Thursday, November 25, 2010

Self Deleting Text Messages

How to send self-deleting SMS, according to a computer hacking website that reports: "this technique is called SAFE-TEXT. It's a technique where a message destroys itself after being read."

Before proceeding further there are several matters worth mentioning.

Sent flash SMS text messages are not automatically saved and thus delete after opening and closing the message, irrespective of whether the receiving party actually peruses the content or not. It is a technical mechanism included in the technical realisation of GSM and WCDMA. A flash message is technically referred to as a Message Class: Class 0. For a further discussion of flash messages see: Disappearing Sms Text Messages

Fairly recently I wrote about automatic deletion of text messages: an app that can be installed on certain mobile phones and attribute a timer to received messages, set to the length of time the message can be stored. That particular discussion, though, related to the fact of texts being stored inside the application and encrypted, so they would be outside the scope of handset readers that extract and harvest data to generate evidence: Mobile Telephone Evidence Newsletter MTE_Vol7_MTE02_2010

Another option for automatically deleting text messages, and a common feature found on smart phones, is a 'validity period' (not to be confused with the 'validity period' for transmission/reception of SMS text messages), where the smart phone user or its controller sets a storage clear-out time for saved text messages, or a security policy is set or triggered that deletes stored text messages.

In each of the cases above at no time is there any suggestion of something illegitimate occurring or the desire to generate something potentially illegal. Thus, full-circle, we return to SAFE-TEXT. Instead of the actual text being sent to the target user's handset and self-deleting thereafter, the recipient is supplied with a mobile internet link and, on visiting the website, clicks the message, which can then disappear within seconds. It is not clear, because I haven't tested it out as I only learned of this matter yesterday, whether the web browsing cache in the handset caches the complete activity of the mobile viewed webpage, which may provide an option to replay the message. The full extent of anonymity with SAFE-TEXT is not clear either because a user must "register" for the service and "2. If you’re the sender, the message will show your name and number." No doubt we will learn of reports that will confirm if this is a menace service or not.

Spoofing Legislation

Called the "Truth in Caller ID Act of 2010" the legislation (HR 1258 Report No 111-461 / Union Calendar No 264)  amending the Communications Act 1934 makes it illegal in the US "to cause any caller ID service to transmit misleading or inaccurate caller ID information, with the intent to defraud or deceive."

Spoofing Legislation
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1258rh.txt.pdf

Tuesday, November 16, 2010

iPhone - Evidence Handset Reader Tools

Two questions:

1) How many 'evidence' handset reader tools can you name off the top of your head?
2) And how many of those tools extract and harvest data from iPhones?

In answer to question one we know we can at least identify thirteen (13) tools and the answer to question two is also at least thirteen (13) tools. The answers can be found in 'iPhone Forensics White Paper' published by viaForensics. The authors of the document are Andrew Hoog and Katie Strzempka.

The number of tools now available and sold into the marketplace is a bit of a surprise because in most cases a large portion of the forensic community do not own one copy of each of these tools as it is not strictly necessary. It is quite useful, though, to see a report like this that brings together at least 13 tools so that there is a record of the existence of these tools and how they are viewed in relation to their usefulness.

What I like about this report is that it is produced entirely independent of any of the handset reader software manufacturers and the authors/publishers were not compensated in any way for the work and effort that went into researching and testing each tool. I should also point out that I am not being compensated in any way either for mentioning the researchers/publishers or this White Paper.

I won't spoil the fun for you by reproducing the findings and results recorded in the White Paper, but you can read about them for yourself at the weblink below:

http://viaforensics.com/education/white-papers/iphone-forensics/

Wednesday, November 10, 2010

A Field of Remembrance

In the Christian religion, and I put my name down as one who believes, there is a poignant, moving verse in the New Testament, St. John, 15:13:

"Greater love hath no man than this, that a man lay down his life for his friends"  

That testimony is the tribute we pay to all of the brave who were remembered at the Field of Remembrance in Wiltshire, yesterday.

The Wiltshire Times reported memorable coverage of yesterday's Service and Day's Events. Their online contribution can be read at the link below:

http://www.wiltshiretimes.co.uk/news/3816788.A_field_of_remembrance/


Poppies and Heroes - get involved......
Each year I run the Poppies and Heroes reminder appeal. Those who lose their lives in service of our country, they are our boys and girls, sons and daughters, brothers and sisters, our family. Where we expect them to protect us, it is a small return of our duty to their families that when their lives are lost we remember, we share and we console so that their mothers and fathers know we stand with them, beside them, in their loss. 

Do not send anything to me, but to know more, to commemorate or to contribute do contact two magnificent organisations 'The Poppy Appeal' and 'Help for Heroes'. Please use the links below: 

Thanks.

Tuesday, November 09, 2010

Mobile Telephone Blogs Approved Access Only

I have endeavoured to be free with sharing knowledge and information over the years through my blogs, but given the changing economy, UK and global events and advancements in forensics the nature of the technical content, new developments and examination techniques and legal information will only be accessible to approved law enforcement personnel, security specialists and authorised individuals. The following blogs are now approved access only:

Cell Site Analysis
http://cellsiteanalysis.blogspot.com

Forensic examination and evidence from SIM and USIM
http://sim2usim.blogspot.com

Forensic examination and evidence from Mobile and Smart Phones  
http://forensicmobex.blogspot.com

Mobile Telephone Evidence (http://trewmte.blogspot.com) will of course remain open.

Monday, November 08, 2010

UK Roaming Orange and T-Mobile

I got a text message today (08/10/10) from Orange informing me "Now you can pick up a signal from both the Orange and T-Mobile networks....." Further information about this is available at the weblink below:

https://kareena.orange.co.uk/share/

Call and text in even more places

Now you can pick up a signal from both the Orange and T-Mobile networks in the UK which means that you can call and text in even more places.
  • Your phone will use T-Mobile signal if it doesn't pick up an Orange signal
  • Your charges stay the same when you use T-Mobile signal
  • Nothing else will change, you'll just get more network coverage
There will be an impact on investigation and evidence. I have raised some additional observations in the discussion "CSA and seamless roaming" at:

http://cellsiteanalysis.blogspot.com/2010/11/csa-and-seamless-roaming.html

CSA and seamless roaming

UK seamless roaming on the H3G to O2 and H3G to Orange always added further dimensions needing to be investigated when conducting cell site analysis (CSA). However, Orange's announcement today (08/10/10), sent by text message to its customers, will mean extending seamless roaming investigations now to Orange and T-Mobile too.

https://kareena.orange.co.uk/share/

Call and text in even more places

Now you can pick up a signal from both the Orange and T-Mobile networks in the UK which means that you can call and text in even more places.
  • Your phone will use T-Mobile signal if it doesn't pick up an Orange signal
  • Your charges stay the same when you use T-Mobile signal
  • Nothing else will change, you'll just get more network coverage
This provides further corroboration that simplifying investigations and not spending the appropriate time conducting radio tests and cross-referencing to the appropriate network records can lead to erroneous findings and flawed opinions being reported to the client and court.

Sunday, November 07, 2010

ISO 17025 Toolkit

At the Institute for Digital Forensics (IDF) Group at LinkedIn (http://www.linkedin.com/), we members are discussing the creation of an ISO 17025 Toolkit and assistance that might be offered by other QA standards.

You will need to be an approved (but free to join) participant of the Institute's IDF Group to gain access to the materials.

Thursday, November 04, 2010

Cyberbullying Report

US analysis: the use of email, websites, Instant Messages, Twitter, Facebook and other online resources to torment, harass and/or embarrass other children has become an increasingly common phenomenon in American schools. The emotional injuries – and the occasional suicides – attributed to cyberbullying have led some to call for making cyberbullying a crime in and of itself.

This article analyzes the arguments for and against creating a new, “cyberbullying” offense. It argues that existing criminal law can adequately address cyberbullying when the “harm” it inflicts rises to the level that warrants the use of criminal sanctions; it also argues that the residual instances of cyberbullying which do not qualify for the use of criminal liability are better addressed by other, non-criminal means.

http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID1537873_code342087.pdf?abstractid=1537873&mirid=1

US Cases - Interpretation regarding seizure

Two interesting US cases posted at the blog of Susan Brenner, Professor of Law, highlight the complexity in interpretation regarding seizure; relevant to these cases were Blackberry devices.

http://cyb3rcrim3.blogspot.com/2010/10/blackberry-seized-unlawfully.html
http://cyb3rcrim3.blogspot.com/2010/10/blackberry-seized-lawfully.html

Wednesday, November 03, 2010

Quad-SIM (4 in 1)

Wonder how we will handle the examination of this beast? Which profile will need to be read first? Will the handset have different profiles? Will each SIM have its own password? There are so many questions this news story raises. Previous experience has shown care is needed with handling the examination of handsets containing two (dual) SIMs (http://sim2usim.blogspot.com/2008/11/cloning-test-sim-cards.html).


Spreadtrum Announces the World’s First Single Chip Quad-SIM Standby Solution
The SC6600L6 allows four GSM SIM cards simultaneously running on standby mode with only one set of baseband and RF. It integrates a processor engine and controller for supporting quadruple SIM cards and has an improved graphic user interface for Quad-SIM. The product supports different multi-SIM options, including dual SIM, triple SIM, and Quad-SIM in a single set of baseband and RF chip, provides more choices to handset designers and meets need of users from different regions.

http://www.spreadtrum.com/eng/showNews.asp?name=1&ID=306

Tuesday, November 02, 2010

Smart Card Hacking

Back in 2002 I wrote about SIM Card Cloning for examiners to demonstrate the state of the market place, where software and hardware that researchers could obtain were being openly promoted, and what an examiner might be exposed to when examining a cloned SIM Card. A copy of that report can be downloaded here:

SIM Card Cloning
http://www.4shared.com/document/GMz_Gqcc/Special_Edition_2002_SIM_Cloni.html

In 1998 I circulated a report (UPD5-1 Vol1 - FEN98) on Smart Card Hacking to members of the British Association of Criminal Experts (BACE). The archive report has been scanned page by page and put into acrobat.pdf format and can now be downloaded here:


Smart Card Hacking
http://www.4shared.com/file/kq5NGzns/UPD5-1_Vol1_-_FEN98.html

The smart card hacking report has an interesting description for classification of the various levels of criminal activity in addition to techniques of smart card hacking. This particular report was the one that inspired me to write about SIM Card Cloning for examiners. Once again thanks and respect to Ross Anderson and Markus Kuhn.

It is important to consult the laws of the country you are in when dealing with research for cloning SIM Cards. This blog article does not promote or advocate anyone to break the law by cloning or attempting to clone SIM cards for the purposes of obtaining services or breaching property rights belonging to respective particular network operators etc.

Monday, November 01, 2010

Location Update (LU) and Cell Site Analysis (CSA)

Heine, G; referred to the model "An MS performs LU on several occasions: every time it changes the location area, periodically, when a periodic location update is active, or with IMSI attach/ detach switched on at the time when it is subsequently turned on again."

That statement minimises, thus hides, a considerable body of mobile activity and, importantly, cell site analysis (CSA) suffers when students and practitioners fail to take into account the importance in the depth of knowledge and understanding that is needed to include the important facet of Location Update when conducting CSA. The following may assist students and practitioners with a simplified operational background as to events when Location Update (LU) takes place:

The MS requests a control channel from the BSC. The BTS decodes the CHAN_REQ, calculates the distance MS↔BTS (timing advance), and forwards all this information to the BSC. Please note that the CHAN_REQ already indicates which service the MS requests (Location Update, in this case).

After the CHAN_RQD is received and processed, the BSC informs the BTS which channel type and channel number shall be reserved (CHAN_ACT).

The BTS confirms with a CHAN_ACT_ACK that it received and processed the CHAN_ACT.

The BSC sends the IMM_ASS_CMD, which activates the previously reserved channel. The BTS sends this information over an AGCH to the MS. The MS finds “its” IMM_ASS_CMD by means of the request reference, which is already contained in the CHAN_REQ.

Layer 2, the LAPDm connection is activated only now. The MS sends a SABM to the BTS, which (differently from LAPD) already contains data (LOC_UPD_REQ in this case).

The BTS confirms that a LAPDm connection was established by sending an UA message, which repeats the LOC_UPD_REQ.

The BTS passes LOC_UPD_REQ to the BSC. Although this is a transparent MM message, the BSC still processes the LOC_UPD_REQ in parts, because the BSC, amongst other things, requires the Mobile Station Classmark information. The BSC packs LOC_UPD_REQ, together with the current LAC and CI, into a CL3I message (Attention: the LOC_UPD_REQ from the MS contains the old LAC!) and then sends this within a SCCP CR message to the MSC. The CR message carries not only the LOC_UPD_REQ to the MSC, but also requests establishment of an SCCP connection.

If the MSC is able to provide the requested SCCP connection, then the CR is answered with a CC. A logical connection from the MS to the MSC/VLR exists from this point in time on. The MSC/VLR answers the LOC_UPD_REQ with an AUTH_REQ. This message is conveyed to the BSC via the established SCCP connection.

BSC and BTS transparently forward the AUTH_REQ to the MS. The most important content is the random number parameter (RAND). The MS (more precisely the SIM) calculates the result SRES by feeding RAND and Ki into the algorithm A3, then transparently sends SRES in an AUTH_RSP message to the MSC/VLR. The VLR compares SRES with the value provided by the HLR.

The MSC/VLR switches on ciphering if the result from the authentication is correct. For this purpose, the MSC/VLR sends information to both the MS and the BTS.

The BTS extracts its part from the ENCR_CMD message, which is Kc, and sends the rest in a CIPH_MOD_CMD message to the MS. The CIPH_MOD_CMD message contains only the information as to which cipher algorithm (A5/X) shall be used. The MS confirms, by sending a CIPH_MOD_COM message, that ciphering was activated.

If Equipment Check is active, then the MSC/VLR requests the MS to provide its IMEI. This is done in an IDENT_REQ message, which is transparent for the BSS. Please note that the IDENT_REQ message also allows the TMSI or the IMSI to be requested. The equipment check may be performed at almost any time during the scenario, or in other words, is not tied to this place of the scenario.

The MS transparently transmits its IMEI in an IDENT_RSP message to the MSC/VLR, where it is checked by means of the EIR, whether that equipment is registered stolen or not approved.

The MSC/VLR assigns a TMSI, which is used instead of the IMSI in order to make tracking of subscribers more difficult. TMSI_REAL_CMD is also a transparent message between MSC/VLR and MS. The most important content of this message is the new TMSI. Please note that the assignment of a TMSI may also take place at the end within the LOC_UPD_ACC.

The MS confirms with a TMSI_REAL_COM that the new TMSI was received and stored. If the new TMSI is assigned with a LOC_UPD_ACC, then the TMSI_REAL_COM is obviously sent only after the LOC_UPD_ACC.

Sending of the transparent LOC_UPD_ACC message confirms that the MSC/VLR has stored the new Location Area (LAI). This concludes the Location Update process. The control channel that was occupied on the Air-interface has to be released after the Location Update scenario has ended. For this purpose, the MSC sends the CLR_CMD message to the BSC. The BSC passes this command in a CHAN_REL to the BTS, which passes it to the MS. By sending a DEACT_SACCH, the BSC requests the BTS to cease sending of SACCH messages (SYS_INFO 5/6). The MS reacts on receiving a CHAN_REL message by sending a DISC (LAPDm).

This requests the BTS to release its Layer 2 connection. The BTS confirms release of the Layer 2 connection by sending an UA message. Towards the BSC, the BTS confirms release of the Air-interface connection by sending a REL_IND message. The BSC forwards this acknowledgment in a CLR_CMP to the MSC. The BSC requests the TRX in a RF_CHAN_REL to release the occupied resources on the Air-interface. RLSD requests release of the SCCP resources.

RF_CHAN_REL_ACK confirms release on the Air-interface. RLC confirms release of the SCCP resources.
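
The Location Update scenario above, turned into a trace checker, as an added example that is not part of the original post: it verifies that a message trace follows the described order and extracts the timing advance distance and the old versus current LAC/CI that matter for CSA. The trace is constructed, and the field names and one-record-per-message layout are assumptions.

```python
# Added example: constructed trace; field names (msg, ta, lac, ci, new_tmsi)
# and every value are assumptions made for illustration.

# One timing-advance step is one GSM bit period (48/13 microseconds) of
# round-trip delay, roughly 553.5 m of one-way distance.
TA_STEP_M = 299_792_458 * (48 / 13) * 1e-6 / 2

# Messages the text presents as always occurring, in order. The remaining
# release messages (DEACT_SACCH, RF_CHAN_REL, RLSD, RLC) are left out.
CORE = ["CHAN_REQ", "CHAN_RQD", "CHAN_ACT", "CHAN_ACT_ACK", "IMM_ASS_CMD",
        "SABM", "UA", "CR", "CC", "AUTH_REQ", "AUTH_RSP", "ENCR_CMD",
        "CIPH_MOD_CMD", "CIPH_MOD_COM", "LOC_UPD_ACC", "CLR_CMD",
        "CHAN_REL", "DISC", "UA", "REL_IND", "CLR_CMP"]
# Equipment check "is not tied to this place of the scenario".
FLOATING = {"IDENT_REQ", "IDENT_RSP"}


def check_sequence(trace):
    """Return a list of problems; an empty list means the trace is consistent."""
    names = [m["msg"] for m in trace if m["msg"] not in FLOATING]
    problems, pos = [], 0
    for expected in CORE:  # CORE must appear as an ordered subsequence
        try:
            pos = names.index(expected, pos) + 1
        except ValueError:
            problems.append(f"missing or out of order: {expected}")
    # TMSI_REAL_COM must answer a TMSI carried in TMSI_REAL_CMD or LOC_UPD_ACC.
    offered = False
    for m in trace:
        if m["msg"] == "TMSI_REAL_CMD" or (m["msg"] == "LOC_UPD_ACC" and "new_tmsi" in m):
            offered = True
        elif m["msg"] == "TMSI_REAL_COM" and not offered:
            problems.append("TMSI_REAL_COM before any TMSI was assigned")
    return problems


def csa_facts(trace):
    """Pull out the location-relevant fields of one Location Update."""
    by_name = {m["msg"]: m for m in trace}
    return {
        "distance_m": round(by_name["CHAN_RQD"]["ta"] * TA_STEP_M),
        "old_lac": by_name["SABM"]["lac"],  # LOC_UPD_REQ in SABM: the OLD LAC
        "new_lac": by_name["CR"]["lac"],    # CL3I in SCCP CR: current LAC
        "new_ci": by_name["CR"]["ci"],      # CL3I in SCCP CR: current cell
    }


def _m(msg, **fields):
    return {"msg": msg, **fields}


# Constructed trace: equipment check early, TMSI assigned inside LOC_UPD_ACC.
TRACE = [_m("CHAN_REQ"), _m("CHAN_RQD", ta=3), _m("CHAN_ACT"),
         _m("CHAN_ACT_ACK"), _m("IMM_ASS_CMD"), _m("SABM", lac=0x1A2B),
         _m("UA"), _m("CR", lac=0x1A2C, ci=0x0457), _m("CC"),
         _m("IDENT_REQ"), _m("IDENT_RSP"), _m("AUTH_REQ"), _m("AUTH_RSP"),
         _m("ENCR_CMD"), _m("CIPH_MOD_CMD"), _m("CIPH_MOD_COM"),
         _m("LOC_UPD_ACC", new_tmsi="constructed"), _m("TMSI_REAL_COM"),
         _m("CLR_CMD"), _m("CHAN_REL"), _m("DISC"), _m("UA"),
         _m("REL_IND"), _m("CLR_CMP")]
```

Reporting the LAC from the LOC_UPD_REQ as the handset's current area is the error this separates out: that field is where the handset came from, while the CL3I values are where it is now.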