Friday, August 30, 2013

Lawful Interception - Cloud/Virtual Services

Lawful Interception - Cloud/Virtual Services

As more and more people move to mobile/wireless devices to access virtual services so mobile forensics is having to expand its boundaries too in order to cope with cloud/virtual servcies. Many people misunderstand mobile forensics and see its role limited to arguments on good practice and methodology (extract and harvest data from mobile/smart phones). This narrow view is completely wrong but has arisen as mobile forensics is being labelled in some quarters as a sub-category of e.g. computer forensics in criminal proceeding. However, mobile forensics encompasses a wide area and on principals of science fact that computer forensics can operate:

- criminal investigation
- civil investigation
- contract and commerical ventures
- consultancy
- education
- public services/national security     

In civil cases there is the investigation process, for example, of requiring examination of the mobile/smart phone as the conduit between confidential information being jettisoned to a secret file in the Cloud, because there is no trail of bread crumb data evidence on the PC/laptop. Radio signals are not part of computer forensics, unless we all ursurp the laws of physics and rename, for instance, radio signals as computer signals just to be able to lock mobile forensics to computer forensics; it would be just absurd. The investigatory elements requires knowing whether the device is capable of working with HSPA etc as opposed to suggesting full blown data streaming occurs on basic GSM transmission technology. In other words the investigator must be realistic in his/her approach. That equally means understand cell site analysis so that the investigator knowns to understand the advantages of, for instance, MIMO in the wireless arena and the base station set up for that purpose.

Mobile Cloud usage is on the increase and therefore public servcies/national security will equally require to understand any loopholes that exist. Mobile forensics provided for consultancy or in education again requires obtaining facts and understanding processes and procedures as indeed does contract and commercial ventures that require accuracy in description and terms for technology usage.  

It is upon that basis this blog discussion introduces Lawful Interception - Cloud/Virtual Services so that whilst law enforcement and national security would seem the obvious target audience, it doesn't take that much effort to realise how all the other categories in which mobile forensics operates equally benefit from knowing the subject matter.

I am not able to provide masses of info or say too much on this issue but I thought trewmte blog readers might be interested in several informative documents about the subject matter. You may even appreciate the irony of making the downloads for these documents via Dropbox.


As a primer this is a very helpful document:

ETSI TR 102 997 V1.1.1 (2010-04)
Initial analysis of standardization requirements for Cloud services

The present document describes standardisation requirements for cloud services. It is based on the outcome of the ETSI TC GRID Workshop, "Grids, Clouds and Service Infrastructures", 2 and 3 December 2009. This event brought together key stakeholders of the grid, cloud and telecommunication domains to review state of the art and current trends. Needs for standardisation, with a particular focus on the emerging area of cloud computing and services, were discussed. The present document introduces and expands on the conclusions reached. This is not an exhaustive survey and is intended to serve as the basis for future work.


A useful guide to the mechanisms needed to enable eWarrants to function in the global marketplace.

ETSI TR 103 690 V1.1.1 (2012-02) Lawful Interception (LI); eWarrant Interface

The present document presents a high-level description of an interface mechanism - the eWarrant Interface - for receipt of requests for measures producing real-time or stored information by an issuing authority possessing lawful authorization to initiate such a request. The eWarrant Interface is a generic, extensible interface intended to be fully compatible with all existing kinds of requests for these purposes - as well as support future ones, including local
requirements and languages or character sets. The eWarrant Interface is not intended to replace existing implementation-specific mechanisms found, for example, in the Retained Data Handover Interface.

The present document describes an electronic interface. Annex B describes work flow for an eWarrant in different jurisdictions and a means for discovering related information. Annex C describes how this interface may be adapted and made interoperable for manual and legacy techniques. The present document provides a high-level description of the interface mechanism. It defines basic principles of interoperability, and provides recommendations for the types of data that are delivered. It provides a recommendation on the choice of data modelling languages, but the present document does not give a normative structure for the delivery of eWarrant messages. It is envisaged that a later Technical Specification will add the required details for a full implementation.


Here is the draft standard being worked on that will eventually be the agreed standardised approach to interception for Cloud and Virtual Services that occurs trans-border.

