
Thursday, February 23, 2017

Secrets and Evidence of Older Mobiles

It is good to learn that the Nokia 3310 may make a return, albeit with an Android operating system. The nostalgia for these types of mobile phones has clearly not been lost. What it might suggest is that consumers still want a mobile telephone to remain a mobile telephone and to look like one.

The older mobile phones I have in mind though are the ones that are still used in examinations, investigations and research. Since there is nostalgic sentiment in the air I thought you might be interested in some examples of older mobile phones from my lab toolkit.


Now these old buzzards are used for basic GSM telephony services. There isn't a universal SIM that will work with these, as some from my collection operate with a 5-volt SIM and so on. Importantly, they are used because they have an external antenna and an extendable external antenna. In some investigations, RSSI will show network detection and a small amount of RF power, whereas mobiles/smartphones with embedded antennas show Emergency Calls Only.

You might recall I have written numerous articles on radio surveys and two that may seem appropriate to this discussion are:

CSA: Mobile Phones and Fringe Coverage
http://trewmte.blogspot.co.uk/2010/06/csa-mobile-phones-and-fringe-coverage.html

GSM Radio Test Measurements
http://trewmte.blogspot.co.uk/2010/06/gsm-radio-test-measurements.html

The next selection of mobiles/smartphones each provide different radio characteristics due to the manufacturer's selection of RF chipset and functionality.


My five beauties, as I call them, are my Nokia 3210s. Great phones and they still operate perfectly well today. You can also see in the photo that all bar one of the mobiles have embedded antennas. Some are mobile phones and some are smartphones. Combined they offer the ability for RF surveys and testing voice telephony, data downloads, instant messaging etc. The common laptop application Network Monitor (NMonitor/NetMonitor) still provides good feedback when connected to the Nokia 3210 (nmon activated). Blackberry requires a bit of setting up with applications such as MagicBerry, BBHTool, etc., and creating JAD files (depending on what you want to achieve). The Samsung models GT-I8160 and GT-I9100 are both used with 2G and 3G networks and illustrate the point that two models of smartphone from the same manufacturer display different RF survey details.


Now I won't bore you with an explanation of the details, just to say these investigation RF surveys require knowing the various ServiceMode states. In particular, if you are conducting a PRACH and RACH survey, relevant to investigations for Access Requests (e.g. the phone is not in idle mode but seeking a service), then the GT-I9100 is useful in that it displays not just the LAC but also the Cell ID on which the RACH (access) request was made. Quite a few mobiles do not do this when looking into the ServiceMode states. You have to be quick, mind you, as the ServiceMode screen changes fairly quickly if you are not ready to take a photo.


Yet another, quite old-ish, mobile phone that I haven't shown so far is the Nokia 6303. The photo shown below should explain everything. But for those not familiar with testing and examination: where a charge in the billing appears for an SMS, or at least details of a called number sent an SMS (even if the sent message is free), it is quite possible the party receiving the message can read it but the message won't be saved. This is known as a Class 0 message (commonly referred to as a Flash Message). Depending on the make and model of mobile phone, part or all of the message, which is only held in RAM, might still be recoverable, provided seizure and examination are undertaken and completed fairly quickly, as RAM is updating perpetually.



The Nokia 6303 is one of those mobiles on which the handset manufacturer, in combination with the mobile network operator, enabled this feature, as they foresaw revenue generation from it and also recognised that a reasonable memory storage capacity in handset and SIM card need not be blocked up with trivial messages.

The 6303 came with a 940 MB memory card for downloaded applications etc. This proved to be useful in an investigation where text messages didn't have alphabet characters but a series of dots and dashes. At first it was thought this was incomplete text chat messages or some sort of smiley face that didn't form properly when typed on the screen.



When reviewing hundreds of text messages recovered from a mobile or smart phone it is quite easy to overlook or ignore a message as being meaningless. However, I researched the matter and following testing the message turned out to be Morse Code. I tracked down the application for this and cross-checked with the device that had been examined.

            

So next time you see a text message with an odd presentation, look closely to see if it has relevance and whether your mobile phone forensic suite software has the capability either to identify that the message contains additional features or to translate the message.
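One way to triage recovered message bodies for the dots-and-dashes case described above. This is an added example, not part of the original post or of any forensic suite; the function names, the look-alike character set and the sample messages are assumptions made for illustration.

```python
import re

# International Morse code: letters and digits only (punctuation omitted).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
# Handsets and apps may substitute look-alike characters for dot and dash.
LOOKALIKES = str.maketrans(
    {"·": ".", "•": ".", "–": "-", "—": "-", "−": "-", "_": "-"})
CANDIDATE = re.compile(r"^[.\-/|\s]+$")  # dots, dashes, separators, whitespace

def decode_morse(body):
    """Return the decoded text if body looks like Morse code, otherwise None."""
    text = body.translate(LOOKALIKES).strip()
    if not CANDIDATE.match(text):
        return None
    # Words are separated by "/" or "|" or by two or more spaces.
    words = [w.split() for w in re.split(r"\s*[/|]\s*|\s{2,}", text)]
    symbols = [s for w in words for s in w]
    unknown = sum(1 for s in symbols if s not in MORSE)
    # A lone "..." is more likely an ellipsis; mostly-unknown groups are noise.
    if len(symbols) < 2 or unknown * 2 > len(symbols):
        return None
    return " ".join("".join(MORSE.get(s, "?") for s in w) for w in words if w)

def triage(messages):
    """Return (message id, decoded text) for each body that decodes as Morse."""
    decoded = ((msg_id, decode_morse(body)) for msg_id, body in messages)
    return [(msg_id, text) for msg_id, text in decoded if text is not None]

# Constructed sample of recovered message bodies (not from any real case).
SAMPLE = [
    (101, "See you at 8"),
    (102, "-- . . - / .- - / -. --- --- -."),
    (103, "..."),
    (104, "•–•• •– – • •–•"),
    (105, ":-) ..."),
]

if __name__ == "__main__":
    for msg_id, text in triage(SAMPLE):
        print(msg_id, text)
```

Undecodable groups are kept as "?" in the output so the examiner can check them against the original message rather than lose them.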

Hope you have enjoyed this brief look at older mobile phones used in and for mobile forensic examination, investigations and research.

Tuesday, December 11, 2012

A European Focused Mobile Consumer Survey


Informa Telecom and Media have published the results of their Smartphone Usage and Behaviour Survey 2012, conducting the survey in four European countries: the UK, Spain, Germany and the Netherlands (http://www.informatandm.com/mobile-consumer-survey/).

The results for the UK identified the brand of mobile phone owned in particular age groups.













The responses to the survey confirm that the smartphone market in the UK is segmented. Mobile operators attempting to forecast device usage and data/services activity may therefore need to give customers a choice from a range of platforms to sink their teeth into, optimising any consumer initiative so that the growth of smartphones can continue.

For examiners the survey illustrates that predominantly the smartphones to be examined fall into a fairly small category, which could be quite useful for forecasting future examinations and, in particular, the expenditure on tools etc.

Blackberry Enterprise Solutions

BB Manuals and Guides



For me, at any rate, using this link probably leads to the best way to get instant access (that is at a glance, click the link) to manuals and guides specific to versions of Blackberry Enterprise Solutions - http://docs.blackberry.com/en/admin/?userType=2

There are also further BB support links to various manuals and help here: http://docs.blackberry.com/en/ and for the Blackberry knowledge base here: http://btsc.webapps.blackberry.com/btsc/microsites/searchEntry.do

Sunday, March 04, 2012

Examination Techniques3: Blackberry Bold


Examiners may have noticed that the internet is flooded with secret or hack codes that may be entered into a handset, each with a brief description of the code's purpose. Every make and model seems to have its own codes. One code that has been doing the rounds since 2010 is the Blackberry Bold code for 'Display cause of PDP reject', relevant to GPRS. Below is a list of sample entry codes posted on the internet. As you can see, there appears to be some variation in the way the code is expressed as it should be entered into a Blackberry:

ALT+JKVV @ Home Screen. Display cause of PDP reject
http://newestblackberryfreeware.com/blackberry-tips-and-tricks/blackberry-secret-codes/

ALT-JKVV Home Screen Display cause of PDP reject
http://forum.mintywhite.com/viewtopic.php?f=9&t=790

ALT-JKVV Home Screen Display cause of PDP reject
http://forums.crackberry.com/archive/index.php?t-78665.html

ALT+JKVV @ Home Screen. Display cause of PDP reject
http://www.xusermanual.com/all-tags/blackberry-bold-3-secret-codes

It is recommended that examiners consider researching the use of the codes on test handsets prior to conducting a 'live' examination on the evidential DUT.

However, a second matter that was apparent from the internet postings was that no assistance was given to the reader or, for that matter, an examiner as to the interpretation of the information (data) that would be displayed on the screen of the DUT as a value, or the cause that would be relevant to that value.

In order to understand the meaning of the data relevant to 'Display cause of PDP reject', examiners should in the first instance review 3GPP TS 24.008 / GSM 04.08 in order to understand the relevance of PDP with respect to 'Activate PDP Context Reject State' when it is On and the value given in an 'Activate PDP Context Reject SM Cause'.

Below are several tables compiled with content relevant to PDP reject values and their causes. Whilst I have reviewed standards and other sources to seek agreement of the values and causes, you may wish to check for yourself the accuracy of the information recorded in the tables. The 3GPP/GSM standards have been identified above and to conduct simple Binary/Hex/Decimal conversion readers may wish to visit an online calculator website similar to the one at the following link http://easycalculation.com/binary-converter.php.

GMM Cause Information Element



SM Cause Information Element



SM Cause Information Element on GTP protocol



Whilst the values and causes in the tables above have been identified there is still additional information that the standards identify relevant to each of them. Having said that, being able to investigate these values/causes and trace them to the GSM MS / WCDMA UE and to the network is quite helpful, particularly when dealing with blacklisted handsets or invalid IMSIs. Additionally, the values and causes provide a useful guide when conducting live tests for GPRS cell site analysis.
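A sketch of how a noted value can be normalised and how the SM cause octet sits inside an Activate PDP Context Reject message. This is an added example, not part of the original post: it goes beyond reading the handset screen by also parsing the layer 3 message, the cause list is only a subset of 3GPP TS 24.008 and should be checked against the standard, and the function names and sample bytes are constructed for illustration.

```python
# Subset of SM cause values from 3GPP TS 24.008 (SM cause information element);
# verify against the release of the standard relevant to the examination.
SM_CAUSES = {
    8: "Operator determined barring",
    26: "Insufficient resources",
    27: "Missing or unknown APN",
    28: "Unknown PDP address or PDP type",
    29: "User authentication failed",
    30: "Activation rejected by GGSN",
    31: "Activation rejected, unspecified",
    32: "Service option not supported",
    33: "Requested service option not subscribed",
    34: "Service option temporarily out of order",
    35: "NSAPI already used",
}
PD_SESSION_MANAGEMENT = 0x0A        # protocol discriminator, low nibble of octet 1
ACTIVATE_PDP_CONTEXT_REJECT = 0x43  # GPRS session management message type

def parse_value(text):
    """Convert a value noted as '0x1B', '1Bh', '00011011b' or '27' to an int."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if t.endswith("h"):
        return int(t[:-1], 16)
    if t.endswith("b"):
        return int(t[:-1], 2)
    return int(t, 10)

def decode_reject(raw):
    """Return the SM cause octet of an Activate PDP Context Reject, else None."""
    if len(raw) < 3 or raw[0] & 0x0F != PD_SESSION_MANAGEMENT:
        return None
    # TI value 7 (bits 7-5 of octet 1 all set) means a TI extension octet follows.
    offset = 2 if (raw[0] >> 4) & 0x07 == 0x07 else 1
    if len(raw) < offset + 2 or raw[offset] != ACTIVATE_PDP_CONTEXT_REJECT:
        return None
    return raw[offset + 1]

def describe(value):
    """Format a cause value with its name, or point back to the standard."""
    name = SM_CAUSES.get(value, "not in this subset, see 3GPP TS 24.008")
    return "#%d %s" % (value, name)

# Constructed message: TI flag set, TI value 0, PD 0xA, type 0x43, cause 0x1B.
SAMPLE = bytes.fromhex("8a431b")

if __name__ == "__main__":
    print(describe(decode_reject(SAMPLE)))
```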