Cellphone Examination and Myths
.
There are still, surprisingly, many who still promulgate myths by unwittingly conducting examinations in a particular way or use a product/device for cellphone examination to combat a particular perceived problem.
.
I am launching this discussion thread, which will be updated from time to time, to identify cellphone examination myths. In doing so, it is not aimed at a criticising an individual, manufacurer's product or someone selling a service. The point of the discussion is to allow people to make informed decisions as opposed to buying into a particular mythology. Do remember, I am not telling you what you should or should not do, it is your choice, my comments are only intended as helpful observations.
.
CELLPHONE CLOCKS
There is a claim the examiner should examine the cellphone first before examining the SIM Card. Two myths that are still circulating today (a) is that by removing the SIM Card from the phone that is switched OFF the handset clock will be lost, (b) and using a Faraday shield or RF dampening field can help prevent that. I find this rather surprising to apply these myths as a reason for creating a universal principle that handsets should be examined first and using Faraday/RF is the optimum choice for containment and examinations. To me these myths are nothing more than over exaggerated examination procedures. They transfer the skills away from the human to expecting the device and postulated procedure to be capable of coping with everyday common scenarios.
.
Most mobile phones today have a memory system with an on-board battery to keep data live for period of time after the external battery has been removed or the clock data along with an offset stored in flash to calculate the clock upon power up and intialisation to give the time. It is true that there are some phones (but not every phone) that can lose the clock setting when the SIM is removed, so the use of a particular examination procedure should be on a case by case basis. User-defined clocks can be quite unreliable as well and in most cases (but not all) does the clock setting of the handset ever feature as a prominent piece of evidence.
.
Additionaly, Faraday/RF Dampening do not influence the clock at all unless of course as is becoming more popular the user has activated the handset to use the mobile network clock, in which case Faraday/RF Dampening would have a detrimental effect by losing the clock timing on the handset whilst the handset in an isolation containment.
.
Any special procedures needed for very serious crime or terrorism, it is understandible that the use of a particular containment field might be needed. Majority of mobile phone seizures and recovery are pretty bog-standard occasions, so why would anyone leave a mobile phone switched ON in a containment bag where there is a high degree of chance that the bag could be knocked and potentially a key being pressed generating and/or altering data on the phone.
.
FARADAY/RF DAMPENING - LOSING DATA
For road traffic accidents, using containiment bag methodology for seized or recovered switch ON cellphones can be problematical because location data can be lost by isolation in a containment field whether that be mobile network data and/or where GPS data.
.
FARADAY/RF DAMPENING - WIPING DATA
Many of the high-end, sophisticated smart phones like Blackberry may have security policies in place whereby a prolonged absence from the radio network can force a lock and/or data wipe.
.
FARADAY/RF DAMPENING - IMSI
SIM cards have the ability to store up to a number of IMSIs, which are commonly used where countries have multiple network operators on a State by State basis. Roaming users may have a choice to use one or several IMSIs whilst roaming in another State or Country. Activating a particular IMSI can require selection of a profile and pressing the "SEND" key to inform the network of an altered state of subscriber identity, a response from the network can be requird for that change to take affect. The protocol in some handsets has been designed to wait for the response from the newtork to be received before the IMSI change takes place inside the SIM releasing the profile to the handset. Consequently, revealing data for a particular IMSI profile might not be possible.
.
FEEDBACK
If anyone wants to contribute to this myths discussion send an email to me with your observations. If you want to debunk my debunking then by all means do so, I am always willing to learn.