Draft ETSI DTR 101 567 V0.1.0 (2012-05) Lawful Interception (LI); Cloud/Virtual Services (CLI)
The present document provides an overview on requests for handover and delivery of real-time information associated with cloud/virtual services. The report identifies Lawful Interception needs and requirements in the converged cloud/virtual service environment, the challenges and obstacles of complying with those requirements, what implementations can be achieved under existing ETSI LI standards, and what new work may be required to achieve needed Lawful Interception capabilities. Cloud Services in whichever forms they take (Infrastructure, Software, Platform or combinations of these) are often trans border in nature and the information required to maintain Lawful Interception (LI) capability or sufficient coverage for LI support may vary in different countries, or within platforms of different security assurance levels. This work aims to ensure capabilities can be maintained while allowing business to utilise the advantages and innovations of Cloud Services and was undertaken cooperatively with relevant cloud security technical bodies.

Thursday, August 29, 2013

Mobile Forensics Diplomas

Following on from the article Forensic Erosion ( ) the MTEB Diplomas fill the gap between a time limited (expiration) certificate and a Degree course. You may not have seen it but I did produce six MTEB Diploma options and posted it here - . Moreover, it could help Universities focus their approach to producing Mobile Forensics Degrees with applicants holding a Diploma using it for credits towards the Degree.

The excellent feature of a possessing a Diploma is that it continues to have a value as representation of a person's knowledge, skills and experience similar to a BSc/MSc/PhD. Certificates (e.g. product training certificates) are useful but unless you purchase training year in year out for that same product, which the product can undergo regular changes, waving a five or ten year old certificate may be considered as to its relevance to the evidence or work of a person has been involved.

When a Diploma is undertaken it enables the student to demonstrate current knowledge, skills and experience whilst defining future objectives such as processes and procedures desired to be achieved or occurring in the current marketplace.

A Diploma does not require the student to develop a "new" or "unique" design, process or proposition previously undiscovered (unlike BSc, MSc or PhD trial and error) but demonstration of the student's existing knowledge and how to deploy those skillsets and experience with what works and only express where the subject sees marketplace events or targets to be achieved.

Diplomas are considerably less expensive than BSc, MSc and PhD as they are of a shorter study/submission period, thus present current knowledge, skills and experience to be known sooner and recognised (put to work) in current markets, without limitation of an expiration date associated with a product Certificate at one end of the scale or outdated by the time final semester (BSc/MSc/PhD) is achieved at the other end of the scale.

A Diploma module e.g. * Diploma for ME and UE Technology Examination - Mobile Telephone Diploma Core CMSU3 - enables a candidate to consider mobile/smart phone examination as a specific subject or consider the ME/UE in connection with/to:

* Foundation/Research Skills and/or
* QA and Evidence Handling and/or
* association with SIM and USIM Technology Examination and/or
* Call Records and Network Records Analysis and/or
* Cell Site Analysis

Thus permutation options for submission of a Diploma report may include the expression of ME and UE Technology Examination in isolation or include one or more of the above subjects.

The latest MTEB Diploma Modules Guide is MTEdipl 2.2 ( )

Friday, August 23, 2013

Operational Audit Check (OAC) is part of Cell Site Analaysis (CSA)

Cell Tower Fire 

There is a news aticle on about a mast (US cell tower) that caught figure during an install/maintenance work ( The article provides us with a useful reminder when conducting cell site analysis (CSA) to remember to conduct an operational audit check (OAC) and request confirmation that the target mast and the density of support radio coverage masts in the immediate area were all operational at the material time. This should be requested as soon as practicalable to do so.

Invariably, an event (e.g. a serious crime) requires instant action and requires, if relevant, knowing the cell coverage at the scene of crime (SoC) and the coverage in surrounding areas (e.g. identifying potential get away routes). It could impact the investigation if an OAC is not conducted regarding the density of surrounding masts and it later comes to light a mast was out of commission for a period and other masts in trh surrounding area had their coverage increased.

