Friday, April 27, 2012

Data and Time Stamps

An important issue to bear in mind when dealing with any analogue or digital device that contains a 'clock' for the production of a 'date and time stamp' is whether the clock's inaccuracy might not disbar evidence when considering the operation of the device and content found stored on/in the device.

McKeown was convicted of drink-driving following a Lion intoximeter breathalyser test. It was found that the date and time stamp was erroneous when compared to the material time of the breath test. On appeal their Lordships identified that the fact that the date and time stamp was erroneous would not of itself prevent the 'machine' from still carrying out an effective breathalyser test (DPP v McKeown [1997] 1 WLR 295).

Such cases provide useful material to research whether:

1) Could the ruling be applicable to mobile/smartphones, such that they carry out an effective process or recording where the clock is inaccurate?

2) What impact might that have on admissibility: could the content in files stored/residing on mobile/smartphones (or indeed tablets etc.) still be seen as unaffected by an erroneous clock?

3) Could a clock's inaccurate date and time stamp allow content to be altered or amended before being presented for admissibility?

There are many layers of investigation involved in each of the narratives above, and there are other questions that haven't been raised. Some food for thought, yes, but also a reminder that extracting and harvesting data from a digital device is only a fraction of the work involved when dealing with mobile telephone evidence.

Sunday, April 22, 2012

Mini Course in Cell Site Identification (Pt3.s2)

Links to previous discussions in these Mini Course modules:

Mini Course in Cell Site Identification (Pt3.s1)
http://www.trewmte.blogspot.co.uk/2012/01/mini-course-in-cell-site-identification.html

Mini Course in Cell Site Identification (Pt2)
http://trewmte.blogspot.com/2011/12/mini-course-in-cell-site-identification_31.html

Mini Course in Cell Site Identification (Pt1)
http://trewmte.blogspot.com/2011/12/mini-course-in-cell-site-identification.html

In this module the discussion follows on, for section 3.2, identifying further locations where research material may be obtained to assist cell site identification (CSI). Previously in Pt3 s1 the observations identified where information can be obtained from a local authority or council planning department. The 'reality' of such information being in existence and available to any enquirer is due to statutory provisions and to public employees being employed to provide such information and identification, which is accessible because of the charges made within national and local taxes. Presumably this might be the same situation in other countries.

Regulator
In the UK we have the 'communications' (previously known as the 'telecommunications') regulator called OFCOM (Office of Communications). It is the duty of the regulator, according to EU directive, UK statute and regulation, to provide accessible information that is current and up to date. One of the tools that an examiner will use is OFCOM's sitefinder service. There is a caveat to the information available from this service, which states (http://www.sitefinder.ofcom.org.uk/):

"Sitefinder was set up as a result of recommendations of the Stewart Report in 2000. It is a voluntary scheme under which mobile network operators make information available on the location and operating characteristics of individual base stations, so that people who wish to inform themselves about this can do so.

"Ofcom hosts the Sitefinder tool on behalf of Government, which can be searched for the location and details of mobile phone base station sites around specific locations. The data within Sitefinder is owned by the mobile network operators, who supply it on a voluntary basis. A request made under the Freedom of Information Act 2000, for Ofcom to make available the information contained within Sitefinder, is subject to an ongoing legal process. Meanwhile, the mobile network operators (except Everything Everywhere) continue to provide voluntary updates which are made every 3 months or so.

The Sitefinder tool therefore remains available and reasonably current (except for Everything Everywhere sites); meanwhile Ofcom will not release the underlying database pending the outcome of the legal process.

Ofcom cannot accept liability for any inaccuracies or omissions in the data provided within Sitefinder, or its currency."

The OFCOM service does provide useful information about cell sites and an examiner would be quite foolish to ignore it, but equally foolish to believe this is the only source of information, independent from actual enquiries to the mobile network operator and so on. By way of illustration, I was able to show that information from the local council identified that historically a base station (cell site) had moved from its original installation (relevant to a particular investigation), which was not revealed by using the OFCOM service. This revelation is further support for an examiner being not only aware but, equally, astute.

An example of the discovery process from the OFCOM sitefinder website is a glimpse of the density of cell sites in a given area.

The relevance of the density of cell sites was discussed here - http://trewmte.blogspot.co.uk/2008/06/gsm-mast-installations-density.html

Moreover, the sitefinder site also provides details that have been registered by an operator about a particular mast.


Mobile Network Operator
However, the discovery process doesn't stop there: investigating a particular mobile network operator's website and searching for coverage in a particular geographical area is an equally important task to have performed. For this reason I have for quite some time provided links to UK mobile network operators' websites so that examiners can make investigative searches of a particular operator's site regarding coverage relevant for a particular geographical area.



International Marketplace
It is also relevant to be aware that mobile communications include 'Roaming' calls and discovery in other countries. The narrative above would largely be wasted without some reference sources, and below I have listed a few websites in order to bring an international understanding to this discussion:

US cell sites
http://www.cellreception.com/

Austria
http://www.senderkataster.at/

France
http://www.cartoradio.fr/netenmap.php?cmd=zoomfull

Malta
https://www.mca.org.mt

Netherlands
http://www.antennebureau.nl/

Sweden PTT
http://www.pts.se/en-gb/Radio/

GSMA Roaming and Coverage Maps
And for coverage aspects relevant to roaming an examiner can also visit the GSMA website to see what can be revealed about cell site identification and its coverage before conducting site surveys etc:

http://maps.mobileworldlive.com/

This module hasn't provided the definitive elements of cell site identification (CSI), but it does provide observations for examiners to explore the options for obtaining details about a cell site (mast) and also coverage from it. This may also reveal where the latter can provide important material, such as defining aspects of coverage, which may not have been revealed in documents / information presented by the other side.

As a refresher, readers of this mini course in cell site identification may recall that at the very outset I set out factors that impact on propagation from a mast and an interpretation of the possible function and responsibility of a mast, and thus the natural and obligatory requirement for an examiner to discover as much about the cell site (mast) as possible. The relevant parts produced thus far have intended to show that, even before the examiner peruses call records / mast details obtained for a particular case, the examiner cannot simply take those details at face value and must make strenuous efforts to understand that cell site identification is not merely about a cell ID, LAC, postcode, NGR, etc. but additionally about information on defined coverage that should assist the examiner to prepare for site surveys etc. Furthermore, the examiner must assess the information provided by the other side to identify or isolate omissions in it which, once revealed, may provide an entirely different fact or influence about the evidence the other side had failed to present.

Saturday, April 21, 2012

Evidence interpretation

"The problem with SMS messages today is that one cannot tell which texts are truthful." 
William Ewart Gladstone (1809-1898)

Sunday, April 15, 2012

Examination Techniques8: Simple Experiments2

This post continues the discussion, offering suggestions on ways to generate test methodologies so that, down the line, it might be possible to create validation and verification processes, practices and procedures for mobile phone examination (device under test (DUT)).

Assuming that an examiner is satisfied that s/he is using the appropriate tool and that it will extract and harvest data from the make/model (DUT) under examination, there is still the prior query: what exactly is this tool communicating to the DUT? For instance, considering logical data as opposed to physical data, does the tool intended for use provide an "output log" that contains the communications (commands) sent to the DUT (e.g. APDU or AT+ etc.) so that the examiner:

- can corroborate what is being instructed to the DUT when that tool is applied to it?
- can comprehend whether the responses (data) received from the DUT are as expected or are incomplete?
- can determine, should the data be incomplete, whether that is because the commands are incorrect in their instructions as to which data are to be extracted, or because the handset has not stored any further data other than the data returned in response to the command sent?

The objective of this simple experiment is to observe the content of any harvested logical data so that, when dealing with physical (deleted) data recovery, an examiner can start to build a template from known logical data samplings, in order to gain some understanding of what may be there and what may be missing in any deleted data that has been recovered.
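
The three questions above can be worked through mechanically once a tool does expose its command log. The following is an added example, not code from the original post or from any extraction tool: it reads a constructed AT-command log and reports whether a phonebook shortfall comes from the command range the tool sent or from the handset itself. The ">>"/"<<" log format, the function names and the sample numbers are assumptions; AT+CPBS? and AT+CPBR are the phonebook storage and read commands defined in 3GPP TS 27.007.

```python
import re
# Constructed sample log, hypothetical format: ">>" sent to DUT, "<<" received.
SAMPLE_LOG = """\
>> AT+CPBS?
<< +CPBS: "SM",5,250
<< OK
>> AT+CPBR=1,2
<< +CPBR: 1,"+447700900001",145,"Contact A"
<< +CPBR: 2,"+447700900002",145,"Contact B"
<< OK
>> AT+CMGL=4
<< +CMS ERROR: 302
"""
FINAL = re.compile(r"(OK|ERROR|\+CM[ES] ERROR: .*)$")

def parse_exchanges(log):
    """Group the log into [command, response_lines, final_result] records."""
    out = []
    for line in log.splitlines():
        kind, text = line[:2], line[3:].strip()
        if kind == ">>":
            out.append([text, [], None])     # None until a final result arrives
        elif kind == "<<" and out:
            if FINAL.match(text):
                out[-1][2] = text            # final result code closes the exchange
            else:
                out[-1][1].append(text)
    return out

def audit_phonebook(exchanges):
    """Compare what the DUT says it stores with what the tool asked for and got."""
    used, total, asked, got = None, None, set(), set()
    for cmd, lines, _ in exchanges:
        m = re.match(r'\+CPBS: "[^"]*",(\d+),(\d+)', " ".join(lines))
        if cmd == "AT+CPBS?" and m:
            used, total = int(m[1]), int(m[2])   # entries in use, slots available
        m = re.match(r"AT\+CPBR=(\d+)(?:,(\d+))?$", cmd)
        if m:
            asked.update(range(int(m[1]), int(m[2] or m[1]) + 1))
            got.update(int(t[7:].split(",")[0]) for t in lines if t.startswith("+CPBR: "))
    if used is None:
        verdict = "unknown: DUT was never asked how many entries it holds"
    elif len(got) >= used:
        verdict = "complete"
    else:  # shortfall: was it the command range or the handset?
        covered = asked.issuperset(range(1, total + 1))
        verdict = "incomplete: handset" if covered else "incomplete: command range"
    return {"used": used, "total": total, "returned": len(got), "verdict": verdict,
            "failed": [c for c, _, final in exchanges if final != "OK"]}
```

On the sample log the DUT reports 5 entries in use, the tool only requested slots 1 to 2, and the SMS listing command ended in an error rather than OK, so both the shortfall and the failed command are attributable to the tool's instructions and not to the handset.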

Previous discussions relevant to this topic:
Examination Techniques6: Simple Experiments - http://trewmte.blogspot.co.uk/2012/03/examination-techniques6-simple.html

Examination Techniques5: Validation and Verification - http://trewmte.blogspot.co.uk/2012/03/examination-techniques5-validation-and.html

External links:
http://www.forensicfocus.com/Forums/viewtopic/t=8879/

Saturday, April 14, 2012

Examination Techniques7: Bluetooth Headset

Examiners may find it useful to be reminded to obtain a copy of the Bluetooth headset (DUT) user guide prior to examination. There are numerous reasons, and some of these observations may prove fruitful.

1. A common headset feature that can be enabled for a particular headset is pairing with a primary device and a secondary device. This can mean a particular headset working with two mobile phones (at the same time???), or other devices such as laptops, PCs and PDAs.

2. As the identity of a headset is broadcast and then may be associated to a target handset and/or another device (and not normally the other way around), understanding the identities in the Bluetooth broadcast is relevant, and the Bluetooth standard used by the headset can be equally important.

3. Powering on a headset (DUT) can also reveal, on certain makes/models, the remaining battery level. Some headsets, e.g. HM1200, require the examiner to press and HOLD the talk button and the volume button at the same time, forcing the headset to respond using a sequence of 5 LED flashes in a particular colour to identify the level (as a percentage) of charge remaining in the battery.

The above points are so often overlooked in evidence, but can produce important facts or inferences about evidence that may be relevant to a case.

An additional point, not connected with the user guide: if an examiner intends to perform a chip-off examination, a word of caution. The lettering/digits printed for chip identification on some of the memory chips are so small that an examiner may need a microscope (e.g. with software in order to display image results on a computer screen).

Sunday, April 01, 2012

Cyclists Laws Require Registration

Unconfirmed reports, writes Loof Prila, are that Lord Raleigh the Minister for Cycling may announce shortly new laws to introduce a registration system for all cyclists in the UK with an age limit starting from 10 years of age upwards, following lengthy research with Police, Local Councils and various Cycling Organisations.

The new laws will require cyclists to carry insurance and wear a Fluorescent Sash displaying the cyclist's registration number on the front and back of an approved Sash. A Department for Cyclists will be set up at the DVLA and cyclists will pay an unconfirmed initial registration fee believed to be set at £45 per annum for each cycle registered by a user, with an annual cycle safety test to be carried out for a sum of £25.00 at approved MOT Test Centres, in addition to a cycling proficiency test to be carried out at the same time as the safety test, it is rumoured.

The new laws are thought to come into force on the 1st April.

Blinking Ice Cream Sandwich (ICS)

Samsung's 'Face Unlock', about which security concerns have been raised, has received a boost in the new OS upgrade release of ICS, which is reported to contain an additional security feature requiring the user to 'blink', in addition to existing security already in place, according to global.samsungtomorrow. So for those who thought of using a photo of the user for 'Face Unlock', it could now additionally require a moving image of the user blinking. Whether that requires the genuine user to blink naturally or allows forced blinking is unclear. Certainly something else to consider when dealing with a DUT with ICS OS during mobile phone examination.