Friday, March 27, 2015

Last SIM Details

Has anyone else run any tests using the free LSD.exe tool?

This program is from

The concept behind this tool is very good and it is a great credit to the authors to allow free distribution of LSD.exe.

Screen dump for LSD.exe v1.2.0 - Samsung D500 flash file

- HELP About
- Able to parse .bin and .pm data files.
- Regex customiser allows you to define country and network parameters to eliminate false positives
- Generic network search allows you to search for all Mobile Network Codes (MNC), however using this method may bring back more false positives
- Advanced view provides the user with all IMSI matches and offsets within the data file
- The summary view counts recurrences of IMSIs in order to display unique values
- Limited testing has been performed on live data. Please verify your results

This program was designed and developed by Jason Nicolaou and Daniel Roe.

There are in fact three option settings that can be applied, not two as offered by the menu:

 1. Make no option selection at all
 2. Generic search
 3. Samsung mode

All return search data depending upon the flash file being read.

The authors have explicitly stated the limitations of the program. I emailed and left messages at the authors website but have not received any replies.

IMSI as stored: leading nibble 9 = the EF_IMSI type/parity nibble (binary 1001: bits 1 to 3 = 001 for an IMSI, bit 4 = 1 for an odd number of digits, per 3GPP TS 51.011), not a UK prefix* / 234 = MCC United Kingdom / MNC = xx
*Not to be confused with the ITU-T E.118 ICCID prefix 89, the Major Industry Identifier (MII) for telecommunications under ISO/IEC 7812-1

The program's GUI search window, above, returns (along with other details) values e.g.

Offset: 3962356 IMSI: MCC/MNC/Subscriber detail = 234919011221080

In HxD (used to examine the raw flash file), below, the same offset holds the IMSI in its stored form, BCD digits with the two nibbles of each byte swapped:

e.g. reverse nibble: 29 43 19 09 11 22 01 08

Swapping the nibbles back gives 9 234919011221080: the leading 9 is the type/parity nibble and the remaining 15 nibbles are the IMSI digits.

Screen dump for HxD.exe - Samsung D500 flash file

LSD.exe searches the flash file and performs translation. The translation (top of page) was obtained using Option: Generic search.

LSD.exe returns the MNC as "unknown" - verified.
LSD.exe returns known MNCs as well - verified.
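The decode that LSD.exe performs can be reproduced in a few lines. The Python below is an added example written for this post, not the tool's own code (its source is not published here): it decodes the swapped-nibble EF_IMSI layout, slides a window over a flash image, filters by MCC the way the regex customiser does, and counts recurrences the way the summary view does. The flash image is constructed, and the operator table is a partial, illustrative list used only to show the known/unknown distinction.

```python
"""
Scan a flash dump for IMSIs stored in EF_IMSI form (3GPP TS 51.011 / TS 31.102):
BCD digits, low nibble first, preceded by a type/parity nibble whose low three
bits are 001 (identity type IMSI) and whose bit 4 is 1 for an odd digit count.
For a 15-digit IMSI that nibble is 0b1001 = 0x9, the leading '9' seen in HxD.

Added example, not LSD.exe's code. FLASH below is a constructed image, and
KNOWN_MNC is a partial list used only to show the known/unknown distinction.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

KNOWN_MNC = {("234", "10"): "O2 UK", ("234", "15"): "Vodafone UK",
             ("234", "20"): "Three UK", ("234", "30"): "EE"}   # partial list


def swap_nibbles(data: bytes) -> str:
    """Hex digits of `data` read low nibble first, as the SIM stores them."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)


def decode_imsi(raw: bytes) -> Optional[str]:
    """Decode 8 digit-bytes of EF_IMSI (no length byte). None if malformed."""
    if len(raw) != 8:
        return None
    nibbles = swap_nibbles(raw)
    head = int(nibbles[0], 16)
    if head & 0x7 != 0x1:            # not flagged as an IMSI
        return None
    digits = nibbles[1:]
    if not head & 0x8:               # even digit count: last nibble is 0xF padding
        if digits[-1] != "f":
            return None
        digits = digits[:-1]
    if not digits.isdigit() or len(digits) < 6:
        return None
    return digits


def encode_imsi(imsi: str) -> bytes:
    """Inverse of decode_imsi: type/parity nibble + swapped BCD digits."""
    head = 0x1 | (0x8 if len(imsi) % 2 else 0x0)
    s = f"{head:x}{imsi}"
    if len(s) % 2:
        s += "f"
    return bytes(int(s[i + 1] + s[i], 16) for i in range(0, len(s), 2))


def scan_flash(blob: bytes, mcc: Optional[str] = "234") -> List[Tuple[int, str, str]]:
    """Slide an 8-byte window over `blob`. Return (offset, imsi, operator) for
    every window that decodes as an IMSI; mcc=None is the 'generic search'
    that keeps every country and therefore more false positives."""
    hits = []
    for off in range(len(blob) - 7):
        imsi = decode_imsi(blob[off:off + 8])
        if imsi is None or (mcc and not imsi.startswith(mcc)):
            continue
        # two-digit MNC assumed, as in the UK; some countries use three
        operator = KNOWN_MNC.get((imsi[:3], imsi[3:5]), "unknown")
        hits.append((off, imsi, operator))
    return hits


def summarise(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Summary view: count recurrences so each IMSI is listed once."""
    return dict(Counter(imsi for _, imsi, _ in hits))


# Constructed flash image: erased 0xFF padding, the IMSI from the HxD dump,
# an EF_IMSI-style record with its length byte, a junk run that also passes
# the structural check, and the first IMSI again.
FLASH = (
    b"\xff" * 40
    + bytes.fromhex("2943190911220108")          # 234919011221080 (from the dump)
    + b"\x00" * 20
    + b"\x08" + encode_imsi("234100000000001")    # constructed record, MNC 10
    + bytes.fromhex("2943000000000000")          # junk -> '234000000000000'
    + bytes.fromhex("2943190911220108")          # same IMSI, second occurrence
)

if __name__ == "__main__":
    for off, imsi, op in scan_flash(FLASH):
        print(f"Offset: {off} IMSI: {imsi} ({op})")
    print("generic search hits:", len(scan_flash(FLASH, None)))
    print(summarise(scan_flash(FLASH)))
```

Run as a script it lists four UK hits, one of them the junk run, and the generic search (no MCC filter) returns six, because windows starting inside a genuine IMSI can also pass the structural check. Any run of BCD digits in the image (dialled numbers, timestamps) whose first nibble happens to be 1 or 9 looks the same to a scanner, which is why the country/network filter matters and why every hit still needs checking against the SIM or handset.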

From the flash file library, two old Samsung models, the D500 and D600, were selected to see if LSD.exe would work with older flash files. LSD.exe did work, and false positives were obtained, as the authors point out.

LSD.exe also revealed, when the D500 and D600 results were compared, that the same IMSIs were found in both flash files, one example being (which I have anonymised):

 - 2341007xxxxxxxx

The fact that the D500 flash file and the D600 flash file were apparently not connected in any way raises the question of whether such results are true positives or false positives.

Furthermore, if they are true positives then the authors' statement that the tool should be used for intelligence purposes lives up to that expectation.

Sunday, March 22, 2015

CSA Wi-Fi Testing

As modern (3G/4G) smartphones have the radios to access multiple wireless technologies, Wi-Fi coverage analysis extends the range of cell site analysis (CSA) radio measurements that can be identified on site for location-based tests. See previous discussion

ITU 150th Anniversary (1865-2015)

The 150 ITU 1865 2015 logo is copyright of the International Telecommunication Union and reproduced with kind permission

In May 2015 the International Telecommunication Union reaches its 150th anniversary.

So what has happened in the world between 1865 and 2015? I thought I would highlight some events that usually go under the radar:

- football clubs established at that time :
- some cyclists have been pedalling for a really long time :
- as well as a bygone era in railway :
- Nokia started out as a wood pulp mill :

For more well known events just search the world wide web (www).

The ITU plays an important global role producing technical reports, recommendations and guidance on telecommunications, cellular and satellite, to name just a few technology sectors. That influence should never be underestimated. Indeed, the work of the ITU impacts on mobile forensics and cybercrime too. I have recorded a few trewmte blogs as examples:

International Telecommunications Union and CSA

CSA - Site Survey Method 2

CSA - Site Survey Method 2/ITU

Cybercrime: procedures, deterrent and investigation

It seems to me fitting, since I have gained so much knowledge and understanding from the work of the ITU, to pay tribute to them by inviting readers to visit their website celebrating the 150th anniversary of this phenomenal and great institution known as the International Telecommunication Union:

Thursday, March 19, 2015

Emotion Icons

From a recent discussion about knowledge/skills and experience, and about operators of forensics tools having a range of training, contributors' comments varied as to exactly where the demarcation line lay regarding 'competence', that is, how far an examiner should go to validate the data extracted and harvested from a mobile phone. Bit and byte level work, carving out etc. brought some responses suggesting these were not seen as paramount to know, which seemed to me to suggest, at any rate, reliance on the forensic tool to get it right.

A couple of observations I raised were these:

Some examples of required technical competence

(c) A good example of checking the tool's output is cross-checking it against the physical mobile handset. Take the standard Smart Messaging, which can contain images. The tool extracts and the output is harvested. The image shown by the tool is not always the same as that shown on the mobile phone. Why? Are the proprietary applications that reside on the handset not the same as those in the tool? Can a Smart Messaging image be interpreted differently by another make/model of handset? Or did the tech/examiner fail to perform the extraction and harvesting properly? So where would blame lie in a situation like this?

I have added an example for a Philips Savvy mobile phone from 1999 (15 years ago), when it was known that different makes/models handled emotion icons (emoticons) differently.

 (d) Remaining with SMS text, you may know about 7-bit, 8-bit and 16-bit encoding for SMS text messages. But how about variations such as Fernschreiber (teleprinter) 5-bit encoding, which can be used in SMS PDU mode and allows one single message to contain 224 characters (140 octets x 8 bits / 5 bits per character)? A user may send one text of 224 characters, but with 7-bit encoding (160 characters per message) the mobile phone sends it as a GSM concatenated text message, e.g. in 2 messages (concatenation can run to a maximum of 255 messages). Does the tech/examiner immediately mistake the 5-bit 224-character message for a concatenated message?
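As an added example (not the post's code), the following Python shows the arithmetic behind point (d): the same 224-character text packed at 5 bits per character fits in one 140-octet user-data field, while at 7 bits per character it needs two concatenated parts carrying a User Data Header. The 7-bit packing and the UDH follow 3GPP TS 23.038/23.040; the 5-bit alphabet is a constructed 32-symbol table, not the real teleprinter code, and the message text is constructed.

```python
"""
SMS user-data packing: GSM 7-bit septets versus a 5-bit packing of the same
text, and why one text can arrive as a single PDU or as two concatenated parts.

Added example for the post above; it is not the post's code. The 7-bit packing
and the concatenation UDH follow 3GPP TS 23.038 / TS 23.040. FIVE_BIT is a
constructed 32-symbol table used only to show the capacity arithmetic; it is
not the Fernschreiber/ITA2 code, which needs letter/figure shifts.
"""
from typing import List, Tuple

# GSM 03.38 default alphabet, index = 7-bit code
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
FIVE_BIT = " ABCDEFGHIJKLMNOPQRSTUVWXYZ.,?!-"      # constructed, 32 symbols


def pack_bits(codes: List[int], width: int) -> bytes:
    """Pack `width`-bit codes LSB-first into octets (the TS 23.038 layout)."""
    acc = nbits = 0
    out = bytearray()
    for code in codes:
        acc |= code << nbits
        nbits += width
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_bits(data: bytes, width: int, count: int) -> List[int]:
    """Inverse of pack_bits; `count` is needed because padding is ambiguous."""
    acc = int.from_bytes(data, "little")
    mask = (1 << width) - 1
    return [(acc >> (i * width)) & mask for i in range(count)]


def gsm7_encode(text: str) -> bytes:
    return pack_bits([GSM7_BASIC.index(ch) for ch in text], 7)


def gsm7_decode(data: bytes, septets: int) -> str:
    return "".join(GSM7_BASIC[c] for c in unpack_bits(data, 7, septets))


def five_bit_encode(text: str) -> bytes:
    return pack_bits([FIVE_BIT.index(ch) for ch in text], 5)


def five_bit_decode(data: bytes, count: int) -> str:
    return "".join(FIVE_BIT[c] for c in unpack_bits(data, 5, count))


def capacity(width: int, octets: int = 140) -> int:
    """Characters that fit in one user-data field of `octets` bytes."""
    return octets * 8 // width        # 7 -> 160, 8 -> 140, 5 -> 224


SEPTETS_PER_PART = 160 - 7   # 6-octet UDH + 1 fill bit occupy 7 septets


def build_concat_parts(text: str, ref: int = 0x2A) -> List[Tuple[int, bytes]]:
    """Split `text` into 7-bit concatenated parts with an 8-bit-reference UDH
    (IEI 00). Returns (UDL in septets, UD octets) for each part."""
    chunks = [text[i:i + SEPTETS_PER_PART] for i in range(0, len(text), SEPTETS_PER_PART)]
    parts = []
    for seq, chunk in enumerate(chunks, 1):
        udh = bytes([0x05, 0x00, 0x03, ref, len(chunks), seq])
        codes = [GSM7_BASIC.index(ch) for ch in chunk]
        # 7 zero septets = 49 bits: 48 for the UDH plus the single fill bit
        packed = pack_bits([0] * 7 + codes, 7)
        parts.append((7 + len(codes), udh + packed[6:]))
    return parts


def decode_concat_part(ud: bytes, udl: int) -> Tuple[int, int, int, str]:
    """Parse one part (TP-UDHI set): returns (ref, total, seq, text)."""
    udhl = ud[0]
    ref, total, seq = ud[3], ud[4], ud[5]
    # put zero octets back where the UDH sat so the fill bit lines up again
    packed = bytes(udhl + 1) + ud[udhl + 1:]
    codes = unpack_bits(packed, 7, udl)[7:]
    return ref, total, seq, "".join(GSM7_BASIC[c] for c in codes)


# Constructed 224-character message: one 140-octet UD at 5 bits/char,
# but two concatenated parts at 7 bits/char.
DEMO = ("THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG. " * 5)[:224]

if __name__ == "__main__":
    print("capacity 7-bit:", capacity(7), " 5-bit:", capacity(5))
    print("5-bit single PDU octets:", len(five_bit_encode(DEMO)))
    for udl, ud in build_concat_parts(DEMO):
        print(f"7-bit part: UDL={udl} septets, UD={len(ud)} octets, UDH={ud[:6].hex()}")
```

The practical point for an examiner is that a 140-octet user-data field with TP-UDHI clear and an 8-bit data coding scheme carries no marker saying how the application packed it; decoding it as septets produces 160 characters of garbage, and only knowing the application's 5-bit table recovers the 224 real ones. The concatenated case is the opposite: the UDH (here 05 00 03 2A 02 01 and 05 00 03 2A 02 02) is the only thing that ties the two parts together, so a tool that drops or ignores it presents one message as two.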

I chose these observations because they highlight how deceptive recovered data can be when viewed through the GUI of the tool used to extract and harvest it. Viewing recovered data can be a trompe l'œil (a deception of the eye) if, as examiners, we merely accept at face value what the tool tells us. Additionally, a tool cannot encompass all of a mobile's features or the interpretation libraries associated with particular data.

The emotion icons discussion interested me because at first blush emoticons may be perceived as simple smiley faces, different Unicode characters etc. However, with emotion icons and emoji widely in use on mobile devices, emoji can also be used, e.g., for encrypting messages, which takes these icons into a completely different ball park when it comes to evidence. Another example of the potential for mistaken identity about the meaning of the data.

Appeal case - Boardman - phone evidence/cell site

The serving of evidence, and, arbitrarily, what should or should not be served, is highlighted in this Appeal case. It is noted that the Appeal Court dealt with issues surrounding burdensome requests for evidence made to the police. I suspect the comments of the Appeal Court could be misconstrued, meaning there is potential for further hearings as to the relevance of evidence. The Appeal Court indicates it is an abuse for the defence to get the police to do their work. Also, too much weight was being placed on the police not supplying the evidence in the format received from the operators (.xls(x) as opposed to the served .pdf) as an element in dismissing a case.

The problem with Appeal cases like this is that, whilst they are excellent in giving guidance on how to go forward, they do not establish what the police should be doing in relation to what evidence to obtain in the first place. If the police simply obtain call records and cell details and do no more, what weight can be given to this?

Looking at other issues

(a) If the police decide on minimal evidence (e.g. cell details) then is it the position that the police or the prosecution (for that matter) are waiting on the defence to conduct cell site analysis including radio test measurements at points of interest, thus doing the work for the police/prosecution?

(b) If the police conduct cell site radio test measurements is there a requirement to find out (i) the operational performance of the cell site/s at the material time/s to compare with conducted investigatory tests, which happen after the alleged offence has been committed, or is it the case (ii) that the defence cannot ask for justification as to the validation of any tests as to whether the police/prosecution have made the appropriate enquiries to the operator/s concerned regarding operational performance of particular cell sites?

These are just some of the many questions that arise.

Cell site analysis is important not only from a criminal investigations aspect but at national security level as well. The value as a useful investigation tool is not one sided, but can become that way if the science approach, technical understanding and evidential pillars are randomly chosen.