Friday, July 31, 2009

Cellphone Examination and Myths

Cellphone Examination and Myths
.
Surprisingly, there are still many who promulgate myths, either by unwittingly conducting examinations in a particular way or by using a product/device for cellphone examination to combat a particular perceived problem.
.
I am launching this discussion thread, which will be updated from time to time, to identify cellphone examination myths. In doing so, it is not aimed at criticising an individual, a manufacturer's product or someone selling a service. The point of the discussion is to allow people to make informed decisions as opposed to buying into a particular mythology. Do remember, I am not telling you what you should or should not do; it is your choice, and my comments are only intended as helpful observations.
.
CELLPHONE CLOCKS
There is a claim that the examiner should examine the cellphone first, before examining the SIM Card. Two myths that are still circulating today are (a) that by removing the SIM Card from a phone that is switched OFF the handset clock will be lost, and (b) that using a Faraday shield or RF dampening field can help prevent that. I find it rather surprising that these myths are applied as a reason for creating a universal principle that handsets should be examined first and that Faraday/RF is the optimum choice for containment and examinations. To me these myths are nothing more than over-exaggerated examination procedures. They transfer the skills away from the human to expecting the device and the postulated procedure to be capable of coping with everyday common scenarios.
.
Most mobile phones today either have a memory system with an on-board battery that keeps data live for a period of time after the main battery has been removed, or store the clock data along with an offset in flash so that the clock can be recalculated on power-up and initialisation. It is true that some phones (but not every phone) can lose the clock setting when the SIM is removed, so the choice of examination procedure should be made on a case-by-case basis. User-defined clocks can be quite unreliable as well, and in most cases (but not all) the clock setting of the handset never features as a prominent piece of evidence.
.
Additionally, Faraday/RF dampening does not influence the clock at all, unless of course (as is becoming more popular) the user has set the handset to use the mobile network clock, in which case Faraday/RF dampening would have a detrimental effect: the handset loses the network clock timing whilst it sits in isolation containment.
.
Where special procedures are needed for very serious crime or terrorism, it is understandable that a particular containment field might be required. The majority of mobile phone seizures and recoveries are pretty bog-standard occasions, so why would anyone leave a mobile phone switched ON in a containment bag, where there is a high chance that the bag could be knocked and a key pressed, generating and/or altering data on the phone?
.
FARADAY/RF DAMPENING - LOSING DATA
For road traffic accidents, using containment bag methodology for seized or recovered switched-ON cellphones can be problematic, because location data can be lost by isolation in a containment field, whether that be mobile network data and/or GPS data.
.
FARADAY/RF DAMPENING - WIPING DATA
Many of the high-end, sophisticated smartphones, like the BlackBerry, may have security policies in place whereby a prolonged absence from the radio network can force a lock and/or data wipe.
.
FARADAY/RF DAMPENING - IMSI
SIM cards have the ability to store a number of IMSIs, which are commonly used where countries have multiple network operators on a State-by-State basis. Roaming users may have a choice to use one or several IMSIs whilst roaming in another State or country. Activating a particular IMSI can require selecting a profile and pressing the "SEND" key to inform the network of the altered subscriber identity; a response from the network can be required for that change to take effect. The protocol in some handsets has been designed to wait for the network's response to be received before the IMSI change takes place inside the SIM and the profile is released to the handset. Consequently, whilst the handset is isolated, revealing data for a particular IMSI profile might not be possible.
.
FEEDBACK
If anyone wants to contribute to this myths discussion send an email to me with your observations. If you want to debunk my debunking then by all means do so, I am always willing to learn.

Tuesday, July 14, 2009

Mobile Evidence CDR/Billing Course

Mobile Evidence CDR/Billing Course
.
One-day live training session on mobile evidence CDR/Billing.
.
- understanding and obtaining evidence
- standards
- relationship between network and user
- relationship to cell site analysis (CSA)
.
I am proposing this training with a number of issues that impact in the background:
.
- obtain training at a cost-effective price in difficult economic times
- people need training, even in difficult economic times
- demonstrate training from experienced individuals has been undertaken
- to improve understanding of CDR/Billing, thus improve evidential standards
.
Attendees are not required to have undertaken CDR/Billing work before.
.
I have checked out and compared prices for a one-day course and found the following:
.
1) They do not provide content like the course I am proposing;
2) They do not impart the experience to deal with the specifics; my course does;
3) They do not impart the information on how to go about getting the evidence; mine does;
4) I won't be using the training course to take your money and then have the cheek to tell you why you should be using my examiner/expert services or buy my product;
5) My courses have always been about empowering people with the skills needed to do the job.
.
The basic cost per person is £239.00
.
Factors to consider: the training cost does not cover your:
.
- travel
- overnight accommodation (should you want to stay on and travel back the next day)
- food
- any other expense
.
The minimum number of attendees MUST be 50 to run the course due to the proposed venue in Surrey UK (and very nice it is too).
.
Interested, then please send an email to me, for a registration form:
.
trewmte @ gmail.com

Saturday, July 11, 2009

ECHR Fairness with evidence

European Convention on Human Rights (ECHR)
Fairness with evidence
.
As part of the training syllabus for students, consideration is given to the professional, ethical and moral standards associated with the work of the examiner and expert and the evidence they produce.
.
“Equality of arms” principle
Enshrined in Article 6 ECHR and incorporated into the Human Rights Act, the right to a fair trial involves observance of the principle under which the defendant in criminal proceedings must have "a reasonable opportunity of presenting his case to the court under conditions which do not place him at a substantial disadvantage vis-à-vis his opponent"
- Kaufman v. Belgium 50 DR 98;
- Neumeister v. Austria 1 EHRR 91;
- Delcourt v. Belgium 1 EHRR 355;
- Borgers v. Belgium 15 EHRR 92;
- Jespers v. Belgium 27 DR 61;
- Bendenoun v.France
.
ECHR Article 6
The principle of equality of arms under Article 6(1) overlaps with specific guarantees in Article 6(3) which are not confined to specific aspects.
.
Equality is relevant, for example, where an expert witness appointed by the defence is not accorded equal treatment with one appointed by the prosecution or the court; this may amount to a breach of the principle
- Bonisch v. Austria 9 EHRR 191
.
Non-disclosure to the defence may equally amount to a breach
- Foucher v. France 25 EHRR 234
.
Forensic Conduct and Standards
Dealing with the duty of all prosecution (including police and civilian staff) and defence examiners and experts.
.
The court held “It was the clear duty of government forensic scientists to assist in a neutral and impartial way in criminal investigations. The cause of the injustice to Miss Ward on the scientific side of the case stemmed from the fact that three senior forensic scientists…regarded their task as being to help police. They became partisan. It was their clear duty to act in the cause of justice. That duty should be spelt out to all engaged…in the forensic services in the clearest terms.”
- R v. Judith Ward (1992) CA 142 NLJ 859

Friday, July 10, 2009

Mobile Phone Flash Memory Chip Evidence

Mobile Phone Flash Memory Chip Evidence
.
When recovering data using flasher box devices, it may be useful, in support of obtaining details (IMSI/ICCID/etc.) about a particular SIM Card previously inserted into a particular mobile telephone, to note that storing such data in handset memory is:
.
- not new
- not clandestine shady black-box technology
- not a security breach by the handset manufacturer
.
In fact the entire process of maintaining a SIM List in the phone was designed to allow a user with more than one SIM Card to gain access to previously held memory data associated with each particular SIM Card.
.
In order to support that statement, it would be helpful to see practitioners using authoritative statements about the forensic 'reliability' and 'accuracy' of data recovered using flash reading devices, and the evidential 'weight' and 'value' to be given to that data.
.
To assist, here is a statement from a 1996 published Electronic User Guide for the Nokia 2110:
.
SECURITY LEVEL (Menu 5 2) Page 71
"The phone keeps a list of the SIM cards which are used with the phone. This list may contain the information on up to five different SIM cards."
.
However under the same section in the User Guide it states:
.
"Regardless of the selected security level, all temporarily stored phone numbers are erased when a new SIM card is installed. On the other hand, these phone numbers are not erased when a previously used SIM card is inserted, regardless of the selected security level."
.
As a query about forensic reliability and accuracy:
.
- During acquisition and the harvesting of the acquired data, has anything been lost in translation of the data themselves, at first instance? If the IMSI you have recovered from flash memory is presented alongside call logs etc., how do you know that those call logs relate to that IMSI and not to another IMSI?
.
As a query about evidential weight and value:
.
- What weight can be given to the recovered IMSI being directly associated with those call logs? Moreover, what value is there in presenting such potentially uncorroborated evidence, assigned to the recovered data, as evidence?
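One practical way to put the reliability and weight questions above into a repeatable check is to (a) test each identifier recovered from flash structurally (an ICCID carries a Luhn check digit; an IMSI has a fixed MCC/MNC/MSIN layout) and (b) compare each recovered SIM-list slot against the identifiers read directly from the SIM card(s) physically seized, so that a call-log record attributed to a slot by the tool is labelled with the basis on which that attribution rests. The following is an added example, not code from the original post or from any flasher box product; the record layout, the four-slot SIM list, the seized SIM and the call-log entries are all constructed for illustration (the test-network MCC 001 and Ofcom drama numbers are used so that no real subscriber is implied), and real handsets keep their SIM list in vendor-specific formats:

```python
"""Structural and corroboration checks for subscriber identifiers (IMSI/ICCID)
recovered from handset flash memory.

Added example, not code from the original post.  All identifiers and the
record layout below are constructed for illustration.
"""
import re


def luhn_valid(number: str) -> bool:
    """ICCIDs end in a Luhn check digit (ITU-T E.118); IMSIs carry none."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_imsi(imsi: str) -> dict:
    """Structural check only.  An IMSI is up to 15 digits: MCC (3) + MNC (2 or 3)
    + MSIN.  MNC length varies by country and cannot be read off the IMSI alone,
    so both possible splits are reported rather than guessed."""
    well_formed = re.fullmatch(r"\d{6,15}", imsi) is not None
    return {
        "well_formed": well_formed,
        "mcc": imsi[:3] if well_formed else None,
        "mnc_candidates": [imsi[3:5], imsi[3:6]] if well_formed else [],
    }


def corroborate_sim_list(sim_list: list, seized_sims: list) -> dict:
    """Compare each SIM-list slot recovered from flash against identifiers read
    directly from the physically seized SIM card(s).  Result is keyed by slot."""
    seized_pairs = {(s["imsi"], s["iccid"]) for s in seized_sims}
    seized_imsis = {s["imsi"] for s in seized_sims}
    out = {}
    for slot in sim_list:
        imsi, iccid = slot["imsi"], slot["iccid"]
        structural_ok = check_imsi(imsi)["well_formed"] and luhn_valid(iccid)
        if (imsi, iccid) in seized_pairs:
            status = "corroborated"       # matches a SIM card in hand
        elif imsi in seized_imsis:
            status = "partial"            # IMSI matches a seized SIM, ICCID does not
        elif structural_ok:
            status = "uncorroborated"     # plausible, but nothing independent backs it
        else:
            status = "suspect"            # fails structural checks: query the extraction
        out[slot["slot"]] = {"imsi": imsi, "iccid": iccid, "status": status}
    return out


def call_log_basis(entry: dict, slot_results: dict) -> str:
    """Call-log records in this constructed layout carry no IMSI field, so the
    tool's attribution of a record to a SIM slot is positional.  State the basis
    on which that association rests, for the evidential-weight question."""
    slot = slot_results.get(entry["tool_slot"])
    if slot is None:
        return "attribution unsupported: no such SIM-list slot"
    if slot["status"] == "corroborated":
        return "positional mapping to a slot corroborated by the seized SIM"
    return f"positional mapping only; slot is {slot['status']}"


# Constructed data: a SIM list with four populated slots (the Nokia 2110 guide
# describes up to five), the one SIM card actually seized, and call-log records
# as a flasher box tool might attribute them to slots.
SIM_LIST = [
    {"slot": 1, "imsi": "001010123456789", "iccid": "8944100030123456789"},
    {"slot": 2, "imsi": "001020123456789", "iccid": "8944100030987654321"},
    {"slot": 3, "imsi": "001010123456789", "iccid": "8944100030123456780"},
    {"slot": 4, "imsi": "00103O123456789", "iccid": "8944100030123456789"},
]
SEIZED_SIMS = [{"imsi": "001010123456789", "iccid": "8944100030123456789"}]
CALL_LOGS = [
    {"number": "+441632960000", "tool_slot": 1},
    {"number": "+441632960001", "tool_slot": 2},
    {"number": "+441632960002", "tool_slot": 5},
]

if __name__ == "__main__":
    results = corroborate_sim_list(SIM_LIST, SEIZED_SIMS)
    for slot, r in sorted(results.items()):
        print(f"slot {slot}: IMSI {r['imsi']} ICCID {r['iccid']} -> {r['status']}")
    for entry in CALL_LOGS:
        print(f"{entry['number']}: {call_log_basis(entry, results)}")
```

Only slot 1 ends up "corroborated": slot 3 shares its IMSI but the ICCID fails the Luhn check, and slot 4 contains a letter where a digit should be, both of which are exactly the "lost in translation" cases the query above asks about. A record the tool attributes to slot 2 is reported as resting on positional mapping alone, which is the honest description of its weight until something independent (the physical card, network records) backs the slot's identity.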

Fowler-Nordheim Tunnelling Principle

Fowler-Nordheim Tunnelling Principle
.
The floating gate can be charged and discharged by using Fowler-Nordheim "tunnelling", a principle whereby certain electrons subjected to an electric field can cross the forbidden gap of an insulator to enter the conduction band and thus flow freely for a short distance to a positively charged area.
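The relation behind this, added here as a worked formula rather than quoted from the original post, is the Fowler-Nordheim expression for the tunnelling current density through the oxide, where $E$ is the electric field across the oxide, $\phi_B$ the barrier height at the silicon/oxide interface, $m^{*}$ the effective electron mass in the oxide, $q$ the electron charge and $h$ Planck's constant:

$$J = \frac{q^{3} E^{2}}{8\pi h \phi_B}\,\exp\!\left(-\frac{8\pi\sqrt{2m^{*}}\;\phi_B^{3/2}}{3 q h E}\right)$$

The exponential dependence on $1/E$ is the point for flash: only the high field produced by the on-chip charge pump during a program or erase moves appreciable charge across the tunnel oxide, while at normal read voltages the same current is negligible and the floating gate retains its charge for years. Each program/erase cycle stresses the oxide, which is why flash devices have a finite endurance, and why retention degrades on heavily cycled cells.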

Happy Birthday Nikola Tesla

Important scientific history is associated with Nikola Tesla, and it is his birthday today.
Magnetic field strength


http://www.google.co.uk/search?q=nikola+tesla&ct=tesla09&oi=ddle
http://www.google.co.uk/search?hl=en&q=Nikola+tesla+magnetic+field&meta