Monday, May 30, 2011

iOS 4.3.3 deletion of Location Cache

Apple responded in April 2011 to concerns in the marketplace about location data that enables a user to be tracked without their knowledge or without knowing such a mechanism existed in the iPhone:

http://www.apple.com/pr/library/2011/04/27location_qa.html

By 3rd May 2011 it was suggested that an early fix would be available pending the outcome of beta tests, and that the fix would deal with location backups to iTunes when Location Services was switched OFF.

On 5th May the promised iOS patch to resolve the iPhone location tracking went live and reduced the size of the cache of information that had been backed up. Noticeably, the cache file is now considerably smaller; however, the update needed to achieve that was over 650 megabytes.

Loss of evidence in the cache is one observation; another is that, with Location Services switched OFF on the handset, this may impact historical and current Cell Site Analysis investigations.

Answer To Reset (ATR)

Dealing with SIM/USIM is an endless investigation. The intention of this discussion is to highlight discoveries of which you may not be aware. In this instance the ATR is the first data read from every SIM/USIM and can provide potentially useful information to an investigation, or when analysing end-to-end (SIM to Network) mobile telephone evidence.

What might be interpreted from the first eight bytes of a recovered ATR? From research, this is an interpretation of the ATR from a particular manufacturer's GSM SIM:

Byte:  B1 B2 B3 B4 B5 B6 B7 B8
Value: 3B 34 11 00 6B C? 16 0?

Byte 6 - options
3B 34 11 00 6B C2 16 0? normal SIM+OTA
3B 34 11 00 6B C3 16 0? SIM-Toolkit (STK) SIM

Byte 7
16 EEPROM size (16K)

Byte 8 - options
3B 34 11 00 6B C? 16 01 GSM security algorithm
3B 34 11 00 6B C? 16 02
3B 34 11 00 6B C? 16 03
3B 34 11 00 6B C? 16 0A

Given that interpretation of the ATR is possible, do all SIM ATRs follow the same identification process, or, when personalised, does each uniquely characterise its ATR to instruct the handset/network with similar information about the SIM's technical profile, but at different byte locations in the ATR string?

Saturday, May 28, 2011

Evolving Cell Site Analysis (CSA)

Twenty-three years of dealing with a range of cellular radio systems (TACS, GSM and WCDMA and, lately, a little LTE), in addition to NFC work, generates a measured confidence in dealing with change when it occurs.

'Re-farming' of 900 MHz, largely a buzzword, the core of which is the re-allocation of spectrum from one technology and service to another (e.g. GSM TDMA to 3G WCDMA), and local inter-operator roaming (Orange and T-Mobile) are two such changes to which CSA is exposed. These changes are, though, nothing more than evolution in an innovation-driven and commercially challenging marketplace. Knowledge doesn't simply disappear overnight because these changes have occurred.

Operator- and spectrum-imposed changes appear to have generated perhaps understandable concerns, but the premise of these concerns might actually be based upon misconceptions about how those changes impact cell site analysis. The concerns I have heard vary: a no-can-do approach; a patch fix is needed; the notion that this is all you are going to get; and a loss of evidence with the introduction of changes. The introduction of Everything Everywhere is another case in point. Many of the constraints currently being purveyed in the marketplace would require ignoring a considerable body of information.



Photo courtesy of www.dailymail.co.uk article-0-001097AB00000258-251_468x315.jpg

Don't Panic, Mr Mainwaring!! Simply running out with a piece of test equipment and having a few shots at a target, chatting with several people or referring to comments on the web really isn't an appropriate qualification for the matter under scrutiny when one is not fully certain of (figuratively speaking) the enemy.

Cell site analysis doesn't suffer from evidential meningitis just because changes take place, as there is a huge range of factors and information that need to be considered first when making a diagnosis of the matter in order to determine a prognosis.

Thursday, May 19, 2011

Aggregated SIM

An interesting news story out of Reuters, posted by many websites, states that Apple has proposed a standardised SIM card smaller than those it currently uses in the iPhone and iPad in order to be able to produce thinner devices, an Orange executive told Reuters on Tuesday. The news story also mentions Apple having gone along the standards path and approached ETSI (European Telecommunications Standards Institute), and hints that something could be seen as early as next year.

http://www.reuters.com/article/2011/05/17/us-summit-orange-apple-idUSTRE74G4WY20110517

This is SIM card developmental news and fascinating to watch as the SIM, and the microprocessor electronic card (ICC/UICC) that it uses, take further steps on their evolutionary journey. We already know some of the form factors for ICC/UICC:

The integrated and non-integrated examples

A closer look at an integrated example

When SIM (Subscriber Identity Module) cards were introduced for GSM (Global System for Mobile communications) devices (handsets/terminal devices), ETSI standardised the ID-1 format, which was an ISO-size card as defined in the international standard ISO-7816 and commonly referred to as 'credit card' size. A plug-in size (the size of a 'postage stamp') was also introduced, and these designs are commonly seen in the standard GSM11.11. Distinctively, the shape, size and operational performance of the card mean that the card, called an ICC (integrated circuit card), or Universal ICC following the introduction of 3G WCDMA cellular radio, should be distinguished from the SIM module, which is itself a programmable area on the card. However, a further card size emerged and was defined in the 2004-03 ETSI standard TS 102.221 as "mini-UICC". It should be noted that where I have mentioned GSM11.11, this standard refers to the use of SIM cards with GSM technology and services. The lineage of GSM SIM and its standards is linked to ETSI standards including TS 102.221 and, of course, ISO standards. A similar path can be trod when dealing with U-ICC/U-SIM.

As for Apple's suggested development, what we don't know at this stage is what the aggregated SIM (though I think I might want to read that as form factor and size) will look like, or its content for that matter. We can only guess at this stage.

Sunday, May 08, 2011

Forensic Mobile Examination Posts

Latest posts at: http://forensicmobex.blogspot.com/

Nokia s40 Forensic Analysis - Call Release
Deleted Text Messages 3GS iPhones
Blackberry Forensic Analysis

The criteria for authorised access to cell site analysis blog is either:

a) Law Enforcement
b) Security Services (MI5, MI6, CID, SB, FBI....)
b1) Security Specialists - a provable record in security for networks, digital forensics, handsets, SIM, CDR etc.
c) Authorised individuals (people whom I know)

Cell Site Analysis Posts

Latest posts at: http://cellsiteanalysis.blogspot.com/

Requesting Cell Site Data
Blackberry Forensic Analysis
GSM Radio DNA Bracelet - RACH
GSM Radio DNA Bracelet

Requesting Cell Site Data

Engaging with defence solicitors or law enforcement with respect to seeking cell site evidence can be a tricky business. Invariably the request for data is largely governed by the type of case and the instruction of work. Problematic with the latter point is that there may be a notion that the person instructing actually has sufficient technical knowledge and understanding to comprehend the technical details to be analysed and the types of detail the CSA expert will need.

A mistake in common practice that I have noted with examiners and experts is to assume the CDR contains the complete cell site details, and clearly that cannot be the case. The structure and content of CDRs vis-a-vis TAP files are different and have different purposes, but neither is generated for the purpose of including cell site details. I have seen some company websites identifying themselves as experts and suggesting cell site details are found in extended CDRs. I do not agree, as cell site details have absolutely nothing to do with a generated per-call CDR, or indeed a TAP file for that matter. There are minimal references to cell sites by way of cell ID (start/end) and a few other bits and pieces, but nothing more would be generated by the mobile phone, radio network, switch or data capture machine for inclusion in a CDR/TAP file.

Another matter I have noted, when dealing with expert and examiner cell site reports and those conducting radio test measurements, is a vague suggestion alluding to an implicit fact that, because the examiner took GPS measurements when conducting tests, this somehow creates a fact that the cellular radio coverage is corroborated by this, or that the movements of the handset user are somehow tracked this way. There appears, on the face of it at least, a confusion between GPS and the mobile network. Neither GSM nor WCDMA propagates GPS signals; they merely take data output in the form of a packet from a GPS module/unit and forward that packet through the device/network to the terminal that will somehow make use of the data. If I need support for that fact then I find it in the first instance in the radio frequencies adopted for GSM and WCDMA, from which all else will follow when dealing with cellular radio propagation and communications.

So what are the data field elements that the examiner/expert might seek in the first instance? Clearly there needs to be corroboration of a GSM originated/terminated communication and of the start and/or end of a mobile communication. The list below does not relate to data (email/internet/download etc.) communications.

----------------------------------------
Date ?
Time ?
Calling party ?
Called party ?
Type of call ?
Duration ?
Registration (ringing time before answer) ?


Mast location Details for start of call
---------------------------------------
[Start of call] Site ID number?
[Start of call] Site Name?
[Start of call] Site Address?
[Start of call] Site Post code?
[Start of call] Type of transmission: 3G WCDMA site or GSM site?
[Start of call] Frequency Range?
[Start of call] Macrocell or Microcell?
[Start of call] Height of Antennas?
[Start of call] Is this an omni-directional site?
[Start of call] How many sectors at site (e.g. 3, 6 etc)?
[Start of call] Easting and Northing?
[Start of call] Longitude and Latitude?
[Start of call] Cell ID (hex)?
[Start of call] Cell ID (dec)?
[Start of call] Cell ID (last digit as sector)?
[Start of call] Broadcast Control Channel (BCCH) number?
[Start of call] Azimuth (bearing of coverage)?


Mast location Details for end of call
-------------------------------------
[End of call] Site ID number?
[End of call] Site Name?
[End of call] Site Address?
[End of call] Site Post code?
[End of call] Type of transmission: 3G WCDMA site or GSM site?
[End of call] Frequency Range?
[End of call] Macrocell or Microcell?
[End of call] Height of Antennas?
[End of call] Is this an omni-directional site?
[End of call] How many sectors at site (e.g. 3, 6 etc)?
[End of call] Easting and Northing?
[End of call] Longitude and Latitude?
[End of call] Cell ID (hex)?
[End of call] Cell ID (dec)?
[End of call] Cell ID (last digit as sector)?
[End of call] Broadcast Control Channel (BCCH) number?
[End of call] Azimuth (bearing of coverage)?

The cell site details should relate at minimum to the material time of the mobile communications and at least up to the date the request for information is being made, in order to comprehend any changes at the Mast that handled the start of the call and the Mast that handled the end of the call.

Request notification of any Mast alterations
-----------------------------------------
[Any change to Mast] Decommissioned?
[Any change to Mast] Height of Antenna altered?
[Any change to Mast] Azimuth Bearing of coverage?
[Any change to Mast] Mechanical or electrical tilt changes and to what degree?
[Any change to Mast] Licenced Power or Transmission power?
[Any change to Mast] Type of transmission from 2G GSM to 3G WCDMA or vice versa?

It is quite possible to seek considerably more about the arrangements at each Mast, but that often means dealing with each operator's specific matters on a case-by-case basis. These elements are not included here.

Saturday, May 07, 2011

Blackberry Forensic Analysis

GSM Radio DNA Bracelet - RACH (Random Access Channel)

The logical channels set out at http://cellsiteanalysis.blogspot.com/2011/01/gsm-radio-dna-bracelet.html each provide useful information for cell site analysis (CSA). A common misunderstanding that arises with CSA is that it has been used in evidence in such a way that only minutiae of information are considered. This in turn has led some to believe CSA can be defined by a limited selection of elements. The world of CSA is far, far richer in content than those limited elements. An examiner only comes to know about the rich content having first applied him/herself to learning the symbiotic co-partnership between the science & technology and the examination & forensic procedure leading to evidence & opinion.

For instance, let us accept that RACH is a GSM uplink common control channel. In that little nugget of information there is firstly the science and technology. The technology is Global System for Mobile (communications), a digital cellular radio system. The GSM system manipulates (modulates) the physical radio signals such that the signals, whilst analogue in nature, when manipulated hold a secret inside that is revealed when demodulated, revealing the important (digital) data. Moreover, the term 'uplink' is relevant to note, as is 'common control channel' (CCCH). There are four logical control channels assigned to the CCCH: Paging Channel (PCH), Access Grant Channel (AGCH), Notification Channel (NCH) and, of course, RACH. The term 'common' needs clarification too, because it identifies that the channels are common to all (mobile) users in a geographical radio area via their handsets. 'Uplink' defines the direction in which the control channel data are transmitted.

In combination, the examination of transmitted data becomes highly significant, for it represents an action by the user's mobile phone creating the 'first' step in radio DNA evidence. A Layer 3 trace (example below), and when we say Layer 3 we are talking about RR (radio resources), identifies the access request RACH message sent to the network and the response from the network to it. The example below has been extrapolated (and thus goes beyond) what would normally be seen in the raw data. The network and handset are programmed to understand each other and do not need man's convoluted and verbose explanations; should the machinery, so to speak, need such explanation, god help us, for access to the GSM radio network would probably take three months just to camp on the network without using further resources.


Equally, for cell site analysis we need to know what information can be gleaned from RACH. The image below identifies a screen from an Ericsson handset with TEMS Pocket (a radio diagnostic tool) in active mode. I will deal with the paging details in another discussion thread.

We first see the string '0 1 4 1 0E'. The point to note is that it only contains basic GSM info and not GPRS. Had it included GPRS info the string would consist of seven different separate elements instead of five. So how do we understand the order in which the data appears?  

First element '0':  refers to Cell Barred (0: No, 1: Yes)
Second element '1': refers to Call Re-establishment (0: Allowed, 1: Not allowed)
Third element '4': refers to Max number of retransmissions (1, 2, 4, 7)
Fourth element '1': refers to Number of RACH bursts sent for the last connection (1–7)
Fifth element '0E': refers to Establishment Cause/Random Reference used in the latest RACH burst (00–FF)

The fifth element is, as referred to above, the 'first' step in radio DNA evidence. As this is generated by the user's handset it is interesting, as it shows the examiner has an understanding of seeking out evidence from the science and technology under test, and that the data should be obtained using forensic methodology to secure unaltered data. Importantly, it illustrates to the examiner how to start to establish a link within the chain of data created by a mobile phone from when it is first switched ON, when using resources, until it is switched OFF.
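As an added example (not from the original post), the Python below parses the five-element TEMS Pocket string quoted above and splits its fifth element, the 8-bit access request, into establishment cause and random reference. The establishment-cause table is my own partial reading of TS 04.08 table 9.9 limited to the codes I am certain of (assuming the network does not set the NECI bit), and the field names and value ranges are taken from the post.

```python
# Added example (not from the original post): parse the five-element TEMS Pocket
# RACH string quoted above and split its final byte, the 8-bit access request
# (CHANNEL REQUEST), into establishment cause and random reference.
# Only establishment causes I am certain of from TS 04.08 table 9.9 are listed;
# the table assumes the network does not set the NECI bit (otherwise some causes
# use 4-bit codes). Anything else is reported as unmapped rather than guessed.

MAX_RETRANS_VALUES = {1, 2, 4, 7}   # permitted values, as stated in the post

# (leading bit pattern, meaning); the bits after the pattern are the random
# reference chosen by the handset for that burst.
ESTABLISHMENT_CAUSES = [
    ("101", "Emergency call"),
    ("110", "Call re-establishment (TCH/F was in use)"),
    ("100", "Answer to paging (any channel)"),
    ("111", "Originating call, TCH/F needed"),
    ("000", "Location updating"),
]


def decode_channel_request(octet: int) -> dict:
    """Split the CHANNEL REQUEST octet into establishment cause and random reference."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("CHANNEL REQUEST is a single octet")
    bits = format(octet, "08b")
    for pattern, meaning in ESTABLISHMENT_CAUSES:
        if bits.startswith(pattern):
            rand = bits[len(pattern):]
            return {"bits": bits, "cause": meaning, "random_reference": int(rand, 2)}
    return {"bits": bits, "cause": "unmapped here (see TS 04.08 table 9.9)", "random_reference": None}


def parse_tems_rach(line: str) -> dict:
    """Parse the five-element (GSM only, no GPRS) RACH string shown by TEMS Pocket."""
    fields = line.split()
    if len(fields) == 7:
        raise ValueError("seven elements: GPRS variant, layout not described in the post")
    if len(fields) != 5:
        raise ValueError("expected five elements, got %d" % len(fields))
    barred, reest, max_retrans, bursts, last = fields
    if barred not in ("0", "1") or reest not in ("0", "1"):
        raise ValueError("cell barred and call re-establishment flags must be 0 or 1")
    if int(max_retrans) not in MAX_RETRANS_VALUES:
        raise ValueError("max retransmissions must be one of 1, 2, 4, 7")
    if not 1 <= int(bursts) <= 7:
        raise ValueError("RACH bursts sent must be 1..7")
    return {
        "cell_barred": barred == "1",                    # 0: No, 1: Yes
        "call_reestablishment_allowed": reest == "0",    # 0: Allowed, 1: Not allowed
        "max_retransmissions": int(max_retrans),
        "bursts_sent_last_connection": int(bursts),
        "last_burst": decode_channel_request(int(last, 16)),
    }
```

For the quoted string '0 1 4 1 0E' the last burst is 0000 1110, i.e. a location-updating request carrying random reference 14.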

The actual RACH access request generated is no more than 8 bits in length. The GSM standard TS04.08 defines the message content format as seen below:


How to interpret the access request message content for establishment cause can be found in TS04.08:


And when the mobile is answering paging for radio resource connection establishment:

There is so much detail associated with RACH that it is possible to write a book solely dealing with this single subject. I do not have the time or luxury to put all that detail here, but I hope to have given you a flavour that the radio DNA evidence in the bracelet contains a gold mine of evidential information that is largely and randomly ignored, and apparently seen by some as not being relevant. I wonder, with the little I have mentioned above, whether you would think the same?

In the next RACH discussion I shall open up to you more and give insight into RACH and some evidential possibilities.

Monday, May 02, 2011

Sir Henry Cooper World Boxing Legend Has Died

Sir Henry Cooper, a boxing legend to British boxing fans and boxing fans all over the world, has died. A great advocate and ambassador for boxing, to me Sir Henry was a Gentleman Boxer, an advocate for fair play and clean boxing in the sport. A great man of his time, a World class boxer. Respects and commiserations to his family.  



Photo courtesy of:
http://www.solarnavigator.net/sport/sport_images/henry_cooper.jpg

Daily Telegraph report:
http://www.telegraph.co.uk/sport/othersports/boxingandmma/8487084/Sir-Henry-Cooper-the-former-boxer-dies-aged-76.html