Sunday, September 30, 2012

Kenya bans counterfeit mobiles being used

"Kenya is set to switch off all uncertified mobile phones in the country by the end of September in an effort to curb security threats and halt the illegal trade of counterfeit phones....." according to

The ban is targeted at mobile phones that do not have a properly assigned IMEI programmed into them, and policing it could take huge resources. Confiscating handsets sold by traders is unlikely to achieve the intended result, which suggests the mobile network operators may be required to have handsets transmit their IMEIs at registration or at off-air call set-up (OACSU) before calls/texts can be sent or received, and to switch off those that fail. This effort by Kenya is probably welcome news to genuine brand-name manufacturers fed up with counterfeits eroding the marketplace.

Moreover, visitors roaming on Kenya's mobile networks with counterfeit handsets may well be caught up in the ban too: if the handset is uncertified, attempts to make roaming calls may simply fail. Most holiday-makers would not know to check whether their handset is certified before travelling to the country.

It is assumed that the CCK have already planned beyond the stage of blocking handsets without IMEIs, to detecting and blocking handsets programmed with cloned or false IMEIs in order to mask a counterfeit device.
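
An added example, not from the original post, of the structural screen a network or regulator could apply to a reported IMEI before any certification lookup. The 15th digit of an IMEI is a Luhn check digit over the first 14 (TAC plus serial), so a handset reporting a malformed or mis-checked IMEI can be rejected outright; the all-zero IMEI, which has a valid Luhn digit, is caught by a separate pattern test. The function names are my own; the only IMEI value used is the commonly quoted format example, the rest are constructed.

```python
# Added example, not from the original post: a structural screen of a 15-digit
# IMEI of the kind a network or regulator could apply at registration.
# Digit 15 is a Luhn check digit over the first 14 (TAC + serial).  Passing the
# check only proves the string is well formed; it does not prove the TAC is a
# genuine certified allocation or that the IMEI is not a clone of a real one.


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the 14 leading digits of an IMEI."""
    total = 0
    # Walk from the rightmost of the 14 digits (the one next to the check
    # digit); that digit and every second one to its left are doubled.
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_screen(imei: str) -> str:
    """Classify an IMEI string: 'malformed', 'bad check digit',
    'suspicious: repeated digit pattern' or 'ok'."""
    s = imei.strip()
    if len(s) != 15 or not s.isdigit():
        return "malformed"
    if luhn_check_digit(s[:14]) != int(s[14]):
        return "bad check digit"
    # An all-zero IMEI has a valid Luhn digit, so a pure checksum test would
    # wave it through; a handset reporting it (or any single repeated digit)
    # has clearly not been programmed with a real allocation.
    if len(set(s)) == 1:
        return "suspicious: repeated digit pattern"
    return "ok"


def imei_is_wellformed(imei: str) -> bool:
    return imei_screen(imei) == "ok"


def tac(imei: str) -> str:
    """Type Allocation Code: the first 8 digits, identifying the model (the
    first two give the reporting body); a certification list would be keyed on it."""
    return imei.strip()[:8]


if __name__ == "__main__":
    # 490154203237518 is the commonly quoted format example; the others are constructed.
    for candidate in ("490154203237518", "490154203237519",
                      "000000000000000", "4901542032375"):
        print(candidate, imei_screen(candidate))
```

The screen is deliberately cheap so it can run on every registration; a clone of a genuine IMEI passes it, which is why the post's point about detecting cloned IMEIs needs network-side correlation (the same IMEI attached in two places at once) rather than anything the handset reports.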

Sunday, September 23, 2012

JTAG Tutorial

Certain mobile phones offer no access for debugging and memory analysis other than a test interface, which means using the JTAG (Joint Test Action Group) standard, IEEE 1149.1-1990, Standard Test Access Port and Boundary-Scan Architecture. The 2001 revision, IEEE 1149.1-2001, is available here:

There are various reading materials available by way of the internet that help an examiner understand the way in which JTAG can be used:

What is JTAG?
Overview of the JTAG architecture and the new technology trends that make using JTAG essential for dramatically reducing development and production costs. The article also describes the various uses of JTAG and the tools available today for supporting JTAG technology.

Saturday, September 22, 2012

Threats and Forcing SMS delay

Following my article France Car Shootings and Mobile Evidence, an investigator who previously worked with a well-known cellular and fixed network manufacturer confirmed to me the results of an internal forensic investigation he conducted.

An employee had made threats to a Director. The employee was found to have used a prepaid SIM card to send the threatening messages, with a 2-hour delay set on their sending. The employee then switched the handset OFF and inserted the company SIM card into the same handset that had previously held the prepaid SIM used to send the threats. The handset, now with the company SIM in it, was switched ON, and the employee claimed not to have been responsible for threats sent from a different IMSI (SIM card). The intention was to mask any connection with the threats. However, tracing the IMSIs of the prepaid SIM and the company SIM showed both to have been operating in the same handset (IMEI). Such tracing can be done by enquiry of network records and databases (BTS, HLR etc.). Moreover, with the high volume of text messaging sent and received while roaming, there is further trace capability available by interrogating CAMEL.
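
An added example, not from the original post, of the IMEI/IMSI linking the investigator describes, run over a constructed set of network-side event records. The record layout and the function names are my assumptions (real CDR, HLR or VLR exports differ per operator, but each event carries the IMEI/IMSI pair); the IMSIs and timestamps are made up to mirror the scenario.

```python
# Added example, not from the original post: linking two IMSIs through the
# IMEI they were both used in, from network-side event records.  The records
# and field layout are constructed for illustration; real CDR/HLR/VLR exports
# differ per operator, but all carry the IMEI/IMSI pair per event.
from collections import defaultdict
from datetime import datetime

# (timestamp, event type, IMEI, IMSI) -- constructed scenario: prepaid SIM
# sends texts, handset is switched off, the company SIM is inserted.
CONSTRUCTED_RECORDS = [
    ("2012-09-20 08:55:00", "ATTACH",      "490154203237518", "639010000000001"),
    ("2012-09-20 09:00:10", "SMS_SUBMIT",  "490154203237518", "639010000000001"),
    ("2012-09-20 09:00:15", "SMS_SUBMIT",  "490154203237518", "639010000000001"),
    ("2012-09-20 09:01:00", "DETACH",      "490154203237518", "639010000000001"),
    ("2012-09-20 09:03:30", "ATTACH",      "490154203237518", "639010000000002"),
    ("2012-09-20 11:00:10", "SMS_DELIVER", "490154203237518", "639010000000002"),
    ("2012-09-20 09:04:00", "ATTACH",      "490154203237599", "639010000000003"),
]


def parsed(records):
    """Records as (datetime, event, imei, imsi), in time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, imei, imsi)
                  for ts, ev, imei, imsi in records)


def imsis_per_imei(records):
    """Map IMEI -> {IMSI: (first seen, last seen)}."""
    seen = defaultdict(dict)
    for ts, _, imei, imsi in parsed(records):
        first, last = seen[imei].get(imsi, (ts, ts))
        seen[imei][imsi] = (min(first, ts), max(last, ts))
    return seen


def shared_handsets(records):
    """IMEIs that carried more than one IMSI, IMSIs listed in order of first use."""
    out = {}
    for imei, imsis in imsis_per_imei(records).items():
        if len(imsis) > 1:
            out[imei] = sorted(imsis, key=lambda i: imsis[i][0])
    return out


def sim_swap_gaps(records, imei):
    """Each change of IMSI in one handset, as (old IMSI, new IMSI, seconds between
    the last event under the old SIM and the first under the new one)."""
    gaps, prev = [], None
    for ts, _, rec_imei, imsi in parsed(records):
        if rec_imei != imei:
            continue
        if prev is not None and prev[1] != imsi:
            gaps.append((prev[1], imsi, (ts - prev[0]).total_seconds()))
        prev = (ts, imsi)
    return gaps


def events_for_imsi(records, imsi, event):
    """Timestamps of one event type for an IMSI, e.g. the submit times of the threats."""
    return [ts for ts, ev, _, rec_imsi in parsed(records)
            if rec_imsi == imsi and ev == event]


if __name__ == "__main__":
    for imei, imsis in shared_handsets(CONSTRUCTED_RECORDS).items():
        print(f"IMEI {imei} used with IMSIs {imsis}")
        for old, new, secs in sim_swap_gaps(CONSTRUCTED_RECORDS, imei):
            print(f"  SIM swap {old} -> {new} after {secs:.0f}s")
```

The swap gap is the detail worth keeping in a report: a company SIM attaching in the same IMEI a couple of minutes after the prepaid SIM detached is hard to explain as coincidence, whereas the same two IMSIs sharing an IMEI weeks apart might be a second-hand handset.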

There is also useful data that can be obtained for linking with cell site analysis (CSA), which is a bonus, although there appears to be some confusion in the US at the moment as to the value of CSA evidence and how the material may be applied case by case. I am not convinced that licensed operators, with cellular networks as highly developed as those in the US, could not or would not have sufficient call record/cell data available to know what was happening when an MS was active in their networks: the arrangement at the particular mast (cell tower) used by the MS, the configuration of the radio network operating at the time the MS was used, and so on.

Monday, September 17, 2012

France Car Shootings and Mobile Evidence

It is well known by now that the team investigating the shootings in the French Alps discovered two mobile phones. The following has nothing to do with the French authorities' investigation and does not seek to speculate on what might be found. However, the case provides a useful example for applying a conceptual method of seeking out evidence that I originally discussed in my thread back in January 2009:

The diagrams below illustrate one method of taking a crime scene event and postulating the possibilities of mobile phone evidence and mobile events that might occur before and after, for example, a murder. Yes, it is quite possible that activity on a victim's switched-ON mobile phone may still occur after the victim's death. This is in addition to the evidence that can accrue when it is switched OFF.

To make this case scenario a more manageable task for the investigator/examiner, the case can be separated into four stages, without severing the links between them:

 i) possible evidence before and leading up to the crime
 ii) possible evidence at the approximate time of (a) shooting, (b) death
iii) possible evidence when attending the scene of crime
 iv) possible evidence that might still be collated post scene of crime

The depth and breadth of mobile evidence has increased substantially given the fast pace of development of mobile technology and services. To try to discuss all of it would over-complicate this discussion, so the discussion will consider the diagram below and highlight possible mobile evidence and events in stage iv).

The previous 2009 discussion (link given above) needs to be read to understand the diagram below, after which an examiner/investigator can begin to recognise where post-crime mobile evidence might be generated and create a checklist of those possibilities.

Using the 'C now' constant, this could represent the position of the investigation in physical space, say where the two mobiles have been recovered but are still at the scene of crime. Time is important too, so the investigator (hypothetically, of course, for this discussion) records a time one hour after the mobile phones were recovered at the crime location. This matters for the timeline because anything occurring before that time has one set of evidential/event values (prior to the approximate time of death) and evidence/events occurring after it have another (post approximate time of death). To illustrate the latter: the dead victim will not be operating the handset, and that fact is important, but it does not exclude the possibility that the victim, prior to death, pre-programmed the handset to do something (e.g. send a birthday text, set an alarm and so on).

The perpetrator(s) fled the crime scene, so the delay between that and the discovery of the mobile phones could be minutes, hours or days. The race is on to catch up if the investigation is not to be overtaken by diminishing returns.

The use of text messaging is prolific, so knowing which material to discard and which is important evidence is not an easy task. Commonly, texting is perceived in terms of a user who:

- sends and receives texts
- known or unknown called/calling party  
- content based upon 'familiarity' of communicating parties

There is a whole host of investigative information that may need to be assessed for the possibility of texts occurring on a mobile phone after a victim's death, such as:

- text generated by a mobile phone as opposed to text generated on a PC and sent via the internet, e.g. check the SMS header (originating address) details:

Originating Address type: 91
Type of number: International
Numbering plan identifier: E.164
Originating Address: 44798021XXXX

Where the 'Originating Address' does not contain the commonly understood mobile telephone number (E.164) but instead a hexadecimal representation, it might indicate that the message originated from the internet. Strictly, GSM 03.40 signals an alphanumeric originator (the form used by web and e-mail-to-SMS gateways) with a Type of Number of 101 (address type 0xD0) and the characters packed in the GSM 7-bit alphabet, so the type-of-address byte should be read alongside the raw address bytes rather than relying on the decoded string alone. Example:

Originating Address type: 91
Type of number: International
Numbering plan identifier: E.164
Originating Address: 35fac2457c0be2008

To start with, go back to basics (necessary because of the requirements of backward compatibility) and check the GSM standards GSM 03.40, 03.38, 04.11, 09.02 etc.

- text may be generated by a set calendar event, e.g. check user profiling relevant to the proactive SIM, SIM Toolkit (STK) applications and the handset calendar

- text may appear as an SMS but could in fact be Wi-Fi Direct data, e.g. depending on the make/model of mobile phone, check settings such as 'wireless and network'

What can happen when received text messages arrive later than the date on which the text was originated and sent? Local and roaming issues may be relevant.

Check also the SMS 'validity period' for sent text messages: messages can be held in 'escrow' by a network operator until the period expires. See GSM 11.11; 3GPP TS 31.102

The time values encoded by the 'Validity Period' field can be found in GSM 03.40.
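
An added example, not from the original post, that decodes the two header fields discussed above from raw TPDU bytes: the originating address of a received message (SMS-DELIVER, TP-OA), distinguishing an E.164 number from a GSM 7-bit alphanumeric originator, and the relative-format validity period of a sent message (SMS-SUBMIT, TP-VP) converted to minutes using the encoding in 3GPP TS 23.040 (GSM 03.40). The PDUs are constructed, with the SMSC address prefix already stripped, the phone number in them is made up, and the function names are my own.

```python
# Added example, not from the original post: decoding the two SMS header fields
# the text discusses, the originating address of a received message
# (SMS-DELIVER, TP-OA) and the relative validity period of a sent message
# (SMS-SUBMIT, TP-VP), per 3GPP TS 23.040 (GSM 03.40) and the 7-bit alphabet
# of TS 23.038 (GSM 03.38).  The PDUs below are constructed and have the SMSC
# address prefix already stripped; the phone number in them is made up.

GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå" "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./" "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO" "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno" "pqrstuvwxyzäöñüà"
)
TON_NAMES = {0: "unknown", 1: "international", 2: "national", 3: "network specific",
             4: "subscriber", 5: "alphanumeric", 6: "abbreviated"}


def unpack_gsm7(data: bytes, nseptets: int) -> str:
    """Unpack 7-bit packed septets (first septet in the low bits of byte 0)."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(nseptets))


def swap_semi_octets(raw: bytes, ndigits: int) -> str:
    """BCD digits, low nibble first in each byte; a trailing 0xF filler is dropped."""
    digits = []
    for b in raw:
        digits += [str(b & 0x0F), str(b >> 4)]
    return "".join(digits[:ndigits])


def decode_tp_address(pdu: bytes, offset: int):
    """Decode a TP-OA/TP-DA at pdu[offset]: (address, TON, NPI, offset after it).
    The length byte counts semi-octets, also for alphanumeric addresses."""
    ndigits, toa = pdu[offset], pdu[offset + 1]
    ton, npi = (toa >> 4) & 0x07, toa & 0x0F
    nbytes = (ndigits + 1) // 2
    raw = pdu[offset + 2: offset + 2 + nbytes]
    if ton == 5:                      # alphanumeric, GSM 7-bit packed
        address = unpack_gsm7(raw, (ndigits * 4) // 7)
    else:
        address = swap_semi_octets(raw, ndigits)
        if ton == 1:
            address = "+" + address
    return address, ton, npi, offset + 2 + nbytes


def deliver_originator(pdu: bytes) -> dict:
    """Originator of an SMS-DELIVER.  An alphanumeric TON is what web and
    e-mail-to-SMS gateways and bulk senders typically use (a heuristic, not proof)."""
    if pdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    address, ton, npi, _ = decode_tp_address(pdu, 1)
    return {"address": address, "ton": TON_NAMES.get(ton, str(ton)),
            "npi": "E.164" if npi == 1 else str(npi), "alphanumeric": ton == 5}


def relative_validity_minutes(vp: int) -> int:
    """TP-VP relative format (TS 23.040, 9.2.3.12.1) to minutes."""
    if vp <= 143:
        return (vp + 1) * 5                  # 5 min .. 12 h
    if vp <= 167:
        return 12 * 60 + (vp - 143) * 30     # 12.5 h .. 24 h
    if vp <= 196:
        return (vp - 166) * 24 * 60          # 2 .. 30 days
    return (vp - 192) * 7 * 24 * 60          # 5 .. 63 weeks


def submit_validity_minutes(pdu: bytes):
    """Relative validity period of an SMS-SUBMIT in minutes, or None if the
    TP-VPF says no (or a non-relative) validity period is present."""
    if pdu[0] & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT TPDU")
    vpf = (pdu[0] >> 3) & 0x03
    _, _, _, off = decode_tp_address(pdu, 2)  # pdu[1] is TP-MR
    off += 2                                   # TP-PID, TP-DCS
    return relative_validity_minutes(pdu[off]) if vpf == 2 else None


# Constructed PDUs.  Originator +441234567890 (semi-octet swapped: 44 21 43 ...),
# then a 4-character alphanumeric originator "INFO" (TOA 0xD0, 7 semi-octets),
# and an SMS-SUBMIT with TP-VPF=10 (relative) and TP-VP 0xAA (four days).
# The user data in each is the 7-bit packed text "Hello".
DELIVER_NUMERIC = bytes.fromhex("040C91442143658709000021900241520000" "05C8329BFD06")
DELIVER_ALPHA = bytes.fromhex("0407D049A7F109000021900241520000" "05C8329BFD06")
SUBMIT_RELATIVE_VP = bytes.fromhex("11000C914421436587090000AA" "05C8329BFD06")

if __name__ == "__main__":
    print(deliver_originator(DELIVER_NUMERIC))
    print(deliver_originator(DELIVER_ALPHA))
    print(submit_validity_minutes(SUBMIT_RELATIVE_VP), "minutes")
```

The validity period is the field to check against the delivery timestamp: a message submitted with a multi-day TP-VP can legitimately land on the victim's handset long after it was sent, and the handset's own received-time stamp says nothing about when the sender pressed send.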

There can be other post-crime mobile evidence activity on a victim's mobile phone, such as voicemail. Moreover, cell site analysis can have a role here too, for switched-ON mobile phones and post-crime generated evidence.

Determining the possible evidence and events on a mobile phone, or on a mobile account for that matter, which may occur post-crime might be highly beneficial in death, kidnap or missing person cases.

Sunday, September 02, 2012

Catching the IMSI Catchers

"IMSI catcher catcher": a device designed to snoop on the snoopers, sniffing out anyone operating an IMSI catcher in a given location.

Spying has been going on since one human first wanted to know what another was doing or saying. A common-sense expectation of modern government is to limit or place a choke on how spying is conducted and, importantly, who may do it. Sadly, the warnings (loss of privacy, unlawful interception etc.) not to open 'Pandora's box', and to apply proactive controls instead, appear to have been dismissed as some form of 'crying wolf', even where those warnings had merit after all. It comes as no surprise, then, to find a recent news report indicating that spying devices such as IMSI grabbers/catchers are now creating concern that they could be in use in the criminal community: [imsi_catchers_criminals_law_enforcement_using_high_tech_portable_devices_to_intercept_communications_.html]

IMSI catchers are not a recent development. Indeed, in a number of long-running court battles that I have been following for some years, a 2012 Court of Appeal patent decision shed light on the development of a particular IMSI catcher. Across the three cases, the judgments set out a history of development dates showing that the prototypes and the finished product of this IMSI catcher appeared before (as a time reference) the Omagh bombing of 1998.

IMSI grabbers/catchers present huge potential for privacy abuses, given the pace at which mobile technology is making fixed landline phones and fixed PCs redundant, with unlawful interception at one end of the scale. At the other end of the scale, IMSI grabbers/catchers could undermine serious crime investigations (where investigating officers might have their contact details tapped etc.).

The fight back against invasion of privacy has been amplified recently by the announcement of a prototype dubbed the "IMSI Catcher Catcher", shown in the image above, which might provide the solid proof privacy campaigners seek. But the device could equally backfire if investigating officers in the field are being tracked while operating IMSI catchers.

The above is the tip of the iceberg of the material available through research about devices developed for the express purpose of obtaining subscriber identity and other personal information without the subscriber's/user's knowledge or consent, where a man-in-the-middle attack has taken place.