Thursday, April 20, 2017

Contaminating Evidence TWO

The goal of these essay discussions is to provide responses to the potential proposition that could arise in the theoretical question.  Part One can be found here:

“What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the affects be if the SIM Card was inserted into the mobile phone?”
The question raises “what could the affects be...?” The follow essay discussion will endeavour to capture some hopefully useful points for readers. It is not exhaustive list but intended to be illustrative of what may happen.

Removing the SIM card and handset from the evidence and exhibit bag, the examiner, following anti-static procedures, should normally inspect the SIM card first for any signs of damage.

In this case, the photo shows sustained visible damage to the outer SIM contact pads; as consequence this could mean damage to internal components and connections? It is not unknown for suspects to try and damage their cards with external power sources to make access to SIM memory impossible.
Inserting a faulty SIM card into a handset may have an adverse effect on the handset’s SIM controller circuit with respect to the sensitive EMI filter. If the handset has a bad reaction to the inserted SIM card it could be the case the exhibit SIM card caused contamination damage by causing the EMI filter to breakdown, preventing the handset reading this and any other SIM cards until repaired.   
This is good example of a case where photographic records and contemporaneous note taking is very important. The decision not to use this damaged SIM card with the exhibit handset at all would be wise. The SIM card would need to be tested to see if any data can be recovered from it using an external SIM reading software. There may be a chance to create a clone test card from it.
The examiner should be following the correct Laboratory SOPs which may direct him/her to make a clone test card from the exhibit SIM card. This clone test card ‘might be used’, subject to approval from the investigating officer, to be inserted into the exhibit handset. This is in cases where extracting and harvesting data in an image file (e.g. .bin or raw file) following the removal of the memory chip or using JTAG points on the handset’s printed circuit board (PCB) are not options available to the examiner.
As mentioned in Contaminating Evidence ONE feedback received from queries raised by the Lab Manager to the client regarding seizure procedure, chain of custody and any other examination/s should hopefully confirm one way or other whether there is any connection between the handset and SIM card. If there is, and subject to authorisation, the examiner might use the cloned test card in the handset.
In the alternative, for whatever reason, should the examiner insert the exhibit SIM card into the exhibit handset this action requires an understanding of the following:
(i)                  handset processes and procedures during power off?
(ii)                inserted SIM card processes and procedures during handset power down?
(iii)               events happening at power on for handset and SIM card?
Depending on make/model of handset, its profiling and initialising processes, on power this can potentially affect data held on the SIM card and data held in the internal memory of the handset.
SIM cards follow a fairly, precise procedure for boot-up until the SIM Toolkit stack initialises and then depending upon make/model of handset dynamic changes can occur with allocated, but not activated services in EFSST. If the SIM card is not connected with the handset then exchanges causing data changes take place between the SIM card and handset. This is, by all means, not the only potential data changes that can occur with SIM cards and analysis should be considered for the following:
(iv)               EFHPLMN (Home PLMN - check for update timer)
(v)                EFLOCI (Location Information)
(vi)               EFBCCH (Broadcast Control Channel)
(vii)             EFKc (GSM Ciphering key Kc)
(viii)           EFKcGPRS (GPRS Ciphering key KcGPRS)
(ix)               Check DF ProSe
(x)                 EFCPBCCH (CPBCCH Information)
(xi)               EFPSLOCI (Packet Switched location information)
(xii)             EFNETPAR (Network Parameters)
(xiii)            EFOPLMNwACT (Operator controlled PLMN selector with Access Technology)
(xiv)            Proactive SIM
(xv)             EFSST (SIM Service Table)
(xvi)            And so on
Also of interest is what is happening to the handset data due to internal functions? For instance, inserting a SIM card that has not been previously used with the handset can block access to phonebooks, messages and so on due to internal security policies. Moreover, when powering on a handset the examiner has no clue whether the handset user as set a policy ‘auto-delete’ messages, which may be triggered.
There is also some debate where a handset is switched ON but within a radio-damping field or chamber to prevent connection to the network what happens to data under these circumstances?  The thought that all radio context details is lost on power down may have security requirements but what is retained in the handset is largely left down to the handset manufacturers. Of interest, some UEs having stored some NAS (mobility management) information e.g., old security context, GUTI, IMSI, timer values etc. may still be stored for assist quick speed to link to network as opposed to drawing stored data from the SIM card. This may occur where the user selects Flight Mode and suspends all radio activity, again depending upon make/model of handset. Inserting a SIM card not used in the handset previously, the handset initialisation procedure will call the data from EFNETPAR file and record that into temporary memory. That information wasn’t there previously; that may be considered contamination.
Due to so much activity that is invisible to the examiner when handsets are switched ON with a SIM card inserted requires the examiner (using strict Laboratory SOPS) to follow the SOPS procedures and NOT insert the exhibit SIM card into the exhibit handset using subjective guesswork.


No comments: