
Monday, February 01, 2016

Investigation USIM EFs and Service Table

There has been so much going on over the past year and with research and testing I haven't posted as much as I would like. The growth areas in the variety of methods and tools for logical data and physical data extraction, harvesting and examination; the impact that apps and malware might have on evidence; wireless options available on smartphones and tablets changing the way traditional cell site analysis can be conducted; and generally the explosion in mobile information and standards needing to be absorbed and understood have been mind-blowing to say the least. These and other matters have consumed my time and the casualty has been fewer posts at the blog. However, from all the work and research I will endeavour to post here, hopefully, useful examination and investigative information on areas that may have either become outdated or evolved such that particular methods applied or tools used could be out-of-date or updated.

USIM (UICC) card memory storage and network/user files have seen a massive increase since 2010. Just have a look back at a post I made in 2010 here at trewmte.blogspot (3g-usim-2g-sim-service-numbers.html) and compare the EFUST (elementary files USIM service table) in TS 31.102 back then to the latest releases 12 ( 31_series/31.102/31102-ca0.zip ) and 13 ( 31.102/31102-d20.zip ).

The first thing an examiner might wish to do in the morning at work is check whether the USIM reader tool is up-to-date. Have a look at the EFUST list and list of elementary files below and check that your reader has the capability to detect, extract and harvest data from these files. Then ask yourself: do you actually understand, when they are allocated and activated in a USIM, what use is made of them? What evidence may be harvested from them? How would the acquired data assist investigations in the following categories as they would apply to the use of mobile communications?

i) Contract Law
ii) Tort Law
iii) Intellectual Property Law
iv) Criminal (including the new Cybercrime) Law
v) Data Protection Law
vi) Taxation Law
vii) Computer Law
viii) Communications Law
ix) Internet Law
x) Etc.


EFUST
Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi Level Precedence and Pre emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MexE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52: Multimedia Messaging Service (MMS)
Service n°53: Extension 8
Service n°54: Call control on GPRS by USIM
Service n°55: MMS User Connectivity Parameters
Service n°56: Network's indication of alerting in the MS (NIA)
Service n°57: VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58: VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59: Pseudonym
Service n°60: User Controlled PLMN selector for I-WLAN access
Service n°61: Operator Controlled PLMN selector for I-WLAN access
Service n°62: User controlled WSID list
Service n°63: Operator controlled WSID list
Service n°64: VGCS security
Service n°65: VBS security
Service n°66: WLAN Reauthentication Identity
Service n°67: Multimedia Messages Storage
Service n°68: Generic Bootstrapping Architecture (GBA)
Service n°69: MBMS security
Service n°70: Data download via USSD and USSD application mode
Service n°71: Equivalent HPLMN
Service n°72: Additional TERMINAL PROFILE after UICC activation
Service n°73: Equivalent HPLMN Presentation Indication
Service n°74: Last RPLMN Selection Indication
Service n°75: OMA BCAST Smart Card Profile
Service n°76: GBA-based Local Key Establishment Mechanism
Service n°77: Terminal Applications
Service n°78: Service Provider Name Icon
Service n°79: PLMN Network Name Icon
Service n°80: Connectivity Parameters for USIM IP connections
Service n°81: Home I-WLAN Specific Identifier List
Service n°82: I-WLAN Equivalent HPLMN Presentation Indication
Service n°83: I-WLAN HPLMN Priority Indication
Service n°84: I-WLAN Last Registered PLMN
Service n°85: EPS Mobility Management Information
Service n°86: Allowed CSG Lists and corresponding indications
Service n°87: Call control on EPS PDN connection by USIM
Service n°88: HPLMN Direct Access
Service n°89: eCall Data
Service n°90: Operator CSG Lists and corresponding indications
Service n°91: Support for SM-over-IP
Service n°92: Support of CSG Display Control
Service n°93: Communication Control for IMS by USIM
Service n°94: Extended Terminal Applications
Service n°95: Support of UICC access to IMS
Service n°96: Non-Access Stratum configuration by USIM
Service n°97: PWS configuration by USIM
Service n°98: RFU
Service n°99: URI support by UICC
Service n°100: Extended EARFCN support
Service n°101: ProSe
Service n°102: USAT Application Pairing
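
On the card, EFUST is a bitmap: service n°1 is the least significant bit of the first byte, service n°9 the least significant bit of the second, and so on. The following is an added example (not from the original post or from any reader tool) that decodes a raw EFUST dump and reports which available services a reader does not cover; the hex dump and the reader's supported set are constructed assumptions, and only a subset of the names listed above is embedded.

```python
"""Decode a USIM Service Table (EF_UST) bitmap and audit reader-tool coverage."""

# Subset of the service names listed in this post; a number not named here
# is still decoded and reported by number.
SERVICE_NAMES = {
    1: "Local Phone Book",
    2: "Fixed Dialling Numbers (FDN)",
    8: "Outgoing Call Information (OCI and OCT)",
    9: "Incoming Call Information (ICI and ICT)",
    10: "Short Message Storage (SMS)",
    12: "Short Message Service Parameters (SMSP)",
    19: "Service Provider Name",
    20: "User controlled PLMN selector with Access Technology",
    21: "MSISDN",
    27: "GSM Access",
    33: "shall be set to '1'",
    34: "Enabled Services Table",
    35: "APN Control List (ACL)",
    38: "GSM security context",
    42: "Operator controlled PLMN selector with Access Technology",
    45: "PLMN Network Name",
    85: "EPS Mobility Management Information",
    89: "eCall Data",
    101: "ProSe",
}
RFU = {26, 98}        # listed above as RFU
IGNORED = {50}        # "Reserved and shall be ignored"
MUST_BE_SET = 33      # "shall be set to '1'"
LAST_LISTED = 102     # last service in the list above

# Constructed sample: 13 bytes as they would be read from EF_UST (not a real card).
SAMPLE_UST = bytes.fromhex("830B1C04271202000000100112")
# Hypothetical reader tool that only knows services n°1 to n°51.
READER_SUPPORTED = set(range(1, 52))


def decode_ust(raw: bytes) -> list[int]:
    """Return the service numbers whose bit is 1 (service available).

    Service n is bit (n-1) % 8 of byte (n-1) // 8, where bit 0 is b1,
    the least significant bit.
    """
    return [index * 8 + bit + 1
            for index, byte in enumerate(raw)
            for bit in range(8)
            if byte & (1 << bit)]


def audit_ust(raw: bytes, reader_supported: set[int]) -> dict:
    """Compare the services a card declares with what a reader can handle."""
    flagged = set(decode_ust(raw))
    anomalies = []
    # Only test the mandatory bit if the file is long enough to contain it.
    if len(raw) * 8 >= MUST_BE_SET and MUST_BE_SET not in flagged:
        anomalies.append((MUST_BE_SET, "mandatory bit is clear"))
    anomalies += [(n, "RFU bit is set") for n in sorted(flagged & RFU)]
    beyond = {n for n in flagged if n > LAST_LISTED}
    anomalies += [(n, "beyond the services listed") for n in sorted(beyond)]
    available = flagged - RFU - IGNORED - beyond
    return {
        "available": sorted(available),
        "unsupported_by_reader": sorted(available - reader_supported),
        "anomalies": anomalies,
    }


def describe(service: int) -> str:
    """Human-readable label for a service number."""
    name = SERVICE_NAMES.get(service, "(name not in embedded subset)")
    return f"Service n°{service}: {name}"


if __name__ == "__main__":
    report = audit_ust(SAMPLE_UST, READER_SUPPORTED)
    print("Available on card:")
    for n in report["available"]:
        print("  " + describe(n))
    print("Not covered by reader:")
    for n in report["unsupported_by_reader"]:
        print("  " + describe(n))
    for n, reason in report["anomalies"]:
        print(f"Anomaly: service n°{n}: {reason}")
```
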

Particular note: the EFUST service list above should not be taken as all the services that may be allocated and activated on modules in a UICC. GSM EFSST (SIM service table) has particular services unique to the GSM SIM (GSM 11.11), such as Service n°29: Proactive SIM, which does not appear in the EFUST list. If Service n°29: Proactive SIM is important to an investigation (and it can be), it is worth the reminder to look at GSM 11.14 (SIM application toolkit), which adds services and, most importantly, "capabilities" between SIM and smartphone. Perhaps you might ask how this can assist an investigation? My response is to consider (a) man-in-the-middle attacks (b) crime (c) cybercrime.

There has been abundant growth in elementary files, too, in USIM Releases 12/13. The increase in access to varying networks by smartphones and tablets has meant that technical, privacy, commercial and monetisation factors influence how a subscriber latches and attaches to networks. The relevance is that recovered message data, for instance, requires understanding and identifying how the data got there and via which particular network access point, etc.

3GPP TS 31.102 V12.10.0 (2016-01)
4 Contents of the Files
4.1 Contents of the EFs at the MF level
4.2 Contents of files at the USIM ADF (Application DF) level
4.2.1 EFLI (Language Indication)
4.2.2 EFIMSI (IMSI)
4.2.3 EFKeys (Ciphering and Integrity Keys)
4.2.4 EFKeysPS (Ciphering and Integrity Keys for Packet Switched domain)
4.2.5 EFPLMNwAcT (User controlled PLMN selector with Access Technology)
4.2.6 EFHPPLMN (Higher Priority PLMN search period)
4.2.7 EFACMmax (ACM maximum value)
4.2.8 EFUST (USIM Service Table)
4.2.9 EFACM (Accumulated Call Meter)
4.2.10 EFGID1 (Group Identifier Level 1)
4.2.11 EFGID2 (Group Identifier Level 2)
4.2.12 EFSPN (Service Provider Name)
4.2.13 EFPUCT (Price per Unit and Currency Table)
4.2.14 EFCBMI (Cell Broadcast Message identifier selection)
4.2.15 EFACC (Access Control Class)
4.2.16 EFFPLMN (Forbidden PLMNs)
4.2.17 EFLOCI (Location Information)
4.2.18 EFAD (Administrative Data)
4.2.19 Void
4.2.20 EFCBMID (Cell Broadcast Message Identifier for Data Download)
4.2.21 EFECC (Emergency Call Codes)
4.2.22 EFCBMIR (Cell Broadcast Message Identifier Range selection)
4.2.23 EFPSLOCI (Packet Switched location information)
4.2.24 EFFDN (Fixed Dialling Numbers)
4.2.25 EFSMS (Short messages)
4.2.26 EFMSISDN (MSISDN)
4.2.27 EFSMSP (Short message service parameters)
4.2.28 EFSMSS (SMS status)
4.2.29 EFSDN (Service Dialling Numbers)
4.2.30 EFEXT2 (Extension2)
4.2.31 EFEXT3 (Extension3)
4.2.32 EFSMSR (Short message status reports)
4.2.33 EFICI (Incoming Call Information)
4.2.34 EFOCI (Outgoing Call Information)
4.2.35 EFICT (Incoming Call Timer)
4.2.36 EFOCT (Outgoing Call Timer)
4.2.37 EFEXT5 (Extension5)
4.2.38 EFCCP2 (Capability Configuration Parameters 2)
4.2.39 EFeMLPP (enhanced Multi Level Precedence and Pre-emption)
4.2.40 EFAaeM (Automatic Answer for eMLPP Service)
4.2.41 Void
4.2.42 EFHiddenkey (Key for hidden phone book entries)
4.2.43 Void
4.2.44 EFBDN (Barred Dialling Numbers)
4.2.45 EFEXT4 (Extension4)
4.2.46 EFCMI (Comparison Method Information)
4.2.47 EFEST (Enabled Services Table)
4.2.48 EFACL (Access Point Name Control List)
4.2.49 EFDCK (Depersonalisation Control Keys)
4.2.50 EFCNL (Co-operative Network List)
4.2.51 EFSTART-HFN (Initialisation values for Hyperframe number)
4.2.52 EFTHRESHOLD (Maximum value of START)
4.2.53 EFOPLMNwACT (Operator controlled PLMN selector with Access Technology)
4.2.54 EFHPLMNwAcT (HPLMN selector with Access Technology)
4.2.55 EFARR (Access Rule Reference)
4.2.56 Void
4.2.57 EFNETPAR (Network Parameters)
4.2.58 EFPNN (PLMN Network Name)
4.2.59 EFOPL (Operator PLMN List)
4.2.60 EFMBDN (Mailbox Dialling Numbers)
4.2.61 EFEXT6 (Extension6)
4.2.62 EFMBI (Mailbox Identifier)
4.2.63 EFMWIS (Message Waiting Indication Status)
4.2.64 EFCFIS (Call Forwarding Indication Status)
4.2.65 EFEXT7 (Extension7)
4.2.66 EFSPDI (Service Provider Display Information)
4.2.67 EFMMSN (MMS Notification)
4.2.68 EFEXT8 (Extension 8)
4.2.69 EFMMSICP (MMS Issuer Connectivity Parameters)
4.2.70 EFMMSUP (MMS User Preferences)
4.2.71 EFMMSUCP (MMS User Connectivity Parameters)
4.2.72 EFNIA (Network's Indication of Alerting)
4.2.73 EFVGCS (Voice Group Call Service)
4.2.74 EFVGCSS (Voice Group Call Service Status)
4.2.75 EFVBS (Voice Broadcast Service)
4.2.76 EFVBSS (Voice Broadcast Service Status)
4.2.77 EFVGCSCA (Voice Group Call Service Ciphering Algorithm)
4.2.78 EFVBSCA (Voice Broadcast Service Ciphering Algorithm)
4.2.79 EFGBABP (GBA Bootstrapping parameters)
4.2.80 EFMSK (MBMS Service Keys List)
4.2.81 EFMUK (MBMS User Key)
4.2.82 Void
4.2.83 EFGBANL (GBA NAF List)
4.2.84 EFEHPLMN (Equivalent HPLMN)
4.2.85 EFEHPLMNPI (Equivalent HPLMN Presentation Indication)
4.2.86 EFLRPLMNSI (Last RPLMN Selection Indication)
4.2.87 EFNAFKCA (NAF Key Centre Address)
4.2.88 EFSPNI (Service Provider Name Icon)
4.2.89 EFPNNI (PLMN Network Name Icon)
4.2.90 EFNCP-IP (Network Connectivity Parameters for USIM IP connections)
4.2.91 EFEPSLOCI (EPS location information)
4.2.92 EFEPSNSC (EPS NAS Security Context)
4.2.93 EFUFC (USAT Facility Control)
4.2.94 EFNASCONFIG (Non Access Stratum Configuration)
4.2.95 EFUICCIARI (UICC IARI)
4.2.96 EFPWS (Public Warning System)
4.2.97 EFFDNURI (Fixed Dialling Numbers URI)
4.2.98 EFBDNURI (Barred Dialling Numbers URI)
4.2.99 EFSDNURI (Service Dialling Numbers URI)
4.2.100 EFIWL (IMEI(SV) White Lists)
4.2.101 EFIPS (IMEI(SV) Pairing Status)
4.2.102 EFIPD (IMEI(SV) of Pairing Device)

4.3 DFs at the USIM ADF (Application DF) Level
4.4 Contents of DFs at the USIM ADF (Application DF) level
4.4.1 Contents of files at the DF SoLSA level
4.4.1.1 EFSAI (SoLSA Access Indicator)
4.4.1.2 EFSLL (SoLSA LSA List)
4.4.1.3 LSA Descriptor files

4.4.2 Contents of files at the DF PHONEBOOK level
4.4.2.1 EFPBR (Phone Book Reference file)
4.4.2.2 EFIAP (Index Administration Phone book)
4.4.2.3 EFADN (Abbreviated dialling numbers)
4.4.2.4 EFEXT1 (Extension1)
4.4.2.5 EFPBC (Phone Book Control)
4.4.2.6 EFGRP (Grouping file)
4.4.2.7 EFAAS (Additional number Alpha String)
4.4.2.8 EFGAS (Grouping information Alpha String)
4.4.2.9 EFANR (Additional Number)
4.4.2.10 EFSNE (Second Name Entry)
4.4.2.11 EFCCP1 (Capability Configuration Parameters 1)
4.4.2.12 Phone Book Synchronisation
4.4.2.12.1 EFUID (Unique Identifier)
4.4.2.12.2 EFPSC (Phone book Synchronisation Counter)
4.4.2.12.3 EFCC (Change Counter)
4.4.2.12.4 EFPUID (Previous Unique Identifier)
4.4.2.13 EFEMAIL (e-mail address)
4.4.2.14 Phonebook restrictions
4.4.2.15 EFPURI (Phonebook URIs)

4.4.3 Contents of files at the DF GSM-ACCESS level (Files required for GSM Access)
4.4.3.1 EFKc (GSM Ciphering key Kc)
4.4.3.2 EFKcGPRS (GPRS Ciphering key KcGPRS)
4.4.3.3 Void
4.4.3.4 EFCPBCCH (CPBCCH Information)
4.4.3.5 EFInvScan (Investigation Scan)
4.4.4 Contents of files at the MexE level
4.4.4.1 EFMexE-ST (MexE Service table)
4.4.4.2 EFORPK (Operator Root Public Key)
4.4.4.3 EFARPK (Administrator Root Public Key)
4.4.4.4 EFTPRPK (Third Party Root Public Key)
4.4.4.5 EFTKCDF (Trusted Key/Certificates Data Files)

4.4.5 Contents of files at the DF WLAN level
4.4.5.1 EFPseudo (Pseudonym)
4.4.5.2 EFUPLMNWLAN (User controlled PLMN selector for I-WLAN Access)
4.4.5.3 EFOPLMNWLAN (Operator controlled PLMN selector for I-WLAN Access)
4.4.5.4 EFUWSIDL (User controlled WLAN Specific Identifier List)
4.4.5.5 EFOWSIDL (Operator controlled WLAN Specific Identifier List)
4.4.5.6 EFWRI (WLAN Reauthentication Identity)
4.4.5.7 EFHWSIDL (Home I-WLAN Specific Identifier List)
4.4.5.8 EFWEHPLMNPI (I-WLAN Equivalent HPLMN Presentation Indication)
4.4.5.9 EFWHPI (I-WLAN HPLMN Priority Indication)
4.4.5.10 EFWLRPLMN (I-WLAN Last Registered PLMN)
4.4.5.11 EFHPLMNDAI (HPLMN Direct Access Indicator)

4.4.6 Contents of files at the DF HNB level
4.4.6.1 Introduction
4.4.6.2 EFACSGL (Allowed CSG Lists)
4.4.6.3 EFCSGT (CSG Type)
4.4.6.4 EFHNBN (Home NodeB Name)
4.4.6.5 EFOCSGL (Operator CSG Lists)
4.4.6.6 EFOCSGT (Operator CSG Type)
4.4.6.7 EFOHNBN (Operator Home NodeB Name)
4.4.7 Void

4.4.8 Contents of files at the DF ProSe level
4.4.8.1 Introduction
4.4.8.2 EFPROSE_MON (ProSe Monitoring Parameters)
4.4.8.3 EFPROSE_ANN (ProSe Announcing Parameters)
4.4.8.4 EFPROSEFUNC (HPLMN ProSe Function)
4.4.8.5 EFPROSE_RADIO_COM (ProSe Direct Communication Radio Parameters)
4.4.8.6 EFPROSE_RADIO_MON (ProSe Direct Discovery Monitoring Radio Parameters)
4.4.8.7 EFPROSE_RADIO_ANN (ProSe Direct Discovery Announcing Radio Parameters)
4.4.8.8 EFPROSE_POLICY (ProSe Policy Parameters)
4.4.8.9 EFPROSE_PLMN (ProSe PLMN Parameters)
4.4.8.10 EFPROSE_GC (ProSe Group Counter)
4.4.8.11 EFPST (ProSe Service Table)
4.4.8.12 EFPROSE_UIRC (ProSe UsageInformationReportingConfiguration)

4.5 Contents of EFs at the TELECOM level
4.5.1 EFADN (Abbreviated dialling numbers)
4.5.2 EFEXT1 (Extension1)
4.5.3 EFECCP (Extended Capability Configuration Parameter)
4.5.4 EFSUME (SetUpMenu Elements)
4.5.5 EFARR (Access Rule Reference)
4.5.6 EFICE_DN (In Case of Emergency – Dialling Number)
4.5.7 EFICE_FF (In Case of Emergency – Free Format)
4.5.8 EFRMA (Remote Management Actions)
4.5.9 EFPSISMSC (Public Service Identity of the SM-SC)

4.6 Contents of DFs at the TELECOM level
4.6.1 Contents of files at the DFGRAPHICS level
4.6.1.1 EFIMG (Image)
4.6.1.2 EFIIDF (Image Instance Data Files)
4.6.1.3 EFICE graphics (In Case of Emergency – Graphics)
4.6.1.4 EFLAUNCH SCWS
4.6.1.5 EFICON

4.6.2 Contents of files at the DFPHONEBOOK under the DFTELECOM
4.6.3 Contents of files at the DFMULTIMEDIA level
4.6.3.1 EFMML (Multimedia Messages List)
4.6.3.2 EFMMDF (Multimedia Messages Data File)
4.7 Files of USIM

I will leave you to conclude whether you may think USIM has little or no relevance to an investigation.

Friday, January 04, 2013

Cellphone Surveillance


Have you ever tried traversing the ground (metaphorically speaking) between two opposite and opposing opinions? It is never easy. Here is an informative and interesting short article (weblinks below) on how far cellphone surveillance generates contentions. The Courts are faced with balancing the needs of law and governance, (unelected) government - that of public servants using technology as a tool in the need for surveillance and detection of crime - and those of the citizen living in a democracy.

The reference materials used in the article are most important as they underpin the author's opinion in establishing the believed causal link to effect and affect (I guess) - that of surveillance gluttony at a cost to diminishing democracy and freedoms. The other side of that coin, which in fairness is not extrapolated at all to the same degree in this article, is that of what surveillance and detection have achieved. I am mindful that the Judges founded their Court rulings on the evidence before them and the article illuminates the fulcrum for this is that 'things' get pushed too far for comfort when it comes to infringing law and governance and citizens' freedoms. The article appears to suggest (but I accept I could have misunderstood the message) that totalitarianism is the occupational desire of (unelected) government in order for it to perform and to provide treatment to a problem or issue.


http://reason.com/archives/2012/12/17/your-cellphone-is-spying-on-you?goback=.gde_128064_member_199071347

http://reason.com/archives/2012/12/17/your-cellphone-is-spying-on-you/1

Thursday, July 28, 2011

M2M Crime


In the last discussion (mobile-markets) a reference was made to M2M (machine-to-machine) market stats. Yesterday's article from 'pcworld' about hackers using mobile communications for war texting to unlock car doors (war_texting) should provide useful material to study about M2M for MTEB Students to identify 'potential' crime activity and where evidence may be generated. Send your finalised report (pdf), for marking, by email please.

Tuesday, October 12, 2010

Domestic Abuse is a Crime


If there was a public stand and famous people such as Simon Cowell, Cheryl Cole, Louis Walsh were stood on it promoting X-Factor no doubt crowds would pack around the stand listening adoringly to these famous people. Should we really need fame in our immediate presence then to pay the same equal attention when two ordinary non-famous people publicly speak about those who oppress, create mental fear and inflict physical pain and suffering?

Walking in the Surrey town of Dorking today in the area of an open air arcade there was such a stand and two women were there promoting help for those that have or are suffering from Domestic Abuse. No crowds thronged to stop and listen to their message. These two women represent relatively the unheard in our society who speak out on Domestic Abuse and the help that is available. They are the people who give their time freely and rarely get recognised for what they do. Well done to the two women I saw and spoke with today; one who outlined cultural domestic abuse and another an off duty Surrey Police Officer giving up her time to get the message out and familiar with Abuse crimes that she encounters during her work. Victims, I learned, can be women, children and men caught up in a cycle of abuse in relationships who may feel trapped and unable to speak out or speak up for themselves. Men, I understand, don't speak up because they feel too ashamed to tell anyone.

The statistics for Domestic Abuse crime in the UK make very sad reading indeed, which is why I wanted to make this small contribution to help by offering to mention the Groups and their contact points where victims can go, get help and seek advice. All enquiries are in complete and strictest confidence.

If you are a victim, don't suffer in silence. Even if you are unsure but just want to check out where you stand - these are very skilled people who can help, if you will let them.

CONTACT TELEPHONE NUMBERS
Surrey Women's Aid 24-hour help-line: 01483-776822
Caterham Police Station: 01483-630292
East Surrey Domestic Abuse Services: 01737-771350
North Surrey Outreach: 01932-260690
Your Sanctuary Surrey helpline: 01483-776822
Childline: 0800 1111
National Domestic Abuse Helpline: 0808 2000 247

CONTACT WEBSITES:
www.esdas.org.uk
www.surreycc.gov.uk/domesticabuse
www.victimsupport.org.uk

CONTACT EMAIL:
support@esdas.org.uk

Friday, June 18, 2010

Checking Masts - CSA 2

.
In response to the discussion at Checking Masts - CSA, a couple of questions that I have been asked:
.
- Do you, yourself perform Cell Site Analysis/Surveys for cases?
.
- If so what equipment do you use for this very interesting task??
.
Answer:
Yes I do and have been doing so since the early 90s for GSM and since 2006 for 3G.
.
I use Nokia network monitor for 2G and have used, but do not particularly like, some of these newer independent flash files that enable some smartphones to obtain 3G network control data. I do continue to use them as one tool but for fairness reasons in dealing with the radio evidence.
The reason for that is there are no:
.
1) forensic standards for the calibration of test equipment generating evidence
2) forensic standards for the content or quantity of radio data captured for evidence
3) forensic requirements for user mobile phones to be calibrated
4) standards that require a mobile phone after it has left the manufacturing production line to maintain its radio mask calibration longer than 12-months.
.
For example, dealing with point 4) most mobiles in use do not precisely meet calibration standards, but largely their radio mask is towards the upper or lower limits due to the way in which mobile phones are treated by their users: dropped, fall in water, exposed to fag ash, drink splatter, overcharging, overheating, running the battery flat during calls etc etc. All these things and more take their toll on mobile phone operation over time and it is not surprising to find that calibrated radio engineer test equipment often produces a better RxLv sensitivity. For instance, if one puts a used mobile phone side by side with a radio engineer's test rig they both record 'absolute' measurements, obviously, but the disparity between 'relative' measurements can be surprising.
.
For radio engineer test rig I use Anite's Nemo Handy. Also I have secured in evidence the requirement for the readings and the electronic files that contain the readings and the screen prints to be served in evidence because:
.
a) they are original evidence
b) it exposes not just preservation of evidence but the processes which brought the evidence about
c) it means the prosecution can meet the Golden Rule without being fed spurious argument of why things can't be done
d) it stops outsourcer firms holding back on evidence or unilaterally deciding that they control what our courts and criminal justice system can or cannot see
e) whilst I used Anite's Nemo Handy .dt1 file for the criminal case in which I was advising, the requirement is not limited to simply radio test measurements from Nemo Handy but all other radio test equipment etc and equally applies to handset and U/SIM card evidence.
.
The additional benefit this offers is that where the police want to save money extracting and harvesting data that is subsequently produced in reports and want to cut down on unessential data, this means they can still produce reports with only the content they want to show. The full copy of data are still obtained by the examiner and this means the defence, having a copy of the full data in electronic format, can examine all the other data to see whether any vital evidence for the defendant's case has been overlooked or not.
.
Moreover, the defence can still examine the exhibit as the prosecution will have already produced their evidence. This will allow for variations in evidential standard or interpretation to be checked and exposed, if any, in order to maintain the principle 'nothing lost in translation.'
.
This can also work on other levels as well. Such as, we know the Forensic Regulator is due to launch soon and the public sector are rushing around to create and approve their own standards. However, the independent sector has not had the opportunity to qualify whether the public sector standards are better than the standards in the independent sector. The work I have been doing is to highlight issues and attitudes to mobile phone evidence and to let the courts know there is evidence the courts can have. If the Regulator accepts procedures created by the public sector it should not bar the independent sector procedures being accepted also.
.
If the independent sector were automatically disbarred from having their own procedures accepted it could potentially lead to following public sector standards containing systemic failure being promulgated throughout the country. Not only that but the knock-on can directly affect small business by placing heavy regulation and financial demands upon small business, causing collapse and unemployment in MPs constituencies. Apart from which there may be the issues associated with breach of human rights under the Human Rights Act and the European Convention on Human Rights.
.
Apologies for the length of commentary. It was necessary to go along this discussion path because it is important to promote standards and to highlight choices available to people interested in mobile telephone evidence and identify what is possible by knocking over artificially generated psychological boundaries. I would hope to get the message into evidence in the London area, but my instructions come from outside of London these days and London appears to be a bit of a no-go zone.
.
If you want to start a new topic, ask a question or join the discussion on any previous postings then please join in a Forensic Focus Mobile Forensic Discussion Forum.

CHECKING MASTS - CSA

.
I have had several discussions with people who are new to mobile telephone evidence and have asked me to provide further discussion on matters concerning Checking Masts. Also from police sections asking me to open up the discussion as to what might happen when Mast checks are not made and how that might impact on a criminal case. Whilst the criminal case discussion is hypothetical, some events happening in the discussion are factual and drawn from a number of criminal cases.
.
The necessity to check with a mobile network operator regarding details of a particular Mast (Cell Site) and the bearing of coverage (azimuth) from it, for a particular Cell ID, at the material time to see whether it has changed prior to conducting cell site analysis is a useful rule to follow. There are, of course, many other matters that need to be checked also, but I have simplified the issues for the purposes of this discussion.
.
The details of Mast changes are recorded by Operators and recorded in their databases. Single Point of Contact (SPOC) is not prevented from asking about Checking Mast details and obtaining the relevant information. However, as a SPOC doesn’t decide what evidence should or shouldn’t be required for a criminal investigation, the SPOC should be asked to obtain this information.
.
The Masts
Below is an image (a) which displays a Mast's radio coverage for a particular Cell ID illuminating in a westerly direction towards a block of flats.


Image (a)
.
The next image (b) below displays the same Mast (as above) relating to radio coverage with its associated Cell ID but this time the radio coverage is illuminating in an easterly direction, in the opposite direction towards a house.



Image (b)
.
For the purposes of this discussion the Mast is shown close to the properties in both images. This was done for artistic purposes and is not intended to mean the Mast is actually that close to both properties. Also an actual Cell ID has not been shown, but its relevance is inferred from the radio coverage being displayed.
.
Criminal Case
Imagine if you will that on a particular date, let us say the 30th March 2008, a dead body is found in the house, shown in image (b). The police have been alerted to the property by a neighbour because of a dreadful smell emanating from the direction of the house. Upon entering the property the police find a decomposing body of a woman on the floor. The Pathologist is called and indicates, following assessment of the decomposing body, that the body had been dead for approximately two weeks. That would generate a time line back to Tuesday 16th March 2008.
.
The police conduct door-to-door enquiries and one neighbour next door but one mentions that two weeks ago as she passed the house there was shouting emanating from inside the property and cries for help. The neighbour thought nothing more of it because the couple that lived there had regular arguments, which the neighbours and passers-by could overhear.
.
The police asked the neighbours had they noticed anything else? One lady who lived a few doors away replied that she looked out of her window and that she had seen the man that lived there leave the property at about 8.30pm, and that would have been a Tuesday, and funnily enough that was about two weeks ago.
.
To cut a long story short, the police found the man who lived in the house a month later, seized his mobile telephone and having retrieved his mobile telephone subscriber details, obtained call records and identified the Masts that routed mobile calls to and from his mobile phone. From the records it was noted that two weeks before the body was found his mobile had used a Mast for a call (on Tuesday at 8.00pm), the Mast was sited 2.4Km away from where he lived with his partner. This was also the nearest Mast to the house.
.
The police called for radio test measurements to be conducted outside the house three weeks later. The time-span from the estimated time of death to radio testing was approximately 9 weeks. The radio tests confirmed that the Cell ID recorded in the call records is the same as detected outside the house.
.
The man, during questioning, confirmed he had not been back to the house since leaving on the Saturday. That being the Saturday prior to the Tuesday when it is approximated the death took place. He had also been living in a Bedsit because the relationship with his partner had irrevocably broken down and they had agreed to split and go their separate ways.
.
The police believed from the evidence that they had thus far that it was enough to hold the man, now a suspect, and the death case turned into a murder case. The evidence they relied upon was:
.
1) The neighbours hearing regular arguments and cries for help on the fateful day
2) The neighbour that says she saw the suspect leaving the house at 8.30pm
3) The call records that show a call on the Tuesday from the suspect's mobile telephone using a Cell ID from a Mast that is sited 2.4Km away and is the nearest Mast to the house
4) The radio test measurements that show the Mast’s coverage, thus Cell ID, used by the suspect's mobile phone illuminated outside the house.
.
So at minimum there appear to be four good pillars of evidence. However, when the radio test measurements were conducted, no checks had been made with the mobile operator as to whether any changes had been made to the Masts in the area prior to the radio test measurements being conducted. It subsequently came to light at trial that the Cell ID illuminating towards the house (image (b)) had only been illuminating eastwards towards the house from Thursday 18th March 2008, after the alleged murder, due to changes at the Mast. Prior to that date the Mast had been illuminating westwards, towards a block of flats (image (a)).
.
Impact on Criminal Case
So when the police had noted from the suspect's call records that, over the last few months, the suspect's mobile phone had used a particular Cell ID for mobile calls that the police thought could be made or received from the house, they were misled and operated under a false assumption. The suspect had, in fact, been having an affair with a married woman in the block of flats (image (a)) and didn't want to say anything for fear of reprisals from the woman’s husband, who was known to have a temper and might take it out on the woman if she was called as a witness. It was this affair that the victim, when she was alive, had been tipped off about some months earlier, and it was the cause of the couple constantly arguing.
.
The lack of discovery about any changes to a particular Mast prior to conducting radio test measurements impacted on the case by:
.
- the test results, that should add value to a case, were inaccurate and unhelpful
- introduced delays into an investigation as the test results steered the police investigation in the wrong direction
- operational man-hours increased
- operational costs increased
- worse still, a false allegation of murder was made against an innocent person
.
As to the other pillars of evidence: 3) and 4) were no longer valid, and the woman with whom the suspect was having an affair corroborated the dates and times she was with the suspect. As to 1) and 2)? On the fateful day, 1) the argument that was heard by a neighbour turned out to involve the victim's ex-boyfriend from a previous relationship, against whom she had given evidence for drug dealing some 5 years earlier, and who had been released from prison 20 days before the murder. He had vowed to seek revenge against the victim. 2) The neighbour who saw the suspect at 8.30pm in fact saw a silhouette of a man she thought was the suspect, because it was 8.30pm at night and her eyesight wasn't as good at night. The silhouette leaving the house was the ex-boyfriend leaving after having murdered his ex-girlfriend.
.
Further Observations
In consequence, not checking with the operator about their Masts prior to conducting radio test measurements caused lost investigation time in finding the real culprit, unnecessary redundant evidence, increased costs and exponentially increased investigation time, apart from wrongly accusing a person. Moreover, as checking the Masts is a well-known procedure, not to have checked during an investigation may amount to an act of intent to plant evidence to create incrimination against someone by using an act of deliberate omission during an investigation.
.
This is only a hypothetical discussion, but if these acts were operated in reality on a regular basis in criminal cases and applied as policy in widespread use across England, it may potentially lead to £20 millions in retrials. Of course that shouldn’t be possible arising from the 'Golden Rule' of disclosure, enunciated by Lord Bingham in R -v- C & H (February 2004), when he said that ‘fairness requires that full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence’. The test is an objective one and is grounded on what is ‘reasonable’. However, the guidance makes it plain that an expert witness is no longer to be trusted to exercise his or her own judgment in deciding what falls within this definition and what is and is not relevant.
.
It is the influence of the Golden Rule, placing affirmative duties on the prosecution from 2004 onwards, that safeguards the reliability of evidence in criminal cases. That suggests that, were Her Majesty's Inspectorate called upon to require the prosecution tomorrow to provide, from 200 cases randomly selected by the Inspectorate from across the country, documents of enquiry to a particular operator seeking to be notified of any changes to a particular Mast in a particular case, and the documented response received from the operator, they could do so.
.
That doesn't mean to say if the prosecution mobile telephone case has 50 Masts used for calls that documentation for each of the 50 Masts would be necessary, as rarely are all Masts relevant to an alleged crime, anyway, and a large proportion being used for padding simply to show movement. The relevant Masts are those where the Masts and coverage can illustrate that the mobile telephone or telephones could potentially be at the scene of crime, which on the whole usually relates to the last three to six Masts nearest the scene of crime. Besides I couldn't see the prosecution being hoodwinked into believing that because there are 50 Masts in a case that the number amounted to far too many enquiries to be made to the operator and so didn't make any enquiries at all.
.
As I have mentioned above this is purely hypothetical, but hopefully it illustrates the importance of Checking Masts before conducting radio test measurements.
.

Tuesday, September 08, 2009

Mobile Phone Identity Theft

With a title like that you could be forgiven if you thought that someone had taken your mobile phone, stolen the name off it and just chucked the hardware back at you. Not interested in the phone, only want the name. Oh yes, call me Nokia N70 from now on.
.
The latest scare of Mobile Phone ID Theft as reported by Matt Cole Newsbeat Report for BBC online service Newsbeat can be found here:
.
.
Crimes like these create scepticism because the logistics incumbent upon the perpetrators to ensure that the enterprise of this crime succeeds are so long-winded, bearing in mind that the mobile phone isn't being stolen, just a filing cabinet of personal information collated from various sources; and for what, so someone can run up a mobile phone bill. A solution to this part of the Identity Theft conundrum is to get a prepaid mobile phone and stick £5.00 on it. Now the matter is no longer ID theft, but call theft - £5 worth.
.
As for obtaining the filing cabinet of personal information about you? The only easier way that the perpetrators could speed up that process is if they were getting hold of information obtained from others who are themselves engaged in the business of selling and trading in people's personal details.

Tuesday, January 13, 2009

CHECKING MASTS - CSA

CHECKING MASTS - CSA
.
Since linking with Jamie Morris at Forensic Focus to create a Mobile Forensics Discussion Forum (http://www.forensicfocus.com/index.php?name=Forums&file=viewforum&f=14) to bring mobile telephone evidence to a wider audience, I have had several discussions with people who are new to mobile telephone evidence and have asked me to provide further discussion on matters concerning Checking Masts. Police sections have also asked me to open up the discussion as to what might happen when Mast checks are not made and how that might impact on a criminal case. Whilst the criminal case discussion is hypothetical, some events happening in the discussion are factual and drawn from a number of criminal cases.
.
The necessity to check with a mobile network operator regarding details of a particular Mast (Cell Site) and the bearing of coverage (azimuth) from it, for a particular Cell ID, at the material time to see whether it has changed prior to conducting cell site analysis is a useful rule to follow. There are, of course, many other matters that need to be checked also, but I have simplified the issues for the purposes of this discussion.
.
The details of Mast changes are recorded by Operators in their databases. A Single Point of Contact (SPOC) is not prevented from asking about Checking Mast details and obtaining the relevant information. However, as a SPOC doesn’t decide what evidence should or shouldn’t be required for a criminal investigation, the SPOC should be asked to obtain this information.
.
The Masts
Below is an image (a) which displays a Mast's radio coverage for a particular Cell ID illuminating in a westerly direction towards a block of flats.


Image (a)
.
The next image (b) below displays the same Mast (as above) relating to radio coverage with its associated Cell ID but this time the radio coverage is illuminating in an easterly direction, in the opposite direction towards a house.



Image (b)
.
For the purposes of this discussion the Mast is shown close to the properties in both images. This was done for artistic purposes and is not intended to mean the Mast is actually that close to both properties. Also, an actual Cell ID has not been shown, but the relevance of the Cell ID is implied by the radio coverage being displayed.
.
Criminal Case
Imagine if you will that on a particular date, let us say the 30th March 2008, a dead body is found in the house, shown in image (b). The police have been alerted to the property by a neighbour because of a dreadful smell emanating from the direction of the house. Upon entering the property the police find a decomposing body of a woman on the floor. The Pathologist is called and indicates, following assessment of the decomposing body, that the body had been dead for approximately two weeks. That would generate a time line back to Tuesday 16th March 2008.
.
The police conduct door-to-door enquiries and one neighbour next door but one mentions that two weeks ago as she passed the house there was shouting emanating from inside the property and cries for help. The neighbour thought nothing more of it because the couple that lived there had regular arguments, which the neighbours and passers-by could overhear.
.
The police asked the neighbours had they noticed anything else? One lady who lived a few doors away replied that she looked out of her window and that she had seen the man that lived there leave the property at about 8.30pm, and that would have been a Tuesday, and funnily enough that was about two weeks ago.
.
To cut a long story short, the police found the man who lived in the house a month later, seized his mobile telephone and having retrieved his mobile telephone subscriber details, obtained call records and identified the Masts that routed mobile calls to and from his mobile phone. From the records it was noted that two weeks before the body was found his mobile had used a Mast for a call (on Tuesday at 8.00pm), the Mast was sited 2.4Km away from where he lived with his partner. This was also the nearest Mast to the house.
.
The police called for radio test measurements to be conducted outside the house three weeks later. The time-span from the estimated time of death to radio testing was approximately 9 weeks. The radio tests confirmed that the Cell ID recorded in the call records is the same as detected outside the house.
.
The man, during questioning, confirmed he had not been back to the house since leaving on the Saturday. That being the Saturday prior to the Tuesday when it is approximated the death took place. He had also been living in a Bedsit because the relationship with his partner had irrevocably broken down and they had agreed to split and go their separate ways.
.
The police believed from the evidence that they had thus far that it was enough to hold the man, now a suspect, and the death case turned into a murder case. The evidence they relied upon was:
.
1) The neighbours hearing regular arguments and cries for help on the fateful day
2) The neighbour that says she saw the suspect leaving the house at 8.30pm
3) The call records that show a call on the Tuesday from the suspect's mobile telephone using a Cell ID from a Mast that is sited 2.4Km away and is the nearest Mast to the house
4) The radio test measurements that show the Mast’s coverage, thus Cell ID, used by the suspect's mobile phone illuminated outside the house.
.
So at minimum there appear to be four good pillars of evidence. However, when the radio test measurements were conducted, no checks had been made with the mobile operator as to whether any changes had been made to the Masts in the area prior to the radio test measurements being conducted. It subsequently came to light at trial that the Cell ID illuminating towards the house (image (b)) had only been illuminating eastwards towards the house from Thursday 18th March 2008, after the alleged murder, due to changes at the Mast. Prior to that date the Mast had been illuminating westwards, towards a block of flats (image (a)).
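The Mast check that was missed here can be expressed as a simple comparison of the operator's change history against the call time and the survey time. The following is an added example, not part of the original post: the record layout, the placeholder Cell ID, the 120 degree beamwidth, the bearing of the house from the Mast, the date the westward configuration began and the survey date are all assumptions constructed to mirror the hypothetical case.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class SectorConfig:
    cell_id: str
    effective_from: datetime   # date the operator says this configuration went live
    azimuth_deg: float         # bearing of the sector's main beam from the Mast
    beamwidth_deg: float       # horizontal beamwidth (assumed value in the sample data)

def config_at(history: List[SectorConfig], cell_id: str, when: datetime) -> Optional[SectorConfig]:
    """Return the configuration in force for cell_id at `when`, or None if unknown."""
    live = [c for c in history if c.cell_id == cell_id and c.effective_from <= when]
    return max(live, key=lambda c: c.effective_from, default=None)

def bearing_in_sector(cfg: SectorConfig, bearing_deg: float) -> bool:
    """Geometric screen only: is the bearing inside the main beam? Not a coverage prediction."""
    offset = abs((bearing_deg - cfg.azimuth_deg + 180) % 360 - 180)  # handles 350 vs 10 degrees
    return offset <= cfg.beamwidth_deg / 2

def review_call(history, cell_id, call_time, survey_time, scene_bearing_deg):
    """Decide whether a survey taken at survey_time can speak for a call made at call_time."""
    at_call = config_at(history, cell_id, call_time)
    at_survey = config_at(history, cell_id, survey_time)
    if at_call is None or at_survey is None:
        return {"status": "NO_OPERATOR_DATA"}  # the enquiry to the operator is still outstanding
    same = (at_call.azimuth_deg, at_call.beamwidth_deg) == (at_survey.azimuth_deg, at_survey.beamwidth_deg)
    return {
        "status": "CONSISTENT" if same else "SURVEY_NOT_REPRESENTATIVE",
        "azimuth_at_call": at_call.azimuth_deg,
        "azimuth_at_survey": at_survey.azimuth_deg,
        "scene_in_beam_at_call": bearing_in_sector(at_call, scene_bearing_deg),
        "scene_in_beam_at_survey": bearing_in_sector(at_survey, scene_bearing_deg),
    }

# Constructed sample data mirroring the hypothetical case (not real operator records).
CELL = "CELL-ID-PLACEHOLDER"
HISTORY = [
    SectorConfig(CELL, datetime(2007, 1, 1), 270.0, 120.0),   # westwards, towards the flats; start date assumed
    SectorConfig(CELL, datetime(2008, 3, 18), 90.0, 120.0),   # eastwards, towards the house, from 18 March 2008
]
HOUSE_BEARING = 90.0                          # assumed: the house lies due east of the Mast
CALL_TIME = datetime(2008, 3, 16, 20, 0)      # the Tuesday 8.00pm call, dated as in the post
SURVEY_TIME = datetime(2008, 5, 18, 12, 0)    # constructed: about 9 weeks after the estimated death

if __name__ == "__main__":
    result = review_call(HISTORY, CELL, CALL_TIME, SURVEY_TIME, HOUSE_BEARING)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A status of `SURVEY_NOT_REPRESENTATIVE` means the radio test measured a configuration that did not exist when the call was made, so the survey result cannot be read back onto the call record without further enquiry.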
.
Impact on Criminal Case
So when the police had noted from the suspect's call records that, over the last few months, the suspect's mobile phone had used a particular Cell ID for mobile calls that the police thought could be made or received from the house, they were misled and operated under a false assumption. The suspect had, in fact, been having an affair with a married woman in the block of flats (image (a)) and didn't want to say anything for fear of reprisals from the woman’s husband, who was known to have a temper and might take it out on the woman if she was called as a witness. It was this affair that the victim, when she was alive, had been tipped off about some months earlier, and it was the cause of the couple constantly arguing.
.
The lack of discovery about any changes to a particular Mast prior to conducting radio test measurements impacted on the case by:
.
- the test results, that should add value to a case, were inaccurate and unhelpful
- introduced delays into an investigation as the test results steered the police investigation in the wrong direction
- operational man-hours increased
- operational costs increased
- worse still, a false allegation of murder was made against an innocent person
.
As to the other pillars of evidence: 3) and 4) were no longer valid, and the woman with whom the suspect was having an affair corroborated the dates and times she was with the suspect. As to 1) and 2)? On the fateful day, 1) the argument that was heard by a neighbour turned out to involve the victim's ex-boyfriend from a previous relationship, against whom she had given evidence for drug dealing some 5 years earlier, and who had been released from prison 20 days before the murder. He had vowed to seek revenge against the victim. 2) The neighbour who saw the suspect at 8.30pm in fact saw a silhouette of a man she thought was the suspect, because it was 8.30pm at night and her eyesight wasn't as good at night. The silhouette leaving the house was the ex-boyfriend leaving after having murdered his ex-girlfriend.
.
Further Observations
In consequence, not checking with the operator about their Masts prior to conducting radio test measurements caused lost investigation time in finding the real culprit, unnecessary redundant evidence, increased costs and exponentially increased investigation time, apart from wrongly accusing a person. Moreover, as checking the Masts is a well-known procedure, not to have checked during an investigation may amount to an act of intent to plant evidence to create incrimination against someone by using an act of deliberate omission during an investigation.
.
This is only a hypothetical discussion, but if these acts were operated in reality on a regular basis in criminal cases and applied as policy in widespread use across England, it may potentially lead to £20 millions in retrials. Of course that shouldn’t be possible arising from the 'Golden Rule' of disclosure, enunciated by Lord Bingham in R -v- C & H (February 2004), when he said that ‘fairness requires that full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence’. The test is an objective one and is grounded on what is ‘reasonable’. However, the guidance makes it plain that an expert witness is no longer to be trusted to exercise his or her own judgment in deciding what falls within this definition and what is and is not relevant.
.
It is the influence of the Golden Rule, placing affirmative duties on the prosecution from 2004 onwards, that safeguards the reliability of evidence in criminal cases. That suggests that, were Her Majesty's Inspectorate called upon to require the prosecution tomorrow to provide, from 200 cases randomly selected by the Inspectorate from across the country, documents of enquiry to a particular operator seeking to be notified of any changes to a particular Mast in a particular case, and the documented response received from the operator, they could do so.
.
That doesn't mean to say if the prosecution mobile telephone case has 50 Masts used for calls that documentation for each of the 50 Masts would be necessary, as rarely are all Masts relevant to an alleged crime, anyway, and a large proportion being used for padding simply to show movement. The relevant Masts are those where the Masts and coverage can illustrate that the mobile telephone or telephones could potentially be at the scene of crime, which on the whole usually relates to the last three to six Masts nearest the scene of crime. Besides I couldn't see the prosecution being hoodwinked into believing that because there are 50 Masts in a case that the number amounted to far too many enquiries to be made to the operator and so didn't make any enquiries at all.
.
As I have mentioned above this is purely hypothetical, but hopefully it illustrates the importance of Checking Masts before conducting radio test measurements.
.