Saturday, July 07, 2018

Update - HERREVAD Databases Geo Location Artefacts

Back in February 2017 I wrote an article relevant to "HERREVAD Databases Geo Location Artefacts" ( and I regularly conduct searches for any useful updates or supporting information that maybe of use.


I see SANS DFIR in May 2018 published "Advanced Smartphone Forensics Poster - SANS Forensics" a poster to identify "Most Relevance Evidence Per Gigabyte" and includes the database 'Herrevad' (


dmoreno1994's GeoAndroid .py script (
positions an android phone without GPS by utilising the Herrevad database. "Herrevad: This database contains the WiFi connections history of preinstalled Google apps in Android OS devices. It can be WIFI connections of Google Play, Google Maps, Youtube, etc..



Posted yesterday 06/07/2018 Hybrid Analysis Incident Response malware analysis website ( illustrated Receiver and Intent involving Herrevad.



An earlier version of Receiver and Intent is recorded in Joe Sandbox Cloud Analysis ( published 12 August 2017.


Herrevad has an interest to those on Security Stack Exchange wanting to understand how the database can reveal SSID/Cell ID geolocation info. "How do you get Geolocation information from the CellID field in the herrevad database from Google Mobile Services? (


Wednesday, February 14, 2018

Important principles in digital forensics

At a time when digital forensics is under the spotlight and taking salvos of criticism for poor performance and lack of knowledge about its own scientific subject matter ( and there is no better time than to refresh on principles to signpost the way to go or leave a breadcrumb trail to find the way back to safe ground.

I posted comments back in November 2006 ( identifying principles to remember, recall and apply, when conducting Cell Site Analysis (CSA) - but they apply to examinations also -  that are still relevant to today (2G/3G/4G/5G/etc....) as they were since the inception of digital cellular radio services back in the late 1980s/1990s.

The requirements identified in standards as "mandatory", "conditional", "recommendations" and so on are not written for fun;  nor to be wilfully disregarded just because they appear complex, complicated or difficult e.g. cannot be bothered to learn them, my device/machine does the thinking for me; both render the human-being to be no more than a perfunctory-goffer (human obsolescence) for the processes generated by software and algorithms in a device or machine.

The four principles to easily remember, recall and apply:

- There are mandatory requirements with mandatory outcomes
- There are mandatory requirements with optional outcomes
- There are optional requirements with mandatory outcomes
- There are optional requirements with optional outcomes

Moreover, and a fundamental (and one might suggest absolute) requirement, is the importance to understanding 'Modal verbs terminology' adopted in the standards.

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions)

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Wednesday, January 10, 2018

URN Namespace and IMEI

RFC8141 - A Uniform Resource Name (URN) is a Uniform Resource Identifier (URI) [ RFC3986] that is assigned under the "urn" URI scheme and a particular URN namespace, with the intent that the URN will be a persistent, location-independent resource identifier. A URN namespace is a collection of such URNs, each of which is (1) unique, (2) assigned in a consistent and managed way, and (3) assigned according to a common definition. (

Image courtesy of Diameter-Protocol

RFC7255 - This specification defines how the Uniform Resource Name (URN) reserved for the Global System for Mobile Communications Association (GSMA) identities and its sub-namespace for the International Mobile station Equipment Identity (IMEI) can be used as an instance-id. Its purpose is to fulfil the requirements for defining how a specific URN needs to be constructed and used in the ’+sip.instance’ Contact header field parameter for outbound behaviour. (

RFC7254 - This specification defines a Uniform Resource Name (URN) namespace for the Global System for Mobile Communications Association (GSMA) and a Namespace Specific String (NSS) for the International Mobile station Equipment Identity (IMEI), as well as an associated parameter for the International Mobile station Equipment Identity and Software Version number (IMEISV) as per the namespace registration requirement found in RFC 3406 [ 1]. The Namespace Identifier (NID) ’gsma’ is for identities used in GSM, Universal Mobile Telecommunications System (UMTS), and Long Term Evolution (LTE) networks. The IMEI and the IMEISV are managed by the GSMA, so this NID is managed by the GSMA. (

Tuesday, November 07, 2017

100 Years - Remembrance Day 11/11/2017

I do not know the artist but the message in the painting below is understood. If you haven't done so and you see a person selling Poppies do stop and buy one; even if you give 5p it goes to a good cause.

