Saturday, December 29, 2012

Quarter of a Million

Given the vast numbers using the internet, finding trewmte.blogspot must seem like trying to find a grain of sand on a beach or winning the national lottery, yet I am very pleased to see the content at my blog has now been read by over a quarter of a million viewers in just over six years.

It really is gratifying to see, from the early days in the late 1980s when it was possible to count on two hands the number of examiners involved in the profession up to today where there are thousands of people involved in this branch of forensic science and mobile phone examination generally, that the viewers of this blog are a testament to the growth in our profession.

Thanks to everyone who has taken time to drop in and see my observations and reporting on mobile phone forensics, evidence, data discovery and commentary about the technological changes that have and are taking place.

Sunday, December 16, 2012


ForensicMobex has moved to MTEB LinkedIn Group as a subgroup:

Stakeholder Information
Mission Statement: Expert discussion group relating to the examination of and/or evidence from mobile/smart phones, PDAs/IPODs/IPADs/USB, SIM/USIM and other storage devices. The use of logical or physical procedures; the revelation of harvested data; use programs and other tools; interpretation of data.

Mission Aims & Objectives of this group: to improve communications between experts, assist diagnostic approach and build issues of professional interest, as well as improving knowledge skills and awareness.

This group is at all times company, make/model, OS, tool, platform and app neutral. You, the Stakeholder, warrant to MTEB, MTEB ForensicMobex SIG and the owner of the group that you undertake to indemnify MTEB, MTEB ForensicMobex SIG and the owner of the group regarding the distribution and use of material where it holds copyright invested in it.

By joining this group each member becomes a stakeholder in the group and agrees to regular active participation, which is monitored regularly. A stakeholder who fails to contribute meaningful content such as knowledge and/or experiences, identify research papers (with links) and/or materials/tools identification etc then membership will be suspended. This policy has been agreed to ensure fairness to all contributor members.

*We do NOT accept impersonal anonymous IDs, recruiters and HR people
*We do NOT accept students unless they demonstrate prior skills and experience
*We do NOT accept those with less than 5 connections to other LinkedIn members.

If your Profile doesn't immediately convince us that you have the skills and experience outlined we will NOT admit you.

Listing a job title or role, owning or managing a business or one of its departments in your Profile is not enough to join. We want to know that you have the skills and experience to fit in with one of the best expert groups on LinkedIn.

Please make sure your profile is up to date before applying for membership.

Tuesday, December 11, 2012

A European Focused Mobile Consumer Survey

Informa Telecom and Media have published the results of their Smartphone Usage and Behaviour Survey 2012, conducting the survey in four European countries: UK, Spain, Germany and the Netherlands.

The results for the UK identified the brand of mobile phone owned in particular age groups.

The responses to the survey confirm that the smartphone market in the UK is segmented and therefore mobile operators attempting to forecast device usage and data/services activity may need to offer customers the selection and choice of a range of platforms to sink their teeth into, optimising any consumer initiative so that the growth of smartphones continues.

For examiners the survey illustrates that predominantly the smartphones to be examined fall into a fairly small category, which could be quite useful for forecasting future examinations and, in particular, the expenditure on tools etc.

Blackberry Enterprise Solutions

BB Manuals and Guides

For me, at any rate, using this link probably leads to the best way to get instant access (that is at a glance, click the link) to manuals and guides specific to versions of Blackberry Enterprise Solutions -

There are also further BB support links to various manuals and help here: and for the Blackberry knowledge base here:

Monday, November 26, 2012

US Handset Serial Number Databases

US operators maintain their own stolen and blacklisted cellphone databases. As of the 31st October 2012 the GSM operators AT&T and T-Mobile began sharing their databases. CDMA operators Verizon and Sprint have taken the decision to merge their databases but that will not be complete until November 2013, so we are told.

The said objective of these initiatives is to improve track and trace. As an example, GSM uses a 56-bit decimal digit s/n, whereas CDMA uses a 56-bit hexadecimal digit s/n. However, in the US there are variations of s/ns to consider.

The engine for these changes is driven by the FCC initiative -

To accommodate this and other cellphone/cellular changes I have altered my CDMA training material and GSM training material. As a consequence these changes will also have an impact on WCDMA and LTE, either on a national level or international level. These training materials have also changed, too.

Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn

Thursday, November 22, 2012

EU Cybercrime (aka real name ICT ecrime)

Setting up the criminal legal framework:

Judicial cooperation in criminal matters: combating attacks against information systems

3.30.06 Information and communication technologies
3.30.25 International information networks and society, internet
7.40.04 Judicial cooperation in criminal matters

Having a common European ICT eCrime Judicial protocol must equally rely on a common European Prosecution able to deal with ICT eCrime to assets:

The establishment of the European Public Prosecutor's Office (EPPO) is envisaged in Article 86 TFEU. The EPPO would be responsible for investigating, prosecuting and bringing to justice those who damage assets managed by or on behalf of the EU.  The European Council may adopt a decision extending the powers of the EPPO to include serious crime having a cross-border dimension.

Tuesday, November 20, 2012

Mobile Flash Data Erasure

Secure your smartphone and tablet

Photo courtesy of Blancco

The growth in smart phones naturally means consumers will see even more utilities and tools similar to those found on PCs, laptops and notebooks etc. A trend that is growing in relation to cleansing of personal details and company information stored logically and physically is called mobile flash data erasure (MFDE).

Service erasure
A group called promote "Tabernus also provides erasure solutions for Mobile Phones, USB, SSD (solid state devices) & other types of Flash removable memory and many other data holding devices too!"

Software erasure
Of course, there is a comparison for mobile phone flash erasure available from

The above examples are in addition to hardware encryption:

Device specific denied data access
Hardware Encryption: The iPhone 3GS and later, and all iPads, support built-in hardware encryption. All user data can be automatically encrypted in hardware at all times. This is used primarily for wiping the device rather than to stop attacks. Erasing the entire flash storage would be slow, so instead wiping works by destroying the encryption key, which instantly makes all user data inaccessible (Securosis).

And flash memory management:

Flash Memory Management Systems
Wear leveling, as well as routines used in garbage collection solutions, can lead to potential loss due to overwriting existing deleted data.

From an examiner's point of view, MFDE is most likely to have a huge impact on deleted data recovery (DDR) from flash chips. The methodology and science behind Chip Off and JTAG are currently used for recovery of deleted data from a range of mobile devices. Overwriting 0101010101 (zeros and ones) or null values over particular areas or the entire area of the flash memory may make Chip Off and JTAG redundant in certain types of investigations and cases in the future.
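The interplay described above between wear leveling, garbage collection, overwrite erasure and key destruction can be shown with a toy model. This is an added example, not code from the original post or from any vendor; the `ToyFlash` class, the page size, the sample messages and the SHA-256 keystream standing in for hardware encryption are all assumptions made for illustration.

```python
import hashlib
import os

PAGE = 16                    # toy page size in bytes (assumption)
ERASED = b"\xff" * PAGE      # NAND cells read back as 0xFF after an erase


class ToyFlash:
    """Constructed model of a flash chip behind a flash translation layer."""

    def __init__(self, pages=8, key=None):
        self.phys = [ERASED] * pages     # physical pages: what Chip Off / JTAG reads
        self.state = ["free"] * pages    # free | live | stale
        self.erases = [0] * pages        # erase counters used for wear leveling
        self.l2p = {}                    # logical page -> physical page
        self.key = key                   # media key; None = unencrypted device

    def _crypt(self, ppn, data, key):
        # Stand-in for hardware encryption: XOR with a per-page SHA-256 keystream.
        if key is None:
            return data
        stream = hashlib.sha256(key + ppn.to_bytes(4, "big")).digest()[:PAGE]
        return bytes(a ^ b for a, b in zip(data, stream))

    def write(self, lpn, text):
        # Out-of-place write: the previous physical page is kept and marked stale.
        free = [p for p, s in enumerate(self.state) if s == "free"]
        if not free:
            raise RuntimeError("no free page; run garbage_collect() first")
        ppn = min(free, key=lambda p: self.erases[p])    # least-worn page first
        if lpn in self.l2p:
            self.state[self.l2p[lpn]] = "stale"
        padded = text.encode().ljust(PAGE, b"\x00")[:PAGE]
        self.phys[ppn] = self._crypt(ppn, padded, self.key)
        self.state[ppn], self.l2p[lpn] = "live", ppn

    def delete(self, lpn):
        # File-system delete: only the mapping goes; the data stays on the chip.
        self.state[self.l2p.pop(lpn)] = "stale"

    def garbage_collect(self):
        # Controller housekeeping: erase stale pages so they can be reused.
        for p, s in enumerate(self.state):
            if s == "stale":
                self.phys[p], self.state[p] = ERASED, "free"
                self.erases[p] += 1

    def overwrite_erase(self, pattern=b"\x00"):
        # MFDE-style erasure: program every physical page with a fixed byte.
        self.phys = [pattern * PAGE] * len(self.phys)
        self.state = ["free"] * len(self.phys)
        self.l2p.clear()

    def crypto_erase(self):
        # Key-destruction wipe: ciphertext stays on the chip, the key does not.
        self.key = os.urandom(32)        # old key is gone; a fresh one replaces it
        self.state = ["free" if s == "free" else "stale" for s in self.state]
        self.l2p.clear()

    def logical_view(self):
        # What a logical extraction sees: live pages only, via the mapping.
        return {l: self._crypt(p, self.phys[p], self.key).rstrip(b"\x00").decode()
                for l, p in self.l2p.items()}


def chip_off_recover(flash, marker):
    """True if marker is found in a raw physical dump (decrypted if the key survives)."""
    needle = marker.encode()
    return any(needle in raw or needle in flash._crypt(ppn, raw, flash.key)
               for ppn, raw in enumerate(flash.phys))


def run_scenario(key=None):
    """Per stage: is the deleted or superseded record still recoverable?"""
    f = ToyFlash(key=key)
    f.write(0, "MEET AT DOCK 9")         # constructed sample records
    f.write(1, "CALL MUM")
    out = {}
    f.delete(0)
    out["after_delete_logical"] = "MEET AT DOCK 9" in f.logical_view().values()
    out["after_delete"] = chip_off_recover(f, "MEET AT DOCK 9")
    f.write(1, "CALL DAD")               # the rewrite lands on a new physical page
    out["old_version_after_rewrite"] = chip_off_recover(f, "CALL MUM")
    f.garbage_collect()
    out["after_gc"] = chip_off_recover(f, "MEET AT DOCK 9")
    return out


def erase_outcomes():
    """Compare overwrite erasure (plain device) with key destruction (encrypted device)."""
    plain, enc = ToyFlash(), ToyFlash(key=b"k" * 32)
    for f in (plain, enc):
        f.write(0, "MEET AT DOCK 9")
        f.delete(0)
    before = tuple(chip_off_recover(f, "MEET AT DOCK 9") for f in (plain, enc))
    plain.overwrite_erase()
    enc.crypto_erase()
    after = tuple(chip_off_recover(f, "MEET AT DOCK 9") for f in (plain, enc))
    return before, after
```

In the model a deleted record survives in the raw dump until garbage collection reclaims its page, which is why the timing of acquisition matters as much as the erasure tool used.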

Sunday, November 11, 2012

iPhone Secret Folder

Opening the taps on this one could prove useful:

iPhone Screenshot 1

 iPhone Screenshot 2

Thursday, November 08, 2012

Mobile Weapons and Seizure Procedure

The MTEB (Mobile Telephone Examination Board) is preparing the Eighth Edition of Section 4 Mobile Telephone Seizure Procedure (Mobile Weapons) and will update on new items and handling procedures for them.  

There has been a slow but persistent level in mobile/smart phones being adapted for use as some form of weapon.

Back in 2008 trewmte.blogspot reported about the mobile phone that fires bullets. The story of this wasn't new, by any means, but was highlighted to illustrate the variety and exposure of devices that those involved in seizure procedure and mobile phone examiners can come into contact with.


Over time the trewmte.blogspot has highlighted other weapons, such as Stun Guns:

But mobile/smart phones that propel objects or inflict severe shock are not the only adaptations out there. Take for instance the age old weapon of a knife adapted for use with a mobile phone (seized 2005):

And in 2012 we now have another weapon that uses an adapted iPhone case which the manufacturers purport can be used for personal protection to spray pepper in the eyes:

The above are by no means the end of mobile/smart phones adapted for some form of weapons. We only know too well how mobile phones have been rigged to set off incendiary devices etc, which the MTEB labels IMD (improvised mobile devices):  


Yes the photos above all present disturbing images, but not for sensational purposes. Thankfully, it is not common for those involved with seizing items and examiners to come into contact with adapted and improvised devices like these on a regular basis. We still need to be aware and have a proposed handling procedure in place to deal with them though. That is on the basis that mobile/smart phone seizure and examination happens globally. The trewmte.blogspot is not simply local to the UK but deals with international matters and therefore articles like this are not only for UK consumption but for other countries that are involved in and employ seizure and examination procedures.

Lastly, and of specific relevance to seizure and examination procedure, it is a priority to deal with mobile/smart phone weapon/s as opposed to figuring out what a person may have intended to do with it/them; figuring out is a thought process that can come later on. Why? One very good reason, the person who is seizing an adapted device (e.g. iPhone case above) and accidentally sprays pepper into his/her face because s/he had no prior knowledge about the adapted device is clearly a priority. It is immaterial that the owner of such a device may have had genuine reasons (attacker pepper spray) for having such a device. Apart from mal-intention and recklessness of IMDs etc, for the majority of persons seizing or examining the device they wouldn't be the intended target and are nothing more than innocent bystanders.

Tuesday, November 06, 2012

Age UK introduces mobile for elderly

Evidential examiners may not expect to find our elderly senior citizens getting into bother and doing things they really ought not. If one or two do decide to go off the rails and grow old disgracefully they might decide they want to use simplified smartphone technology to contact their posse.  Age UK and CyCell have got together to produce Age UK My Phone. Reviewed by the website says it is "a very easy to use mobile phone that is lightweight and credit-card sized weighing only 40 grams, and sports only 8 buttons that can be customised to contact the users loved ones with one press, whilst answering the handset is as simple as pressing a single answer button."

So if you want to see one of these new mobiles then get along to one of the 200 Age UK shops located throughout England. Apparently, the smartphone cost £55, has a range of flexible 30-day rolling price plans, and comes in eleven colours. No need to hunt for the phonebook as all the contact names can be found on the main screen. I could see other uses for this new smartphone, too. Perhaps parents may get one for their child, giving the child limited mobile access to contact home or friends and raise money for Age UK at the same time. A bonus could also be for the younger generation to be introduced to the excellent work of charities for the elderly, such as Age UK, by visiting their shops.

The Age UK My phone appears to be part of a growing market manufacturing trend internationally creating smartphone user-friendly interfaces for senior citizens, which is highlighted in this later CNET article Design of the times the secret to creating cell phones for seniors

Tuesday, October 30, 2012

A Hacker's Guide: iOS6 Kernel Security

The recent release of iOS6 has introduced improved security by strengthening the Kernel. This presentation demonstrates that, on the face of it, jailbreaking strategies appear to have been one of the prime targets. This could impact severely on data extraction and harvesting techniques and some of the reading devices out there used by examiners to gather and produce evidence.

Download here: A Hacker's Guide: iOS6 Kernel Security 

Updated 31/10/12
Having posted the link to the above Hacker's Guide presentation I thought, perhaps wrongly, but I thought it anyway, that maybe the forensic community might have something to say on the subject. Perhaps to illustrate conflicts or contradictions in the marketplace, such as:

(a) the findings of the authors in that presentation compared with manufacturers out there that confirm their readers do work with iOS6 e.g.

- Oxygen Forensic Software

(b) how many have actually examined an iOS6 device and which reader was most useful?

(c) with an ever growing list of hacker presentations that expose exploits, vulnerabilities etc how many of those are used by the current iOS reading tools to extract and harvest data?

or maybe

(d) whether the published hacker exploits and perceived issues do not impact on the examiner community or the hacker presentations have no value at all?



As Orange/T-Mobile has launched Everything Everywhere (EE) 4G/LTE ahead of the other major UK MNO players I took a web-stroll over to their website to look at their coverage checker.

Improving the coverage checker maps
I made several post code area searches to familiarise myself with how coverage is presented. It isn't up to much at this stage. Too much vague generality, whereas customers, I think, would much prefer to see a single cell coverage map for each BTS/NodeB/eNode (or Mast, so to speak) identifying signal strength (defined by colours) coverage every 100-metres (small cell) or 500-metres (macro-cell) or in the alternative coverage including coloured signal strength up to the equal power boundary.

Skyfall, MI5 and MI6
During my search I looked at various locations and, as I have recently been to see the latest Bond 007 Film, 'Skyfall' ('excellent' is my rating), I wondered what MI5 and MI6 coverage would be like? A quick web search for the addresses and enter post code to EE's website and here is coverage to MI5 HQ:

Naturally, they get excellent coverage.

Monday, October 29, 2012

Mobile Examination HW / SW Considerations Pt3

The links to previous discussions are at the foot of this article. In Part 2 reference was made to six chips plus memory and how small scale integration in mobile phones was evolving, and even more quickly from year 2000 onwards. Today, we rarely see the term small scale integration used as it is all about interconnection (e.g. high density interconnection (HDI) etc) and embedded ICs. Moreover, such advancements have not been limited to working with 'um' sizes but also evolving from 2D packaging to 3D packaging.

Looking at the changes mentioned in Part 2, the presentation by National Semiconductors illustrated six chips as separate entities. An important step forward with Fine Line Interconnection and embedded ICs was shown in year 2000 arising from a GE development called 'Embedded Chip Build-Up' (ECBU). Using materials from 1998 GE demonstrated ECBU's capability could bring scale and reformation to 'packaging' chips and enhance integrated technology for PCB manufacturing. Why is this relevant? GE's development shows how six chips are capable of inclusion in an embedded module:

Peeling back the cover, six chips in an assembly can be revealed:

This type of GE assembly is not the only 'package'. Another notable one, below, is Freescale's Redistribution Chip Package (RCP) radio-in-a-package (2006) using four chips in an assembly with an embedded module.

So from the original six separate chips illustrated in Part 2 we see how manufacturing development, scale, and integration have migrated to chips-in-a-chip packaging. Of course, as examiners, and for the purposes of forensic discovery, how are we to approach examination of PCBs and chips used in the latest smartphones such as iPhone, Samsung, Nokia, Android, SonyEricsson etc?

As a start a useful guide to chip usage can be found at hardware evaluation websites, such as UBM TechInsights. The latter produce a useful overview of component identification following a mobile phone 'teardown'. 

Germane and relevant to this discussion primer is which of the iPhone chips shown in the above images are single chips and which are embedded modules containing more than one chip? If we do not understand what is inside an embedded chip how do we know whether we are missing where memory may reside?

When the term memory is referred to it does not mean memory solely relevant to data that an examiner may extract and harvest, such as 'text messages', 'phonebook' or 'internet links' etc. Mobile forensics requires and in numerous instances demands that the examiner not only know software/data memory locations but equally hardware memory locations, too.

Mobile Examination HW / SW Considerations Pt1 -
Mobile Examination HW / SW Considerations Pt2 -
GE -
Freescale -
UBM TechInsight -

Sunday, October 28, 2012

LTE, Test Trials and Cell Site Analysis

There are some strange views floating around that cell site analysis is highly difficult or impossible now we have moved from GSM and 3G on to LTE, with it being so new that there is uncertainty. I can imagine that LTE may cause speculation because LTE hasn't been sufficiently rolled out in the UK and it may appear there are no mature facts or figures upon which to rely. But, in fact, there are facts and figures that have been generated in refining the LTE system for roll out and, of course, that knowledge benefits cell site analysis.

Back in 2009 mobile operator Telefonica O2 started conducting LTE test trials in Slough Berkshire UK. Throughput data quantification, radio test measurements, surveys, etc created a plethora of statistical information which O2 used in planning its LTE network.  

Those tests included a variety of known components required for analysis, which can be seen in the 'Key' legend.

Consideration of LTE requires tests to be conducted not only with a static analysis and assessment approach but also with a distance and velocity analysis and assessment approach, too. That is apart from the environmental considerations. For CSA that means drive tests alone are not good enough; nor could using passive radio test measurement devices fulfil the requirements of an analysis and assessment approach to comprehend an LTE service at a particular location. TrewMTE blog readers may recall I gave a helpful tip about looking at data and location here: Data Usage in Cell Site Analysis -

Of course, consideration of the participating RF transceiver elements presents the same requirement for cell site analysis to understand the arrangements at the base station for LTE as it did for GSM/3G.

TrewMTE blog readers may also recall that I set out a series of discussions about Cell Site Identification presented as primers:

Mini Course in Cell Site Identification (Pt1)

Mini Course in Cell Site Identification (Pt2)

Mini Course in Cell Site Identification (Pt3.s1)

I have completed the last primers in the series above and was going to publish them, having given readers sufficient time to go away and research/study the earlier parts. However, this matter needed airing first, due to misconceptions that are floating about out there. I shall publish the other primers later on.

Do remember, I have used the term 'cell site' to capture readers' imaginations to immediately link readers' thoughts towards cell site analysis (CSA). However, cell site can be used to mean e.g. a GSM cell site, a 3G NodeB or an LTE eNode.

To leave the user device out of any analysis would be to preside over an incomplete investigation. Readers will note in Cell Site Identification Part 1 an illustration was given linking devices and components that are required for consideration when investigating/researching during CSA. The MS (handset/SIM) forms part of the investigation. O2 LTE test trials equally identified two devices used for their tests.

The experienced investigator will immediately see that the devices in the image above, used during test trials, do not of themselves fit immediately with the common scenarios of mobile phone usage and cell site analysis. However, as is known it is only fairly recently that LTE enabled smartphones have been launched. An LTE investigative approach to considering a particular device used in a particular case requires identification of handsets, dongles and server devices. Moreover, identification of devices that switch between transmission technologies is also a must.

Orange and Vodka - mixing mobile networks (shaken, not stirred) -

Examination Techniques3: Blackberry Bold -

Diplomas: Mobile Telephone Evidence (MTEdipl) -

Sunday, October 21, 2012

Originals and Copies. Britain and Smartphone Manufacturing

A recent post at Global Sources discussed the Chinese smartphone manufacturing competition and the design, technical and feature competitiveness of home-grown brands in comparison to Apple's iPhone and Samsung.

Chart image courtesy of Global Sources

It is possible to read the data in the chart as signalling a dynamic Chinese marketplace presenting its wares to the World that can compete not only locally but at the international level. It is equally possible to read the data that Android has driven that evolution or that Western skillsets brought to China to exploit low costs has actually turned the 'student' into a 'master', such that the original 'master' is being forced to step aside and be replaced. A different analogy, but with similar outcomes, was noted by Dr Carroll Quigley in his book Tragedy and Hope a history of the world in our time (1965). Quigley identifies the Age of Expansion by defining four common expansion factors that re-occur throughout history: (i) of population, (ii) of geographic area, (iii) of production, and (iv) of knowledge.

Furthermore, Quigley equally notes that expansion ebbs and flows by noting that expansion occurs through trade-offs between centres (cores) of expansion and peripheries. The use of circles within circles provides the mental image the author wants the mind to imagine to understand where the core is located and where the periphery can be found. His use of analogy helps the reader to understand that development (production/knowledge) occurring at the core eventually reaches the periphery. At the periphery the incoming development is received and subjected to localised influences.

Fast forwarding from that 1965 commentary to today's manufacturing and placed in context with the above data in the chart, it can be seen that the Chinese have taken western developments and are enjoying expansion from the harvest (production/knowledge) brought to their door whilst the Western core is shrinking. Problematical with expansion ebbs and flows is the change that occurs and the ability to keep up with changes. Those changes have created problems regarding visual identity (mirroring), hardware functionality (imitation) and software (reproduction). Whilst Android OS may not have a problem with reproduction, given the widescale use of it in single country block manufacturing, eventually it would be cheaper for Chinese manufacturers to agree their own smartphone OS and use that to rival Apple, Google, Microsoft, Nokia, etc etc.

Subtle change can be seen by the shift towards differentiation between local manufacturers' products. As Global Sources comments "Most large suppliers combine the Android OS with proprietary UI, widgets and mobile applications for differentiation." Eventually, and it is not far off, that differentiation will impact on Android. As Nokia and other European manufacturing was caught cat-napping when the Americas hit the stage with two big band anthem songs called the 'iPhone' and 'Android', which endeared them to the World, so Chinese manufacturing is heading, at a fast rate, for the pinnacle. Granted we don't know the OS name, but it really isn't about the name but what the OS will do that will create challenges Western manufacturing has not yet fully understood, even less are they ready for it.

However, in a quirk of fate just as China is starting to reach the peak, scientific technological breakthroughs that will impact on hardware means that there is no one dominant force in the World that has yet to or will control solely those breakthroughs. This is where Britain should demonstrate it is leading with a/the British lionheart approach to industrialisation as opposed to 'I have a hug here with your name on it'. Britain must learn the lessons from throwing away (as it did in the 1970s - 2000s) the national treasure of quality manufacturing: - read up on the loss of British Steel, the confusion of the early Airbus project and the mistakes with British Chrysler.

PM Cameron and the British Government may be learning from these changes. The Government should have by now a blueprint for re-industrialisation for manufacturing in Britain. Rather than being dominated by people 'crying into their soup' about manufacturing pollution, perhaps set out the vision where a manufacturing industrial revolution in the UK can take place and explain where all these "green" policies are leading Britain? Answer the question 'is Britain being artificially held back in manufacturing after billions of pounds of taxes have been spent on so-called non-pollutants to show our "green" credentials that have been and are paraded around the globe?' Also, ask the British people to recall any significant programme for British industrialisation and manufacturing and then note the deafening silence? There is also curiosity why only a handful of entrepreneurs are working to get Britain out of the doldrums.

Industrialisation, and to use that in context with smartphones as one example of a manufacturing stream that Britain can and should be capable of performing, could be adopted in manufacturing areas to see Britain mass produce smartphones and the components to go with them:

- new ultra fine silicon
- smartphone design and casing
- new electronic production techniques
- a British labelled operating system (OS) -
- etc

In this day and age it does seem inconceivable as to why Britain is not noted for being a mobile phone manufacturing base to a level that is noted for other countries that come to mind when the spoken brand names are heard: Nokia, Ericsson, Alcatel, Apple and Samsung etc.

Monday, October 15, 2012

Mobile Examination HW / SW Considerations Pt2

The design of memory allocation and chips in telephones may not follow a prescribed standard. However, memory is an important aspect for communications devices and an example of one telephone memory allocation in 1983 was given in Mobile Examination HW / SW Considerations Pt1 -

Our interest, of course, is in mobile devices and their memory. Developments have moved us along in technology terms where we have passed through the analogue mobile phone era and into the digital era. It could be laborious for readers to be treated to a discussion about analogue mobile memory given its expiration and therefore we need to fast forward to 1996 to glimpse at memory and chipsets for GSM mobile phones.  Detail from a presentation at Handset '97 Technology Conference by National Semiconductors usefully illustrates memory allocation and chips, as shown in the image below.  

Perhaps of interest is the reference to six chips plus memory. Memory as we may commonly understand it to be can be both EEPROM and Flash. There are other memory types but I don't want to stray from the discussion topic as reference to other types of memory would add nothing at this stage. We understand from Mobile Examination HW / SW Considerations Pt1 that E2PROM can be a memory of choice for electronic telephones. We see memory in use back in 1996 as observed by National Semiconductors for GSM using EEPROM and Flash. The relevance of how they were used and what went in them is of historical fact which we need not focus on. The purpose of the observations in the National Semiconductor 1997 presentation concerned how improvements in silicon technology were enabling the possibility for even smaller scale manufacturing and to forecast how small scale integration would impact on memory and chips for future digital GSM mobile phones (see image below).

The future foreseen by National Semiconductors was the reduction in the number of chips used in mobile phones. Memory sources EEPROM and Flash are still integral requirements but remain separate memory allocation; and of course RAM can now be referred to. It was not shown in the earlier material above.

In the decade that followed year 2000 and up-to-date more changes and smaller scale integration have occurred. This will be considered in the next discussion so that the topic can progress towards the objective about considerations relevant to hardware and software and revelation about areas of memory that haven't been fully investigated or explored yet.

Sunday, October 14, 2012

To Clone or NOT to Clone?

The purpose of this article is to reiterate the issues surrounding the best practice model of the forensic examination/data harvesting of mobile telephones and the isolation of radio signals. It’s not the intention of the author to critique any persons/methods or vendors of products/services but merely to highlight the issues which are still apparent today considering such methods have been adopted for well over ten years in the field of mobile phone forensics and which in the opinion of the author are yet to be addressed to a satisfactory level.

Best practice advocates the need to isolate the target device from any communication signal in order to prevent changes in existing live/deleted recoverable data. Bearing this in mind the most common practice is to utilise U/SIM cloning tools and to replicate a working copy of the target U/SIM or in some cases creating a working U/SIM for those target devices where the original U/SIM is not available. The majority or most commonly adopted tools/applications for such a method will only permit the examiner to copy the minimal data required to allow successful boot which are the ICCID and IMSI in the main with the addition of other parameters such as the MNC. Although it may be regarded as best practice in the main it’s not without issue. From experience and review/re-examination of cold and live cases the same problems are encountered yet not addressed to a satisfactory level.

There are several vendors of such products and in the main they are adequate to a degree however some vendors of such products do not appear to continue with the product development cycle of such functions as one would expect. We see improvements and development with the core functions of mobile phone forensic applications and that is most welcomed however the basic fundamental process in this case cloning of the target U/SIM are left behind. Thus how is it possible to continue or improve upon a best practice model if the basic fundamental requirements are not addressed?

Examples where failings have been noted are listed below:

1. Misrepresentation of acquired/harvested data:
Quite often through examination it has been noted certain data types are not translated or presented in the correct format. For example contact names may be missing as they are contained within the ADN of the U/SIM card and due to the cloning system have not been transferred through which in turn is replicated to other data sets such as SMS and call list.

2. Inaccessible data
Situations have been encountered where data is not available via the GUI of the target device thus the possibility of missing or non-examination of data exists. An example of this was encountered whilst examining a BlackBerry Bold device where the BBM application was not available without the use of the original target U/SIM, the reason being that the application or some functions were tied to the SIM Application Toolkit.

The above examples are just the tip of the iceberg and in the opinion of the author there are certainly more issues encountered in the use of U/SIM cloning systems when examining mobile telephones and/or devices which utilise the use of U/SIM cards.

So how can we overcome such issues and improve upon the best practice model? One solution is total radio isolation and the use of the original target U/SIM i.e. faraday enclosures/rooms. Unfortunately this option is not a satisfactory way forward due to cost, health & safety issues, practicality and when dealing with volume work.

For a more practical and sustainable solution the author would suggest that the vendors of such products/services review their product development cycle, obtain and work with the necessary feedback from seasoned practitioners with a view to providing far more robust products/services which at best eliminate U/SIM cloning issues or which offers the examiner more flexibility as to the cloning parameters required or at least work towards providing bulletins of known issues and possible solutions for identified issues.

Author: Vinny Parmar
Digital Forensic Practitioner
Accredited MTEB Mobile Phone Trainer
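The first failing listed in the article above (contact names lost because the ADN is not carried over to a clone holding only ICCID and IMSI) can be reproduced on constructed card data. This is an added example, not part of the original article or any vendor's tool; the card contents, test network code 001/01, names and numbers are constructed, the two-digit MNC length is an assumption, and names are assumed to be plain ASCII.

```python
def bcd_swapped(raw):
    """Decode nibble-swapped BCD; 0xF filler (and other non-decimal nibbles) are skipped."""
    out = ""
    for b in raw:
        for nib in (b & 0x0F, b >> 4):      # low nibble holds the earlier digit
            if nib <= 9:
                out += str(nib)
    return out


def decode_iccid(ef):
    return bcd_swapped(ef)


def decode_imsi(ef):
    body = ef[1:1 + ef[0]]                  # byte 0 = length of the IMSI field
    # Low nibble of the first body byte is type/parity; high nibble is digit 1.
    return str(body[0] >> 4) + bcd_swapped(body[1:])


def split_imsi(imsi, mnc_len=2):            # MNC length is an assumption here
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def decode_adn(rec):
    """Return (name, number) from one EF_ADN record, or None if the record is unused."""
    if set(rec) == {0xFF}:
        return None
    x = len(rec) - 14                       # alpha identifier occupies the first X bytes
    name = rec[:x].rstrip(b"\xff").decode("ascii")
    n = rec[x]                              # length of TON/NPI byte plus number bytes
    number = bcd_swapped(rec[x + 2:x + 1 + n])
    if (rec[x + 1] >> 4) & 0x7 == 1:        # type of number = international
        number = "+" + number
    return name, number


# Constructed original U/SIM image (file name -> raw content).
ORIGINAL = {
    "EF_ICCID": bytes.fromhex("98440000000000000021"),
    "EF_IMSI": bytes.fromhex("080910101032547698"),
    "EF_ADN": [
        bytes.fromhex("414c494345ffffffffff" "0791447700091032ffffffff" "ffff"),
        bytes.fromhex("424f42ffffffffffffff" "0791447700094065ffffffff" "ffff"),
        b"\xff" * 24,
    ],
    "EF_SMS": [b"\x00" + b"\xff" * 175],    # one free SMS record
}


def minimal_clone(card):
    """Copy only what the article says most cloning tools copy: ICCID and IMSI."""
    return {k: card[k] for k in ("EF_ICCID", "EF_IMSI")}


def clone_gaps(card, clone):
    """Files on the original that the clone lacks and must be acquired separately."""
    return sorted(k for k in card if k not in clone)


def handset_view(numbers, card):
    """Label numbers as a handset relying only on the inserted card's ADN would."""
    book = {}
    for rec in card.get("EF_ADN", []):
        entry = decode_adn(rec)
        if entry:
            book[entry[1]] = entry[0]
    return [(n, book.get(n)) for n in numbers]


CALL_LIST = ["+447700900123", "+447700900456"]   # constructed handset call list
```

Comparing `handset_view(CALL_LIST, ORIGINAL)` with `handset_view(CALL_LIST, minimal_clone(ORIGINAL))` shows the names dropping out, and `clone_gaps` lists the files an examiner would need to read from the original card directly.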