Thursday, November 15, 2018

BREXIT Draft Agreement

Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community
14 November 2018
This post is not intended to express a political viewpoint, nor to encourage or solicit political opinions or debate.

For those who are involved in evidence, forensic examinations and/or investigations, if you wish to read the text in the Draft Agreement:

TITLE V
ONGOING POLICE AND JUDICIAL COOPERATION IN CRIMINAL MATTERS


ARTICLE 62
Ongoing judicial cooperation proceedings in criminal matters
See Pages 103-109

ARTICLE 63
Ongoing law enforcement cooperation proceedings, police cooperation and exchange of information
See Pages 110-114

ARTICLE 64
Confirmation of receipt or arrest
See Pages 115-116

ARTICLE 65
Other applicable Union acts
See Page 116

There is also a huge section on cooperation in Civil Matters.

The BREXIT Draft Agreement 14/11/18 can be downloaded here:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/756374/14_November_Draft_Agreement_on_the_Withdrawal_of_the_United_Kingdom_of_Great_Britain_and_Northern_Ireland_from_the_European_Union.pdf

Sunday, November 04, 2018

Armistice Day Sunday 11th November 2018

It is said "Lest We Forget".
I now say "How We Remember"
 

As this is a telecommunications technical blog readers might find it useful to remember the different forms of communications techniques used during World War 1. An excellent website for this information and also displays of wireless devices that played an important part during WW1 can be found here:

The Royal Signals Museum
https://www.royalsignalsmuseum.co.uk/ww1-ww2-communications/

See also: Victorian Texting https://trewmte.blogspot.com/2010/01/victorian-texting.html

Related Remembrance Day Posts:
https://trewmte.blogspot.com/2011/11/11th-hour-of-11th-day-of-11th-month.html
https://trewmte.blogspot.com/2014/06/d-day-6th-june.html
https://trewmte.blogspot.com/2011/06/d-day-6th-june.html
https://trewmte.blogspot.com/2017/11/100-years-remembrance-day-11112017.html
https://trewmte.blogspot.com/2010/11/field-of-remembrance.html




Saturday, July 07, 2018

Update - HERREVAD Databases Geo Location Artefacts

Back in February 2017 I wrote an article relevant to "HERREVAD Databases Geo Location Artefacts" (http://trewmte.blogspot.com/2017/02/herrevad-databases-geo-location.html) and I regularly conduct searches for any useful updates or supporting information that may be of use.

-----

I see SANS DFIR in May 2018 published "Advanced Smartphone Forensics Poster - SANS Forensics" a poster to identify "Most Relevance Evidence Per Gigabyte" and includes the database 'Herrevad' (https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf).

-----

dmoreno1994's GeoAndroid .py script (https://github.com/NoSuitsSecurity/GeoAndroid) positions an Android phone without GPS by utilising the Herrevad database. "Herrevad: This database contains the WiFi connections history of preinstalled Google apps in Android OS devices. It can be WIFI connections of Google Play, Google Maps, Youtube, etc..

/data/com.google.android.gms/databases/herrevad"

-----

A report posted yesterday (06/07/2018) on the Hybrid Analysis incident response malware analysis website (https://www.hybrid-analysis.com/sample/338a08badc67f40697db278e20390cf6dc2247e79e4b1845ea25e6c033c2572f?environmentId=200) illustrated Receiver and Intent entries involving Herrevad.

Receiver
com.google.android.gms.herrevad.receivers.CaptivePortalReceiver 
Intent
android.net.conn.NETWORK_CONDITIONS_MEASURED

Receiver
com.google.android.gms.herrevad.receivers.GservicesReceiver
Intent
com.google.gservices.intent.action.GSERVICES_CHANGED
 
-----

An earlier version of Receiver and Intent is recorded in Joe Sandbox Cloud Analysis (https://www.joesandbox.com/analysis/39495/0/pdf) published 12 August 2017.

----- 

Herrevad is of interest to those on Security Stack Exchange wanting to understand how the database can reveal SSID/Cell ID geolocation info: "How do you get Geolocation information from the CellID field in the herrevad database from Google Mobile Services?" (https://security.stackexchange.com/questions/180971/how-do-you-get-geolocation-information-from-the-cellid-field-in-the-herrevad-dat)

-----

Wednesday, February 14, 2018

Important principles in digital forensics


At a time when digital forensics is under the spotlight and taking salvos of criticism for poor performance and lack of knowledge about its own scientific subject matter (http://parliamentlive.tv/Event/Index/7767e1b9-0e44-4de3-8627-baf9d091f487 and https://www.theguardian.com/uk-news/2018/feb/12/police-outsource-digital-forensic-work-to-unaccredited-labs), there is no better time to refresh on principles that signpost the way to go or leave a breadcrumb trail to find the way back to safe ground.

I posted comments back in November 2006 (http://trewmte.blogspot.co.uk/2006/11/cell-site-analysis.html) identifying principles to remember, recall and apply when conducting Cell Site Analysis (CSA) - but they apply to examinations also - that are as relevant today (2G/3G/4G/5G/etc.) as they have been since the inception of digital cellular radio services back in the late 1980s/1990s.

The requirements identified in standards as "mandatory", "conditional", "recommendations" and so on are not written for fun; nor are they to be wilfully disregarded just because they appear complex, complicated or difficult (e.g. "cannot be bothered to learn them", "my device/machine does the thinking for me"). Both attitudes render the human being no more than a perfunctory gofer (human obsolescence) for the processes generated by software and algorithms in a device or machine.

The four principles to easily remember, recall and apply:

- There are mandatory requirements with mandatory outcomes
- There are mandatory requirements with optional outcomes
- There are optional requirements with mandatory outcomes
- There are optional requirements with optional outcomes


Moreover, a fundamental (and one might suggest absolute) requirement is the importance of understanding the 'Modal verbs terminology' adopted in the standards.

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions)

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Wednesday, January 10, 2018

URN Namespace and IMEI

RFC8141 - A Uniform Resource Name (URN) is a Uniform Resource Identifier (URI) [RFC3986] that is assigned under the "urn" URI scheme and a particular URN namespace, with the intent that the URN will be a persistent, location-independent resource identifier. A URN namespace is a collection of such URNs, each of which is (1) unique, (2) assigned in a consistent and managed way, and (3) assigned according to a common definition. (https://tools.ietf.org/pdf/rfc8141.pdf).


RFC7255 - This specification defines how the Uniform Resource Name (URN) reserved for the Global System for Mobile Communications Association (GSMA) identities and its sub-namespace for the International Mobile station Equipment Identity (IMEI) can be used as an instance-id. Its purpose is to fulfil the requirements for defining how a specific URN needs to be constructed and used in the ’+sip.instance’ Contact header field parameter for outbound behaviour. (https://www.rfc-editor.org/rfc/pdfrfc/rfc7255.txt.pdf).

RFC7254 - This specification defines a Uniform Resource Name (URN) namespace for the Global System for Mobile Communications Association (GSMA) and a Namespace Specific String (NSS) for the International Mobile station Equipment Identity (IMEI), as well as an associated parameter for the International Mobile station Equipment Identity and Software Version number (IMEISV) as per the namespace registration requirement found in RFC 3406 [1]. The Namespace Identifier (NID) ’gsma’ is for identities used in GSM, Universal Mobile Telecommunications System (UMTS), and Long Term Evolution (LTE) networks. The IMEI and the IMEISV are managed by the GSMA, so this NID is managed by the GSMA. (https://tools.ietf.org/pdf/rfc7254.pdf).
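
For examiners who meet these identifiers in SIP signalling or logs, the following added example (not part of the original post or of the RFCs) extracts the IMEI fields from a 'urn:gsma:imei' URN and rebuilds the 15-digit IMEI and 16-digit IMEISV. It assumes the RFC 7254 layout of 8-digit TAC, 6-digit SNR, one spare digit and an optional two-digit 'svn' parameter, and computes the check digit with the Luhn formula used for IMEIs; the sample header, URN values and function names are constructed for illustration.

```python
import re

# RFC 7254 ABNF: imeival = tac "-" snr "-" spare ; optional ";svn=" 2DIGIT
GSMA_IMEI_RE = re.compile(
    r"urn:gsma:imei:(?P<tac>[0-9]{8})-(?P<snr>[0-9]{6})-(?P<spare>[0-9])"
    r"(?:;svn=(?P<svn>[0-9]{2}))?",
    re.IGNORECASE,
)

# Constructed samples (not taken from a real device or capture).
SAMPLE_CONTACT = ('Contact: <sip:user@192.0.2.10:5060>;'
                  '+sip.instance="<urn:gsma:imei:90420156-025763-0>"')
SAMPLE_URN_SV = "urn:gsma:imei:90420156-025763-0;svn=42"


def luhn_check_digit(body14: str) -> int:
    """Check digit for the 14-digit TAC+SNR (Luhn, as in 3GPP TS 23.003)."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # rightmost of the 14 digits is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_gsma_imei(text: str):
    """Return the IMEI fields found in text, or None if no valid URN."""
    m = GSMA_IMEI_RE.search(text)
    if m is None:
        return None
    body = m["tac"] + m["snr"]
    return {
        "tac": m["tac"],
        "snr": m["snr"],
        "spare": m["spare"],
        "svn": m["svn"],
        "imei15": body + str(luhn_check_digit(body)),
        "imeisv": body + m["svn"] if m["svn"] else None,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CONTACT, SAMPLE_URN_SV):
        print(parse_gsma_imei(sample))
```

The spare digit in the URN is not the check digit, so the recomputed 'imei15' value is the one to compare against the IMEI shown on the handset label or by the device itself.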