Showing posts with label alter data. Show all posts

Tuesday, August 12, 2008

Dual International Mobile station Equipment Identity (IMEI)


When we think of mobile telephones we mostly think of them as having a single International Mobile station Equipment Identity (IMEI) number. For two decades, whether for an analogue or digital mobile 'phone, we have often drawn the analogy, to help show their importance, that mobile 'phone serial numbers are like vehicle chassis numbers - in essence IMEIs are intended to be unique numbers.

Because of that unique numbering scheme, it follows that each mobile phone should only have one IMEI. That has changed and mobile 'phone manufacturers can include two IMEIs. The two IMEIs can be viewed via the label under the battery pack (see photo below Samsung SGH-D888), or by entering *#06# (asterisk, octothorp, 0, 6, octothorp).

Having reviewed the Standards and other documentation and found no definitive statement about the requirement for a dual IMEI numbering scheme, I put out some enquiries and I am grateful to those who assisted. I am told it would appear the occurrence of the dual IMEIs is due to there being two radio chipsets in some handsets. As I understand it, also, I won't find anything in the Standards about this matter - just yet. Moreover, it does not automatically follow that a handset having Dual SIM/USIM slots implies or infers that the handset has two radio chipsets, thus two IMEIs.

Evidentially, of course, it is noted that this matter impacts in numerous ways on examinations that use automated physical and/or logical harvesting of data and on the much-needed manual handset examination.

Sunday, March 09, 2008

Writing To Mobile Phones Under Examination


There is always the debate as to what amounts to "forensic" processes: whether they can be left to human intervention, whether a device alone can perform them, or whether it is the combination of human intervention and the device working together that can fulfil the objective. Perhaps germane to that question are three points: (1) the potential of each to write to a mobile telephone should be understood first; (2) whether, as a consequence of using the process, data are or might be altered or lost; and (3) whether "forensic" is then an appropriate and applicable label for the process in the first place.


The discussion below starts to address Point 1. When examining mobile telephones there are at least five separate categories under which an examiner can or may write to a mobile telephone due to automated processes (indirect intervention) and/or direct human intervention. The categories and their contents below are not exhaustive, but have been used to illustrate some elements involved with Point 1.



A) Standard powering ON (direct human intervention) of a mobile telephone can invoke automated processes (indirect intervention):

- wear levelling - can overwrite physical data

- updating files - writes new content to file

- setting off calendar alarms

B) Connecting data acquisition devices (direct human intervention) to mobile telephones to obtain stored data (indirect intervention):

- AT Command sets; to instruct the mobile to identify its profile and fetch data (IMEI, SMS text messages etc.). The example below illustrates a typical communication seeking the profile of a mobile telephone and the response received:


    SENDING frametype 0x00/length 0x08/8
    41A54T2B+43C47G4DM49I0D                             AT+CGMI.
    1 "AT+CGMI"
    2 "Sony Ericsson"
    3 "OK"
    RECEIVED frametype 0x00/length 0x1F/31
    41A54T2B+43C47G4DM49I0D 0D 0A 53S6Fo6En79y2045      AT+CGMI...Sony E
    72r69i63c73s73s6Fo6En0D 0A 0D 0A 4FO4BK0D 0A        ricsson....OK..
    Manufacturer info received
    Sony Ericsson [Manufacturer: Sony Ericsson]

    SENDING frametype 0x00/length 0x09/9
    41A54T2B+43C53S43C53S3F?0D                          AT+CSCS?.
    1 "AT+CSCS?"
    2 "+CSCS: "GSM""
    3 "OK"

    SENDING frametype 0x00/length 0x0A/10
    41A54T2B+43C53S43C53S3D=3F?0D                       AT+CSCS=?.
    1 "AT+CSCS=?"
    2 "+CSCS: ("GSM","IRA","8859-1","UTF-8","UCS2")"
    3 "OK"

    RECEIVED frametype 0x00/length 0x40/64
    41A54T2B+43C53S43C53S3D=3F?0D 0D 0A 2B+43C53S43     AT+CSCS=?...+CSC
    53S3A:20 28(22"47G53S4DM22"2C,22"49I52R41A22"2C     S: ("GSM","IRA",
    22"3883883553992D-31122"2C,22"55U54T46F2D-38822     "8859-1","UTF-8"
    2C,22"55U43C53S32222"29)0D 0A 0D 0A 4FO4BK0D 0A     ,"UCS2")....OK..





- Simply connecting a plug and cable to a mobile phone will write a nibble of data to the phone's memory in order to register the communications path along which data shall pass.

C) Use of a communications protocol (direct human intervention) in order to extract and harvest data from a mobile telephone can write and overwrite data (indirect intervention):

- Bluetooth: to pair devices requires an identical code to be loaded by the examiner on to the mobile telephone, which can overwrite a previously stored code

- Some Symbian mobile telephones require an agent to be loaded on to the phone in order for the examiner's devices to communicate with the phone, and the agent then has to be deleted after examination

- Hex-dumping can require the use of flash boxes to flash clips (code) to flash memory that can overwrite blocks of data containing user data

D) To gain access to a mobile telephone may require the entry (direct human intervention) of security codes:

- Passwords/PINs

- Re-setting Passwords/PINs

E) Examiners using devices to select (direct human intervention) specific data can cause the operating system of a mobile telephone to handle data in a particular way (indirect intervention):

- Some smart phones write to files in order to keep track of data and in some instances shift data around to accommodate the "fetch" request for certain data


Essentially the categories and content illustrated above merely set the stage to highlight what an examiner faces when seeking to conduct data acquisition from a mobile telephone. Plug and play (PnP) devices cannot be used in isolation; they need supervision (direct human intervention). Direct human intervention, with or without a device, can have consequences too. Furthermore, the mobile telephone under examination can as a consequence react to direct human intervention, as well as indirect intervention.
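
Added example (not from the original post or from the tool that produced the trace): Python that decodes the hex columns of the SENDING frames shown under category B and sorts AT commands into test, read, execute, set and write forms, so an examiner can see which commands in an acquisition log may alter the handset. The three extra commands and the short table of state-changing commands (taken from 3GPP TS 27.005 / TS 27.007) are assumptions chosen for illustration.

```python
import re

# Hex columns copied from the three SENDING frames in the trace above.
TRACE_SENT = ["41A54T2B+43C47G4DM49I0D", "41A54T2B+43C53S43C53S3F?0D",
              "41A54T2B+43C53S43C53S3D=3F?0D"]
# Constructed commands (not in the trace) that a tool might also send.
CONSTRUCTED = ['AT+CSCS="UCS2"', "AT+CMGR=1", "AT+CPBW=5"]
# State-changing commands from 3GPP TS 27.005 / TS 27.007 (not exhaustive).
STATE_CHANGING = {
    "+CMGR": "reading an unread SMS changes its status to read",
    "+CMGD": "deletes a stored message",
    "+CPBW": "writes or erases a phonebook entry",
}
AT_RE = re.compile(r"^AT(?P<name>[+*^#&]?[A-Z0-9]+)(?P<rest>.*)$", re.I)

def decode_dump(hexcol):
    """Decode a dump column where a hex byte may be followed by its ASCII char."""
    out, i = bytearray(), 0
    while i < len(hexcol):
        if hexcol[i] != " ":
            out.append(int(hexcol[i:i + 2], 16))
            i += 2
            if hexcol[i:i + 1] != chr(out[-1]):
                continue              # no echoed character after this byte
        i += 1                        # skip padding or the echoed character
    return bytes(out)

def classify(cmd):
    m = AT_RE.match(cmd.strip())
    if not m:
        return ("unknown", "not an AT command")
    name, rest = m["name"].upper(), m["rest"]
    if rest == "=?":                  # test form only lists supported values
        return ("test", "lists supported values only")
    if name in STATE_CHANGING:
        return ("write", STATE_CHANGING[name])
    if rest == "?":
        return ("read", "reports the current setting")
    if rest.startswith("="):
        return ("set", "sets a parameter on the handset")
    return ("execute", "check the specification for side effects")

def audit(commands):
    # Keep only what an examiner must document as a possible write.
    return [(c, *classify(c)) for c in commands if classify(c)[0] in ("write", "set")]

if __name__ == "__main__":
    sent = [decode_dump(h).decode("ascii").strip() for h in TRACE_SENT]
    print(*audit(sent + CONSTRUCTED), sep="\n")
```

Run over the trace, none of the three commands actually sent is flagged; only the constructed set and write commands are.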