Monday, October 31, 2011

Cybercrime, really it's ICT Crime by any other name

Cybercrime, really it's ICT Crime by any other name

Information Commununication Technology (ICT) Crime carried out using a combination of analogue and/or digital technologies is a term used post substantive or inchoate offence. The combination of ICT technologies are in the range of wireless, telecommunications, computing, electronics, and extending to electricty.  Forensically and evidentially speaking it makes sense to use ICT Crime as an identifier, primarily as a fundamental element in forensic examination is the requirement to precisely identify the "thing" used and evidentially one can hardly define to a Court of Law eg a mobile phone merely as an ICT or cyber object.

Cybercrime advocates believe cybercrime is the correct term and in use swallows up every other technology identifier ( Crime_in_which_ICT_plays_a_role_is_known_as_cybercrime ).  Of course, defining technologies because of identical crimes committed on different continents is more of a management event-level labelling terminology to simplify the position but technically speaking it dumbs-down the identity of the technology and/or the complexity of the technologies involved in a crime where cybercrime replaces the name of the technology itself.
Insofar as the title cybercrime conjures up psychological undertones of an undefined contagion threat, as an identifier it falls short of the requirement to 'precisely identify' too; thus there is still more to come in the renewed enthusiasm to use cybercrime as an overarching title for any type of technology crime. I say renewed because in late 1990s and early 2000 cybercrime did the rounds back then and as most of you know it has only been in recent years that cybercrime is being put to widespread reuse.

Using cyber in a title is not new, either. In 1973, 'Cyberstride' was developed by Chile. The author Kevin Cahill in his book "Trade Wars The High-Technology Scandal of the 1980s" made reference to it [page 132]:

"[Salvador] Allende had commissioned a very bright UK computer scientist called Stafford Beer to build him a computer system which would display, in a systematic way, all the major high aggregate flows in the Chilean economy.  The object of Allende's experiment, which resulted in an economic control room in which all the raw facts could be displayed on a huge screen and made subject to 'what if?' and other analysis, was to identify bottlenecks in the existing structures and policy options for the future."   

The relevance of referring to Cyberstride is the first obvious point that 'cyber' as an identifier is in use with computing in 1970s, but as a term it remained a subset identifier under the main title "High Technology". Furthermore, cyberspace in technology terms was, and still is, a subset identifier used under the main titles computing and the Internet. The types of mobile/smart telephones and other technologies used today weren't around then (1973), but in fairness to cybercrime smart phones can today connect to the internet and thus are capable of DDoS, spreading virus and capturing identity etc.

Significantly, the discussion here and the vast discussions in material available by way of the Internet, the term 'cybercrime' has been impossible to use without the absolute necessity to reference the underlying technologies behind a particular technological attack or crime. A current example of technology identity used for cybercrime is reported on the BBC news today and on the BBC online news service: GCHQ chief reports 'disturbing' cyber attacks on UK  .

Cybercrime as a label for management and surveillance clearly has an economic element behind it and may well provide useful intelligence in some technological quarters. Additionally, it may provide an aftermath response to crime uses or attempts by the studying of 'events' on control and communications in complex electronic systems (cybernetics). What is inescapable in using cybercrime as an identity, for it to succeed it is unavoidable that it can do no more in the absence of specifying a particular technology used to conduct an event. To this extent, at least, we should not give up on our day jobs (just yet) and  only refer to cybercrime as the only identifier to be used; continuing to identify a particular technology is paramount and the science behind it.     

More background discussion:

Monday, October 24, 2011

Shake your profile

Shake your profile

Some may have seen the adverts on television where the film director on set shouts "action" and then, suddenly his phone starts to ring. He flips the phone onto its screen-face and the phone stops ringing. Motion sensors since 2009 have becoming one of the features on smart phones and devices, and a new release from Micromax Mobile X395 is another example where motion sensors (once switched ON) are included as a feature of this dual-SIM phone, but in this case allows the user to switch between one of the SIMs installed in this dual-SIM handset.