In some cases, it may not be possible at short notice to draught-in coverage from other masts and a radio black spot may occur. This, too, is in important to anticipate and be considered when analysing call records, road networks and the density of masts (thus coverage) upon the landscape. Moreover, if the out of commission mast is at a central location of a road network or town/city, consider also the base stations delivering small cell/micro cell coverage. Many of these base stations have their antennas tilted. There are two types of tilt commonly available: electrical and mechanical. Electrical tilt enables the network to remotely alter the tilt angle of the antennas. Mechanical tilt requires an engineer to visit site and mechanically alter the antenna tilt. Here again, not considering these points could mean an investigation can include arriving at erroneous conclusions that may be uncovered later on.

My experience of performing OAC for particular cases can vary from the experience of others. I am not able to say why information I have found was available was not accessible to other experts/investigators. It seems to me that an illustration of the information that supports the above comments I made should be demonstrated. I have hidden some cell site/mast details from the data served in a particular case, that of site name, address and NGR, as this relevation is not necessary to specifically identity the cell site/mast details in that particular case. However, it is assumed that site name, address and NGR are standard details that form part of the request of the information sought from a particular operator.

Below is further reading material I hope you will find helpful, which I have produced here at the blog in the past, and that the events/actions mentioned in them might provide further support or clarity to you about the issues discussed above or during an investigation.

LTE, Test Trials and Cell Site Analysis

CSA - R&TTE Directive

GSM Mast Installations (Density)

Basic Terrain Plot, GPS & CSA

CSA: From Ockham's (Occam's) Razor to Checking Masts

Cell Site Analysis (CSA) Images

Cell Site Analysis (CSA) Images Part 2

Cell Site Analysis (CSA) Images

Mobile Phones and Fringe Coverage

Evolving Cell Site Analysis (CSA)

Mini Course in Cell Site Identification (Pt3.s2)

Mini Course in Cell Site Identification (Pt3.s1)

Mini Course in Cell Site Identification (Pt2)

Mini Course in Cell Site Identification (Pt1)

Sunday, August 11, 2013

Windows Phone Online App Builder

It is not easy to encourage people to start programming, largely because it presents itself  as a daunting task to learning a new set of rules relevant to a particular vocabulary, syntax, etc in order that an app or utility can work with a particular existing program or operating system. The problem also exists knowing where to get started without being overwhelmed with the cost of buying programming tools, maybe upgrading the computer on which the app will be produced and then have the skillset and techniques to know how to design the app itself.

Getting started can be much easier than might be thought at first instance. Microsoft Windows Phone App Store website ( ) has made available online a simple way to create an app online which will allow the user to work with different templates and then te site automates the production of source code that can be updated should improvements to the app design/layout/content become necessary. The app can be loaded to a particular windows phone for trial testing.

 Image courtesy of Microsoft Windows App Store

Well done Microsoft, this is a great idea. Whilst other mobile OS app builders have their own solutions, this online solution is unique for Windows Phone. Have a go and see for yourself.

I do forecast that the whole programming environment will under-go a further revolution whereby the tools for programming and emulator testing will all be free in the future to encourage app building and commissioning. Back in 2007 I wrote a prediction regarding handset owners should be allowed to profile their own mobiles "Alternatively, the likes of Nokia, Motorola, SonyEricsson, Samsung etc could create mobile 'phones with the appropriate GSM/GPRS/WCDMA/WiFi wireless operating systems on them and allow the general public to profile their handsets with the application features (download) they not only like, but actually want."

Tuesday, August 06, 2013

RIPA 2000 s1(3)

The contents of this site, and communications between this site and its users, are protected by database right, copyright, confidentiality and the right not to be intercepted conferred by section 1(3) of the Regulation of Investigatory Powers Act 2000. The use of those contents and communications by Internet Service Providers or others to profile or classify users of this site for advertising or other purposes is strictly forbidden.

Regulation of Investigatory Powers Act 2000
1. Unlawful interception.
(3)Any interception of a communication which is carried out at any place in the United Kingdom by, or with the express or implied consent of, a person having the right to control the operation or the use of a private telecommunication system shall be actionable at the suit or instance of the sender or recipient, or intended recipient, of the communication if it is without lawful authority and is either—
(a)an interception of that communication in the course of its transmission by means of that private system; or
(b)an interception of that communication in the course of its transmission, by means of a public telecommunication system, to or from apparatus comprised in that private telecommunication system.