
Sunday, April 24, 2011

Faraday containers found unsafe

A recently published paper reports the results of practical tests on the reliability of mobile phone shielding devices (e.g. 'Faraday' containers). In a number of the instances the author placed under test, the shielding failed and did not prevent RF signalling from reaching the test mobile phones inside the containers:

https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2010-27.pdf

The implication might be that an 'impact assessment' of evidence that was seized, placed in a shielding device at the scene of a crime and then transported from police station to police station etc. may need to be 'reconducted'. The findings also raise the question of whether published guidelines advocating the use of shielding devices should now identify exactly which tests and research were considered before the policy was adopted, although it is unclear at present whether that will happen at all.

Whilst the report deals primarily with external factors (radio communications) and how the shielding devices coped with them, it also covers other effects shielding devices can have, for example on touch-screen mobile phones.

There have previously been mixed reviews about shielding devices and their impact on seized evidence that is left switched ON within shielding containers:

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3914
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4277&postdays=0&postorder=asc&start=0

If a mobile phone is already OFF, or is switched OFF at the point of seizure, then such shielding devices shouldn't be necessary at that particular juncture.

Friday, July 31, 2009

Cellphone Examination and Myths

There are still, surprisingly, many who promulgate myths by unwittingly conducting examinations in a particular way, or by using a product/device for cellphone examination to combat a particular perceived problem.

I am launching this discussion thread, which will be updated from time to time, to identify cellphone examination myths. In doing so, it is not aimed at criticising an individual, a manufacturer's product or someone selling a service. The point of the discussion is to allow people to make informed decisions as opposed to buying into a particular mythology. Do remember, I am not telling you what you should or should not do; it is your choice, and my comments are only intended as helpful observations.

CELLPHONE CLOCKS
There is a claim that the examiner should examine the cellphone first before examining the SIM card. Two myths that are still circulating today are (a) that by removing the SIM card from a phone that is switched OFF the handset clock will be lost, and (b) that using a Faraday shield or RF dampening field can help prevent that. I find it rather surprising that these myths are applied as a reason for creating a universal principle that handsets should be examined first and that Faraday/RF is the optimum choice for containment and examinations. To me these myths are nothing more than over-exaggerated examination procedures. They transfer the skills away from the human to expecting the device and the postulated procedure to be capable of coping with everyday common scenarios.

Most mobile phones today either have a memory system with an on-board battery to keep data live for a period of time after the external battery has been removed, or store the clock data along with an offset in flash so the time can be calculated upon power-up and initialisation. It is true that some phones (but not every phone) can lose the clock setting when the SIM is removed, so the choice of examination procedure should be made on a case by case basis. User-defined clocks can be quite unreliable as well, and in most cases (but not all) the clock setting of the handset does not feature as a prominent piece of evidence.

Additionally, Faraday/RF dampening does not influence the clock at all unless, as is becoming more popular, the user has set the handset to use the mobile network clock, in which case Faraday/RF dampening would have a detrimental effect by losing the clock timing on the handset whilst it is in isolation containment.

For the special procedures needed for very serious crime or terrorism, it is understandable that the use of a particular containment field might be needed. The majority of mobile phone seizures and recoveries are pretty bog-standard occasions, so why would anyone leave a mobile phone switched ON in a containment bag, where there is a high degree of chance that the bag could be knocked and a key pressed, generating and/or altering data on the phone?

FARADAY/RF DAMPENING - LOSING DATA
For road traffic accidents, using containment bag methodology for seized or recovered switched-ON cellphones can be problematic because location data can be lost by isolation in a containment field, whether that be mobile network data and/or GPS data.

FARADAY/RF DAMPENING - WIPING DATA
Many high-end, sophisticated smartphones, such as the BlackBerry, may have security policies in place whereby a prolonged absence from the radio network can force a lock and/or data wipe.

FARADAY/RF DAMPENING - IMSI
SIM cards have the ability to store a number of IMSIs, which are commonly used where countries have multiple network operators on a state by state basis. Roaming users may have a choice to use one or several IMSIs whilst roaming in another state or country. Activating a particular IMSI can require selection of a profile and pressing the "SEND" key to inform the network of an altered state of subscriber identity, and a response from the network can be required for that change to take effect. The protocol in some handsets has been designed to wait for the response from the network to be received before the IMSI change takes place inside the SIM, releasing the profile to the handset. Consequently, revealing data for a particular IMSI profile might not be possible.

FEEDBACK
If anyone wants to contribute to this myths discussion send an email to me with your observations. If you want to debunk my debunking then by all means do so, I am always willing to learn.

Sunday, March 09, 2008

Writing To Mobile Phones Under Examination

There is always the debate as to what amounts to a "forensic" process: whether it can be left to human intervention alone, whether a device alone can do it, or whether it is the combination of human intervention and the device working together that fulfils the objective. Germane to that question are three points: (1) the potential of each to write to a mobile telephone should be understood first; (2) as a consequence of using the process, what data are or might be altered/lost; (3) only then deciding whether "forensic" is an appropriate and applicable label for the process in the first place.

The discussion below starts to address Point 1. When examining mobile telephones there are at least five separate categories under which an examiner can or may write to a mobile telephone, due to automated processes (indirect intervention) and/or direct human intervention. The categories and their contents below are not exhaustive, but are used to illustrate some elements involved with Point 1.

A) Standard powering ON (direct human intervention) a mobile telephone can invoke automated processes (indirect intervention):

- wear levelling - can overwrite physical data
- updating files - writes new content to a file
- setting off calendar alarms

B) Connecting data acquisition devices (direct human intervention) to mobile telephones to obtain stored data (indirect intervention):

- AT command sets; to instruct the mobile to identify its profile and fetch data (IMEI, SMS text messages etc.). The example below illustrates a typical exchange seeking the profile of a mobile telephone and the response received:

SENDING frametype 0x00/length 0x08/8
41A54T2B+43C47G4DM49I0D AT+CGMI.
1 "AT+CGMI"
2 "Sony Ericsson"
3 "OK"
RECEIVED frametype 0x00/length 0x1F/31
41A54T2B+43C47G4DM49I0D 0D 0A 53S6Fo6En79y2045 AT+CGMI...Sony E
72r69i63c73s73s6Fo6En0D 0A 0D 0A 4FO4BK0D 0A ricsson....OK..
Manufacturer info received
Sony Ericsson [Manufacturer: Sony Ericsson]

SENDING frametype 0x00/length 0x09/9
41A54T2B+43C53S43C53S3F?0D AT+CSCS?.
1 "AT+CSCS?"
2 "+CSCS: "GSM""
3 "OK"

SENDING frametype 0x00/length 0x0A/10
41A54T2B+43C53S43C53S3D=3F?0D AT+CSCS=?.
1 "AT+CSCS=?"
2 "+CSCS: ("GSM","IRA","8859-1","UTF-8","UCS2")"
3 "OK"

RECEIVED frametype 0x00/length 0x40/64
41A54T2B+43C53S43C53S3D=3F?0D 0D 0A 2B+43C53S43 AT+CSCS=?...+CSC
53S3A:20 28(22"47G53S4DM22"2C,22"49I52R41A22"2C S: ("GSM","IRA",
22"3883883553992D-31122"2C,22"55U54T46F2D-38822 "8859-1","UTF-8"
2C,22"55U43C53S32222"29)0D 0A 0D 0A 4FO4BK0D 0A ,"UCS2")....OK..

- Simply connecting a plug and cable to a mobile phone will write a nibble of data to the phone's memory in order to register the communications path along which data shall pass
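As an added example (not code from the original post or from any tool it quotes), the Python below reconstructs the byte streams behind the AT+CGMI and AT+CSCS=? dumps above, parses them as a logging tool would (echo, information lines, final result code), and classifies AT commands by their 3GPP TS 27.007 syntax so that query forms can be told apart from set forms that may write to the handset. The function names and the rule that a bare extended command is treated as a read-only query are my assumptions.

```python
import re

# Constructed sample data: the byte streams behind the two dumps quoted above
# (command echo, CRLF-framed information line, blank line, final result code).
RAW_CGMI = b"AT+CGMI\r\r\nSony Ericsson\r\n\r\nOK\r\n"                 # 31 bytes (0x1F)
RAW_CSCS_TEST = (b"AT+CSCS=?\r\r\n"
                 b'+CSCS: ("GSM","IRA","8859-1","UTF-8","UCS2")'
                 b"\r\n\r\nOK\r\n")                                      # 64 bytes (0x40)

FINAL_RESULT_CODES = {"OK", "ERROR"}


def parse_at_response(raw: bytes, command: str) -> dict:
    """Strip the echoed command, split the CRLF-framed lines and separate
    the information lines from the final result code."""
    text = raw.decode("ascii")
    echo = command + "\r"
    if not text.startswith(echo):
        raise ValueError("response does not echo the command that was sent")
    lines = [ln for ln in text[len(echo):].split("\r\n") if ln]
    if not lines or lines[-1] not in FINAL_RESULT_CODES:
        raise ValueError("no final result code in response")
    return {"command": command, "info": lines[:-1], "result": lines[-1]}


def parse_cscs_list(info_line: str) -> list:
    """Turn '+CSCS: ("GSM","IRA",...)' into the list of supported charsets."""
    m = re.fullmatch(r"\+CSCS:\s*\((.*)\)", info_line)
    if not m:
        raise ValueError("not a +CSCS test-command response")
    return re.findall(r'"([^"]*)"', m.group(1))


def classify_at_command(command: str) -> str:
    """Classify an AT command by its 3GPP TS 27.007 syntax.
    '=?' is the test form and '?' the read form, both queries; '=<value>'
    is the set form, which may write to the handset; basic commands such as
    ATD act on the phone. Assumption: a bare extended command (AT+CGMI) is
    treated as a read-only query."""
    cmd = command.strip().upper()
    if cmd.endswith("=?"):
        return "test"
    if cmd.endswith("?"):
        return "read"
    if "=" in cmd:
        return "set"
    if not cmd.startswith("AT+"):
        return "action"
    return "read"
```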

C) Using a communications protocol (direct human intervention) to extract and harvest data from a mobile telephone can write and overwrite data (indirect intervention):

- Bluetooth: pairing devices requires an identical code to be loaded by the examiner on to the mobile telephone, which can overwrite a previously stored code
- Some Symbian mobile telephones require an agent to be loaded on to the phone in order for the examiner's devices to communicate with the phone, and it then has to be deleted after examination
- Hex-dumping can require the use of flash boxes to flash clips (code) to flash memory, which can overwrite blocks of data containing user data

D) Gaining access to a mobile telephone may require the entry (direct human intervention) of security codes:

- Passwords/PINs
- Re-setting Passwords/PINs

E) Examiners using devices to select (direct human intervention) specific data can cause the operating system of a mobile telephone to handle data in a particular way (indirect intervention):

- some smartphones write to files in order to keep track of data, and in some instances shift data around to accommodate the "fetch" request for certain data

Essentially the categories and content illustrated above merely set the stage to highlight what an examiner faces when seeking to acquire data from a mobile telephone. Plug and play (PnP) devices cannot be used in isolation; they need supervision (direct human intervention). Direct human intervention, with or without a device, can have consequences too. Furthermore, the mobile telephone under examination can react to direct human intervention as well as to indirect intervention.