Sunday, June 23, 2013

Considering Clone Test SIM Card Tools

Clone test SIM Cards have been mentioned a few times on this blog, with observations about possible issues that may be useful to know.

http://trewmte.blogspot.co.uk/2012/10/to-clone-or-not-to-clone.html
http://trewmte.blogspot.co.uk/2008/11/cloning-test-sim-cards.html

Further observations examiners may find useful to consider: Is it necessary for a cloned test SIM Card tool to produce identical files, structure and format for every clone test card produced, or can the make/model of handset influence, e.g., the number of files necessary to gain access to a handset's memory? Should Cust_Files pre-generated on a cloned test card be included in or excluded from consideration when counting the GSM/3GPP EFs identified on a cloned test card? What importance, if any, attaches to the evolution in a clone test card's development?

Below are two screen dumps, produced using just one (U)SIM Card Reader, from two different clone test SIM Cards supplied by different manufacturers with their tools. They provide a useful visual indicator when placed in context with the above observations. The observations above and the images below are not published to suggest a problem with a particular clone test SIM Card or tool. Their purpose is to ask: should two different examiners use two different clone test SIM Cards and tools to generate evidence, which one would be more pertinent for use when accessing memory on a particular handset?





Friday, June 21, 2013

PIN Enabled SIM Card


A recent question asked what data would be revealed if a SIM Card was read while it had a PIN enabled. The results obtained using a free SIM Card reader are below. Do remember that different readers can reveal different results, depending on how the programmer wrote the software. The results are from an old Phase 2 GSM SIM Card.





Additional tests with the PIN Locked SIM Card conducted with different SIM Readers




 











Saturday, June 15, 2013

Android z7.logs

SD card logs examined from a:

1. Samsung Galaxy SII NFC
2. Android OS
3. z7logs
4. z7.log.x (x = 1 or 2)

The log examined, z7.log.2, when opened in Notepad reveals the sample of data below:

    - z7.log.2
    3 Sep 2012 11:45:35 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Timescape deactivated
    3 Sep 2012 11:45:35 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(-)
    3 Sep 2012 11:46:20 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(+)
    3 Sep 2012 11:46:20 INFO[0][ANSharedCommon[Thread[main,5,main]]]Intent action: com.sonyericsson.android.timescape.plugin.intent.action.ACTIVATE
    3 Sep 2012 11:46:20 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Timescape activated
    3 Sep 2012 11:46:20 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Notifying Timescape to requery TimescapeProvider.
    3 Sep 2012 11:46:20 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(-)
    3 Sep 2012 11:46:29 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(+)
    3 Sep 2012 11:46:29 INFO[0][ANSharedCommon[Thread[main,5,main]]]Intent action: com.sonyericsson.android.timescape.plugin.intent.action.ACTIVATE
    3 Sep 2012 11:46:29 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Timescape deactivated
    3 Sep 2012 11:46:29 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(-)
    3 Sep 2012 11:47:31 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(+)
    3 Sep 2012 11:47:31 INFO[0][ANSharedCommon[Thread[main,5,main]]]Intent action: com.sonyericsson.android.timescape.plugin.intent.action.ACTIVATE
    3 Sep 2012 11:47:31 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Timescape activated
    3 Sep 2012 11:47:31 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Notifying Timescape to requery TimescapeProvider.
    3 Sep 2012 11:47:31 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(-)
    3 Sep 2012 11:48:04 INFO[0][ANSharedCommon[Thread[main,5,main]]]onReceive(+)
    3 Sep 2012 11:48:04 INFO[0][ANSharedCommon[Thread[main,5,main]]]Intent action:

The history of this SD card is that it is currently being used in a:

- Samsung Galaxy SII NFC

It was used in a:

- Samsung Galaxy Ace2
- Android OS

The card originated from an:

- Sony Ericsson Xperia X10 mini Fashion Edition
- Android OS

The file date of z7.log.2, the last entry on the SD card, is 08/09/2012, although the last record entry in the log is 03 September 2012. The 08/09/2012 date is correct: the Samsung Galaxy Ace2 was received on 04/09/2012, but the SD card was migrated to the Samsung Galaxy Ace2 when it was first used on 08/09/2012, and it was later migrated again to the Samsung Galaxy SII NFC on 05/12/2012.

Just one thing: the Xperia was never used for internet or email etc., only calls and texts.
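
As an added example (not part of the original post), the following Python parses records in the layout seen in the z7.log.2 excerpt, compares the last logged record with the file-system date, and lists the package prefixes named in `Intent action:` entries. The function names `parse_z7` and `summarise` are hypothetical, the field layout is inferred from the excerpt only, and the file date 08/09/2012 is assumed to be in dd/mm/yyyy form.

```python
import re
from datetime import datetime

# Constructed sample: four records copied from the z7.log.2 excerpt above,
# including the final truncated "Intent action:" record.
SAMPLE = """\
3 Sep 2012 11:45:35 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Timescape deactivated
3 Sep 2012 11:46:20 INFO[0][ANSharedCommon[Thread[main,5,main]]]Intent action: com.sonyericsson.android.timescape.plugin.intent.action.ACTIVATE
3 Sep 2012 11:46:20 WARNING[0][ANSharedCommon[Thread[main,5,main]]]Timescape activated
3 Sep 2012 11:48:04 INFO[0][ANSharedCommon[Thread[main,5,main]]]Intent action:
"""

# Layout inferred from the excerpt: timestamp LEVEL[n][component[Thread[...]]]message
LINE_RE = re.compile(
    r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (\w+)\[(\d+)\]"
    r"\[(\w+)\[Thread\[([^\]]*)\]\]\](.*)$"
)

def parse_z7(text):
    """Return (records, unparsed_lines); unparsed lines are kept for review."""
    records, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
        records.append({"time": ts, "level": m.group(2), "component": m.group(4),
                        "thread": m.group(5), "message": m.group(6).strip()})
    return records, unparsed

def summarise(records, file_date):
    """Compare the last record with the file date; collect intent package prefixes."""
    last = max(r["time"] for r in records)
    packages, truncated = set(), 0
    for r in records:
        if r["message"].startswith("Intent action:"):
            action = r["message"][len("Intent action:"):].strip()
            if action:  # heuristic: first two dotted labels, e.g. com.vendor
                packages.add(".".join(action.split(".")[:2]))
            else:       # record cut off after the colon, as in the excerpt
                truncated += 1
    return {"last_record": last, "gap_days": (file_date - last.date()).days,
            "packages": sorted(packages), "truncated": truncated}
```

On the excerpt this gives a five-day gap between the last record and the file date, and the only package prefix is `com.sonyericsson`, which is consistent with the card's stated origin in the Sony Ericsson Xperia.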

Thursday, June 13, 2013

Interest in The Rates of Pay

Do you remember I wrote a small piece back in October 2012 about The Rates of Pay - http://trewmte.blogspot.co.uk/2012/10/the-rates-of-pay.html? I also posted at Forensic Focus to allow for open discussion - http://www.forensicfocus.com/Forums/viewtopic/t=9747/. It is useful to see, over six months down the line, what interest there is in this subject, with over 26,000 viewers of the discussion:




Saturday, June 01, 2013

Examples of cell site maps used in evidence


Here are two more examples of specifically generated cell site maps using network infrastructure and radio survey data from a particular mobile network operator, in this case Orange PCS, which formed part of the jury bundle in an old murder case.


Equal Power Boundary Map


Character (Text) Composite Map 