Sunday, July 28, 2013

Forensic Erosion

The BBC website identifies a report by MPs that presents findings that many see as the chaotic forensic landscape in Britain today:

But there are other issues needing to be addressed, too.

In some ways the situation reminds me when I responded back in 2005, along with many others I should add, to a public consultation document on legal aid and engagement of consultants and experts in the UK. There is only so much that one can put into a document with the natural expectation that further questions would be asked of the author about its content in order to undestand the minutiae operating behind any opinion or solutions put forward. The solution I put forward was to remodel and reduce or remove regional distortion with respect to the expert fees and the forensics landscape.

Specific Skillset Education (SSE)
As many of you will know I have never pretended to come from an academic background, and despite many attempts by some to insult me due to their own fears that non-academics can know considerably more, I took their hostile approach and made positive of their negative approach by calling for academic qualifications in the area of forensics with which I am concerned - Germane and relevant then why, with the explosive growth and use of mobile communications, after four years there still no standalone academic qualifications in mobile forensics and evidence? There are some academic forensics courses that placed this important area into one-off mini-module to another degree course but it has been and still is plainly obvious that could never meet the standard automatically expected from proper academic skillsets qualifications that were and are needed. The current situation raises the notion that a person need not be academically qualified to intellectualise this subject, but would still require huge knowledge, skillsets and experience to get through. However, concerns about ready-made tools have given rise to what the professional community has called and is calling 'push button forensics' ( ) that implants the notion qualifications are not necessary. Alternatively, it is also noted Universities simply may not possess the knowledge, skillsets and experience to impart what is needed to students. What is needed is specific skillset education (SSE) to avoid jack of all trades, master of none.

Possible Solution
Perhaps the House of Commons Science and Technology Committee could look at giving support to people (like me and others) and allow us together with Parliament to create qualifications directly linked to a Prize Degree coming from the House of Commons Science and Technology Committee enabling citizens of this country to re-connect with Parliament. This would create a cushion. In other words, people want more out of Parliament and not just to feel but actually enjoy the experience Parliament serves all areas. Having a Parliamentary Commitee qualification can help do that.

Of course, my observations maybe seen as a novel idea but it would actually fill the gaps being left open by Universities that are unable to deal with a fast changing society and technology revolution and where people with long term knowledge, skill and experience are not working as University lecturers.         

Tuesday, July 23, 2013

New SIM Card Exploit

On the 19th July I posted about knowing exploits on and understanding originality and genuineness of a handset and (U)SIM Card.

Karsten Nohl on the 22nd July released details of an exploit for older type (no specifics as yet) SIM Cards using DES security. The exploit revealed a returned 'error code that contained the device's cryptographic signature, a 56-bit private key. It was then possible to decrypt the key using common cracking techniques.'

Importantly, the article goes on to identify possible exploits that may be caused when in possession of a decrypted key.

What isn't clear is whether the exploit leads to the creation of a cloned SIM Card that is operating live in the same network at the same time and whether the network detection techniques fail to pick that up?  That means not just detect (VLR/HLR) but take decisive action such as call tear down, blocking and suspending IMSI subscriber etc. 


For some background research materials specific to GSM SIM regarding Java servers and updating SIM OTA:
GSM 11.11
GSM 11.13 (Java Applets)
GSM 11.14 STK

Friday, July 19, 2013

Android DDMS Vulnerability

Android DDMS Vulnerability

A suggested in-memory patch solution to the DDMS vulnerability is reported in this article:

The article states "The flaw is located in an Android component known as the Dalvik Debug Monitor Service (or DDMS), the virtual machine that runs software on Android devices. The vulnerability affects almost all Android devices in use, could allow a malicious actor to modify a legitimate, signed Android application without affecting the application’s cryptographic signature. That would prevent Android from noticing the changes when the application is installed."

So to prevent any new threat occuring ReKey can help you do this. However, what is the solution where threat already existed on the Android phone prior to the in-memory patch being installed? Are there any known affects (exploits that add or alter data or cause call events etc)? Could those 'affects' impact on the weight given to evidence extracted and harvested from a particular smart phone?

How relevant is the above to device examination?   Computer forensic examiners spend hours and days sifting through data and studing how a program installs, executes and stores activity generated by use of a program. Smart phones are now highly complex radio communication and electronic devices running a multitude of internal operating programs, user access programs fashioned to the device, interfaces to connect to other devcies and, all importantly, programs to communicate using radio transmission/receiver technologies GSM, W/CDMA, LTE, Wi-Fi, Bluetooth/IRDA, RFID/NFC.

In the early days of mobile phone examination the SIM Card was the focus of attention as little occurred by way of the handset itself. Evolved feature handsets have transformed mobile phones to smart phones and processes of acquiring data have largely become mechanical with plug-in tools pumping out data in production line fashion. Invariably examiners cannot rely simply one one tool but require a toolbag of tools. These tools in themselves are still not enough as the art and skill of interpretation as to the cause and effect and meaning of data are not present in the tools. Sure, tools may show e.g. a (static/active) graph of internet activity of a smart phone once data has been harvested from it but does the tool confirm whether the smart phone automated that process or whether it involved human intervention to cause the intenet activity?

Evolved, too, has the (U)SIM. Which means understanding of what is actually stored on it and applications that run from it, the (U)SIM, cannot be ignored when it comes to automated processes and human intervention.

Image - SIM Toolkits (STKs): Proactive SIM enables and allows a SIM to issue commands and action responses and thus may be susceptable to generating events in a manner and form that needs to be understood (see: GSM11.14).

The DDMS vulnerability reminds us that over-reliance on a tool simply to extract and harvest data and then present the data in a eye-pleasing format is not enough. Understanding the program/s and apps on a smart phone and in a USIM, its genuineness and originality, how data and records are caused to be generated and the interpretation of the records and data is now where we are at. Production line (bang it on, bang it out) recordings of only call activity, phonebooks, texts, IM messages, graphics, internet etc is fast becoming an incomplete methodology for smart phone and USIM examination.