Media GIF Photo Courtesy of Micromax Mobile X395 (c)

Examiners should be aware that this java (according to its spec) smart phone requires manual examination to determine other user-defined SIM settings and Motion Sensor settings, apart from SIM1/SIM2 profiles -

Menu>SIM Manager:
- Dual SIM Settings- Set the dual settings as per your requirement
- Default SIM Selection- Choose the default SIM slot to be used

Menu > Settings > Motion Sensor Settings:
- An incoming call can be put on silent mode by simply turning it upside down

Some previous discussions at my blog about dual-SIMs or devices that may provide some useful observations about examining dual-SIM devices:


Research on 'tilt' and 'three axis way' motion sensors:


Sunday, October 02, 2011



There are many ways you may wish to approach examining a SIM Card elementary file (EF) and to the university students that wrote and asked for some ideas here are some observations. I would recommend, assuming you have access to SIM reading tools, that it is useful to target a particular EF in the GSM standard GSM11.11. Importantly, as there have been numerous versions and revisions of GSM11.11 it is an essential task to check the various versions and revisions taking account of any changes to the technical requirements for the EF: for instance

a) access conditions
b) content
c) coding
d) etc

To illustrate some of the points raised by this blog discussion I have selected the SIM forbidden list found in elementary file (EF) FPLMN (Forbidden PLMNs) 7F20:6F7B (7F21:6F7B). PLMNs MCC/MNC populated in this EF are those that the MS shall not camp on and provide a location update. 

ETS GSM11.11 v4.21.1 December 1999
GSM 11.11 v8.14.0 June 2007

Of course, when reading the conditions laid out in the standards it is also essential to appreciate the conditions under which a PLMN (MCC/MNC) may be updated into this EF. Trial test conditions should relate to 'automatic' update and update caused by 'manual' selection of a Forbidden PLMN. These are not simple tasks as one might imagine. There is the radio environment to consider? Which PLMNs are forbidden? Is roaming required? The coding of the data? ....and so on. So for an elementary file that largely gets overlooked during examination and ignored in evidence, an analysis of exactly the tasks this EF performs in the SIM module is quite surprising when considering its impact on the MS. That is from the perspective that its evidence could be considered when placing an MS within an PLMN's radio coverage and the follow on potential inference of a geographical location. EF-FPLMN adds an intriguing prospects to be considered, beyond handset and SIM analysis, and that is it can be used in cell site analysis and call record analysis, too.

Extracted and Harvested Data
It is inescapable, thus unavoidable, that validating data that has been extracted and harvested cannot be performed based upon using one tool. Moreover, tools vary in the way they present harvested data and will require the examiner to pay particular attention to ensure the output data (although presented in various arrangements) should be identical. If parity isn't possible then analysis of the tools should be undertaken. It is worth mentioning at this juncture, so as to avoid unduly raising concerns, many tools once released into the marketplace do not allow users to update the product. Changes to SIM techncial specifications or new services or new/change to operators may simply not be included in a tool. 

SIMSpy Trace file Output (Text file)

Other tools present data in varying layouts within the program:

SIM Explorer



USIM Detective

In conclusion, students asked for some observations and I hope the above may help. Care should be taken when reading the binary not to corrupt content in the EF; to consider the use of reverse-nibble; writing scripts; APDU/PDU and so on, in addition to the automatic and manual tests to be conducted. Moreover, any discovery could also extend to the use of EF-FPLMN to cell site analysis and call record analysis.

Saturday, October 01, 2011

DoJ CSP Data Retention Periods For LE

DoJ CSP Data Retention Periods For LE

A secret memo dated August 2010 released by the Department of Justice produced to advise law enforcement regarding the communications data retention periods has been reported (full story) by arstechnica: "secret memo reveals which telecoms store your data the longest"

DoJ memo quick download: Retention Periods of Major Cellular Service Providers (PDF)