
Sunday, May 14, 2017

Contaminating Evidence SIX

The original question (in Part ONE) I believe was asked by someone starting out in mobile forensics. I tend to find it is easier to start with the 2G technology [SIM Application CLA (0xA0) / 2G context], which is still predominant in certain countries; although market research shows 2G falls below 30% globally by 2020.

Furthermore, law enforcement and security still seize and find 2G SIM cards (globally speaking) associated with criminal activity - drug dealing, SIMboxing, trafficking, etc. - so any observations to assist examination may help improve outcomes and generate "quality in work" without expending large quantities of capital.

Equally, with 3G and 4G SIM cards the examiner can still issue SELECT, ReadBinary etc. for GSM access. It is also helpful to let examiners see basic script commands and responses, since the basic commands can still be issued under the USIM Application [CLA (0x00)]:

SelectUSIMApplication
Select 6F07
ReadBinary


To make the following a little more interesting than merely showing a screen image of the USIM Application returning the SIM card's IMSI: does the home network of the IMSI match the network to which the subscriber was last latched?


For privacy and security purposes the IMSI has been obscured, however it is confirmed the IMSI for this discussion is a subscriber to the EE network. As an examiner you may consider looking to the last network and location the subscriber was camped.

SelectUSIMApplication
Select 6F7E (LOCI: location information)
ReadBinary




SelectUSIMApplication
Select 6F73 (PSLOCI: packet switched location information)
ReadBinary



Observations, at first instance: the LOCI and PSLOCI screens reveal that the subscriber's account was last latched to the T-Mobile network, not the EE or Orange network. Who would provide feedback to the investigating officer on what that means? Both screens show "updated" for the location area and the routing area, yet the P-TMSI Signature value is unchanged at FFFFFF. What significance, if any, would that have for interpreting the data?
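As an added illustration (not part of the original post and not USIM Commander's code), here is a Python decoder for the three EF contents read above, EF_IMSI (6F07), EF_LOCI (6F7E) and EF_PSLOCI (6F73), following the layouts in 3GPP TS 31.102 / GSM 11.11. The sample bytes are constructed around the test PLMN 001/01 rather than any real subscriber; the all-ones check on the P-TMSI signature is there to surface the FFFFFF observation above for the examiner's notes.

```python
"""Decode three (U)SIM elementary files as returned by SELECT + READ BINARY:
EF_IMSI (6F07), EF_LOCI (6F7E) and EF_PSLOCI (6F73).
Layouts follow 3GPP TS 31.102 / GSM 11.11. All sample bytes below are
constructed for this example (test PLMN 001/01) and are not from a real card."""


def _swap_nibbles(data: bytes) -> str:
    """Return the BCD digits of `data` with each byte's nibbles swapped (low nibble first)."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)


def decode_imsi(ef: bytes) -> str:
    """EF_IMSI: byte 1 = length of the IMSI field in bytes; byte 2 low nibble = parity/identity
    nibble (0x9 odd-length IMSI, 0x1 even-length); the remaining nibbles are the IMSI digits,
    padded with F when the digit count is even."""
    length = ef[0]
    if not 1 <= length <= 8 or len(ef) < 1 + length:
        raise ValueError("EF_IMSI length byte inconsistent with data read")
    digits = _swap_nibbles(ef[1:1 + length])[1:]  # drop the parity/identity nibble
    return digits.rstrip("f")


def decode_plmn(b: bytes) -> str:
    """3-byte MCC/MNC field: MCC2 MCC1 | MNC3 MCC3 | MNC2 MNC1; MNC3 = F for a 2-digit MNC."""
    d = _swap_nibbles(b)  # -> mcc1 mcc2 mcc3 mnc3 mnc1 mnc2
    mnc = d[4:6] + ("" if d[3] == "f" else d[3])
    return f"{d[0:3]}/{mnc}"


# Update status lives in bits b3..b1 of the status byte (other bits are RFU)
LOCI_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed", 3: "location area not allowed"}
PSLOCI_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed", 3: "routing area not allowed"}


def decode_loci(ef: bytes) -> dict:
    """EF_LOCI, 11 bytes: TMSI(4) | LAI = PLMN(3) + LAC(2) | RFU(1) | location update status(1)."""
    if len(ef) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    return {
        "tmsi": ef[0:4].hex().upper(),
        "plmn": decode_plmn(ef[4:7]),
        "lac": ef[7:9].hex().upper(),
        "status": LOCI_STATUS.get(ef[10] & 0x07, "RFU"),
    }


def decode_psloci(ef: bytes) -> dict:
    """EF_PSLOCI, 14 bytes: P-TMSI(4) | P-TMSI signature(3) | RAI = PLMN(3) + LAC(2) + RAC(1) | RAU status(1).
    A signature of FF FF FF is the 'no value assigned' filler, so it is flagged for the examiner's notes."""
    if len(ef) != 14:
        raise ValueError("EF_PSLOCI must be 14 bytes")
    sig = ef[4:7]
    return {
        "ptmsi": ef[0:4].hex().upper(),
        "ptmsi_signature": sig.hex().upper(),
        "signature_unassigned": sig == b"\xff\xff\xff",
        "plmn": decode_plmn(ef[7:10]),
        "lac": ef[10:12].hex().upper(),
        "rac": f"{ef[12]:02X}",
        "status": PSLOCI_STATUS.get(ef[13] & 0x07, "RFU"),
    }


# Constructed sample reads (not real card data): IMSI 001010123456789, camped on PLMN 001/01, LAC 002A
SAMPLE_IMSI = bytes.fromhex("08 09 10 10 10 32 54 76 98")
SAMPLE_LOCI = bytes.fromhex("12 34 56 78  00 F1 10  00 2A  00  00")
SAMPLE_PSLOCI = bytes.fromhex("C0 FF EE 01  FF FF FF  00 F1 10  00 2A  01  00")

if __name__ == "__main__":
    print("IMSI  :", decode_imsi(SAMPLE_IMSI))
    print("LOCI  :", decode_loci(SAMPLE_LOCI))
    print("PSLOCI:", decode_psloci(SAMPLE_PSLOCI))
```

Feed it the raw ReadBinary bytes from the tool's trace pane. If the length byte in EF_IMSI disagrees with the data actually read, the decoder raises rather than guessing, which is the behaviour you want when the card is damaged.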

The key point is that issuing commands and reading the responses can help an examiner refine the searches made of the (U)SIM and the (U)ICC, and also respond to "time-is-of-the-essence" requests when a device is seized at the point a trafficker is stopped and searched. Combining precise information searches helps examiners do this.


Moreover, with enhanced scripting and script variables we can do so much more, a matter that will be considered in another blog discussion post soon regarding examination, evidence and validation:

==========
ContinueOnBadStatus
Select 3F00
Select 7F20
Select 6F07
If (GoodStatus = True)
{
 ReadBinary
 If (GoodStatus = True)
 Pass
}
Fail
===========
===========
Select 3F00
Select 7F10
Select 6F3A
Set $recNum = 1
While ($recNum <= $totalRecords)
{
 ReadRecord $recNum
 Increment $recNum
}
===========
===========
$count
$recordNumber
$data
$alphatag
$bitmask
===========


The tool USIM Commander is a SIM evaluation and programming tool available from Quantaq Ltd and can be found here: http://www.quantaq.com/products/simtools/

Hope you find this helpful.


Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html
Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html
Contaminating Evidence THREE - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-three.html
Contaminating Evidence FOUR - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-four.html 

Contaminating Evidence FIVE - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-five.html

Thursday, May 11, 2017

Contaminating Evidence FIVE

To refresh, these discussions (links at the foot of this article) originated because someone asked a question, e.g. should I put a seized damaged SIM card into a seized mobile phone (handset), where both items have been found placed into the same Exhibit bag? The discussions have been to highlight helpful observations about what can be involved, and the lesson learned is to keep a damaged SIM card separate from the handset and to conduct tests independently of combined forensic suites; hence the need for a Test A Damaged SIM Card SOP.

Yes, you can run a single test APDU (application protocol data unit) command to select particular data from a SIM card, just as you can run a script containing multiple test APDU commands. For example, what follows is an example of multiple APDU commands to SELECT and GET RESPONSE from the SIM card, requesting the SIM's IMSI (international mobile subscriber identity). Invariably, investigating officers and security may only require just that little piece of information, whether extracted and harvested from a working SIM or a damaged SIM. Where a damaged SIM card is involved it won't be clear at the initial examination stage whether (a) the SIM will respond to any test or to a fully-blown image, and (b) if it does, whether there could be only one chance to retrieve any data from it (the card).

APDU Commands
The standards identify the commands as follows, and these would most likely assist the examiner when reading the SOP. Remember that Part FOUR said the SOP should assist examiners by identifying the short form title and clause. So here is one exercise you can do now: download ETSI GSM 11.11 (Release 1999) and the latest release of 3GPP TS 31.102 and identify the short form title and clauses relevant to the APDU commands below:

- Select
- VerifyCHV
- ReadBinary
- ReadRecord
- UpdateBinary
- UpdateRecord
- Status

Test APDU - IMSI Request
The next step is to select and order the statements needed to issue the commands for the SIM card to reveal the IMSI:

- 2GMode
- Select 3F00
- Select 7F20
- Select 6F07
- ReadBinary
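To show what those five script lines become on the wire, here is an added Python example (my own, not USIM Commander's code) that encodes the 2G APDUs per GSM 11.11 section 9, runs them against a small stub card, and keeps both a translated trace and a raw hex trace, much like the tool's two right-hand panes. The stub card, its file tree and the IMSI bytes it returns are constructed for the example; the 9F XX / GET RESPONSE handshake and the status-word meanings are the standard's.

```python
"""Raw 2G (CLA A0) APDUs behind the five-line IMSI script and a stub card to run
them against, so the 'translated' and 'raw' traces can be compared side by side.
APDU coding and status words follow GSM 11.11 section 9. The stub card, its
file tree and the IMSI bytes it holds are constructed for this example."""

CLA_GSM = 0xA0  # "2GMode": GSM class byte, as opposed to 0x00 for the USIM application


def apdu_select(fid: int) -> bytes:
    """SELECT by 2-byte file id (MF, DF or EF)."""
    return bytes([CLA_GSM, 0xA4, 0x00, 0x00, 0x02, fid >> 8, fid & 0xFF])


def apdu_get_response(length: int) -> bytes:
    """GET RESPONSE, fetching the bytes announced by a 9F XX status word."""
    return bytes([CLA_GSM, 0xC0, 0x00, 0x00, length])


def apdu_read_binary(offset: int, length: int) -> bytes:
    """READ BINARY of a transparent EF from the given offset."""
    return bytes([CLA_GSM, 0xB0, offset >> 8, offset & 0xFF, length])


def apdu_read_record(rec_no: int, length: int) -> bytes:
    """READ RECORD, absolute mode (P2 = 04), for linear fixed EFs such as 6F3A."""
    return bytes([CLA_GSM, 0xB2, rec_no, 0x04, length])


STATUS_WORDS = {
    0x9000: "normal ending of the command",
    0x9400: "no EF selected",
    0x9402: "out of range (invalid address)",
    0x9404: "file id not found",
    0x9804: "access condition not fulfilled",
    0x6B00: "incorrect parameter P1 or P2",
    0x6D00: "unknown instruction code",
    0x6E00: "wrong instruction class",
}


def describe_sw(sw1: int, sw2: int) -> str:
    """Translate a status word the way the tool's trace pane does."""
    if sw1 == 0x9F:
        return f"{sw2} bytes of response data available (issue GET RESPONSE)"
    return STATUS_WORDS.get((sw1 << 8) | sw2, "status not in table")


class StubCard:
    """Minimal file tree MF 3F00 > DF_GSM 7F20 > EF_IMSI 6F07, enough to run the script."""
    CHILDREN = {0x3F00: {0x7F20}, 0x7F20: {0x6F07}}
    FILE_TYPE = {0x3F00: 0x01, 0x7F20: 0x02, 0x6F07: 0x04}      # MF / DF / EF
    EF_CONTENT = {0x6F07: bytes.fromhex("080910101032547698")}  # constructed IMSI 001010123456789

    def __init__(self):
        self.current = None
        self.pending = b""

    def transmit(self, apdu: bytes):
        cla, ins, p1, p2, p3 = apdu[:5]
        if cla != CLA_GSM:
            return b"", 0x6E, 0x00
        if ins == 0xA4:  # SELECT
            fid = int.from_bytes(apdu[5:7], "big")
            if fid != 0x3F00 and fid not in self.CHILDREN.get(self.current, set()):
                return b"", 0x94, 0x04
            self.current = fid
            size = len(self.EF_CONTENT.get(fid, b""))
            # Response data, abbreviated: RFU(2) | file size(2) | file id(2) | type of file(1)
            self.pending = (b"\x00\x00" + size.to_bytes(2, "big")
                            + fid.to_bytes(2, "big") + bytes([self.FILE_TYPE[fid]]))
            return b"", 0x9F, len(self.pending)
        if ins == 0xC0:  # GET RESPONSE
            data, self.pending = self.pending[:p3], b""
            return data, 0x90, 0x00
        if ins == 0xB0:  # READ BINARY
            if self.current not in self.EF_CONTENT:
                return b"", 0x94, 0x00
            content, offset = self.EF_CONTENT[self.current], (p1 << 8) | p2
            if offset + p3 > len(content):
                return b"", 0x94, 0x02
            return content[offset:offset + p3], 0x90, 0x00
        return b"", 0x6D, 0x00


def run_imsi_script(card) -> dict:
    """Issue 2GMode / Select 3F00 / Select 7F20 / Select 6F07 / ReadBinary, keeping both
    the translated trace and the raw APDU trace, and stopping on the first bad status."""
    trace = []

    def send(label, apdu):
        data, sw1, sw2 = card.transmit(apdu)
        trace.append({"cmd": label, "raw": apdu.hex().upper(), "data": data.hex().upper(),
                      "sw": f"{sw1:02X}{sw2:02X}", "meaning": describe_sw(sw1, sw2)})
        return data, sw1, sw2

    size = 0
    for fid in (0x3F00, 0x7F20, 0x6F07):
        _, sw1, sw2 = send(f"Select {fid:04X}", apdu_select(fid))
        if sw1 != 0x9F:
            return {"ok": False, "imsi_ef": "", "trace": trace}
        resp, _, _ = send("GetResponse", apdu_get_response(sw2))
        if resp[6] == 0x04:  # an EF: remember its size for READ BINARY
            size = int.from_bytes(resp[2:4], "big")
    data, sw1, sw2 = send("ReadBinary", apdu_read_binary(0, size))
    return {"ok": (sw1, sw2) == (0x90, 0x00), "imsi_ef": data.hex().upper(), "trace": trace}
```

The early return on a non-9F status is the same idea as the ContinueOnBadStatus / GoodStatus script in Part SIX: a damaged card that fails at Select 7F20 leaves a trace of exactly how far it got, which is what goes into the contemporaneous notes.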
 


USIM Commander GUI Image


The IMSI has been doctored in the above image for privacy and security reasons. However, the three window panes above illustrate how to validate commands issued to a damaged SIM card. The left pane shows the commands; the top-right pane shows the status and harvested data of the commands issued; and the bottom-right pane confirms the translated APDU trace and the raw APDU trace. This proves the process and procedure the examiner adopted and applied during testing, and the information can then be logged into the examiner's contemporaneous notes.

Training and Discovery
Before jumping into conducting the tests, training and exposure to different types of SIM cards and their conditions should be the first priority. Even the best APDU scripters make mistakes. The screen images that follow illustrate a mistake and its correction (can you find the mistake?) and, following that, the importance of the learning curve an examiner needs, which is only possible based upon discovery using training SIM cards to see what might be revealed.
 
 
 
Examiners need to be encouraged to extend the search investigation beyond the template. The images below identify what CHV1 and CHV2 discovery might reveal. This discovery helps examiners to uncover whether unknown CHV1 and CHV2 can be revealed.




 
Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html
Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html
Contaminating Evidence THREE - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-three.html
Contaminating Evidence FOUR - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-four.html 

Wednesday, May 10, 2017

Contaminating Evidence FOUR

The last discussion referred to the APDU (application protocol data unit), the communications unit between the SIM card reader and the SIM card. It also mentioned that APDUs are set out in the Standards. There is some more information on this you may find helpful. The Test A Damaged SIM Card SOP could include a removal of doubt (ROD) technique. The purpose of this ROD technique is to assist the examiner's comprehension, from the outset, of the 5-Ws rule of thumb:

Who - the examiner
What - testing across the interface
Where - between the DUT and the Test Tool
When - as directed by the laboratory Good Practice Guide (GPG)
Why - to avoid contamination of evidence

To aid that process the SOP could reference the procedure with the inclusion of the relevant standard's numbering and title, also directing the reader to a specific clause. It is irrelevant for the purposes of testing to ask an examiner to remember something s/he was taught some time back. A permanent record in a document of direction and advice instructing the examiner is needed. Practices and procedures should not be left to guesswork. As the old adage states, "it is not knowledge you need to hold on to in your head, as this is recorded in books; it is the skills and experiences you should remember." A permanent record, then, is a reference book. The skills and experiences developed through use and discovery are the essential requirements to maintain and evolve the SOP, which when recorded then goes on to become knowledge.

ISO/IEC 7816

Part ONE referred to ISO/IEC 7816-1. That is because it is the starting point that identifies the other 7816 parts. Here we need to look at ISO/IEC 7816-3. The above image shows the specific section to be discussed. But for the sake of manner and form let us use a page within the SOP identifying the Standards and text applicable to it (the SOP and its procedures and tests therein):

Standard Title:
============
INTERNATIONAL STANDARD ISO/IEC 7816-3 Third edition 2006-11-01
Identification cards — Integrated circuit cards — Part 3: Cards with contacts — Electrical interface and transmission protocols

============

However, a short form identity for the relevant Standard and clause/s is required. This is placed at the end of the paragraph following the written procedure or test (otherwise every procedure and test would be verbosely overloaded with repetition of a title like the above).

Short Form Identity:
=============
(ISO7816-3 (cl12.1.1)) 
=============

Note that, apart from going to a separate document (e.g. the relevant Standard and clause), everything an examiner should require should be in the SOP. The reasoning behind that has many responses, but to highlight: (a) it avoids an examiner reading wrong, incorrect or out-of-date material; (b) excessive amounts of information can confuse; (c) examiners will be testing, but prior to tests and following tests contemporaneous notes should be made, which could be excessively lengthy if the SOP references are not used; and so on.

It can also be helpful to produce GUI screen images and samples of APDU so that the examiner is equally guided to know what to look for in any trace file output for validation purposes.

USIM Detective


Dependent upon the (U)SIM/(U)ICC hardware reader and software (system) used, it is important that the examiner does not end up using another system to perform the tests. If a different system is used, a new SOP should be created for every system in use. If support is needed for that, an example can be given here. The above screen image shows the APDU commands and responses in the USIM Detective trace file. However, the Simspy2 trace file output is different:

Simspy2

  
This might suggest that the commands and responses output should still be identical? No, not all commands and responses will be identical. Worse still is the case where the examiner starts quoting one system in a report when the data used is in fact from another system. An example of this is that Simspy2 and USIM Detective both issue commands and responses that can acquire different data. Both issue commands to fetch data from memory locations that are not specified in the standards. This does not suggest they are wrong, merely that they offer different traced evidence.

Unless each lab produces its own system, the market forces of commercially or freely available systems will be the pool from which systems are obtained. The more tools the better, but budgets can dictate the system to be used, although in reality obtaining free software should not present a problem. When purchasing a commercial system, it should be possible to fully scrutinise the data captured, and the system should have the back-up evidence to produce a trace file output containing the commands and responses where validation is needed.

Validation requires confirmed interpretation of the commands issued and, as mentioned in the previous discussion, seeking guidance from the standards can save an awful lot of time and assists in avoiding guesswork:

GSM11.11



Lastly, but still relevant to the Test A Damaged SIM Card SOP, it should be made clear in the SOP which "interface" the standard referred to identifies. In this discussion ISO7816-3 covers the "electrical interface" and the transmission protocols used. However, as (U)SIM cards emerge with additional capabilities at the (U)SIM or the (U)ICC level, it is important to record the additional interfaces significant to the method and process by which evidence is captured:



Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html

Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html

Contaminating Evidence THREE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-three.html

Sunday, September 13, 2015

Metrology - USB part 2

Continuing with the discussion relating to Metrology and Universal Serial Bus (USB) cables.

Metrology - http://trewmte.blogspot.co.uk/2015/05/metrology.html
The first discussion observed that ISO 9001 has been mentioned and that this standard provides a useful guide on record keeping. In most cases users take for granted that the cable/lead/plug is OK and just swap it out if it is deemed not to be working. Simple questions:

1) Is there a cable/lead tester on the market?
2) What results can be obtained?
3) How are the output results determined?
4) How do the results compare with the manufacturer's guidelines for MTTF and MTBF?
5) Can the results scrutinised be improved?
6) Can a minimum standard be achieved?

Metrology - USB part 1 - http://trewmte.blogspot.co.uk/2015/06/metrology-usb-part-1.html
Later the discussion raised the notion that smartphones, tablets and other devices fitting the description Size-Scaled Digital Technology (SSDT) and using USB physical connectivity provide the simplest of examination DUT illustrations, e.g. the combination of three separate entities involved in inter-connection during an examination:

1) DUT (the target device (SSDT)) containing suspected evidence
2) The physical medium (USB) to carry the source data to the examination tool
3) The examination tool (ET) used to extract and harvest evidence

And it ended with the point that the discussion started out by referring to the physical medium USB to carry the source data from the DUT to the examination tool (ET). The relevance of doing so is that if the examiner eliminates the medium as the cause of failure or corrupted evidence, then the logical conundrum that remains is: is the DUT at fault, is the ET at fault, or are both DUT and ET faulty together?

Eliminating the USB cable's involvement in the acquisition process as the source of corrupted data or of faults induced into the DUT requires expanding the investigation into what is known about USB tolerances or identified faults.

Mechanical Failures

Types of USB connector left to right (ruler in centimetres): micro-B plug, UC-E6 proprietary (non-USB) plug, mini-B plug, standard-A receptacle (upside down), standard-A plug, standard-B plug

The procedure required was to dissect and strip back a USB plug from its cable. In itself there is nothing special in this task being performed, other than for revelation purposes: to allow observation of what is happening underneath the main moulded cable covering, given that the human eye does not possess x-ray vision. This USB cable was chosen because it had visible signs of wear and tear at the USB plug end that connects to the device (DUT), and charging of a DUT was known to be intermittent.

The USB cable was terminated at either end with a mini-B plug and standard-A plug. The photo below shows the mini-B plug end has been dissected and stripped back.

The standard coloured wiring is expressed as:

Pin 1 - VCC (+5 V, red wire)
Pin 2 - Data− (white wire)
Pin 3 - Data+ (green wire)
Pin 4 - Ground (black wire)

It was noticeable from a study of the separately coloured internal wire covers (green, red, black and white; for a quick reference source refer to https://en.wikipedia.org/wiki/USB) that the red wire cover was in fact pink in colour, with more deterioration (more brittle, covering easy to pull off) than the other coloured coverings.


Given that the mini-B plug is the end connected into the DUT, this raises concerns as to whether the wear and tear could cause damage to the DUT too. As the red (pink) coloured cover concerns the power line VCC (+5 V, red wire), it is not difficult to speculate on the potential for damage or failure: at one end of the scale, on the balance of probability the quality assurance programme should have identified this as a problem or issue to be addressed; at the other end of the scale, beyond reasonable doubt the quality control processes should have removed this physical medium (USB cable) from the pool of tools/devices that could be used during an examination process.

The sampling rates for conducted VBUS and VCC etc. tests can be deduced from the USB standards. Full USB compliance test equipment may be expensive for those who are trading as a one-man business. There are some simple test rigs out there which require the use of a digital multimeter and test cables that may offer a lower-cost solution worth investigating.


One such rig is USB Tester from Fried Circuits http://friedcircuits.us/docs/usb-tester


Another rig from the same source is USB Tester and Phone Charging http://friedcircuits.us/docs/usb-tester-and-phone-charging/

Inexpensive rigs like these should not be a problem, but it is essential to carefully document their use in your QA procedures and their requirement to be calibrated.
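As an added example (not from the post or from Fried Circuits), the following Python takes VBUS readings from such a rig at the ET port and at the DUT plug, applies the multimeter's calibration correction, records the traceability fields an ISO 17025-style QA log expects and returns a PASS/WITHDRAW verdict. The readings, asset ids and the 0.25 V spread threshold are constructed; the 4.75-5.25 V and 4.40 V limits are the USB 2.0 VBUS figures as I recall them and should be confirmed against the clause your SOP cites.

```python
"""QA check of a USB cable's VBUS delivery using readings from a low-cost
multimeter / USB tester rig, with the calibration traceability the text asks for.
The readings, instrument ids and the 0.25 V 'intermittent' spread threshold are
constructed for this example. The VBUS limits used are the USB 2.0 figures
(host/hub port 4.75-5.25 V, at least 4.40 V at the far end for a low-power
device); confirm them against the specification clause your own SOP cites."""
from dataclasses import dataclass, field
from statistics import mean

VBUS_HOST_MIN, VBUS_HOST_MAX = 4.75, 5.25  # at the examination tool's port
VBUS_DEVICE_MIN = 4.40                      # at the DUT end of the cable
SPREAD_LIMIT = 0.25                         # assumed: larger swings suggest intermittent contact


@dataclass
class Instrument:
    asset_id: str        # lab asset number recorded in the QA log
    cal_cert: str        # calibration certificate reference (traceability chain)
    cal_offset_v: float  # correction from the certificate: true value = reading + offset


@dataclass
class CableTest:
    cable_id: str
    instrument: Instrument
    host_readings_v: list = field(default_factory=list)    # measured at the ET port
    device_readings_v: list = field(default_factory=list)  # measured at the DUT plug


def corrected(readings, instrument: Instrument) -> list:
    """Apply the instrument's calibration correction to raw readings."""
    return [round(r + instrument.cal_offset_v, 3) for r in readings]


def assess_cable(test: CableTest) -> dict:
    """Return a QA record: traceability fields, corrected statistics and a PASS/WITHDRAW verdict."""
    host = corrected(test.host_readings_v, test.instrument)
    dev = corrected(test.device_readings_v, test.instrument)
    findings = []
    if not all(VBUS_HOST_MIN <= v <= VBUS_HOST_MAX for v in host):
        findings.append("host port VBUS outside 4.75-5.25 V: check the ET port before blaming the cable")
    if min(dev) < VBUS_DEVICE_MIN:
        findings.append("DUT-end VBUS below 4.40 V: excessive drop across the cable")
    spread = max(dev) - min(dev)
    if spread > SPREAD_LIMIT:
        findings.append(f"DUT-end readings vary by {spread:.2f} V: intermittent contact suspected")
    return {
        "cable": test.cable_id,
        "instrument": test.instrument.asset_id,
        "cal_cert": test.instrument.cal_cert,
        "host_mean_v": round(mean(host), 3),
        "device_mean_v": round(mean(dev), 3),
        "drop_v": round(mean(host) - mean(dev), 3),
        "verdict": "PASS" if not findings else "WITHDRAW",
        "findings": findings,
    }


# Constructed sample data: a multimeter whose certificate says it reads 0.01 V high
DMM = Instrument("LAB-DMM-07", "CAL-2015-0042 (placeholder)", -0.01)
GOOD_CABLE = CableTest("USB-MINI-B-003", DMM, [5.02, 5.01, 5.03], [4.91, 4.90, 4.92])
WORN_CABLE = CableTest("USB-MINI-B-011", DMM, [5.02, 5.01, 5.03], [4.55, 4.12, 4.48])

if __name__ == "__main__":
    for t in (GOOD_CABLE, WORN_CABLE):
        print(assess_cable(t))
```

The point of measuring at both ends is the one made above: a low reading at the DUT plug with a good reading at the ET port implicates the cable, whereas a low reading at the port implicates the ET, so the record separates the two before a cable is withdrawn from the pool.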

There are still numerous matters to discuss that have been identified regarding Metrology and USB, which shall be published shortly. The total sum of these discussion Parts build eventually to an identified set of criteria that examiners may wish to apply for QA purposes to reduce or remove the medium USB as having an adverse impact during data acquisition between a DUT and the ET.

Sunday, June 07, 2015

Metrology - USB part 1

Smartphones, tablets and other devices fitting the description Size-Scaled Digital Technology (SSDT) and using USB physical connectivity provide the simplest of examination DUT illustrations, e.g. the combination of three separate entities involved in inter-connection during an examination.


1) DUT (the target device (SSDT)) containing suspected evidence
2) The physical medium (USB) to carry the source data to the examination tool
3) The examination tool (ET) used to extract and harvest evidence

It is possible to extrapolate even greater numbers of inter-connected entities, but then it would be simpler, if I were to do that, to write a book instead of this blog post. Moreover, greater numbers of inter-connections exponentially increase the risk of failure relevant to an entity's MTBF (mean time between failures) and MTTF (mean time to failure).

["British scientist, Sir William Thomson (Lord Kelvin, 1824 - 1907), concisely captured the aspect of knowledge so that others can study the observations and apply the results without having to repeat the experiment, when he wrote: "When you can measure what you are speaking about and express it in numbers, you know what you are talking about.""]

SSDT - USB - ET provides a useful basis upon which to consider metrological traceability:

"A core concept in metrology is metrological traceability, defined by the Joint Committee for Guides in Metrology as "property of a measurement result whereby the result can be related to a reference through a documented unbroken chain of calibrations, each contributing to the measurement uncertainty". Metrological traceability permits comparison of measurements, whether the result is compared to the previous result in the same laboratory, a measurement result a year ago, or to the result of a measurement performed anywhere else in the world."
http://en.wikipedia.org/wiki/Metrology#Metrological_traceability

An excellent source of reference for definitions for the science of measurement is:

International vocabulary of metrology — Basic and general concepts and associated terms (VIM)

Vocabulaire international de métrologie — Concepts fondamentaux et généraux et termes associés (VIM)
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2008.pdf


International vocabulary of metrology – Basic and general concepts and associated terms  (VIM) 3rd edition  (2008 version with minor corrections)
Vocabulaire international de métrologie – Concepts fondamentaux et généraux et termes associés (VIM)
3e édition  (Version 2008 avec corrections mineures).
http://www.bipm.org/utils/common/documents/jcgm/JCGM_200_2012.pdf

Why have I shown two versions of the same document? Traceability is the answer. Building a quality system requires identification of the reference materials upon which test measurements are (or have been in the past) conducted. Anyone involved in lab preparation and in running a lab should be aware that the standards ISO 17025 and ISO 9001 identify principles that may be adopted for a wide range of industries etc. It is only when drilling down into how these principles should be applied in practice that one becomes aware of how, metaphorically speaking, naked one is without something or someone else pointing to a path to follow.

VIM is an acknowledged and established international standard that can be referenced for defining the naming conventions for testing. Of course, there is still the need for knowledge, skill and experience when operating under lab conditions. The early work of Scroggie and Johnstone, which even today provides useful observations about various aspects of testing in a laboratory environment, can be found in the Radio and Electronic Laboratory Handbook, 1980 edition (Marcus Graham Scroggie and George Gordon Johnstone, ISBN 0-408-00373-1 and ISBN-13 9780408003735). The book is available from Amazon and from reputable booksellers.



There are a range of other reference materials from testing through to calibration. For instance NASA (Deep Space Network) http://deepspace.jpl.nasa.gov/dsndocs/810-005/214/214-1.pdf ;  Laboratories for the Design and Assembly of Electronic Devices using Surface Mount Components conferencepaper.pdf ;  Handbook of Laboratory Experiments in Electrical and Electronics Vol.3 (Adamu Murtala Zungeru; James G. Ambafi ISBN 9781497507203) ; and the list goes on. These reference materials are in addition to publications produced by the FBI, NIST, ACPO etc...

This discussion started out by referring to the physical medium USB to carry the source data from the DUT to the examination tool (ET). The relevance of doing so is that if the examiner eliminates the medium as the cause of failure or corrupted evidence, then the logical conundrum that remains is: is the DUT at fault, is the ET at fault, or are both DUT and ET faulty together?

To understand the technical properties for USB look here:

USB Type C
http://www.usb.org/developers/usbtypec/
http://www.usb.org/developers/docs/
http://www.usb.org/developers/docs/usb_31_060115.zip

This version of USB specification is identified, not simply from personal experience, but due to industry adoption of the standard:

(a) http://www.usb.org/press/USB_Type-C_Specification_Announcement_Final.pdf  

(b) http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/



Image credited to http://arstechnica.com/gadgets/2014/08/small-reversible-usb-type-c-connector-finalized/

(c) https://support.apple.com/en-gb/HT204360 etc...

A testing schedule for MTBF and MTTF cannot be created unless the device class using a version of the USB specifications is corroborated:

Device Classes (some useful resource materials)
http://www.usb.org/developers/docs/devclass_docs/
http://www.atmel.com/dyn/resources/prod_documents/doc4322.pdf
http://www.linux-usb.org/usbnet/
http://cscott.net/usb_dev/data/devclass/usbcdc11.pdf

Moreover, if USB 3.0 is backward compatible with USB 2.0 could USB 3.0 be used as the de facto standard for all SSDTs to assist defining MTBF and MTTF?

What about USB plug/port sizes, would these create different test requirements?

Lastly, and to close Part 1 of this blog discussion, there is another question equally worth asking: "Does a manufacturer's/supplier's warranty for 12 or 24 months mean that lab testing is not necessary for the period of the warranty in question?"


Previous discussion under Metrology
http://trewmte.blogspot.co.uk/2015/05/metrology.html

Knowing DUT memory
http://trewmte.blogspot.co.uk/2015/05/knowing-dut-memory.html

Sunday, December 29, 2013

EU common charger for all mobiles/tablets

Members of the European Parliament have presented to the Council of Members a persuasive first stage plan, based upon reduction of waste and consumer ease of charger migration when changing to a new handset, for the need for a universal charger for all new mobiles sold into the EU.

2012/0283(COD)
26.4.2013
***I
DRAFT REPORT
on the proposal for a directive of the European Parliament and of the Council on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment (COM(2012)0584 – C7-0333/2012 – 2012/0283(COD))
Committee on the Internal Market and Consumer Protection


In accordance with the amendment to Article 2(3) of the proposed Directive.
Amendment 3

"appropriate type throughout the Union may be necessary. Interoperability between radio equipment and accessories such as chargers simplify use of radio equipment and reduce unnecessary waste."

"throughout the Union is necessary in some cases. Interoperability between radio equipment and accessories such as chargers simplifies use of radio equipment, reduces unnecessary waste and costs. A renewed effort to develop a common charger would therefore be highly desirable and consequently be beneficial in particular for consumers and other end-users."


If the further proposed stages receive approval, the timescale envisaged means a universal charger common to all new mobile phones could be available on the market by 2017 at the earliest. That is because Member States will be given two years to transpose the new directive into local legislation.

Of course, the technical realisation needs to be transformed into an approved technical standard. Some years ago the EU approved micro-USB for use with smart phones. However, the EU has yet to (a) decide which standard will be ratified for the proposed universal charger; (b) take account of the technology advances since the earlier approval of micro-USB; and (c) cover mobile tablets etc., which have also proliferated in the marketplace, as the Directive would also need to apply to other forms of radio equipment using a charger supplied into the EU for consumer use.

Of the various connector types, the universal charger connector may come in several guises. Two that come to mind are Apple's Lightning connector and the new type-C connector for USB 3.1 recently announced by the USB Standards Group. Both would already be in the marketplace before the two-year deadline has expired.

Apple's Lightning connector
http://en.wikipedia.org/wiki/Lightning_(connector)







USB Standards Group type-C connector USB 3.1
http://www.usb.org/press/USB-IF_Press_Releases/Type-C_PR_20131203_Final.pdf
http://www.usb.org/developers/USB-Futures.pdf


Image Source - http://www.mrgco.com/blog/usb-3-0-promoter-group-announces-new-type-c-connector-for-usb/