Sunday, April 23, 2017

Contaminating Evidence THREE

Parts ONE and TWO can be found here for those who haven't followed the discussion so far:

Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html

Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html

I have received enquiries asking for references on how to test whether a damaged SIM card is working or not. This is not a case of simply sticking the damaged SIM card into a SIM reader and using software to see what content is returned from various data files.

Lab Managers, Section Leaders and Examiners need to define the aims and objectives for testing damaged SIM cards. This should be on the basis of the Test A Damaged SIM Card SOP. The general statements in these discussions are not aimed at telling you what to do or how to write your examination processes and procedures. They offer, hopefully, helpful suggestions on the basic materials needed to develop and evolve a SOP. The following materials could serve as a foundation template to guide the preparation of headings and descriptions, themselves used to define how tests should be conducted.

Setting aside how to top and tail a SOP document, and the merits of aims and ambitions, Do's and Don'ts (so to speak) and so on, the focus here is on the relevance of "interface". The first question to ask is: whose interface? There are a few to deal with when examining a damaged SIM card:

1) The hardware interface of the damaged SIM card
2) The software interface of the damaged SIM card
3) The probes of hardware of the examining tool
4) The software of the examining tool

Because there are many internal communications entities on a SIM card, it can be thought of as having its own mini-network. Here is an image of a communications network where at certain points interception is required to deal with e.g. cyber attacks.




We can see network elements as being defined as entities of the network and we need to get to those entities to discover what is inside (content). We therefore require defining the object identifiers for 'path-to-content', so perhaps creating an identifier tree that illustrates the reference points of interest can help you do that?

Unlike a full communications network, of which it is not realistic to attempt to obtain an image, the SIM card's mini-network in a device can be imaged. To identify elements and entities in the SIM card's mini-network, examiners can look to the following standards:

ISO/IEC 7816-1
GSM 11.11; 11.12; 11.14; 11.17; 11.18
3GPP 31.120;31.121
ETSI TS.102230

To illustrate how the standards can be used to create a standard operating procedure (SOP), in the photo below I have identified physical, electrical, electronic and logical elements to be considered by combing through the details, taking the test reference identifiers in GSM 11.17 and overlaying them on the GSM 11.11 reference points. These are known as the SIM test groups.



Germane and relevant is that the interface processes and procedures chosen have a 'forensic' requirement that the device's content should not be altered by our actions (so to speak). "Human Intervention and Tools (HIT) need to demonstrate that their interaction with the device does not change any data. All tests carried out using an examination tool should also be carried out on the basis of understanding any limitations of the tool."

So when it comes to testing the damaged SIM card we have background knowledge, but does that mean we have to create new software utilities and hardware for testing to see if the card can be imaged using a SIM card reading software? There is a huge range of physical hardware readers out there that are compliant with the Standard's physical, etc. interface requirements. To support that proposition examiners can use hardware such as SCR331 etc. Moreover, there is the utility PC/SC diagnostic tool. I chose this utility because it was available back in 2002-2003 and a popular tool for testing GSM SIM cards.

The purpose of using a test utility on the damaged SIM card is that you do not want to run a full-blown image process on the damaged card, because you do not know the extent of the damage inside to its micro-computer electronic circuits (do you think that should be stated in your SOP?). PC/SC diagnostic tool enables testing only the boot-up of the card and returns its ATR (answer-to-reset) and other system parameters. As the test does not penetrate the Master File (MF) and elementary files (EF), the tool only works with the shell and won't read and return content such as the EFICCID or EFIMSI and so on.

When conducting a test read of the damaged card the results returned will need to be saved. PC/SC diagnostic tool provides for saving the test report. Identifying the name of the report is optional, but when training it is perhaps a good idea to get into the practice of identifying the report from the SIM Serial Number (SSN) recorded on the face of the card. In the photo below I have simply used filename ICCID so as not to identify a test card or a case exhibit.



The initial report that is saved will be a plaintext .txt file. To prevent loss or alteration of that file convert the .txt file to a working document (.pdf).


Examiners essentially need to be aware of how the test tool works. It writes APDUs (application protocol data units), the communications unit between the SIM card reader and the SIM card. The APDUs are set out in the Standards.

When preparing your damaged SIM card SOP, some key points to have considered and confirmed are:

a) Does the tool permanently write to the card?
b) If so, and working at the shell, where would that be discovered, if at all?
c) Can a write blocker be used?
d) What can be learned from the ATR and parameters?    
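For point d), the following is an added example (not part of the original post, and not the PC/SC diagnostic tool's own code) that decodes an ATR string copied from a saved test report according to the ISO/IEC 7816-3 layout and flags truncation or a failed checksum, which matter when a card is damaged. The sample ATR is constructed and its historical bytes are left undecoded.

```python
# Added example: ATR layout per ISO/IEC 7816-3. It only parses a saved hex
# string and never talks to a card. SAMPLE_ATR is constructed, not an exhibit.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # TA1 high nibble
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # TA1 low nibble
CLASSES = ((0x01, "A (5 V)"), (0x02, "B (3 V)"), (0x04, "C (1.8 V)"))
SAMPLE_ATR = "3B 96 95 80 1F 43 80 31 E0 73 FE 21 22"


def parse_atr(hex_string):
    """Decode an ATR and list anything that does not add up."""
    data = bytes.fromhex(hex_string)
    out = {"convention": None, "interface": {}, "protocols": [], "fi": None,
           "di": None, "voltage_classes": [], "historical": b"",
           "tck_ok": None, "problems": []}
    if len(data) < 2:
        out["problems"].append("ATR shorter than TS + T0")
        return out

    out["convention"] = {0x3B: "direct", 0x3F: "inverse"}.get(data[0])
    if out["convention"] is None:
        out["problems"].append(f"unexpected TS byte {data[0]:02X}")

    # T0: high nibble says which of TA1..TD1 follow, low nibble counts
    # the historical bytes.
    y, k = data[1] >> 4, data[1] & 0x0F
    pos, group, prev_t = 2, 1, None
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if pos >= len(data):
                out["problems"].append(f"ATR ends before {name}{group}")
                return out
            out["interface"][f"{name}{group}"] = data[pos]
            # The first TA after T=15 carries the supported voltage classes.
            if (name == "TA" and group > 2 and prev_t == 15
                    and not out["voltage_classes"]):
                out["voltage_classes"] = [c for b, c in CLASSES if data[pos] & b]
            pos += 1
        td = out["interface"].get(f"TD{group}")
        if td is None:
            break
        prev_t = td & 0x0F
        out["protocols"].append(prev_t)
        y, group = td >> 4, group + 1
    if not out["protocols"]:
        out["protocols"] = [0]          # no TD1 means T=0 only

    ta1 = out["interface"].get("TA1")
    if ta1 is not None:
        out["fi"], out["di"] = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
        if out["fi"] is None or out["di"] is None:
            out["problems"].append("TA1 uses a reserved Fi/Di value")

    out["historical"] = data[pos:pos + k]
    if len(out["historical"]) < k:
        out["problems"].append("ATR ends inside the historical bytes")
        return out
    pos += k

    # TCK is only sent when a protocol other than T=0 is indicated; the XOR
    # of every byte from T0 to TCK must then be zero.
    if any(t != 0 for t in out["protocols"]):
        if pos >= len(data):
            out["problems"].append("TCK expected but missing")
            return out
        check = 0
        for byte in data[1:pos + 1]:
            check ^= byte
        out["tck_ok"] = check == 0
        if not out["tck_ok"]:
            out["problems"].append("TCK checksum mismatch")
        pos += 1
    if pos < len(data):
        out["problems"].append(f"{len(data) - pos} unexpected trailing byte(s)")
    return out


if __name__ == "__main__":
    for key, value in parse_atr(SAMPLE_ATR).items():
        print(f"{key}: {value}")
```

An empty `problems` list only says the answer-to-reset was well formed; it says nothing about the state of the file system behind it.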

If the test results obtained are good this detail can be used in the decision-making process whether or not to create a cloned test card. Remember to enter a caveat in the SOP and to the client that internal damage cannot be seen and therefore any image extracted thereafter might only be on a one-shot basis.

Remember: photographs and well documented contemporaneous notes are essential here. Make the effort to record details so that you don't have to struggle trying to remember what the device was like or what you did.

Thursday, April 20, 2017

Contaminating Evidence TWO

The goal of these essay discussions is to provide responses to the potential proposition that could arise in the theoretical question.  Part One can be found here: http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html


“What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the effects be if the SIM Card was inserted into the mobile phone?”
The question raises “what could the effects be...?” The following essay discussion will endeavour to capture some hopefully useful points for readers. It is not an exhaustive list but is intended to be illustrative of what may happen.

Removing the SIM card and handset from the evidence and exhibit bag, the examiner, following anti-static procedures, should normally inspect the SIM card first for any signs of damage.

 
In this case, the photo shows sustained visible damage to the outer SIM contact pads; as a consequence this could mean damage to internal components and connections. It is not unknown for suspects to try to damage their cards with external power sources to make access to SIM memory impossible.
 
Inserting a faulty SIM card into a handset may have an adverse effect on the handset’s SIM controller circuit with respect to the sensitive EMI filter. If the handset has a bad reaction to the inserted SIM card, it could be the case that the exhibit SIM card caused contamination damage by causing the EMI filter to break down, preventing the handset reading this and any other SIM cards until repaired.
This is a good example of a case where photographic records and contemporaneous note taking are very important. The decision not to use this damaged SIM card with the exhibit handset at all would be wise. The SIM card would need to be tested to see if any data can be recovered from it using external SIM reading software. There may be a chance to create a clone test card from it.
 
The examiner should be following the correct Laboratory SOPs which may direct him/her to make a clone test card from the exhibit SIM card. This clone test card ‘might be used’, subject to approval from the investigating officer, to be inserted into the exhibit handset. This is in cases where extracting and harvesting data in an image file (e.g. .bin or raw file) following the removal of the memory chip or using JTAG points on the handset’s printed circuit board (PCB) are not options available to the examiner.
As mentioned in Contaminating Evidence ONE, feedback received from queries raised by the Lab Manager to the client regarding seizure procedure, chain of custody and any other examination/s should hopefully confirm one way or the other whether there is any connection between the handset and SIM card. If there is, and subject to authorisation, the examiner might use the cloned test card in the handset.
In the alternative, for whatever reason, should the examiner insert the exhibit SIM card into the exhibit handset this action requires an understanding of the following:
(i) handset processes and procedures during power off?
(ii) inserted SIM card processes and procedures during handset power down?
(iii) events happening at power on for handset and SIM card?
Depending on make/model of handset and its profiling and initialising processes, powering on can potentially affect data held on the SIM card and data held in the internal memory of the handset.
SIM cards follow a fairly precise procedure for boot-up until the SIM Toolkit stack initialises, and then, depending upon make/model of handset, dynamic changes can occur with allocated but not activated services in EFSST. If the SIM card is not connected with the handset then exchanges causing data changes take place between the SIM card and handset. These are by no means the only potential data changes that can occur with SIM cards, and analysis should be considered for the following:
(iv) EFHPLMN (Home PLMN - check for update timer)
(v) EFLOCI (Location Information)
(vi) EFBCCH (Broadcast Control Channel)
(vii) EFKc (GSM Ciphering key Kc)
(viii) EFKcGPRS (GPRS Ciphering key KcGPRS)
(ix) Check DF ProSe
(x) EFCPBCCH (CPBCCH Information)
(xi) EFPSLOCI (Packet Switched location information)
(xii) EFNETPAR (Network Parameters)
(xiii) EFOPLMNwACT (Operator controlled PLMN selector with Access Technology)
(xiv) Proactive SIM
(xv) EFSST (SIM Service Table)
(xvi) And so on
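One way to record such changes, shown as an added example that is not part of the original post: compare two reads of a clone test card, taken before and after it has been in a handset, for four of the files listed above and break EFLOCI down into its fields. It assumes each read is available as a mapping of GSM 11.11 file identifier to hex content; both snapshots are constructed.

```python
# Added example. File identifiers and the EFLOCI / EFKc layouts follow
# GSM 11.11 (DF GSM). BEFORE and AFTER are constructed snapshots, not data
# from a real card or a case exhibit.
WATCHED = {"6F7E": "EFLOCI", "6F20": "EFKc", "6F74": "EFBCCH", "6F38": "EFSST"}
STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
          3: "location area not allowed"}

BEFORE = {
    "6F7E": "A1B2C3D432F4511234FF00",     # TMSI, LAI, TMSI time, status
    "6F20": "001122334455667702",         # Kc (8 bytes) + key sequence number
    "6F74": "FF" * 16,
    "6F38": "FF3F",
}
AFTER = {
    "6F7E": "FFFFFFFF32F451FFFEFF01",
    "6F20": "FFFFFFFFFFFFFFFF07",
    "6F74": "FF" * 16,
    "6F38": "FF3F",
}


def decode_loci(raw):
    """Split an 11-byte EFLOCI body into TMSI, LAI, TMSI time and status."""
    if len(raw) != 11:
        raise ValueError("EFLOCI must be 11 bytes")
    b1, b2, b3 = raw[4], raw[5], raw[6]
    # MCC and MNC are stored as swapped BCD nibbles across three bytes.
    mcc = f"{b1 & 0x0F:X}{b1 >> 4:X}{b2 & 0x0F:X}"
    mnc = f"{b3 & 0x0F:X}{b3 >> 4:X}"
    if b2 >> 4 != 0xF:                    # 0xF marks a two-digit MNC
        mnc += f"{b2 >> 4:X}"
    return {"tmsi": raw[0:4].hex().upper(), "mcc": mcc, "mnc": mnc,
            "lac": raw[7:9].hex().upper(), "tmsi_time": raw[9],
            "status": STATUS.get(raw[10] & 0x07, "reserved")}


def compare_snapshots(before, after):
    """Return one entry per watched file whose content differs."""
    changes = []
    for fid, name in WATCHED.items():
        old, new = before.get(fid), after.get(fid)
        if old is not None:
            old = old.upper()
        if new is not None:
            new = new.upper()
        if old == new:
            continue
        entry = {"file": name, "id": fid, "before": old, "after": new}
        if fid == "6F7E" and old and new:
            o = decode_loci(bytes.fromhex(old))
            n = decode_loci(bytes.fromhex(new))
            entry["fields"] = sorted(k for k in o if o[k] != n[k])
        changes.append(entry)
    return changes


if __name__ == "__main__":
    for change in compare_snapshots(BEFORE, AFTER):
        print(change)
```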
Also of interest is what is happening to the handset data due to internal functions. For instance, inserting a SIM card that has not been previously used with the handset can block access to phonebooks, messages and so on due to internal security policies. Moreover, when powering on a handset the examiner has no clue whether the handset user has set an ‘auto-delete’ messages policy, which may be triggered.
 
There is also some debate about what happens to data where a handset is switched ON but within a radio-damping field or chamber to prevent connection to the network. The thought that all radio context details are lost on power down may have security requirements, but what is retained in the handset is largely left down to the handset manufacturers. Of interest, some UEs may still store some NAS (mobility management) information, e.g. old security context, GUTI, IMSI, timer values etc., to assist a quick link to the network as opposed to drawing stored data from the SIM card. This may occur where the user selects Flight Mode and suspends all radio activity, again depending upon make/model of handset. When a SIM card not previously used in the handset is inserted, the handset initialisation procedure will call the data from the EFNETPAR file and record that into temporary memory. That information wasn’t there previously; that may be considered contamination.
 
SUMMARY TWO
Because so much activity is invisible to the examiner when handsets are switched ON with a SIM card inserted, the examiner (using strict Laboratory SOPs) is required to follow the SOP procedures and NOT insert the exhibit SIM card into the exhibit handset using subjective guesswork.
 

 

Contaminating Evidence ONE

The theoretical question highlighted below was originally posted on a forum to provide work material for students. Recently the same question was resurrected by a student seeking a response to the question for a test paper.

“What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the effects be if the SIM Card was inserted into the mobile phone?”

As there had been no response at the forum to provide possible answers to the question above I thought I would discuss issues that could arise.

My first doubt with the question, having read it, is that it could lead to an impression that tick sheet (multiple-choice) responses would be sufficient to answer the question. In my view that would be wrong, because unless the multiple-choice options had been meticulously researched and condensed to a single accurate word, it is possible the person passing the test could believe his/her knowledge was sufficient to handle evidence when in fact that may not be so.
I formed the opinion that this question is better suited to an essay-style response to flesh-out possibilities the question raises and identify the knowledge possessed by the person taking the test. Such a test may produce a failure in knowledge, but not failure of the person taking the test; trial and error enhances the experience of the person who then has an opportunity to research the areas of failure.
PREAMBLE
The question raises potential material concerns about the way the item has been ‘seized’ and, so to speak, ‘bagged’ (evidence/exhibit bag). The competency and skillsets of those involved in the seizure may come under scrutiny. The SIO (senior investigating officer) or SO (senior officer) may need to look at the scheduling of the investigating and seizing team despatched to site: Scene of Crime (SoC), Warrant to Search, etc. Who was the seizing officer? What training have they received? Does s/he understand the principles of avoiding contamination and/or cross-contamination? What if the seizure occurred due to stop and search? Would the rules be different then? No, the rules of seizure wouldn’t be different, merely the understanding of the person conducting the seizure of how to implement them.
So, what might be the concerns? The question omits to identify
(a) comments in the seizure log, contemporaneous witness statement and/or photographs of found items at site?
(b) whether the handset has SIM/s (don’t forget dual-SIM handsets) already inserted?
(c) whether the handset battery is connected or loose in the bag?
(d) if the battery is still connected, is the handset switched ON/OFF when seized?
(e) if switched ON, what network ICONs etc., were visible?
(f) did the seizing officer switch ON/OFF the handset or was the handset allowed to drain the battery’s charge naturally?
(g) if the battery is loose in bag, did the seizing officer remove battery or was it found that way?
(h) if battery removed from handset does it reveal the SIM slot/s are empty or in use in the battery well?
(i) does the handset have a SIM slot on the side of the handset and is the SIM slot gate open or closed?
At this stage in the discussion you may think the above questions are enough? Well they are not. The evidence/exhibit bag should not be opened by the examiner and further considerations on the mind of the examiner might be to ascertain if possible whether an immediate link can be seen between the handset and loose SIM card in the evidence/exhibit bag?
(j) logo on handset and SIM card; is there a connection?
(k) SIM Serial Number (SSN); check out mobile operator ID?
(l) SIM form factor; size 1FF, 2FF, 3FF, 4FF or ID-1, plug-in size, micro-card, nano-card?
(m) make/model of handset; which SIM form factor does it use?
(n) if battery is loose in bag; is the battery even associated with the handset?
Yet a further potential point to raise is whether the Lab Manager or Section Leader immediately grasps the significance of the contents in the evidence/exhibit bag?
(o) at goods-inwards point of delivery?
(p) was the person delivering the evidence able to provide supporting details?
(q) if not, have enquiries been made to the client for supporting details?
(r) has the evidence/exhibit bag just been handed over to the examiner to get on with it?
The chain of custody (from hand-to-hand) also requires discussion in this essay, which started out looking where seizure began through to delivery to the examiner. Examiners may find there is an elliptical procedure needed to be adhered to where initial seizure is faultless and alteration has occurred down the line.
Prior to receipt of the evidence/exhibit bag and its contents it is quite possible the exhibits themselves have been previously examined. This is in case of being subjected to the analysis of:
(s) fingerprinting
(t) DNA
(u) drugs
(v) GSR
Could it be the case that (during processes (s)-(v)) the items that were separately seized have accidentally now been co-located in the same evidence/exhibit bag? What is problematical where evidence has been cross-contaminated is that it may cause a miscarriage to any effective results obtained during examination processes and procedures. Moreover, it might give weight to a confession through false belief the items belonged together. That may happen long before any test of admissibility of the evidence begins.
Lastly, an examiner should check in-house Standard Operating Procedures (SOPs), such as:
(w) Any Laboratory General and Standard SOPs
(x) Any General Guidance on Mobile Phone Examination SOPs
(y) SIMLESS HANDSET Examination SOPs
(z) Any other consideration SOPs
 
SUMMARY ONE
This essay discussion has been an exercise into possible implications arising from the conditions set out in a proposed theoretical question.
It may not be immediately obvious, but prior to delving into examinations based upon ‘if’ or ‘if not’ scenarios, establishing that the seizure procedure and chain of custody are safe to rely on (at first instance) might be necessary. This might require checking:
(#1) seizure and bagging
(#2) transport and quarantine
(#3) previous examinations
(#4) goods inwards to testing laboratory
Such an approach could be underpinned by establishing principles stated in the Laboratory’s SOPS and escalated for consideration to management prior to opening the evidence/exhibit bag and commencing any inspection and examination of the items inside.
This essay discussion is not complete because a second analysis and summary is required to deal with the potential implications of inserting the loose SIM card into the handset inside the evidence/exhibit bag. This is dealt with in Contaminating Evidence TWO, which can be found here: http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html
 

 
 
 

Friday, April 14, 2017

Cyber-teaching: bite-size learning No:5



Advanced Threat Analytics (ATA) may sound quite off-putting if your organisation is a small-to-medium sized enterprise (SME). What does ATA do? Microsoft's latest playbook (2017) creates a simulation learning environment where IT administrators for servers and computers can train and gain experience in searching for clues where an attack on (infiltration of) a network/s has occurred. Take it that it offers a primer allowing admins to play around and gain experience in finding artefacts (entry points, failed privileges ...etc.).

Microsoft ATA Playbook defines this FREE publication as "This article will walk through the credential theft attack techniques by using readily available research tools on the Internet. At each point of the attack we will show how Microsoft’s Advanced Threat Analytics (ATA) helps IT organizations gain visibility into these post-infiltration activities happening in their environments."

What SMEs should appreciate at first instance is that it hasn't cost anything to find out. More importantly, this enhanced knowledge may assist when IT departs to investigate, but understanding and analysing post-infiltration techniques might still require securing evidence in a sound manner; cyber investigation is just one aspect, forensic acquisition of evidence showing cyber attack is another.

Advanced Threat Analytics Attack Simulation Playbook 2017

Terms and Conditions of Use:
https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38

Sunday, April 09, 2017

Digital Evidence ISO/IEC 27037 -v- ISO/IEC 17025

Could ISO/IEC 27037:2012 be the better option for handling and obtaining digital forensic evidence?




ISO/IEC 27037:2012-10 (E)
Information technology - Security techniques - Guidelines for identification,
collection, acquisition and preservation of digital evidence


Contents
Foreword
Introduction
1 Scope
2 Normative reference
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 Context for collecting digital evidence
5.2 Principles of digital evidence
5.3 Requirements for digital evidence handling
5.3.1 General
5.3.2 Auditability
5.3.3 Repeatability
5.3.4 Reproducibility
5.3.5 Justifiability
5.4 Digital evidence handling processes
5.4.1 Overview
5.4.2 Identification
5.4.3 Collection
5.4.4 Acquisition
5.4.5 Preservation
6 Key components of identification, collection, acquisition and preservation of digital evidence
6.1 Chain of custody
6.2 Precautions at the site of incident
6.2.1 General
6.2.2 Personnel
6.2.3 Potential digital evidence
6.3 Roles and responsibilities
6.4 Competency
6.5 Use reasonable care
6.6 Documentation
6.7 Briefing
6.7.1 General
6.7.2 Digital evidence specific
6.7.3 Personnel specific
6.7.4 Real-time incidents
6.7.5 Other briefing information
6.8 Prioritizing collection and acquisition
6.9 Preservation of potential digital evidence
6.9.1 Overview
6.9.2 Preserving potential digital evidence
6.9.3 Packaging digital devices and potential digital evidence
6.9.4 Transporting potential digital evidence
7 Instances of identification, collection, acquisition and preservation
7.1 Computers, peripheral devices and digital storage media
7.1.1 Identification
7.1.2 Collection
7.1.3 Acquisition
7.1.4 Preservation
7.2 Networked devices
7.2.1 Identification
7.2.2 Collection, acquisition and preservation
7.3 CCTV collection, acquisition and preservation
Annex A (informative) DEFR core skills and competency description
Annex B (informative) Minimum documentation requirements for evidence transfer
Bibliography

Sunday, April 02, 2017

Crime: Base Station Monitoring and Regular Stress Tests

Photo courtesy of the Macau Post Daily

There is no shortage of police investigations, articles and reports into cellular technology being used for some sort of illegal purposes, and that is beyond the normal seizure of mobile devices in criminal proceedings. The recent prosecution of a construction worker, reported (10-03-2017) in the Macau Post Daily, running not one but two fake base stations, is such an example.

Whilst there is a huge effort to deal with Cybercrime attacks over networks, there is a growing emphasis suggesting that more attention could be focused on actually dealing with the physical devices creating the cyber activity behind the crime.

On 22-03-2017 the Information Age website reported that Chinese cybercriminals sent Android malware via fake BTSs ( http://www.information-age.com/chinese-cybercriminals-use-fake-telecom-stations-spread-malware-123465203/ ). The report was also mentioned at a number of other websites ( http://thehackernews.com/2017/03/rogue-bts-android-malware.html ; https://blog.knowbe4.com/chinese-hackers-use-fake-cellphone-tower-to-spread-android-banking-trojan and so on). Blog.knowbe4 added useful information beyond Information Age's report that the malware was involved, and identifies the malware as an attack called "Smishing"; a subject mentioned here at trewmte.blogspot.com previously back in 2015 ( Smishing Maybe Smashed, but Fake Tache Goes On - http://trewmte.blogspot.co.uk/2015/04/smishing-maybe-smashed-but-fake-tache.html ).

It isn't clear from these reports what is actually meant by 'fake BTSs'. Are the attackers merely hacking the network, exploiting (S3000688) MAP security and getting hold of authentication vectors to mount a false base station attack? Is this a man-in-the-middle attack using a false mobile BTS (3GPP TS 21.133)? Are they using mobile redirector techniques for Android smartphones opening the SMS text message link to download the '.apk'? Or has a false physical tower been erected on land through which the attacks are made? If the latter is correct, there is more involved with this than anonymously hiding in the background. For a false physical tower to happen the attacker/s might 'hijack' equipment on an existing tower, add new equipment to an existing tower, or land-base a whole new tower. The latter is possibly the most improbable to happen, as the attacker/s would need new landline connections, microwave, RF and electrical power facilities, cabinets, cabling, tower rig, antenna/TRXs, etc., something that resembles a cellular tower in order to get a smartphone to use its rogue radio coverage.

How can a mobile network operator deal with this? It largely depends on how well the operator knows its own installation base and how regularly the operator's OMC (operations and maintenance centre) and site visits are co-ordinated for stress testing. Those co-ordinated tests may need to take into account site inventory inspection across a wide range of components. For instance, has the operator sufficient information on the inventory of components for each site? One example is the Antenna Interface Standards Group (AISG), which has been around for many years; its members count amongst some of the leading global players in this arena ( http://www.aisg.org.uk/ ):

Membership of the Group at 1st May 2016

Ace Technologies Corp.
Kathrein Werke KG
Amphenol Antenna Solutions
KGP Tech Co. Ltd.
China Mobile
KMW Inc.
Comba Telecom Systems Int'l
Nokia
Commscope, Inc
NXP
Communications Components Inc.
Orange / France Telecom
Ericsson AB
Oriel Laboratories Ltd
Galtronics Corporation Ltd
Radio Design
Gammanu Inc
RFS Inc
Gemintek Corporation
RFM Wireless
Gemtek Technology Co. Ltd.
Rosenberger Asia Pacific Electronic Co. Ltd.
Guangzhou Sunrise Telecoms Equipment Co Ltd
SGC Technologies Inc
Heji Co Ltd.
Shenzhen Haina Telecom Equipment Co Ltd
Huawei Technologies Co Ltd
Shenzhen Tatfook Technology Co Ltd.
Innertron Inc
Sunsea Telecommunication Co Ltd.
Innova Telecommunication Co. Ltd.
Sunwoo Communication Co Ltd
Jiangsu YaXin Electronics, Science & Technology Co Ltd
Wuhan Hongxin Telecommunication Technologies Co. Ltd.
JMA Wireless LLC
Tongyu Communications Equipment Co Ltd
Kaelus Pty Ltd
Westell, Inc.
  
The following companies are members of the Ancillary Equipment Group:

Amphenol-Tuchel GmbH
Recodeal Interconnect System Co. Ltd.
Franz-Binder GmbH
Sam Woo Electroncs Co. Ltd.
Guangzhou Huafeng Qiwang Electronic Technology Co. Ltd.
Syskim International
Lumberg Connect GmbH

Furthermore, the obvious site checks, such as for a break-in to an external cabinet or site equipment room, and checking CCTV and trip alarms, should normally be examined against regular site visit logs and also time-to-site and time-at-site. Checking the fault management, configuration management, performance management and security management ports and panels at site, to see that they have not been tampered with to disguise normal operation, is another consideration. There is a full range of security measures at site and network stress tests that can be performed.
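One way to examine trip alarms against site visit logs, time-to-site and time-at-site, as described above. This is an added example, not code from any operator or tool; the record layout, site names, grace period and time limits are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample visit log (not real data): site, dispatched, arrived, departed
VISITS = [
    ("SITE-A", ts("2017-03-20 08:00"), ts("2017-03-20 09:10"), ts("2017-03-20 10:00")),
    ("SITE-B", ts("2017-03-20 08:00"), ts("2017-03-20 11:30"), ts("2017-03-20 15:45")),
    ("SITE-C", ts("2017-03-20 13:00"), ts("2017-03-20 13:40"), ts("2017-03-20 14:20")),
]
# Constructed trip-alarm events: site, time, sensor
ALARMS = [
    ("SITE-A", ts("2017-03-20 09:12"), "cabinet-door"),
    ("SITE-A", ts("2017-03-21 02:40"), "cabinet-door"),
    ("SITE-B", ts("2017-03-20 11:31"), "equipment-room"),
]
GRACE = timedelta(minutes=5)  # assumed tolerance for clock drift between systems

def covered(alarm, visit):
    """True if the alarm is at the visit's site and inside its on-site window."""
    return alarm[0] == visit[0] and visit[2] - GRACE <= alarm[1] <= visit[3] + GRACE

def unexplained_alarms(alarms, visits):
    """Trip alarms that no logged visit accounts for."""
    return [a for a in alarms if not any(covered(a, v) for v in visits)]

def silent_visits(alarms, visits):
    """Logged visits during which no sensor fired (sensor or log needs checking)."""
    return [v for v in visits if not any(covered(a, v) for a in alarms)]

def timing_outliers(visits, max_to_site, max_at_site):
    """Visits whose time-to-site or time-at-site exceeds the expected limits."""
    out = []
    for site, dispatched, arrived, departed in visits:
        to_site, at_site = arrived - dispatched, departed - arrived
        if to_site > max_to_site or at_site > max_at_site:
            out.append((site, to_site, at_site))
    return out

if __name__ == "__main__":
    for site, when, sensor in unexplained_alarms(ALARMS, VISITS):
        print("alarm with no logged visit:", site, when, sensor)
    for v in silent_visits(ALARMS, VISITS):
        print("logged visit with no alarm:", v[0], v[2])
    for site, to_site, at_site in timing_outliers(VISITS, timedelta(hours=2), timedelta(hours=3)):
        print("timing outlier:", site, "to-site", to_site, "at-site", at_site)
```

A logged visit with no alarm is included because a sensor that stays silent while an engineer is on site is as worth a look as an alarm with no visit.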

Regulators may wish to assess the security breach with an operator and see whether an industry-wide practice is involved of selling equipment merely on the merits of the forecast Total Cost of Ownership and Return On Investment, as opposed to an assessment of the person/organisation buying the equipment. Another assessment might be to consider reports of stolen equipment and the marking of components etc.

It isn't difficult to imagine that more cases like the above could occur, but it doesn't mean they will; and doom and gloom is not the note on which this discussion is going to end. Think about all of the towers and base stations installed around the world and the customer base they serve. The mobile network operators provide an amazing service, delivering trillions of calls, communications and other services annually. It is a testament to their predominantly well-run mobile networks that the majority of users will not be talking in terms of throwing in the towel and ditching their mobiles tomorrow for landline telephones because of these crime reports.

Finally, India's state-owned quality control agency, Standardisation Testing & Quality Certification (STQC), has started ( http://economictimes.indiatimes.com/news/company/corporate-trends/india-to-start-screening-imported-telecom-gear-from-april-2017/articleshow/56054263.cms ) screening of all mobile network components, feature phones and smartphones under the requirements of National Security. This may pave the way for other countries without such a screening procedure to adopt a similar model.

Saturday, April 01, 2017

Monolith Recovery


Wow! The future of handling chip-off exploration looks great with this innovative new tool to get at content in Flash memory microchips:

UFD (USB Flash Drive)
SD (Secure Digital Card)
CF (Compact Flash)
micro SD (micro Secure Digital Card)
MS (Memory Stick)
xD
Monolithic Flash Devices
MMC (Multi Media Card)
eMMC (embedded Multi Media Card)
VoiceRecorder (dictaphone)
iPhone (without hardware encryption)