Friday, December 06, 2019

eSIM - Observing Possible Outcomes Part 1

Back in 2012 I wrote about the introduction of a new form factor for SIM Cards (4FF). The outline and a potted history of SIM Card form factors were illustrated and in a separate post the first ETSI standard defining this new form factor (4FF) - (R1) and (R2).

Seven years down the line, in 2019, ARM Limited produced a useful graphic of where eSIM is placed in the evolutionary chain of form factors - (R3).



eSIM has already established a presence in the digital tech marketplace. SIMalliance published SIM Market Insights in June 2019 giving the following stats '2018 Shipment Volumes (SIM Units)'. Here again it is easier to show the graphics than simply record word-for-word the stats - (R4).


Recorded in Arm's presentation are more stats: 4.4 billion cellular devices by 2025 – Source: Machina 2017; $1.8 trillion operator revenue opportunity for LPWAN by 2026 – Source: GSMA 2017. These support the vision of eSIM integration into future devices and the market size - (R3).

There are, of course, numerous market reports predicting how eSIM will fare in the marketplace; this blog post is giving a potted history just to bring the discussion up to speed.

Specifications and standards for eSIM/eUICC are available from 3GPP, GSMA and SIMalliance. These will be discussed in another Part to this blog discussion. For now, what we need to know is how eSIM will actually operate in practice. The SIMalliance produced a helpful graphic (R4) showing an eSIM profile (a package) delivered to a physical product (eUICC) when deployed in the field. So let us look at that first.

For the download (update) system architecture to work, both network and device must operate and function according to the Remote SIM Provisioning Service (RSP) Architecture. This has been designed into the RSP Architecture. The following graphics helpfully illustrate two important elements: the network side and the device side (eUICC) - (R5).


Once the eUICC has been deployed in the field it will, when inserted into a compatible smartphone, be able to download one or more mobile operator profiles and then subscribed services. An eSIM user can then switch between operator profiles or download profiles and services on the fly - time, place and location, and so on. This enables the eSIM/eUICC to excel in connectivity. This approach to connectivity is exciting and yet remarkable, for logically the SIM Card issued previously was issued and controlled by the subscriber's mobile operator. eSIM/eUICC in essence removes the sovereignty which was jealously guarded by each operator prior to the introduction of this technology handover. That is even to the extent where virtual mobile operators (VMOs) only functioned based upon piggy-backing off primary operators' core network but issued their own SIM Cards.

It should be understood that the envisaged usage for eSIM focussed on M2M, so candidates would be industry devices, automobiles, metering and so on. But the concept of eSIM has recently engaged operators and handset manufacturers to look at how 5G can help with profiling and service downloads. Recently, GSMA ran seminars with hands-on training for eSIM profiling and services download, which apparently was very successful.

Moreover, Samsung, Google and Apple have devices with eSIM capability. The Android framework provides standard APIs for accessing eSIM and managing subscription profiles on the eSIM (Android 9). Importantly, devices running Android 10 or higher can support devices with multiple eSIMs. So these factors alone are investigative elements for cyber security oversight, pentesters and forensic examiners to be aware of.

In Part 2 the discussion will refine and define observations that have been generally stated in this post; examine more closely eSIM and eUICC aspects and then more in Parts 3 and 4 looking at potential implications for cyber security, law enforcement, forensic examiners and ICT specialists.

REFERENCES
(R1) SIM Card new 4FF form factor size - https://trewmte.blogspot.com/2012/06/sim-card-new-4ff-form-factor-size.html
(R2) ETSI release details of new 4FF UICC  - https://trewmte.blogspot.com/2012/06/etsi-release-details-of-new-4ff-uicc.html
(R3) The Challenges Deploying IoT eSIM M2M enabling Secure Communications Scaled for 1 trillion devices. Jean-Philippe Betoin Marketing Director, Secure Identity Confidential © 2019 Arm Limited.
(R4) SIMs, eSIMs and Secure Elements: Providing a roadmap to dynamic security and flexible control for connected devices. Remy Cricco Chair of the Board, SIMalliance ETSI Security Week June 2019.
(R5) GSMA SGP.21 - RSP Architecture, V2.2, 1 Sep 2017

Thursday, December 05, 2019

Update3 - HERREVAD Databases Geo Location Artefacts

This is the continuing/on-going research and discovery into HERREVAD Databases Geo Location Artefacts.

Back in 2017 little was known about HERREVAD and I posted at my blog my views that it had potential for cell site analysis and possible mobile user geographical location/s. I have found further materials on it in a useful web-article (Making Sense of OSINT Cell Tower Data for DFIR- https://osintcurio.us/2019/08/19/making-sense-of-osint-cell-tower-data-for-dfir/) where the investigator sets out the uses for the data from the HERREVAD database for the purposes as I have mentioned. So good to see my research continues to benefit criminal, civil and security investigations.

The last update was
Update2 - HERREVAD Databases Geo Location Artefacts
https://trewmte.blogspot.com/2019/05/update2-herrevad-databases-geo-location.html

Tuesday, September 17, 2019

Policing today

As the murder investigation into the appalling and tragic death of PC Andrew Harper is ongoing https://www.bbc.co.uk/news/uk-england-berkshire-49726196 I am sure I am sharing thoughts others have already stated long before me; not preaching, just asking:

What exactly do people want from the Police?

We pay for these men and women to work on the "front line" for us dealing with enquiries, handling difficult and serious situations.  There is no small section of society or victim group deserving only of the police attention to deal with their concerns and everyone else can go to hell. The police represent all of us (good, bad and indifferent) and we represent all of the "front line". And if you are not supporting the safety of the police on the streets then what happens if officers do not want to do the job anymore, what then?

It is worth taking 5-mins to look at the list here:

https://en.wikipedia.org/wiki/List_of_British_police_officers_killed_in_the_line_of_duty

Saturday, August 17, 2019

Observations from the digital backyard-2

Good to have a catch-up chat with my old friend Vinny Parmar. Vinny holds the position Higher Digital Forensics personnel responsible as the Quality Representative (QR) for the Computer Forensics Department at West Midlands Police (WMP); the team responsible for having achieved UKAS Accreditation (ISO 17025) and ensuring its continued compliance and maintaining the standards. During my conversation with Vinny I was reminded, as in previous conversations with him, of Vinny's broad range of experience (worked in the private/public sectors, digital forensics, setting up a laboratory, and now UKAS Accreditation); should he decide to hang up his work boots (some way off yet) I think Vinny would be a great lecturer bringing cutting-edge, real-world working experience to University students.

I see Heather Mahalik has a new role as Senior Director of Digital Intelligence at Cellebrite and has just written a blog post about the reasons for joining the company (Blog Post - Heather Mahalik). For those that are not aware, Heather's background includes being a SANS Senior Instructor and co-authoring the books Practical Mobile Forensics editions 1 and 2, and she was the Technical Editor for the book Learning Android Forensics; all three published by Packt Publishing. Congratulations Heather and good luck in the new role.

There are quite a few founding fathers that have contributed to the evolution of digital forensics and cell site analysis. Previously I have mentioned back in 2014 the contribution Albert Einstein made to cell site analysis ( https://trewmte.blogspot.com/2014/07/csa-site-survey-method3mobility-models.html ) due to the mobile telecommunications industry adopting Einstein's 1926 “The Random Walk Mobility Model”. It seems only fair to mention another well-known character and celebrity forensicator no less, who celebrated his birthday back in June, and that is Batman (copyright DC Comics). Batman's role in using investigative forensics to solve crimes is very well known and some of his cases can be found here - The Forensic Files of Batman published by iBooks, ISBN 1596871156 (ISBN13: 9781596871151, see www.dcccomics.com and www.ibooks.net).



It is the use of Batman's punch index cards inserted into the Bat Computer which then computed the input, analysed the results and produced an output answer that some have observed this might be the originator for the concept of Computer Forensic Suites. So well done and our respects to Einstein and Batman for their contributions to our industry.

Monday, June 03, 2019

75 Years Remembrance D-DAY

Reposting my blog-post of 06/06/2011 to support remembrance of 75 years of D-Day

D-Day 6th June




I mentioned today's important date to a number of people. Quite a few had forgotten the date and mainly the younger generation didn't know about events that took place on this date back in 1944.




For anyone who may have missed it or might want to know more, here are some links providing the historical background.

NORMANDY LANDINGS
British Legion Remembrance d-day-65
Wikipedia Normandy Landings
Britannica DDay
Remembrance D-Day.html
Lifeformation D-Day


SCHOOL CHILDREN (CBBC)
BBC/CBBC D-Day




Tuesday, May 21, 2019

Update2 - HERREVAD Databases Geo Location Artefacts

This second update concerns HERREVAD Databases Geo Location Artefacts referred to by me in my previous posts:

Update - HERREVAD Databases Geo Location Artefacts (2018)
http://trewmte.blogspot.com/2018/07/update-herrevad-databases-geo-location.html

and

HERREVAD Databases Geo Location Artefacts (2017)
http://trewmte.blogspot.com/2017/02/herrevad-databases-geo-location.html

Due to lack of reporting and information about HERREVAD Databases I have kept monitoring the information superhighway to see if any additional information comes up about HERREVAD.

In March 2019 the GmsCore.apk (Android Marshmallow) had an Incident Response Report at Hybrid Analysis concerning MITRE ATT&CK Techniques Detection, identifying a malicious indicator. The lengthy report suggests fingerprinting of location information with which HERREVAD is associated:

com.google.android.gms.herrevad.receivers.CaptivePortalReceiver // android.net.conn.NETWORK_CONDITIONS_MEASURED 
com.google.android.gms.herrevad.receivers.GservicesReceiver //  com.google.gservices.intent.action.GSERVICES_CHANGED

https://www.hybrid-analysis.com/sample/d75d4607b04ef24459cda329739b7222c5b70c53886316620c45bc3b7ddc6a3b?environmentId=200#signature-ff7edd80fdd3ee84d005809e9b2df85e
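
To confirm component registrations like the two quoted above in a decoded AndroidManifest.xml, the following added example (not taken from the Hybrid Analysis report or from GmsCore) lists the receivers under a package prefix together with their intent actions. The sample manifest is constructed from the two pairs in this post; the function name `receivers_for` and the unrelated `com.example.other.BootReceiver` entry are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Constructed sample: only the two receiver/action pairs quoted in this post,
# one written in manifest shorthand, plus one unrelated (hypothetical) receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.android.gms">
  <application>
    <receiver android:name="com.google.android.gms.herrevad.receivers.CaptivePortalReceiver">
      <intent-filter>
        <action android:name="android.net.conn.NETWORK_CONDITIONS_MEASURED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".herrevad.receivers.GservicesReceiver">
      <intent-filter>
        <action android:name="com.google.gservices.intent.action.GSERVICES_CHANGED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.other.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def receivers_for(manifest_xml, prefix):
    """Return {receiver class: sorted intent actions} for classes under prefix."""
    # The stdlib parser suits a manifest you decoded yourself; prefer a
    # hardened parser (e.g. defusedxml) for XML from an untrusted source.
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = {}
    for rcv in root.iter("receiver"):
        name = rcv.get(NAME, "")
        if name.startswith("."):  # shorthand name relative to the package
            name = package + name
        if name.startswith(prefix):
            actions = {a.get(NAME) for a in rcv.iter("action") if a.get(NAME)}
            found[name] = sorted(actions)
    return found

if __name__ == "__main__":
    hits = receivers_for(SAMPLE_MANIFEST, "com.google.android.gms.herrevad.")
    for cls, actions in hits.items():
        print(cls, "//", ", ".join(actions))
```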

DRONE FORENSICS

There is a good article about Drone Forensics in eForensics Magazine. The synopsis for the article states:
"The project begins to look into the broad range of UAVs that are likely to be encountered by police forces in the UK, specifically targeting the more budget end of the spectrum whilst still having all the functionality required to commit a range of crimes. The project focuses on post criminal activity analysis of the UAV and controller and while there is some discussion of commercial counter UAV tools it is not the focus of this project. One example of this analysis comes from media files stored on the drone and the kind of information that can be gathered from them through metadata. Using a purely practical, experimentation and analysis based approach, a thorough examination was made of both the UAV and its controlling Android and iOS devices. The project concludes that metadata is the best way to obtain information regarding flights, particularly where the Bebop’s “Drone Academy” feature is disabled as it specifically states that this will track your drone’s flights, though there is an analysis of the files created by the “Drone Academy” feature."
https://eforensicsmag.com/product/drone-forensics/

However, there is a huge range of technology to consider with evidential value and later on I will present additional supporting info to the community. In the meantime here is a great infographic by (c) Jethro Hazelhurst of the Pixhawk PX4 autopilot.

Thursday, May 09, 2019

Observations from the digital backyard...

I have been meaning to post on this subject for a while so without being side tracked again, here goes..

Very good work by Brett Shavers over at 'DFIR Training (Brett Shavers)' who is aiming to create 'The most complete DFIR resource on the planet.' Brett has sure done a great job so far and receives regular plaudits for his work; so be sure you have time to drop in on his site https://www.dfir.training/info/about.

Note: DFIR (Digital Forensics & Incident Response) is a broad church of highly skilled and experienced people from a wider background field than digital forensics but has good cross-compatibility with pure digital forensics.

Phill Moore (RandomAccess) another outstanding character in our field has a highly successful website called 'Knowledge Base - This week in 4N6', that provides highlights occurring in the digital forensics world... https://thisweekin4n6.com/. For up-to-date news do visit Phill's website; Phill has a good reputation for quality news. Phill's just asked me to remind readers to also have a look at his additional blog https://thinkdfir.com/.

Mobile forensics is not without its new discoveries as Mike "forensicmike" Williamson found out and detailed his findings in his article 'MPT – LG’s incognito version of KnowledgeC' https://www.forensicmike1.com/2019/04/27/mpt-lgs-incognito-version-of-knowledgec/. Mike is a nice guy and generously shares of his knowledge with others as he has in this discussion about uncovering LG hidden MPT partition and its value to investigations. His findings have also been recognised and published in Interpol's Digital 4N6 Pulse Issue II. Top man for sharing, Mike!

Yet another name known in the digital forensics arena is 'San4n6', who is in fact Darryl Santry at IACIS (International Association of Computer Investigative Specialists): Staff Mobile Forensics, Adjunct Prof; who has undertaken a wonderful initiative (training project) to educate young teenagers in Cyber issues. Darryl is taking the complex, complicated and convoluted knowledge and experiences of the Cyber arena and delivering that information through his teaching in terms that young students can understand. Darryl's doing a great job and what a first class guy for doing this. IACIS will be having upcoming conferences and I will update readers on those dates when I know. https://www.iacis.com/

Andrew "rathbuna" Rathbun, a forensic computer examiner, launched DISCORD Digital Forensics (a server containing a confederation of digital and technical chat forums), which has seen a staggering membership uptake of 1500 members in less than a year. The Discord members provide really good quality advice. Superb work in bringing this together Andrew!! I will update this discussion shortly with how to join.

I cannot forget to mention my friend Jamie Morris and his established website https://www.ForensicFocus.com. It now has nearly 36,000 members and is still going from strength to strength after all these years; whilst many similar websites have gone by the wayside. Well done, Jamie!

I will have more names to add in my next post on this subject.