
Thursday, February 23, 2017

Secrets and Evidence of Older Mobiles

It is good to learn that the Nokia 3310 may make a return, albeit with an Android operating system. The nostalgia for these types of mobile phones has clearly not been lost. What it might suggest is that consumers still want a mobile telephone to remain a mobile telephone and to look like one.

The older mobile phones I have in mind though are the ones that are still used in examinations, investigations and research. Since there is nostalgic sentiment in the air I thought you might be interested in some examples of older mobile phones from my lab toolkit.


Now these old buzzards are used for basic GSM telephony services. There isn't a universal SIM that will work with these as some from my collection operate with a 5-volt SIM and so on. Importantly they are used due to the fact they have an external antenna and extendable external antenna. In some investigation instances RSSI will show network detection and a small amount of RF power whereas mobiles/smartphones with embedded antennas show Emergency Calls Only.

You might recall I have written numerous articles on radio surveys and two that may seem appropriate to this discussion are:

CSA: Mobile Phones and Fringe Coverage
http://trewmte.blogspot.co.uk/2010/06/csa-mobile-phones-and-fringe-coverage.html

GSM Radio Test Measurements
http://trewmte.blogspot.co.uk/2010/06/gsm-radio-test-measurements.html

The next selection of mobiles/smartphones each provide different radio characteristics due to the manufacturer's selection of RF chipset and functionality.


My five beauties, as I call them, are my Nokia 3210s. Great phones and they still operate perfectly well today. You can also see in the photo that all bar one mobile have an embedded antenna. Some are mobile phones and some are smartphones. Combined they offer the ability for RF surveys and testing voice telephony, data downloads, instant messaging etc. The common laptop application Network Monitor (NMonitor/NetMonitor) still provides good feedback when connected to the Nokia 3210 (nmon activated). Blackberry requires a bit of setting up with applications such as MagicBerry, BBHTool, etc., and creating JAD-files (depending on what you want to achieve). Now with the Samsung models GT-I8160 and GT-I9100, both are used with 2G and 3G networks and illustrate the point that two models of smartphone from the same manufacturer display different RF survey details.


Now I won't bore you with an explanation of the details, just to say these investigation RF surveys require knowing the various ServiceMode states. In particular, if you are conducting a PRACH and RACH survey, relevant to investigations for Access Requests (e.g. the phone is not in idle mode but seeking a service), then the GT-I9100 is useful in that it displays not just the LAC but also the Cell ID on which the RACH (access) request was made. Quite a few mobiles do not do this when looking into the ServiceMode states. You have to be quick, mind you, as the ServiceMode screen changes fairly quickly if you are not ready to take a photo.


Yet another, quite old-ish, mobile phone that I haven't shown so far is the Nokia 6303. The photo shown below should explain everything. But for those not familiar with testing and examination: where a charge in the billing appears for an SMS, or at least details of a called number sent an SMS (even if the sent message is free), it is quite possible the party receiving the message can read it but the message won't be saved. This is known as a Class 0 message (commonly referred to as a Flash Message). Depending on make and model of mobile phone, part or all of the message, which is only held in RAM, might still be recoverable, provided seizure and examination is undertaken and completed fairly quickly, as RAM is updating perpetually.



The Nokia 6303 is one of those mobiles on which the handset manufacturer, in combination with the mobile network operator, enabled this feature, as they foresaw revenue generation from it and also recognised that a reasonable memory storage capacity in handset and SIM card need not be blocked up with trivial messages.

The 6303 came with a 940 MB memory card for downloaded applications etc. This proved to be useful in an investigation where text messages didn't have alphabet characters but a series of dots and dashes. At first it was thought this was incomplete text chat messages or some sort of smiley face that didn't form properly when typed on the screen.



When reviewing hundreds of text messages recovered from a mobile or smart phone it is quite easy to overlook or ignore a message as being meaningless. However, I researched the matter and following testing the message turned out to be Morse Code. I tracked down the application for this and cross-checked with the device that had been examined.

            

So next time you see a text message with an odd presentation, look closely to see if it has relevance and whether your mobile phone forensic suite software has the capability either to identify that the message contains additional features or to translate the message.
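A triage pass of the kind described above, as an added example that is not part of the original post or of any forensic suite: it flags recovered message bodies made up only of dots, dashes and separators and decodes them as International Morse. The function names, the look-alike glyph table and the sample bodies are assumptions made for the illustration.

```python
import re

# International Morse code, letters and digits only.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
# Keyboards and apps often substitute look-alike glyphs for dot and dash.
LOOKALIKES = str.maketrans({"\u2022": ".", "\u00b7": ".", "*": ".",
                            "\u2013": "-", "\u2014": "-", "_": "-"})
MORSE_ONLY = re.compile(r"[.\-/| ]+")

def decode_morse(body):
    """Return the decoded text if an SMS body is plausibly Morse, else None."""
    text = body.translate(LOOKALIKES).strip()
    if not MORSE_ONLY.fullmatch(text):
        return None
    words = []
    # "/" or "|" or a run of spaces separates words; one space separates letters.
    for word in re.split(r"\s*[/|]\s*|\s{2,}", text):
        letters = [MORSE.get(sym, "?") for sym in word.split()]
        if letters:
            words.append("".join(letters))
    decoded = " ".join(words)
    chars = decoded.replace(" ", "")
    # Ignore ellipses, lone dashes and strings that are mostly unknown symbols.
    if len(chars) < 3 or chars.count("?") * 2 > len(chars):
        return None
    return decoded

def triage(bodies):
    """Return (index, original, decoded) for every body that decodes as Morse."""
    return [(i, b, d) for i, b in enumerate(bodies)
            if (d := decode_morse(b)) is not None]

# Constructed sample of recovered message bodies (not from any real case).
SAMPLE = ["Running late, see you at 7", "...", ":-)",
          "-- . . - / .- - / -.... .--. --",
          "\u2022\u2022\u2022 \u2013\u2013\u2013 \u2022\u2022\u2022"]

if __name__ == "__main__":
    for index, original, decoded in triage(SAMPLE):
        print(index, repr(original), "->", decoded)
```

Hits are candidates for the examiner to review against the original exhibit; short runs of spaced dots or dashes can decode by coincidence.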

Hope you have enjoyed this brief look at older mobile phones used in and for mobile forensic examination, investigations and research.

Saturday, October 26, 2013

Cellular Transmission Technology

Here are two test sheets identifying a range of cellular transmission technologies for CSA beginners and practitioners. It requires going through the charts to identify the accuracy of the information recorded in them and identify the relevant mobile network operators. It means researching not simply at the mobile network operators' websites, but researching the standards, etc etc etc.

http://cellsiteanalysis.blogspot.co.uk/2013/10/cellular-transmission-technology.html





A key aim and objective with CSA is to remember to start out being as thorough as you possibly can and create a very, very long list of all the elements you expect identified, what information you expect to be revealed from the elements, and what has actually been revealed from the other side in evidence.

When visiting the various discussion forums, discussions can often refer to a technical point but the relevant and specific cellular transmission technology is not identified. The problem this creates is that quite often reference to mobile communication 'commands' and 'responses' can be transferred between cellular transmission technologies. To assist with these complexities the cellular transmission technology test sheets 1 and 2 identify researched information and you have to find out whether all the information and supporting information is accurate or not. The sense of achievement is guaranteed in the finding out as opposed to confirming to the world look what I know. Have a go and see how much you think you know - what have you got to lose.

Special thanks for all the help from the superb information made available by various sources, including but not limited to the following organisations: GSMA, 3GPP/2, TIA/EIA; Regulatory bodies; the various mobile network operators around the world; Alcatel, Andrew, Anite, Anritsu, Ericsson, Huawei, Jaybeam, Kathrein, Nec, Nokia, Nortel, Siemens, Zapp.

Sunday, May 19, 2013

Sunday, April 21, 2013

Plug-in for mobile phones in iSync

Plug-in for mobile phones in iSync, how to use

All plug-ins can be downloaded for free.

Instructions for use
To install one of these plug-ins, download it, unzip it and place the folder "PhonePlugins" in the "Library" folder (create the folder if it does not exist).

"Library" can refer either to the "Library" folder in the root of the disc (for all users), or to that of a specific user. In the first case the plug-in will be seen by all users; in the latter, only by the user for which it is installed.

The plug-ins for iSync 10.5.x only work with OS X 10.5 or later.


Plug-in iSync for Motorola
iSync plug-in for Nokia phones (For Mac OS X 10.5)
iSync plug-in for Nokia For Mac OS X 10.5 or later
iSync plug-in for Sony Ericsson mobile Mac OS X 10.5

http://translate.google.co.uk/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Ffaqintosh.com%2Frisorse%2Fit%2Fothutil%2Fisync%2FiSyncLeo%2F&act=url

Tuesday, December 11, 2012

A European Focused Mobile Consumer Survey


Informa Telecom and Media have published the results of their Smartphone Usage and Behaviour Survey 2012, conducting the survey in four European countries: UK, Spain, Germany and the Netherlands. http://www.informatandm.com/mobile-consumer-survey/

The results for the UK identified the brand of mobile phone owned in particular age groups.













The responses to the survey confirm that the smartphone market in the UK is segmented. Mobile operators attempting to forecast device usage and data/services activity may therefore need to give customers a selection and choice of a range of platforms to sink their teeth into, when optimising any consumer initiative, to enable the growth of smartphones to continue.

For examiners the survey illustrates that predominantly the smartphones to be examined fall into a fairly small category, which could be quite useful for forecasting future examinations and, in particular, the expenditure on tools etc.

Saturday, May 26, 2012

Trace Log Generator


I am looking into creating a new handset tool that generates a trace log of commands sent to the handset and responses received.

Quite a few times I have raised this and largely there is a stone-wall silence about why examiners 'cannot' or 'will not' provide the actual trace log associated with their examination, so that this can be checked. That is an unhealthy taboo to be active in forensics (and for evidence) and needs to be side-stepped.

The idea of a trace log that produces units of information, exported for consideration, is similar to that generated by some imaging tools, which allow as complete an examination as possible.

This tool I believe should not compete with current tools in the same way that they perform, but the trace log should be inexpensive as the generated file will be a trace log, secured in such a manner that the original should not be altered by accident and when an examination takes place should avoid accidental contamination of the original. However, the managed principle extraction technique is based upon starting at binary and working upwards in order to allow the data to be viewed through independent products.

Additionally, I expect the trace log generator to perform tracing on a make-by-make basis, which means there should be a trace log generator module for each make. This will allow examiners to only buy what they need as opposed to having the reading capability of X-makes/models where it is an extremely low probability of examiners coming into contact with them.

There is a list of benefits, but I suspect two key objectives will benefit the mobile forensics industry:

1) Those whose job requirement limits them to push-button selection for reading an exhibit can produce the trace log first and then use another tool

2) Those who are experienced can use the trace log without needing to hector the less experienced to qualify what they have done during the acquisition examination period.

Additionally, I also envisage some form of (self)employment to arise out of this where programmers can create modules within the framework of the trace log generator and share in the revenue generation stream and at the same time see their contribution in a product generated by and for the forensic community.

I'd like to know what you think.

Sunday, May 20, 2012

Evidence is one thing, Understanding is another


I like Nokia. They were in at the beginning and presented the World with options, and so many walked behind, in their footsteps. The Nokia 110 and 112 still haven't stopped the examiner from seeing potential evidence:


Seeing through the eyes of experienced examiners:


Mobile phones - understanding their contribution to evidence.

Sunday, February 26, 2012

20th Anniversary 2012/13 for SMS Texting


If you like obscure facts, then this may be just up your street. Importantly, text messaging is one of those services originally developed for GSM that has remained largely unchanged. Nokia have set out ten facts at the link below that they have gathered together about text messaging. For instance, as Nokia records:

TEN. Texting is the leading cause of tenosynovitis, which is an inflammation in the thumb caused by constant text-messaging. (It’s like tennis elbow but smaller and less sporty.)























See more details at the link below:

Previously at my blog, I unearthed and presented details of a development by Sir Charles Wheatstone (1802-1875) of texting in the Victorian era called the Wheatstone ABC Telegraph, which can be found here:


Some other useful facts helpful to investigation for mobile telephone evidence.

DID YOU KNOW?
For mobile circuit-switched SMS messaging, it is important for an investigator to review the various typical transfer Cases (A-F) to see which applies to the evidence. Transfer conditions are also considered for GPRS and WCDMA.

Case A: Mobile originating short message transfer, no parallel call.
Case B: Mobile terminating short message transfer, no parallel call.
Case C: Mobile originating short message transfer, parallel call.
Case D: Mobile terminating short message transfer, parallel call.
Case E: Mobile terminating short message transfer together with Inter‑MSC hand over, parallel call.
Case F: Mobile terminating short message transfer on SDCCH channel together with Inter‑MSC hand over.

However, transfer cases are only one aspect. When dealing with text messages, it is also necessary to understand the relevant instructions regarding the storage destination for a text message, which are defined by Classes (0-3):

Bit 1   Bit 0   Message Class
0       0       Class 0
0       1       Class 1   Default meaning: ME-specific.
1       0       Class 2   (U)SIM specific message
1       1       Class 3   Default meaning: TE specific.



SMS text message investigation doesn't end there as there are other aspects to consider such as the coding schemes used for the text messages, which can influence the maximum length of text messages, thus the user data length of a message. Commonly, the following coding schemes referred to are:

7-bit data - default GSM 160 characters (maximum 140 Octets)
8-bit data - user defined data (maximum 140 Octets)
16-bit data - user data up to 70 UCS2 characters (maximum 140 Octets)

But data coding scheme investigation doesn't stop there, because other aspects of messaging are relevant, such as Cell Broadcast, where 7-bit data coding allows for up to 93 characters and 8-bit user-defined data is up to 82 octets, but only 41 characters where UCS2 is used. USSD messages using 7-bit data coding can be up to 182 characters. In some instances, handsets sending MMS messages may only allow up to 120 characters to be attached with an image/photo.

There are of course a number of other technical aspects to consider, and not everything has been discussed above. When training investigators or dealing with evidence, I always make the caveat that it may be easy to accept text messages at face value once the text message has been recovered from logical storage or free space (deleted); however, analysis of the TP-UD header is an extremely important task to perform.
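The message class bits, coding schemes and TP-UD header discussed above (and the Class 0 flash message from the Nokia 6303 post), put together as an added example that is not code from the original post or from any forensic tool. It decodes a TP-DCS octet following the 3GPP TS 23.038 bit layout, splits a TS 23.040 user data header into its information elements, and shows how the header reduces the 160/140/70 character limits. Function names and the sample octets are constructed for the illustration, and only the general and data coding/message class groups of TP-DCS are handled.

```python
GSM7, DATA8, UCS2 = "GSM 7-bit default", "8-bit data", "UCS2"
ALPHABETS = {0: GSM7, 1: DATA8, 2: UCS2, 3: "reserved"}

def decode_dcs(dcs):
    """Return (alphabet, message class 0-3 or None) for a TP-DCS octet."""
    group = dcs >> 4
    if group <= 0b0111:   # 00xx general and 01xx auto-deletion coding groups
        # Bits 3..2 select the alphabet; bits 1..0 are a class only if bit 4 is set.
        return ALPHABETS[(dcs >> 2) & 0b11], (dcs & 0b11) if dcs & 0x10 else None
    if group == 0b1111:   # data coding / message class group: bit 2 is the alphabet
        return ALPHABETS[(dcs >> 2) & 0b1], dcs & 0b11
    return None, None     # message-waiting and reserved groups: not handled here

def capacity(alphabet, udh_octets=0):
    """Characters that fit in the 140-octet TP-UD after udh_octets of header."""
    free = 140 - udh_octets
    if alphabet == GSM7:
        return free * 8 // 7      # whole septets left; the floor covers fill bits
    return free // 2 if alphabet == UCS2 else free

def parse_udh(tp_ud):
    """Split the header at the start of TP-UD into (IEI, data) pairs."""
    if not tp_ud or tp_ud[0] + 1 > len(tp_ud):
        raise ValueError("UDHL missing or longer than TP-UD")
    elements, pos, end = [], 1, 1 + tp_ud[0]
    while pos < end:
        if pos + 2 > end or pos + 2 + tp_ud[pos + 1] > end:
            raise ValueError("information element runs past UDHL")
        iei, length = tp_ud[pos], tp_ud[pos + 1]
        elements.append((iei, tp_ud[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return elements

def concat_info(elements):
    """Return reference/total/sequence if a concatenation element is present."""
    for iei, data in elements:
        if iei == 0x00 and len(data) == 3:      # 8-bit reference number
            return {"ref": data[0], "total": data[1], "seq": data[2]}
        if iei == 0x08 and len(data) == 4:      # 16-bit reference number
            return {"ref": int.from_bytes(data[:2], "big"),
                    "total": data[2], "seq": data[3]}
    return None

# Constructed TP-UD (TP-UDHI set): 6-octet header, then placeholder payload octets.
SAMPLE_TP_UD = bytes.fromhex("050003A70201") + b"\x00" * 10

if __name__ == "__main__":
    alphabet, msg_class = decode_dcs(0x10)      # constructed DCS: flash message
    header = parse_udh(SAMPLE_TP_UD)
    print(alphabet, msg_class, concat_info(header),
          capacity(alphabet, SAMPLE_TP_UD[0] + 1))
```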