Monday, May 05, 2014

New Book - RFPS (Radio Frequency Propagation Survey)

Joe Hoy from Forensic Analytics joins us this month at Cell Site Analysis blog to outline the purpose and content for his forthcoming book regarding  RFPS (Radio Frequency Propagation Survey).

What is your background, Joe?
"I am a telecoms engineer and trainer with 27 years of industry experience. For the last 17 years I have concentrated on telecoms training, specialising in cellular technologies particularly, for the past few years, 4G LTE.

"I have also worked extensively as a forensic cell site analyst and expert witness, contributing to many high-profile cases for either the prosecution or the defence. I’ve undertaken the work of the RFPS surveyor, capturing measurements of cellular coverage at crime scenes and other locations and have also provided extensive training for cell site analysts and RFPS engineers.

What is your current employment?
 "I now run a company called Forensic Analytics, we develop and supply software tools, such as our CSAS (Cell Site Analysis Suite) tool, to police forces and cell site analysis companies to aid them in processing call data records and RF survey results and also help them to effectively analyse, query, visualise and present that data. Traditionally, cell site analysis and their attendant forensic radio surveys were undertaken by external cell site experts, but there has been a growing trend, in the UK but also elsewhere, for law enforcement agencies to reduce the cost of forensic cell site investigations by taking some or all of the survey work ‘in house’.

Who are the potnetial readers of your book and why? 
"Many police forces now employ their own radio surveyors who undertake radio surveys for them – although there are many experienced radio engineers included in this set, in many cases the people being employed to perform these tasks are investigators and do not come from a cellular radio engineering background. Their understanding of the background of the role can therefore be somewhat limited and their technical understanding of the operation of the networks they are surveying may benefit from additional enhancement.

"In light of this, I have been asked by John Wiley Sons, the technical book publisher, to write a book that outlines the theory and practice related to the RFPS (Radio Frequency Propagation Survey) discipline within the field of cell site analysis.

Can you provide CSA blog readers with a brief outline of the content of the book
 "The first half of the book provides a reasonably simple but nonetheless detailed overview of radio theory, of basic cellular network principles and concepts and of the operation of cellular networks. The radio theory section provides an introduction to basic radio theory and offers simple explanations of the mathematical concepts that underlie radio measurements scales such as dB and dBm. The network types section is mainly focused on 3GPP network types – GSM, UMTS and LTE – but also provides an overview of the operation of other network types, such as 3GPP2 cdmaOne/CDMA2000/EV-DO, Chinese TD-SCDMA, WMIAX, WiFi, iDEN, TETRA and others.

"One of the main aims of the first half of the book is to introduce new surveyors to enough fundamental concepts to enable them to understand the meaning and significance of the measurements they will capture during surveys. It also provides details of the specific types of measurement that are captured for each network type and gives an idea of the typical range of values to be expected.

"The second half of the book focuses on forensic radio surveys; the various types of survey, the techniques employed for each survey type, the considerations and potential problems that can be encountered when surveying different types of network.

"This book is intended to be used as both a text book and as an aide memoire handbook by forensic radio survey engineers, particularly those working for official police agencies. It is not intended to act as a detailed technical reference for cell site experts or others who already understand these topics.

Which markets would benefit from your book?
"There is a growing market for cell site analysis in general. The UK has largely pioneered this area of forensic activity and has an experienced and mature market but the market in other parts of the world is still developing. Many countries use cell site techniques but base their conclusions purely on the proximity of a cell to a significant location. This isn’t ‘proof’ in an empirical sense and this type of cell site evidence is subject to challenge and dismissal in court. As cell site markets and techniques mature in other countries there will be a need for proper RFPS evidence and therefore, I hope, a growing market for the information provided in this book.

When will your book be available and how do readers get hold of a copy?
 "The book is due to be published by Wiley in the Autumn, but for further details please contact me at For details of our CSAS tool go to"

Sunday, May 04, 2014

iPhone factory reset bars access to revevlation

It has been known for sometime there is no general release that can handle the deleted encrypted data on iPhone 4s onwards.  The latest article in the The Register ( ) rehearses discussion the forensic community has already had about deleted keys and deleted encrypted data. The factory reset point merely reconfirms another method how a user can select an iPhone process to cause the data to no longer be available for access by the user.

These are just my own observations but I would find it highly surprising if the 'clever department' at Apple had not prepared for the day when National Security walks through the door with a grade 'X-level' warrant to decrypt, no matter the state of the smartphone. Germane and relevant to this type of discussion is that 'keys' are not so randomly generated that Apple couldn't predetermine access-doors or decryption methods based upon the smartphones IMEI, manufacturing batch, core processor, chip/s, board layout, country of supply and iOS etc being one side of the coin **. We are of course all being induced into talking about the other side of that same coin, the iPhone encrypted data made inert such that the data having no inherent power of action, motion, resistance or having little or no ability to react.

Fig.1 Example of a hacker's study for accessing an iPhone memory chip 

History has shown that due to necessity or hacking revelation can always be possible. Such an example of gaining access where the manufacturer failed to correct a security flaw inspite of being advised about it is not new ( ). Maybe a solution isn't too far off whether introduced by the manufacturer (vertical revenue stream) or another source divulges a method to reveal. However, we do need to be clear though where we stand. Forensics provides a particular 'defined approach' to examine and analyse a 'thing'. The process and procedures applied to the examination and analysis of a 'thing' takes into account various paths of enquiry including the producer/manufacturer spec of the thing; any inter/national and industry standards and legal requirements applicable to it; any academic and non-academic studies and materials that may be applicable; the skill, knowledge and experience of the individual involved with the examination and analysis. What we don't do or shouldn't do during the forensics process and procedures is 'hack' in the way hacking is commonly understood to be carried out or reverse engineer. The reason for that is by hacking/reverse engineering a thing a potential pitfall that arises is that the individual may cause or induce an event to occur on or in e.g. a smartphone that would have been impossible or unknown to the user of the smartphone and potentially create a suggestion of culpability that wasn't or didn't exist previously (add/loss data etc).

** Update 09/05/2014

"These Guidelines are provided for use by law enforcement or other government entities in the U.S. when seeking information from Apple Inc. (“Apple”) about users of Apple’s products and services, or from Apple devices. Apple will update these Guidelines as necessary. This version was released on May 7th, 2014."

" I. Extracting Data from Passcode Locked iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media.   Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

The data extraction process can only be performed at Apple’s Cupertino, CA headquarters for devices that are in good working order. For Apple to assist in this process, the language outlined below must be included in a search warrant, and the search warrant must include the serial or IMEI number of the device. For more information on locating the IMEI and serial number of an iOS device, refer to

Please make sure that the name of the judge on the search warrant is printed clearly and legibly in order for the paperwork to be completed."