the target location of interest where radio test measurements are scheduled to be conducted.   

Of course, if you have a keen eye you will note the document does not include complete pre-profiled cell site details. These details are excluded for a reason, which I shall come onto later. For now it is useful to analyse the Explanatory Diagram content and cross-reference it with the Radio Survey Field Notes.

Some questions:

- What sort of information in the Explanatory Notes do you think can be taken for granted and need not be included in the Field Notes?
- What identities in the Explanatory Diagram are absent from the Field Notes?
- Do you think those identities should be in the field notes?

The purpose of pushing these points is that often evidence is omitted and examiners/experts will certainly need that information to hand when preparing for their opinion, writing a report and giving evidence.  

Wednesday, June 01, 2011

CSA Training Explanatory Diagram

Given the huge range of knowledge and information needed for Cell Site Analysis (CSA) I have spent a considerable amount of time creating many training sheets for the courses. The explanatory diagram below represents just some basic information acquired from radio tests and the meaning of the codes shown in the test screens.
This training document forms part of a step-by-step guide, one in a long, long line of steps a trainee examiner will undertake, and helps the trainee grasp the basics. Later the trainee will be shown additional information that isn't shown in the above diagram to extend knowledge and understanding.

Soon the examiner will come to realise that when I started out in an early thread in this blog identifying the elements in the GSM Radio DNA Bracelet I had a reason for doing that.  The data displayed in the screens (like the ones above) occur as a consequence of being assigned to one or more of the logical channels identified in the GSM Radio DNA Bracelet delivered by the physical channels of the radio system.