Tuesday, October 09, 2007

Conflicts Call Records & SMS Delivery Dates


One of the topics dealt with on my training courses just last week is getting examiners to appreciate the relevance of date and time stamps for received SMS text messages. Essentially, it should not be assumed as fact that a text message date and time stamp and call record date and time stamp for the SMS reflect the actual date and time of receipt by a mobile telephone.

The warning during training is worth raising, but there is nothing better than having a reminder about this matter. I have had two reminders of the fact that delayed text messages can occur. Over the last couple of days, two text messages that were sent to me arrived yesterday and today. The text that was received yesterday 08/10/07 was sent on the 05/10/07. The text received today 09/10/07 was sent on the 04/10/07. Note how the older dated of the two text messages arrived later.




There may be some who might argue that:

1) 7F106F3C was full up and 7F106F43 threshold was exceeded, thus preventing texts being received? I can confirm 7F106F3C wasn't full and there is plenty of memory for incoming texts, thus 7F106F43 would not have been invoked.

2) That my mobile 'phone inbox was full up? I can confirm that it wasn't and there is plenty of memory available for incoming texts.

3) That my phone had been switched off all that time? I can confirm my mobile 'phone has been switched ON, on most occasions, except at night and for re-charging. Additionally, I have been receiving texts from others.

4) That the mobile had or has been in a poor service coverage area? No, this would not be correct because on the 04/10/07 I was right by the mobile operator's mast from which my mobile receives service and usually the location for my mobile is in a good coverage service area.

This topic raises important matters regarding mobile telephone evidence in criminal proceedings:

A) That the date and time in an SMS text message is the date and time at which the SMSC received the sent text message from its subscriber. There are some, not many, mobile telephones that do identify a date and time for the text folder when the message was received, but that is not the text message itself. Also, the folder date and time is only as accurate as the clock the user set on the mobile 'phone. The folder issue may be a moot point, though, because where the text message is deleted and later recovered, the mobile telephone folder or its date and time stamp are not recovered.

B) That the call records reflect the charging parameters date and time, not necessarily the delivery date and time of an SMS text message. Therefore, this can create conflict between the call record dates and times and SMS delivery dates and times.

C) In criminal proceedings, we largely deal with historical data and therefore the subscriber of a mobile telephone account may receive a message some time after the date it was sent, and the message may be subsequently saved or deleted. However, it may also be the case that the subscriber may not remember down the line whether a particular text was received late or not.

To overcome this problem and for corroborative purposes, naturally, call record data that identifies details of a received SMS text message should include the network operator's record confirming receipt of the text message, including date and time stamp. The network receipt arises as the mobile 'phone is required to provide confirmation of the message delivered to it. You might think this is analogous to a "Registered Post" letter requiring the addressee to sign having taken delivery of it.
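The following added example (not part of the original post) decodes the SMSC timestamp (TP-SCTS) from an SMS-DELIVER TPDU and sets it against a separately recorded time of receipt, which is the comparison points A) and B) call for. The TPDUs, the originating number and the times of day are constructed for illustration; only the four dates are taken from the post, and two-digit years are assumed to be 20YY.

```python
from datetime import datetime, timedelta, timezone

def _bcd(octet):
    # Semi-octet (swapped-nibble) BCD: the low nibble carries the tens digit.
    return (octet & 0x0F) * 10 + (octet >> 4)

def parse_scts(tpdu_hex):
    """Return the TP-SCTS (SMSC timestamp) of an SMS-DELIVER TPDU."""
    b = bytes.fromhex(tpdu_hex)
    if b[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    # Skip first octet, TP-OA (length, type, digits), TP-PID and TP-DCS.
    pos = 3 + (b[1] + 1) // 2 + 2
    if len(b) < pos + 7:
        raise ValueError("TPDU too short to hold TP-SCTS")
    yy, mo, dd, hh, mi, ss = (_bcd(x) for x in b[pos:pos + 6])
    tz = b[pos + 6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)   # offset from GMT in quarter hours
    if tz & 0x08:                              # bit 3 carries the sign
        quarters = -quarters
    zone = timezone(timedelta(minutes=15 * quarters))
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=zone)

def delivery_gaps(messages):
    """For (tpdu_hex, received) pairs return (scts, received, gap) rows."""
    return [(parse_scts(p), r, r - parse_scts(p)) for p, r in messages]

def arrived_out_of_order(messages):
    """True when SMSC-timestamp order differs from order of receipt."""
    rows = delivery_gaps(messages)
    by_scts = sorted(rows, key=lambda row: row[0])
    by_receipt = sorted(rows, key=lambda row: row[1])
    return by_scts != by_receipt

# Constructed sample: originator is a fictional UK number, offset is GMT+1.
BST = timezone(timedelta(hours=1))
HEADER = "040C91447700091032" + "0000"   # first octet, TP-OA, TP-PID, TP-DCS
SAMPLE = [
    # SCTS 05/10/07, receipt noted 08/10/07 (times of day are constructed)
    (HEADER + "70015041030040" + "00", datetime(2007, 10, 8, 9, 0, tzinfo=BST)),
    # SCTS 04/10/07, receipt noted 09/10/07
    (HEADER + "70014001510040" + "00", datetime(2007, 10, 9, 9, 0, tzinfo=BST)),
]

if __name__ == "__main__":
    for scts, received, gap in delivery_gaps(SAMPLE):
        print(f"SMSC {scts:%d/%m/%y %H:%M}  received {received:%d/%m/%y %H:%M}  gap {gap}")
    print("out of order:", arrived_out_of_order(SAMPLE))
```

The `received` value has to come from a source other than the message itself, such as the operator's delivery confirmation record described above, because the TPDU carries only the SMSC's timestamp.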

Sunday, August 26, 2007

Cloning GSM SIM Card Report



This report, which is available for download, was written back in 2002 and was one of the first on the market to look at what was happening with the GSM SIM Card cloning marketplace, and I believe this report was the first to report on this matter in the mobile telephone evidence and forensic community.

I am letting this report out as it was written in 2002 but largely because there is so much about cloning of SIM Cards that is available by way of the Internet (Google says 1,580,000 threads) that I think it is hardly likely that I am breaking any professional, forensic or moral taboos.


Monday, February 19, 2007

USB Profiler mobile 'phone examination


Ever found it annoying, like I have, when trying to examine mobile 'phones and SIMs/USIMs that, given the vast range of applications and USB plug-in devices to be used, it becomes difficult to know which USB connections are actually running on the computer? That means not just USB devices logged as previously being used but whether there is a live link currently running. As always, it is the simple, straightforward programs that make our lives so much easier. USBDeview profiles all USB connections and provides a global view of activity on your computer. You could of course spend time scrolling through Device Manager... but that can be long-winded. This freeware program speeds up the detection process. Enjoy.

Thursday, January 04, 2007

3G USIM-Detective Training Course 2007


This core course introduces mobile telephone examiners and computer investigators to foundation information about Universal Subscriber Identity Module (USIM) card computer architecture, operating functionality, file structures and elementary files. The course is intended to help delegates understand the complexity of 3G USIM cards and potential locations where user and network data can be recorded.

Ideally, delegates on this course should already have undertaken study into GSM SIM cards as the course requires delegates to also examine 3G USIM cards using Quantaq Solutions USIM-Detective software.

Courses: March, April and May 2007

http://rapidshare.com/files/10245341/USIM-Detective_datahseet_2007.pdf.html

Downloading from Rapidshare:
1. Click the above URL link or copy and paste into browser address bar
2. Go to bottom of Rapidshare html page displayed and click box that says FREE
3. Enter the four-character alphanumeric code into box that says "here"
4. Click Download (that also displays mirror site from which download is being obtained)
5. File download dialogue box appears, choose Open or Save