11th NOVEMBER (1917-2017)

We stand on the shoulders of those who fought and gave us "freedom and liberties" which are so easily taken for granted today.

Sunday, October 29, 2017

Understanding Metadata

NISA 2017 - UNDERSTANDING METADATA - WHAT IS METADATA, AND WHAT IS IT FOR? is available. Surprisingly, not read anywhere else that this update was out, being that it is a highly relevant subject to digital (mobile, computer, audio, etc.) forensics.

Android CDD

As of the 1st September 2017 Android published their updated Compatibility Definitions Document version 8.

9.8.1 . Usage History - Android stores the history of the user's choices and manages such history by UsageStatsManager . Device implementations: [C-1 -1 ] MUST keep a reasonable retention period of such user history. [SR] Are STRONGLY RECOMMENDED to keep the 1 4 days retention period as configured by default in the AOSP implementation.

See also: 9.9. Data Storage Encryption, 9.9.2. File Based Encryption, 9.9.3. Full Disk Encryption,

Face Recognition

Following Apple's Face ID launch this is one of those hot topics at the moment. This technology is not without its sceptics and questions still remain whether it can become full proof. In today's world, that is a big ask.

I have collected some bits and pieces worth reading.

Apple's September 2017 paper on face ID and security - []

Kairos produce a useful comparison chart of facial recognition services[]

The Guardian Newspaper published an article of Samsung's flawed Iris scanner - []

New research proposal just out 'Bypassing 3D Facial Recognition Authentication on Mobile Devices' - []

NCSC Cyber Security: Small Business Guide

Cyber security can feel like a daunting challenge for many small business owners. But it needn’t be. Following the five quick and easy steps outlined in this guide could save time, money and even your business’ reputation.

National Crime Agency - Suspicious Activity Reports (SARs) 2017

A lot of good work being achieved by the NCA.

Threema - white paper

Latest white paper Sept 2017

Threema is the world’s favourite secure messenger and keeps your data out of the hands of hackers, corporations and governments. Threema can be used completely anonymously, allows to make end-to-end encrypted voice calls, and offers every feature one would expect from a state-of-the-art instant messenger.

Useful for running lab tests.

Childrens' Smart Watch Tracking Movements

Is a stranger hacking your child's smart watch? Warning that loopholes in the devices are being targeted to track youngsters' movements.

Daily Mail Science Tech Article 4991102

Mobile Data Traffic 2016-2021

Very Low Cost Training $99.00 - US Marketplace

Just been reading a post from Dennis Carroll Special Agent / Law Enforcement Instructor about some very low cost training in the States

"The Fox Valley Technical College in partnership with the National Criminal Justice Training Center (NCJTC) have approved my three day cellular device investigations course. The first course is being offered in Appleton Wisconsin in December as a pilot and then throughout the US as requested. The FVTC and NCJTC have obtained a grant to lower the cost of this course to $99. This is the lowest price you will find for a three day comprehensive cellular device investigation course. There is a link to request this course at your host agency on the link below. Please share if you would."

5G in Five Minutes

New Cyber Report recognises legal actions

June 2015 I sketched foreseen legal actions impacting on cybercrime. I posted a diagram-infographic in Feb 2016 "LEGALLY SPEAKING – OBSERVATIONS CHART FOR JUDGES BARRISTERS AND SOLICIT0RS" -

I am pleased to see that ETSI (European Telecommunications Standards Institute) have also picked up on my themes in their 2017 published technical report (TR) CYBER; Implementation of the Network and Information Security (NIS) Directive ETSI TR 103 456 V1.1.1 (2017-10) with reference to Contract, Tort and Crime.