Tuesday, October 30, 2012

A Hacker's Guide: iOS6 Kernel Security

The recent release of iOS6 has improved security by strengthening the kernel. On the face of it, the presentation shows that jailbreaking strategies were one of the prime targets of that hardening. This could severely affect the data extraction and harvesting techniques, and some of the reader devices, that examiners use to gather and produce evidence.

Download here: A Hacker's Guide: iOS6 Kernel Security 

Updated 31/10/12
Having posted the link to the above Hacker's Guide presentation I thought, perhaps wrongly, but I thought it anyway, that maybe the forensic community might have something to say on the subject. Perhaps to illustrate conflicts or contradictions in the marketplace, such as:

(a) the findings of the authors of that presentation compared with the manufacturers who confirm that their readers do work with iOS6, e.g.

- Oxygen Forensic Software http://www.forensicfocus.com/News/article/sid=1951/?
- UFED, XRY http://www.forensicfocus.com/Forums/viewtopic/t=9717/?

(b) how many have actually examined an iOS6 device and which reader was most useful?

(c) with an ever-growing list of hacker presentations that expose exploits, vulnerabilities, etc., how many of those are used by the current iOS reading tools to extract and harvest data?

or maybe

(d) whether the published hacker exploits and perceived issues simply do not affect the examiner community, or whether the hacker presentations have no value at all?



As Orange/T-Mobile has launched Everything Everywhere (EE) 4G/LTE ahead of the other major UK MNO players, I took a web-stroll over to their website to look at their coverage checker.


Improving the coverage checker maps
I made several post code area searches to familiarise myself with how coverage is presented. It isn't up to much at this stage. Too much vague generality, whereas customers, I think, would much prefer to see a single-cell coverage map for each BTS/NodeB/eNodeB (or mast, so to speak) identifying signal strength (defined by colours) at every 100 metres (small cell) or 500 metres (macro cell) or, in the alternative, coverage including coloured signal strength up to the equal-power boundary.

Skyfall, MI5 and MI6
During my search I looked at various locations and, as I have recently been to see the latest Bond 007 film, 'Skyfall' ('excellent' is my rating), I wondered what MI5 and MI6 coverage would be like. A quick web search for the addresses, the post code entered into EE's website, and here is the coverage at MI5 HQ:

Naturally, they get excellent coverage.

Monday, October 29, 2012

Mobile Examination HW / SW Considerations Pt3

The links to previous discussions are at the foot of this article. In Part 2 reference was made to six chips plus memory and to how integration at ever smaller scale in mobile phones was evolving, and even more quickly from the year 2000 onwards. Today we rarely see the term 'small scale integration' used, as it is all about interconnection (e.g. high density interconnection (HDI), etc.) and embedded ICs. Moreover, such advancements have not been limited to working at 'µm' sizes but have also evolved from 2D packaging to 3D packaging.

Looking at the changes mentioned in Part 2, the presentation by National Semiconductor illustrated six chips as separate entities. An important step forward with fine line interconnection and embedded ICs was shown in the year 2000, arising from a GE development called 'Embedded Chip Build-Up' (ECBU). Using materials available in 1998, GE demonstrated that ECBU could bring scale and reformation to the 'packaging' of chips and enhance integrated technology for PCB manufacturing. Why is this relevant? GE's development shows how six chips are capable of inclusion in a single embedded module:

Peeling back the cover, six chips in an assembly can be revealed:

This type of GE assembly is not the only 'package'. Another notable one, below, is Freescale's Redistributed Chip Package (RCP) radio-in-a-package (2006), using four chips in an assembly with an embedded module.

So from the original six separate chips illustrated in Part 2 we see how manufacturing development, scale and integration have migrated to chips-in-a-chip packaging. Of course, as examiners, and for the purposes of forensic discovery, how are we to approach examination of the PCBs and chips used in the latest smartphones (iPhone, Samsung, Nokia, Sony Ericsson, Android handsets, etc.)?

As a start, a useful guide to chip usage can be found at hardware evaluation websites such as UBM TechInsights, which produces a useful overview of component identification following a mobile phone 'teardown'.

Germane to this discussion primer is which of the iPhone chips shown in the above images are single chips and which are embedded modules containing more than one chip. If we do not understand what is inside an embedded module, how do we know whether we are missing a location where memory may reside? The part number printed on a package identifies the package, not every die inside it.

When the term memory is referred to, it does not mean only memory relevant to data that an examiner may extract and harvest, such as 'text messages', 'phonebook' or 'internet links'. Mobile forensics requires, and in numerous instances demands, that the examiner know not only software/data memory locations but equally hardware memory locations, too.

Mobile Examination HW / SW Considerations Pt1 - http://www.trewmte.blogspot.co.uk/2012/10/mobile-examination-hw-sw-considerations.html
Mobile Examination HW / SW Considerations Pt2 - http://trewmte.blogspot.co.uk/2012/10/mobile-examination-hw-sw-considerations_15.html
GE - http://www.ge.com
Freescale - http://www.freescale.com/
UBM TechInsights - http://www.teardown.com/

Sunday, October 28, 2012

LTE, Test Trials and Cell Site Analysis

There are some strange views floating around that cell site analysis is highly difficult or impossible now we have moved from GSM and 3G on to LTE, with it being so new that there is uncertainty. I can imagine that LTE may cause speculation because LTE hasn't been sufficiently rolled out in the UK and it may appear that there are no mature facts or figures upon which to rely. But, in fact, there are facts and figures that have been generated in refining the LTE system for roll out and, of course, that knowledge benefits cell site analysis.

Back in 2009 mobile operator Telefonica O2 started conducting LTE test trials in Slough, Berkshire, UK. Throughput data quantification, radio test measurements, surveys, etc. created a plethora of statistical information which O2 used in planning its LTE network.

Those tests included a variety of known components required for analysis, which can be seen in the 'Key' legend.

Consideration of LTE requires tests to be conducted not only with a static analysis and assessment approach but also with a distance and velocity analysis and assessment approach, too. That is apart from the environmental considerations. For CSA that means drive tests alone are not good enough; nor could passive radio test measurement devices alone fulfil the requirements of an analysis and assessment approach to comprehend an LTE service at a particular location. TrewMTE blog readers may recall I gave a helpful tip about looking at data and location here: Data Usage in Cell Site Analysis - http://trewmte.blogspot.co.uk/2012/08/data-usage-in-cell-site-analysis.html.

Of course, consideration of the participating RF transceiver elements presents the same requirement for cell site analysis to understand the arrangements at the base station for LTE as it did for GSM/3G.

TrewMTE blog readers may also recall that I set out a series of discussions about Cell Site Identification presented as primers:

Mini Course in Cell Site Identification (Pt1)

Mini Course in Cell Site Identification (Pt2)

Mini Course in Cell Site Identification (Pt3.s1)

I have completed the last primers in the series above and was going to publish them, having given readers sufficient time to go away and research/study the earlier parts. However, this matter needed airing first, due to misconceptions that are floating about out there. I shall publish the other primers later on.

Do remember, I have used the term 'cell site' to capture readers' imaginations and to link readers' thoughts immediately to cell site analysis (CSA). However, 'cell site' can be used to mean e.g. a GSM cell site, a 3G NodeB or an LTE eNodeB.

To leave the user device out of any analysis would be to preside over an incomplete investigation. Readers will note that in Cell Site Identification Part 1 an illustration was given linking the devices and components that require consideration when investigating/researching during CSA. The MS (handset/SIM) forms part of the investigation. The O2 LTE test trials equally identified two devices used for their tests.

The experienced investigator will immediately see that the devices in the image above, used during the test trials, do not of themselves fit immediately with the common scenarios of mobile phone usage and cell site analysis. However, as is known, LTE-enabled smartphones have only fairly recently been launched. An LTE investigative approach to considering a particular device used in a particular case requires identification of handsets, dongles and server devices. Moreover, identification of devices that switch between transmission technologies is also a must.

Orange and Vodka - mixing mobile networks (shaken, not stirred) -

Examination Techniques3: Blackberry Bold -

Diplomas: Mobile Telephone Evidence (MTEdipl) -

Sunday, October 21, 2012

Originals and Copies. Britain and Smartphone Manufacturing

A recent post at Global Sources discussed the Chinese smartphone manufacturing competition and the design, technical and feature competitiveness of home-grown brands in comparison to Apple's iPhone and Samsung.

Chart image courtesy of Global Sources

It is possible to read the data in the chart as signalling a dynamic Chinese marketplace presenting its wares to the world, one that can compete not only locally but at the international level. It is equally possible to read the data as showing that Android has driven that evolution, or that Western skillsets brought to China to exploit low costs have actually turned the 'student' into a 'master', such that the original 'master' is being forced to step aside and be replaced. A different analogy, but with similar outcomes, was noted by Dr Carroll Quigley in his book Tragedy and Hope: A History of the World in Our Time (1966). Quigley identifies the Age of Expansion by defining four common expansion factors that recur throughout history: (i) of population, (ii) of geographic area, (iii) of production, and (iv) of knowledge.

Furthermore, Quigley notes that expansion ebbs and flows, occurring through trade-offs between centres (cores) of expansion and peripheries. The use of circles within circles provides the mental image the author wants the mind to form in order to understand where the core is located and where the periphery can be found. His use of analogy helps the reader to understand that development (production/knowledge) occurring at the core eventually reaches the periphery. At the periphery the incoming development is received and subjected to localised influences.

Fast forwarding from that 1966 commentary to today's manufacturing, and placed in context with the data in the chart above, it can be seen that the Chinese have taken Western developments and are enjoying expansion from the harvest (production/knowledge) brought to their door whilst the Western core is shrinking. The problem with the ebb and flow of expansion is the change that occurs and the ability to keep up with it. Those changes have created problems regarding visual identity (mirroring), hardware functionality (imitation) and software (reproduction). Whilst Android OS may not have a problem with reproduction, given its widescale use in single-country block manufacturing, eventually it would be cheaper for Chinese manufacturers to agree their own smartphone OS and use that to rival Apple, Google, Microsoft, Nokia, etc.

Subtle change can be seen in the shift towards differentiation between local manufacturers' products. As Global Sources comments, "Most large suppliers combine the Android OS with proprietary UI, widgets and mobile applications for differentiation." Eventually, and it is not far off, that differentiation will impact on Android. Just as Nokia and other European manufacturers were caught cat-napping when the Americas hit the stage with two big band anthems called the 'iPhone' and 'Android', which endeared them to the world, so Chinese manufacturing is heading, at a fast rate, for the pinnacle. Granted, we don't know the OS name, but it really isn't about the name but about what the OS will do that will create challenges Western manufacturing has not yet fully understood, even less is it ready for.

However, in a quirk of fate, just as China is starting to reach the peak, scientific and technological breakthroughs that will impact on hardware mean that no one dominant force in the world yet controls, or will solely control, those breakthroughs. This is where Britain should demonstrate it is leading, with a British lionheart approach to industrialisation as opposed to 'I have a hug here with your name on it'. Britain must learn the lessons from throwing away (as it did in the 1970s - 2000s) the national treasure of quality manufacturing: read up on the loss of British Steel, the confusion of the early Airbus project and the mistakes with British Chrysler.

PM Cameron and the British Government may be learning from these changes. The Government should by now have a blueprint for the re-industrialisation of manufacturing in Britain. Rather than being dominated by people 'crying into their soup' about manufacturing pollution, perhaps set out the vision of where a manufacturing industrial revolution in the UK can take place and explain where all these "green" policies are leading Britain? Answer the question: is Britain being artificially held back in manufacturing after billions of pounds of taxes have been spent on so-called non-pollutants to show our "green" credentials, which have been and are paraded around the globe? Also, ask the British people to recall any significant programme for British industrialisation and manufacturing, and then note the deafening silence. There is also curiosity as to why only a handful of entrepreneurs are working to get Britain out of the doldrums.

Industrialisation, and to use that in context with smartphones as one example of a manufacturing stream that Britain can and should be capable of performing, could be adopted in manufacturing areas to see Britain mass-produce smartphones and the components to go with them:

- new ultra fine silicon
- smartphone design and casing
- new electronic production techniques
- a British labelled operating system (OS) -
- etc

In this day and age it does seem inconceivable that Britain is not noted as a mobile phone manufacturing base to the level that other countries are, countries that come to mind when the brand names are spoken: Nokia, Ericsson, Alcatel, Apple, Samsung, etc.

Monday, October 15, 2012

Mobile Examination HW / SW Considerations Pt2

The design of memory allocation and chips in telephones may not follow a prescribed standard. However, memory is an important aspect for communications devices and an example of one telephone memory allocation in 1983 was given in Mobile Examination HW / SW Considerations Pt1 - http://www.trewmte.blogspot.co.uk/2012/10/mobile-examination-hw-sw-considerations.html.

Our interest, of course, is in mobile devices and their memory. Developments have moved us along in technology terms, through the analogue mobile phone era and into the digital era. It could be laborious for readers to be treated to a discussion about analogue mobile memory given its expiration, and therefore we need to fast forward to 1996 to glimpse memory and chipsets for GSM mobile phones. Detail from a presentation at the Handset '97 Technology Conference by National Semiconductor usefully illustrates memory allocation and chips, as shown in the image below.

Perhaps of interest is the reference to six chips plus memory. Memory, as we commonly understand it, can be both EEPROM and Flash. There are other memory types, but I don't want to stray from the discussion topic, as reference to other types of memory would add nothing at this stage. We understand from Mobile Examination HW / SW Considerations Pt1 that E2PROM can be a memory of choice for electronic telephones. We see memory in use back in 1996, as observed by National Semiconductor for GSM, using EEPROM and Flash. How they were used and what went in them is historical fact on which we need not focus. The purpose of the observations in the National Semiconductor 1997 presentation was to show how improvements in silicon technology were enabling even smaller-scale manufacturing, and to forecast how that integration would impact on memory and chips for future digital GSM mobile phones (see image below).

The future foreseen by National Semiconductor was a reduction in the number of chips used in mobile phones. EEPROM and Flash are still integral requirements but remain separate memory allocations; and of course RAM can now be referred to, which was not shown in the earlier material above.

In the decade that followed the year 2000, and up to date, more changes and smaller-scale integration have occurred. This will be considered in the next discussion so that the topic can progress towards the objective: considerations relevant to hardware and software, and revelation of areas of memory that haven't been fully investigated or explored yet.

Sunday, October 14, 2012

To Clone or NOT to Clone?

The purpose of this article is to reiterate the issues surrounding the best practice model of the forensic examination/data harvesting of mobile telephones and the isolation of radio signals. It is not the intention of the author to critique any persons/methods or vendors of products/services but merely to highlight the issues which are still apparent today, considering such methods have been adopted for well over ten years in the field of mobile phone forensics and which, in the opinion of the author, are yet to be addressed to a satisfactory level.

Best practice advocates the need to isolate the target device from any communication signal in order to prevent changes in existing live/deleted recoverable data. Bearing this in mind, the most common practice is to utilise U/SIM cloning tools to replicate a working copy of the target U/SIM or, in some cases, to create a working U/SIM for those target devices where the original U/SIM is not available. The majority, or most commonly adopted, tools/applications for such a method will only permit the examiner to copy the minimal data required to allow a successful boot, which are the ICCID and IMSI in the main, with the addition of other parameters such as the MNC. Although it may be regarded as best practice, in the main it is not without issue. From experience and review/re-examination of cold and live cases, the same problems are encountered yet not addressed to a satisfactory level.

There are several vendors of such products and in the main they are adequate to a degree; however, some vendors of such products do not appear to continue with the product development cycle of such functions as one would expect. We see improvements and development with the core functions of mobile phone forensic applications, and that is most welcome; however, the basic fundamental process, in this case cloning of the target U/SIM, is left behind. Thus how is it possible to continue or improve upon a best practice model if the basic fundamental requirements are not addressed?

Examples where failings have been noted are listed below:

1. Misrepresentation of acquired/harvested data:
Quite often through examination it has been noted that certain data types are not translated or presented in the correct format. For example, contact names may be missing, as they are contained within the ADN of the U/SIM card and, due to the cloning system, have not been transferred through; this in turn is replicated in other data sets such as SMS and call lists.

2. Inaccessible data
Situations have been encountered where data is not available via the GUI of the target device; thus the possibility of missing or non-examination of data exists. An example of this was encountered whilst examining a BlackBerry Bold device, where the BBM application was not available without the use of the original target U/SIM, the reason being that the application or some of its functions were tied to the SIM Application Toolkit.

The above examples are just the tip of the iceberg and, in the opinion of the author, there are certainly more issues encountered in the use of U/SIM cloning systems when examining mobile telephones and/or devices which utilise U/SIM cards.

So how can we overcome such issues and improve upon the best practice model? One solution is total radio isolation and the use of the original target U/SIM, i.e. Faraday enclosures/rooms. Unfortunately this option is not a satisfactory way forward due to cost, health &amp; safety issues, practicality and when dealing with volume work.

For a more practical and sustainable solution the author would suggest that the vendors of such products/services review their product development cycle, obtain and work with the necessary feedback from seasoned practitioners with a view to providing far more robust products/services which, at best, eliminate U/SIM cloning issues or which offer the examiner more flexibility as to the cloning parameters required, or at least work towards providing bulletins of known issues and possible solutions for identified issues.

Author: Vinny Parmar
Digital Forensic Practitioner
Accredited MTEB Mobile Phone Trainer
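As an added example for the post above (it is not the author's code, nor that of any cloning vendor), the following Python encodes and decodes the two elementary files that a minimal clone must reproduce for the handset to boot: EF_ICCID (3F00/2FE2) and EF_IMSI (7F20/6F07), using the swapped-BCD layouts from 3GPP TS 31.102. It also validates the ICCID's Luhn check digit and splits the IMSI into MCC/MNC/MSIN. The sample ICCID and IMSI are constructed test values, and the MNC length is passed in as an assumed parameter (a real USIM records it in EF_AD, 6FAD) rather than read from a card.

```python
"""EF_ICCID / EF_IMSI encoder and decoder (3GPP TS 31.102 layouts).

Added example for this post, not the author's or any vendor's code.
Sample identities used here are constructed test values, not real subscribers.
"""


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for an ICCID body (the ICCID's final digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost body digit is the first one doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def encode_bcd_swapped(digits: str) -> bytes:
    """Pack digits two per byte, low nibble first; an odd count is F-padded."""
    if len(digits) % 2:
        digits += "F"
    return bytes(
        (int(digits[i + 1], 16) << 4) | int(digits[i], 16)
        for i in range(0, len(digits), 2)
    )


def decode_bcd_swapped(data: bytes) -> str:
    """Inverse of encode_bcd_swapped; stops at the first F (padding) nibble."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def encode_ef_iccid(iccid: str) -> bytes:
    """EF_ICCID (3F00/2FE2): 10 bytes of swapped BCD, F-padded."""
    if not (19 <= len(iccid) <= 20 and luhn_valid(iccid)):
        raise ValueError("ICCID must be 19-20 digits with a valid Luhn digit")
    return encode_bcd_swapped(iccid).ljust(10, b"\xff")


def decode_ef_iccid(ef: bytes) -> str:
    return decode_bcd_swapped(ef[:10])


def encode_ef_imsi(imsi: str) -> bytes:
    """EF_IMSI (7F20/6F07): a length byte, then a byte carrying digit 1 in its
    high nibble and (parity bit b4, identity type 001 in b1-b3) in its low
    nibble, then the remaining digits as swapped BCD, F-padded to 8 bytes."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 digits")
    parity = len(imsi) % 2  # 1 = odd number of digits
    first = (int(imsi[0]) << 4) | (parity << 3) | 0b001
    body = bytes([first]) + encode_bcd_swapped(imsi[1:])
    return bytes([len(body)]) + body.ljust(8, b"\xff")


def decode_ef_imsi(ef: bytes) -> str:
    body = ef[1:1 + ef[0]]
    if body[0] & 0b111 != 0b001:
        raise ValueError("identity type nibble is not IMSI")
    odd = (body[0] >> 3) & 1
    digits = str(body[0] >> 4) + decode_bcd_swapped(body[1:])
    if len(digits) % 2 != odd:
        raise ValueError("IMSI parity bit does not match digit count")
    return digits


def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """MCC is 3 digits; MNC is 2 or 3 digits depending on the country (2 in
    the UK). A USIM records the length in EF_AD (6FAD); here it is an
    assumed parameter."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


if __name__ == "__main__":
    iccid = "8944110012345678901"  # constructed, Luhn-valid
    imsi = "234150123456789"       # constructed: MCC 234 (UK), MNC 15, fictional MSIN
    ef_iccid, ef_imsi = encode_ef_iccid(iccid), encode_ef_imsi(imsi)
    print("EF_ICCID", ef_iccid.hex())  # 984411002143658709f1
    print("EF_IMSI ", ef_imsi.hex())   # 082943511032547698
    print(decode_ef_iccid(ef_iccid), split_imsi(decode_ef_imsi(ef_imsi)))
```

These two files are all that a minimal clone carries. EF_ADN (7F10/6F3A), EF_SMS (7F10/6F3C) and any SIM Toolkit applications stay on the original card, which is exactly the gap in contact names and toolkit-dependent functions that the post describes.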

Mobile Examination HW / SW Considerations Pt1

Mobile phone forensics requires a level of examiner capability to conduct the examination. The key word is 'capability': analysis of what it involves reveals that we have moved a long way from the early examination techniques, even though today data acquisition can appear to be a matter of simply connecting a data reader tool to the target device (mobile phone).

The knowledge, skills and experience from my early telecomms background still serve me well today. When I first started in telecomms type approvals (the procedural path to bringing a telecomms product up to the technical and legal requirements that permit it to be connected to the PSTN) the technical standards were important. The technical standards, such as BS6301 electrical safety, BS6305 network connection, BS6317 apparatus connection and BS6789 apparatus functional features, etc., provided the grounding to understand what was necessary to succeed. Those standards didn't control how the manufacturer designed to meet each standard's strictures; they merely required the manufacturer to reveal what the product did at the point of, generally speaking, safety, input/output, device-specific requirements and functionality, and how it met the parameters laid down.

Interestingly, designing memory in a device, although seen today as a reference to data storage (ephemeral, tarried or permanent), and thus introducing the notion and prospect of evidence, was back then seen as a consumer-friendly feature to create a psychological attachment between the user and the owned device. Coming from a white goods/brown goods background I had to acquire an understanding/knowledge not merely of the telecomms standards but also of the approaches used by manufacturers to meet them. Back in 1983 one of the first books I read was Radio Shack's "Understanding Telephone Electronics". Electronics, by the way, covered a wide range of technology design categories including, as a subset, computers and computation. Note also that 'microcomputer' was often used in earlier days to describe manufacturing size and purpose, whereas today the terms 'micro', 'electronic' and 'computer' are combined as 'microelectronic computer' to describe e.g. a SIM/USIM card. We also use the term 'smart card' today, but what is intended to be communicated by the term 'smart' requires discussion at another time.

Below are some selected pages from that book discussing ways to create memory storage and access to it, which provide, in a nutshell, a useful exemplar of how data retention could be created and managed within early electronic telephones. It is worth reading, because a mobile phone examiner will see familiar issues being addressed when considering a methodology for acquiring data from (mobile) devices.

Friday, October 12, 2012

PM Cameron needs new ideas

The British Prime Minister, David Cameron, needs new ideas. If £30 million (spending just £2 million on a cyber centre is not the true cost) can be found for cybercrime, like finding loose change in a pocket, then things aren't as bad as we are all being led to believe. Indeed, if more public money is being put into even more CCTV surveillance in this country, then a clear picture is emerging that there is money which, while it might be accepted that it is being spent wisely, is being spent nonetheless.

Speaking on national television and radio, the PM espoused the virtues of hard work. Excellent! People are already working longer hours for less pay, and much lower pay than the real value of their jobs, so they had already taken on board that principle before the PM said it. By way of illustration, a class of person rapidly being turned into, and treated like, an underclass are those in their 60s and 70s with a wealth of knowledge and experience who are being ignored at shop-floor level. They have the guts and courage to still be working. Perhaps it's a generational thing, but the older generation are without doubt an inspiration. I admire the woman of 67 I saw working at the supermarket customer desk at 7pm at night. The customer counter, by the way, is situated by the main doors, so as the cold air rushes in it blasts her in the face and body. It seems to me she is doing her bit, and I see many women and men of a similar age still soldiering on. So there is harmony between the PM's words and the factual practice of the hard work ethic by British workers. But that needs to be turned into tangible value we can all enjoy (and not merely enjoyed by people at a certain level), for that is the way distribution of wealth and value is supposed to work.

Much has been openly spoken of, and laughed at, by various sources having a hoot that British parliament and politics have been run like episodes from the comedy series Yes, Minister and Yes, Prime Minister. I wonder whether equal attention has been paid to the rebuilding programmes, e.g. those introduced through the concept of the Kindergarten. Indeed, perhaps look at working/worker and management participation backed by an industrial franchise. George Osborne made a mistake recently when he referred to workers, management and the taxman all working together. The original idea is in fact worker, management and 'government' (not a single department of it) working together.

By the way, some good news about mobile technology can be found in the latest World Bank Report - IC4D 2012: Maximizing Mobile

Tuesday, October 02, 2012

The rates of pay

There is an old saying, "never apologise for what you can earn", quoted in the context of the provision of a legitimate service. The order of magnitude of chargeable fees has a ceiling, regarding the provision of expert/consultancy etc. services in criminal cases (but civil cases too, for that matter), as set down within the statutory instrument guidance rules currently set out in UKSI 2011 No. 2065, LEGAL SERVICES COMMISSION, ENGLAND AND WALES, The Criminal Defence Service (Funding) (Amendment) Order 2011. The SI identifies fees/fixed costs for the various rates of pay that a person may earn (hourly/fixed), which are shown below.

Before rushing into employment, consider whether your unique skillsets are being best deployed and whether the tenure of the employment is going to last longer than 3-6 months. Check whether a company has a quick turnaround of staff. After all, you don't want to give up your value (knowledge and skills) within that short period, do you? Moreover, you may wish to consider whether, within the offered salary, you are being expected to pay for vehicle expenses, mobile phone expenditure and other expenses, and whether the salary actually is at the value promoted vis-a-vis rolling personal expenditure.

It is being noted that erosion techniques are being applied to employees' salaries and wages, where such expenditure is being obligated upon the employee and used to prop up the business. It is one thing if the business is failing and it is "all hands to the helm"; it is entirely another, though, when it is used to improve profits, and thus payouts of dividends and commission schemes. Some may find the latter points perfectly reasonable, and others who aren't aware may wish to re-look at employment offers and investigate what the real bottom line is.

With the above rates of pay presenting a guideline, are you being paid as the expert etc £90.00 per hour or £8.50 per hour?