Sunday, October 11, 2009

Extra-Statutory

.
Where, for illustrative purposes only, a Home Office circular regulates e.g. the use of listening devices and aural and visual procedures, the standards set by that document may be the same as those under a statute (say RIPA or, previously, IOCA), but following the circular's guidance does not of itself make any acts or omissions compliant with the statutory provisions; conduct arising from following the circular's regulation, and not the statute, could be "wholly extra-statutory" and would probably contravene the European Convention on Human Rights - see Malone v Metropolitan Police Commissioner [1979] Ch 344; cf Malone v United Kingdom (1984) 7 EHRR 14.
.
The above represents past events, and matters have, or should have, moved on since then. When RIPA was introduced it was made clear that "no" extra-statutory conduct or operations were possible arising out of that new legislation, and that any acts outside of it may amount to a contravention and be unlawful.
.
Having illustrated, with a simplistic model, "extra-statutory" activity by public authorities and public bodies or their personnel, the point being to avoid giving advice, direction or guidance which would or could mean such acts operate in parallel to the statutory provisions instead of being enshrined within them, the same principle of extra-statutory activity can apply across many other areas covered by other statutes, too.
.
Advice, direction and guidance given to facilitate the transmission of sensitive and/or unlawful material over public systems to aid extraction and harvesting of data from a device or devices might well be "wholly extra-statutory" conduct or operations, even where it is a one-off case. Where advice is given to do acts which appear to go against previously stated authority in dealing with certain types of material, the expert/examiner should record all dealings with those acts that have been instructed.
.
I picked up on this whilst reading books and papers dealing with judicial review of administrative action, Blackstone's Criminal Practice, Archbold, telecommunications law and practice and the laws of the internet, etc. I also noted that ACPO Guidelines and other provisions in public sector procurement documents appear not to cover any examiner/expert who enters into extra-statutory acts.
.
These are only my observations based upon what I have read, which may assist other examiners/experts. I am not giving legal advice and I do not hold myself out to be a lawyer. It could be that, from what I have read, my observations are wrong, and therefore it is always recommended to seek legal advice about instructions given, or past instructions acted upon, under the belief that those instructing were authorised to give such directions to do such acts in the first place.

Monday, September 21, 2009

SMS Text Messages - Hearsay Evidence

.
C2247 / R v Leonard 2009
YEAR OF CASE: 2009
CITATION: [2009] EWCA Crim 1251
COURT: Court of Appeal
.
SUMMARY:
Large quantities of various types of Class A drugs and cash were found in L's bedsit and on his person during a search by police.
.
At trial for possession of class A drugs with intent to supply, the prosecution argued that L was a street dealer and those drugs found had been his 'stock pile'. The defence argued that the drugs were for his personal use and that he was not a dealer but he had the large amount that was found because he intended to share them with his girlfriend.
.
The prosecution wished to admit two text messages as evidence to support its case. Both were from different people, one to compliment the 'gear', the other to complain about it. The defence argued that the text messages were inadmissible hearsay. The judge rejected the argument and admitted them as evidence of bad character as opposed to hearsay.
.
L was convicted and appealed arguing that the judge had been wrong in law.
.
Held:
Appeal dismissed. Convictions upheld. The text messages were hearsay evidence and not evidence of bad character. They fell within the scope of sections 114 and 115 of the Criminal Justice Act 2003 for the following reasons:
.
(i) they had not been made in oral evidence,
(ii) they were statements of fact or opinion within the meaning of section 115(2) of the 2003 Act,
(iii) the reason for the evidence being admitted was to establish the matters stated in the texts to try to prove that L had supplied the drugs to the senders of the texts, and
(iv) each message was designed to make the person in receipt of them believe the matters stated in them as required by section 115(3).
.
Once it is established that the texts are hearsay, they then fall to be analysed as to whether they meet the statutory requirements for admission. The only basis upon which they could be admitted would be under section 114(1)(d), that it was in the interests of justice to do so. To ascertain whether that is the case, regard must then be had to the nine propositions in section 114(2); as they failed to meet some or all of those criteria, they were hearsay, but inadmissible hearsay evidence. Despite this, there was still a very strong case against L without them and their admission had not tainted the rest of the trial.
.
Note:
In this instance the senders of the text messages were never identified. If the authors can be identified then the text messages may become admissible, since the authors can be potential witnesses, allowing the evidence to be tested by way of cross-examination with any requisite measures in place, for example special measures under the Youth Justice and Criminal Evidence Act 1999 to alleviate such issues as fear.
.

Sunday, September 13, 2009

BCCH data uncovered

.
The data found in the elementary file Broadcast Control Channel (EFBCCH), 7F20:6F74 / 7F21:6F74, can provide useful data relating to a geographical radio area when combined with location area information data.

.
Method for translating BCCH information data. The question is, is the translation below to find the BCCH frequencies correct and what have I not mentioned below? You will need copies of GSM11.11, GSM03.03, GSM04.08 as well as understanding coding schemes.
.
FIGURE 1 What the Standard states:
.
FIGURE 2 What that means:
.
FIGURE 3 Harvested data from an Orange SIM Card read:
.
FIGURE 4 Translating the hex output to binary:
.
FIGURE 5 Converting to decimal digits, which translates again and corresponds to GSM assigned uplink/downlink frequencies:
.
BCCH Frequencies (ARFCN)
761 765 766 774 781 782 786 787 789 790 797 799 801 803 806 813 816 825 828 829 838 846 847 849 869
.
FIGURE 6 Corroborating the conversion using another tool:
.
More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com
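As an added example (editor's code, not from the original post or any tool it mentions), the following Python decoder reads a 16-byte EF_BCCH body in either the "bit map 0" or the "variable bit map" coding of the GSM 04.08 Cell Channel Description / Neighbour Cells Description IE, which GSM 11.11 points to for this file. The figures above are not reproduced here, so the DCS 1800 input is a body constructed by encoding the ARFCN list above in variable bit map format; the bit layout is the editor's reading of GSM 04.08 10.5.2.1b and is an assumption to check against the standard.

```python
"""EF_BCCH (GSM 11.11 file 6F74) body decoder.

The 16-byte body is coded like octets 2..17 of the GSM 04.08 Cell Channel
Description / Neighbour Cells Description IE.  Two formats are handled:
  'bit map 0'        one bit per ARFCN 1..124 (GSM 900 only)
  'variable bit map' ORIG-ARFCN plus up to 111 relative channels (RRFCN),
                     which is how a DCS 1800 list such as the one above fits.
Bit positions are the editor's reading of GSM 04.08 10.5.2.1b (assumption).
"""

BITMAP0 = "bit map 0"
VARIABLE = "variable bit map"

# ARFCN list from Figure 5 above; used to build the constructed sample below.
PAGE_ARFCNS = [761, 765, 766, 774, 781, 782, 786, 787, 789, 790, 797, 799, 801,
               803, 806, 813, 816, 825, 828, 829, 838, 846, 847, 849, 869]


def format_id(octet2):
    """FORMAT-ID sits in bits 8,7 and 4,3,2 of octet 2."""
    if octet2 >> 6 == 0b00:
        return BITMAP0
    if octet2 >> 6 == 0b10 and (octet2 >> 1) & 0b111 == 0b111:
        return VARIABLE
    return "range format"  # 1024/512/256/128 range formats: not handled here


def decode_bitmap0(body):
    """Octet 2 bits 4..1 = ARFCN 124..121; octets 3..17 bits 8..1 = ARFCN 120..1."""
    bits = [(body[0] >> b) & 1 for b in (3, 2, 1, 0)]
    for octet in body[1:16]:
        bits += [(octet >> b) & 1 for b in range(7, -1, -1)]
    return sorted(124 - i for i, bit in enumerate(bits) if bit)


def decode_variable_bitmap(body):
    """ORIG-ARFCN (10 bits) then RRFCN 1..111; RRFCN k set => (ORIG + k) mod 1024."""
    orig = ((body[0] & 1) << 9) | (body[1] << 1) | (body[2] >> 7)
    arfcns = [orig]
    k = 1
    # RRFCN 1..7 sit in octet 4 bits 7..1, RRFCN 8..111 in octets 5..17 bits 8..1
    for b in range(6, -1, -1):
        if (body[2] >> b) & 1:
            arfcns.append((orig + k) % 1024)
        k += 1
    for octet in body[3:16]:
        for b in range(7, -1, -1):
            if (octet >> b) & 1:
                arfcns.append((orig + k) % 1024)
            k += 1
    return arfcns


def decode_ef_bcch(body):
    """Dispatch on FORMAT-ID; the range formats are outside this example."""
    if len(body) != 16:
        raise ValueError("EF_BCCH body must be 16 bytes, got %d" % len(body))
    fmt = format_id(body[0])
    if fmt == BITMAP0:
        return decode_bitmap0(body)
    if fmt == VARIABLE:
        return decode_variable_bitmap(body)
    raise NotImplementedError(fmt + " not handled here")


def encode_variable_bitmap(arfcns):
    """Inverse of decode_variable_bitmap; used only to construct sample input."""
    orig = arfcns[0]
    body = bytearray(16)
    body[0] = 0b10001110 | ((orig >> 9) & 1)  # FORMAT-ID 10..111, spare bits 0
    body[1] = (orig >> 1) & 0xFF
    body[2] = (orig & 1) << 7
    for a in arfcns[1:]:
        k = (a - orig) % 1024
        if not 1 <= k <= 111:
            raise ValueError("ARFCN %d is not within 111 of ORIG-ARFCN" % a)
        if k <= 7:
            body[2] |= 1 << (7 - k)
        else:
            idx, bit = divmod(k - 8, 8)
            body[3 + idx] |= 1 << (7 - bit)
    return bytes(body)


# Constructed samples (not read from a real SIM):
SAMPLE_DCS_BODY = encode_variable_bitmap(PAGE_ARFCNS)         # 7F21:6F74 style
SAMPLE_GSM_BODY = bytes([0x01, 0x80] + [0x00] * 13 + [0x01])  # ARFCN 121, 120, 1
```

Running `decode_ef_bcch(SAMPLE_DCS_BODY)` returns the 25 ARFCNs listed in Figure 5, in ascending order.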

Friday, July 10, 2009

Mobile Phone Flash Memory Chip Evidence

.
When recovering data using flasher box devices, it may be useful, in support of obtaining a detail (IMSI/ICCID/etc.) about a particular SIM Card previously inserted in a particular mobile telephone, to note that storing such data in the handset's memory is:
.
- not new
- not clandestine shady black-box technology
- not a security breach by the handset manufacturer
.
In fact the entire process of maintaining a SIM List in the phone was designed to allow a user with more than one SIM Card to gain access to previously held memory data associated with each particular SIM Card.
.
In order to support that statement it would be helpful to see practitioners using authoritative statements about the forensic 'reliability' and 'accuracy' of recovered data obtained using flash reading devices, and the evidential 'weight' and 'value' to be given to that data.
.
To assist, here is a statement from a 1996 published Electronic User Guide for the Nokia 2110:
.
SECURITY LEVEL (Menu 5 2) Page 71
"The phone keeps a list of the SIM cards which are used with the phone. This list may contain the information on up to five different SIM cards."
.
However under the same section in the User Guide it states:
.
"Regardless of the selected security level, all temporarily stored phone numbers are erased when a new SIM card is installed. On the other hand, these phone numbers are not erased when a previously used SIM card is inserted, regardless of the selected security level."
.
As a query about forensic reliability and accuracy:
.
- During the acquisition process and the harvesting of the acquired data, is there, or has there been, anything lost in translation of the data themselves at first instance? If the IMSI you have recovered from flash memory is presented along with call logs etc., how do you know that those call logs relate to that IMSI and not to another IMSI?
.
As a query about evidential weight and value:
.
- What weight can be given to the recovered IMSI being directly associated with those call logs? Moreover, what value is there in using such potentially uncorroborated evidence assigned to the recovered data being presented as evidence?

Fowler-Nordheim Tunnelling Principle

.
The floating gate can be charged and discharged by using Fowler-Nordheim "tunnelling": a principle whereby certain electrons subjected to an electric field can cross the forbidden gap of an insulator to enter the conduction band and thus flow freely for a short distance to a positively charged area.

Sunday, May 17, 2009

A808 Watch Phone With Bluetooth

.
The spec for the A808: Tri-band (GSM 900 / 1800 / 1900 MHz), GPRS and Bluetooth connectivity, a 1.3 inch touch screen and, interestingly, not only keyboard but handwritten input. Additionally it comes with an MP3 / MP4 multimedia player and FM radio. And it's made in China.
.
.
The SIM is underneath the back cover and the cover carries an Apple logo. Has anyone examined this fancy-goods style watch mobile telephone before? If so, can you please send an email to me (to the email address located at the top of my blogspot page) to let me know of any useful programs for downloading data via Bluetooth. Thanks.
.

Friday, May 15, 2009

Undercover Officer Down, how might SIM Access Control Class help? Part 1

PART 1: Undercover Officer Down, how might SIM Access Control Class help?
.
The following is a scenario created to help examiners and experts know more about how to determine what data in SIM/USIM elementary files can mean, and to appreciate what needs to be understood before examining a SIM/USIM and giving evidence. Computer forensics has made a significant contribution to data recovery that can be used for harvesting data from mobile telephones and SIM cards; however, data recovery is only one element of mobile telephone evidence and is not ‘the evidence’ to be considered in isolation from everything else.
.
Moreover, an examiner and an expert are expected to usefully advise with respect to investigations where data obtained from mobile telephones and SIMs/USIMs are involved, so here, too, this scenario will hopefully open examiners' and experts' eyes to new ways of considering data. What the law of evidence wants to know is, provided the data recovered is not a problem, what does the data actually mean and how should it be interpreted?
.
Scenario
An undercover officer has infiltrated a criminal organisation involved in drugs and people trafficking. The undercover officer needs to keep details and seek answers without blowing his cover. The situation is always life threatening. The officer is required to report back by mobile phone to Control every 7-14 days.
.
PC0001, on patrol in the Shopping Mall, sees a known drug dealer in the doorway of a Supermarket with an unknown IC1 female handing over a package. PC0001 calls and waits for back-up before approaching. A stop and search is then conducted using the appropriate procedures under PACE 1984. A quantity of drugs is found, along with a large bundle of money and two mobile telephones, which were all subsequently put into evidential containers, and the two individuals are carted off in the wagon to the local nick.
.
The alleged crime of drug selling (given the quantity seized) is fairly low down the scale; the money found was £1,780.00, which compared with other crimes wasn’t high, and so priority won’t be given to this case over other cases in the system. The mobile phones are sent away for examination. The person assigned to deal with the examination of the mobile telephone and SIM card conducts a quick-level examination for subscriber details, mobile telephone number, SIM serial number/ICCID, phonebook and text messages. Before starting to examine the mobile telephone the examiner becomes ill and doesn’t complete the work.
.
The examination would need to be passed to another examiner, who would have to start from scratch, as the next examiner could not possibly give evidence about someone else’s work, having no knowledge of the previous examination. By chance the new examiner chosen for the work had just come back from Greg Smith’s TrewMTE SIM Card training course, where he had undergone deep-level training in being a professional examiner and had been taught about ethical working practices, understanding the symbiotic relation with other mobile telephone devices and network elements, technical standards, working practices and SIM Card examination and data investigation etc. (well alright, but it is only a modest promotion about me).
.
The new examiner conducted a fresh examination, starting with the SIM Card. Having been trained to look for evidence of activity and indicators about the potential user of the SIM card, the new examiner immediately contacted the Senior Officer where PC0001 was stationed. The new examiner, having been trained to identify certain data and corroborate the finding with reference material to ensure the meaning of the data, explained to the Senior Officer that he was examining a mobile telephone SIM Card that may belong to someone in the Security Services, and that if he, at the local level, was examining this SIM then it could mean there was a man [undercover] down in the field.
.
Asked why the new examiner might suspect this, he referred to the recent training he had had and to a mandatory data file he had identified in the SIM Card, an elementary file titled EFACC (Access Control Class). The SIM had recorded Access Class 12, which is referenced as “Security Services”. The examiner also informed the Senior Officer that he had acquired from the SIM the subscriber details and mobile telephone number but was not authorised to access personal details. The examiner also mentioned that, as ex-British Army, he had field experience, and that should “intel” suggest there may be a “man down” he would rely on all efforts being made to rescue him; he therefore considered the user of the SIM (being examined) would equally rely on the same.
.
The Senior Officer took the details and immediately set in motion a priority search. The details the new examiner had given to the Senior Officer proved correct and were linked to an officer on field ops. It transpired the officer had not been in contact for 14 days. Because of the work involved, MI5 were called in for their superior network of intelligence and, given the nature of the criminal organisation, every schoolboy's heroes, the SAS, were sent in to conduct ground surveillance, attack, capture and rescue. The undercover officer was rescued: badly beaten, bleeding and barely alive, but alive nonetheless.
.
To clear up some loose ends to this scenario: how did the drug dealer come to be in possession of the undercover officer's mobile phone? The undercover officer had been rumbled by the gang and, when running away, before the gang captured him, he had thrown it away, working on the long shot that someone would find it and hand it in. The drug dealer had found it, assumed it had been dropped by a passer-by and considered it could provide anonymity for drug dealing. There is a separate story about other evidence the mobile tied to the drug dealer, but this scenario is about saving an important life.
.
So what can be learned from the above scenario, and what facts are known?
.
a) that the examiner, as a matter of fact, needs proper training to know what data can be significant
b) that, as a statement of fact, there is an elementary file in the SIM called EFACC (Access Control Class)
c) that, as a statement of fact, the elementary file EFACC (Access Control Class) can be assigned to a User with Access Class 12, assigned to “Security Services”
d) that the examiner should know the limitations of the tools s/he works with before using them
e) that the examiner should have the tools that actually reveal the information that is significant
f) that a proper and full examination of a SIM is an absolute requirement, rather than the examiner merely conducting a dumbed-down check looking only at certain data sets
g) that checking the findings immediately following a SIM read is essential
h) that the potential for life-threatening situations or national security implications should be communicated straightaway
i) that a “priority” check means “speed and instantly” and not mañana
.
Part 2 will identify the full 16 Access Classes and look at the Class 12 technical elements for Access Control Class: how it works, its uses and its limitations. What will become abundantly clear is that, if Part 1 and Part 2 deal only with Access Class 12, what can be learned about all the other Access Classes? More importantly, why has proper checking of Access Control Class and other EFs in SIM Cards not become standard practice?
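As an added example (editor's code, not from this post or the TrewMTE course), the following decodes the two-byte EFACC and separates the ordinary class from any special classes, including the Access Class 12 the scenario turns on. The bit layout and the class names are the editor's reading of GSM 11.11 (EFACC, 6F78) and the access class definitions in GSM 02.11 / GSM 04.08, an assumption to verify against the standards; the input bytes are constructed.

```python
"""EF_ACC (GSM 11.11 file 6F78) decoder: which access classes a SIM holds.

Coding (editor's reading of GSM 11.11 10.3.15; verify against the standard):
two bytes, one bit per class; byte 1 b8..b1 = classes 15..8, byte 2 b8..b1 =
classes 7..0; the class 10 bit (byte 1 b3) is always 0.  A subscriber has one
ordinary class 0-9 and may additionally hold one or more special classes 11-15.
"""

SPECIAL_CLASSES = {
    11: "For PLMN use",
    12: "Security Services",
    13: "Public Utilities (e.g. water/gas suppliers)",
    14: "Emergency Services",
    15: "PLMN Staff",
}


def decode_ef_acc(raw):
    """Return the allocated access classes, lowest first."""
    if len(raw) != 2:
        raise ValueError("EF_ACC is 2 bytes, got %d" % len(raw))
    value = (raw[0] << 8) | raw[1]  # bit n of the 16-bit value is class n
    return [cls for cls in range(16) if (value >> cls) & 1]


def assess_acc(raw):
    """Split the classes into the ordinary class and any special classes,
    and note anything that should make the examiner distrust the read."""
    classes = decode_ef_acc(raw)
    ordinary = [c for c in classes if c <= 9]
    special = {c: SPECIAL_CLASSES[c] for c in classes if c in SPECIAL_CLASSES}
    notes = []
    if 10 in classes:
        notes.append("class 10 bit set: must be 0 in EF_ACC, treat the read as suspect")
    if len(ordinary) != 1:
        notes.append("expected exactly one ordinary class 0-9, found %d" % len(ordinary))
    return {"classes": classes, "ordinary": ordinary, "special": special,
            "special_present": bool(special), "notes": notes}


# Constructed samples, not read from a real SIM:
SAMPLE_SECURITY_SERVICES = bytes([0x10, 0x04])  # class 12 plus ordinary class 2
SAMPLE_ORDINARY_ONLY = bytes([0x00, 0x20])      # ordinary class 5 only

if __name__ == "__main__":
    print(assess_acc(SAMPLE_SECURITY_SERVICES))
    print(assess_acc(SAMPLE_ORDINARY_ONLY))
```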

Thursday, May 14, 2009

Mobile Telephone Examination Procedure

.
This discussion continues the theme of highlighting the diminishing quality, over the last five years, of knowledge in mobile telephone evidence training, and the very poor understanding shown by those giving advice about, or presenting, mobile telephone forensic evidence and opinion.
.
By way of further illustration of poor understanding, here is the advice given in an advice note regarding mobile telephone examination procedure:
.
(1) removing the battery of certain makes/models of mobile telephone can lose the date and time stamp and call history, but using a Shielding Room can prevent this because you won’t need to remove the battery.
.
(1a) the party giving the advice above then went on to suggest that they did not think, by and large, that the above was a better methodology that should be adopted, and went on to advocate that the method of producing a clone test SIM (Access Card) appeared to them to be more appropriate.
.
A shielding room is used to prevent radio signals entering a given space that the shielding is designed to protect, and so prevents the mobile telephone from registering to the mobile telephone network; it cannot, though, prevent loss of full call history and date and time stamp, irrespective of whether the mobile telephone is in a shielded room or not. Removing the battery on some older models of mobile telephone can lose the full call history and date and time stamp. To produce a clone test SIM (Access Card) the examiner is required at first instance to remove the battery to get to the SIM/USIM. So how is their recommendation (in 1a) shown to be any better than the unsuitable Shielding Room scenario (in 1)?

.
- For the record the point I am making is not to advocate shielding rooms or faraday bags, I am just pointing out the absurdity of the advice -
.
By noting in their advice that using a Shielding Room may not be the best method (thus tacitly negating its use), the advice then goes on to positively suggest that the examiner wouldn’t need to remove the battery because the phone is in a shielding room, and that the call history and date and time stamp on the mobile telephone would be secure. They then go on to advocate the removal of the battery, which implicitly requires taking the SIM out of the handset for the purposes of producing a clone test SIM (Access Card). Their advice is confusing, as they have already admitted that removing the battery can lose data.
.
An examiner will naturally have to remove the SIM/USIM from the handset anyway (removing the battery first is one point; another is that removing the SIM/USIM can inevitably cause loss of data in the handset - it can't be helped), because the proper order of examination requires a full examination of the SIM/USIM to get at evidence that is not readily available and obtainable by leaving the SIM/USIM in the handset during examination.
.
I concluded from reading their advice that it contained so many mixed messages and conflicting uses of methodologies (each method would usually be used for the treatment of a different issue in isolation, but they were now being squeezed together to make them work) that it would leave an examiner following their advice open and vulnerable to potentially discrediting their own evidence.

.
Moreover, if the advice note was intended to succeed in getting an examiner to use Access Cards over Shielding Rooms then, in my view, it failed to convince me to use one rather than the other.

Monday, February 02, 2009

SIM PIN Challenge 2

.
A reminder that this challenge ends on the 15th February 2009:
.
http://trewmte.blogspot.com/2009/01/sim-pin-challenge.html
.
No pressure here guys, but we have had the first written response to the SIM PIN Challenge from a Challenge Entrant who has just started in mobile telephone forensics. This Challenge should therefore be a walk in the park for all you mobile phone and computer forensic examiners who have given evidence about SIM Cards in Court.
.
As a brief history about SIM Cards, the requirement for a *Personal Identity Number (PIN) to be available in a SIM Card is defined by the GSM Standard GSM11.11. Moreover, the GSM11.11 v3 1995 standard onwards can be downloaded free of charge, so at least we know there is over 13 years of technical knowledge about SIM Card PIN that is traceable. Furthermore, there are other standards that are used to test for allocation and activation of PIN and the mandated execution of the function between the mobile phone and SIM Card.
.
*Do remember that PIN is only used because it is common language now, but it has been made obsolete in the standards and replaced by CHV (Card Holder Verification).
.
Finally, many tens of thousands of SIM Cards have been examined and their evidence, along with examiners' testimonies/experts' opinions, has been presented in criminal proceedings at Court for well over a decade. A large number of the SIM Cards presented for examination had PIN enabled; thus understanding the fundamental operation of PIN is vital to forensic investigation understanding and the evidence presented about it.
.
I have sent copies of this Challenge and MOBILE FORENSICS AND EVIDENCE DEGREES/CHALLENGE (see weblink at the end of this discussion) to the following, who have the responsibility for innovation, universities and skills, and for regulation of forensic sciences:
.
Rt Hon John Denham Secretary of State for the
Department of Innovation, Universities and Skills (DIUS)
.

Mr Andrew Rennison UK Forensic Science Regulator
.
MOBILE FORENSICS AND EVIDENCE DEGREES/CHALLENGE

Thursday, January 08, 2009

SIM PIN Challenge

.
Back in 2005 I was at a presentation by a SIM manufacturer when the presentation turned to CHV (Card Holder Verification), the correct technical term for PIN used for SIM Cards.
.
The presentation had reached the part "Verifying the CHV" and went on to record:
.
~ To verify PIN, the verifyCHV APDU is used....
.
A0 20 00 CHVNum 08 PINValue
.
~ The message sent from the phone to the SIM in order to check your PIN number 1111, is:
.
A0 20 00 01 08 31 31 31 31 FF FF FF FF
.
This all seemed normal until three slides later, when the presentation started to discuss "File Structure after personalization" and displayed graphics starting with the Master File (MF), under which there were five Elementary Files (EF). The graphics displayed in the presentation were textbook style when discussing MF and EFs, except that for this presentation the manufacturer had gone as far as to identify two particular CHV EFs, one of which was 3F00 - EF_CHV1 0000.
.
.
So does that mean a particular EF under the MF in a SIM with the logical address 3F00 0000 is always going to be the CHV1 file, and would the raw data from that EF reveal a user's PIN number?
.
Below are raw data extracts from three phases of SIM cards - Phase 1, Phase 2 and Phase 3 (2+) - harvested from the Master File (MF) 3F00 and an unnamed EF immediately under the MF with the address 3F00 0000.
.
Your challenge, if you are interested, is to examine the raw data and corroborate whether the data reveals a user's CHV1 (PIN number) or not.
.
To help, you may want to check the GSM SIM card standard GSM 11.11 to comprehend file structure, formatting and coding etc for elementary files and to learn what the standard has to say about CHV/PIN.
.
As forensic investigators you shouldn't need the 'carrot and stick' approach to get you to undertake this challenge, because I know how much you all love your work and can't get enough of it, and that should be reward enough :-). However, for the first person who posts the correct answer at Forensic Focus, I am sure we can sort out some sort of prize:
.
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3349
.
However, there are some rules (there is always something like this):
.
1) Your answer should contain identification of a document or weblink that supports the answer (the document/weblink must be traceable and not based on "something somebody told you"). This will be checked before any prize is awarded.
2) Challenge closes 15th February 2009.
3) I won't be giving the answer, because I do not want everyone just to sit back and think they can wait for my reply.
.
GOOD LUCK
.
PHASE 1 SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 1A 47 3F 00 00 00 F1 F4 44 13 15 83 02 03 04 00 82 8A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
----------------------------------------
Allocated memory :1A47
File ID :3F00
Type of file :MF
Number of DF : 2
Number of EF : 3
Number of CHV's : 4
CHV1(PIN1) :Disabled
CHV1(PIN1) Status :2 Tries left
CHV1(PIN1) Status :10 Tries left
CHV1(PIN1) Status :0 Tries left
CHV1(PIN1) Status :0 Tries left
--------------------------------------------------------------------------------
.
3F00:0000

--------------------------------------------------------------------------------
Response: 00 00 00 18 00 00 00 00 FF FF FF 13 06 00 00 02 01 00 00 0A FF
----------------------------------------
File ID :0000
Type of file :RFU
Structure of file :Transparent
File Size :0018
Read Access :CHV (PIN) 15
Write Access :CHV (PIN) 15
Increase Access :CHV (PIN) 15
Rehabilitate :CHV (PIN) 15
Invalidate Access :CHV (PIN) 15
File Status :Not Invalidated
--------------------------------------------------------------------------------
.

Phase 2 SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 63 9C 3F 00 01 FF FF FF FF 01 0E 93 02 07 02 00 83 8A 00 00 00 00 83 00 FF
----------------------------------------
Allocated memory :639C
File ID :3F00
Type of file :MF
Number of DF : 2
Number of EF : 7
Number of CHV's : 2
CHV1(PIN1) :Disabled
CHV1(PIN1) Status :3 Tries left
CHV1(PIN1) Status :10 Tries left
CHV1(PIN1) Status :0 Tries left
CHV1(PIN1) Status :0 Tries left
--------------------------------------------------------------------------------
.
3F00:0000

--------------------------------------------------------------------------------
Response: 00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00
----------------------------------------
File ID :0000
Type of file :EF
Structure of file :Transparent
File Size :0012
Read Access :CHV (PIN) 15
Write Access :CHV (PIN) 10
Increase Access :CHV (PIN) 15
Rehabilitate :CHV (PIN) 15
Invalidate Access :CHV (PIN) 15
File Status :Not Invalidated
--------------------------------------------------------------------------------
.

Phase 3 (2+) SIM Card
3F00
--------------------------------------------------------------------------------
Response: 00 00 00 01 3F 00 01 00 00 00 00 00 09 81 04 12 0A 00 83 8A 83 8A
----------------------------------------
Allocated memory :0001
File ID :3F00
Type of file :MF
Number of DF : 4
Number of EF : 18
Number of CHV's : 10
CHV1(PIN1) :Disabled
CHV1(PIN1) Status :3 Tries left
CHV1(PIN1) Status :10 Tries left
CHV1(PIN1) Status :3 Tries left
CHV1(PIN1) Status :10 Tries left
--------------------------------------------------------------------------------
.
3F00:0000

--------------------------------------------------------------------------------
Response: 00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00
----------------------------------------
File ID :0000
Type of file :EF
Structure of file :Transparent
File Size :0017
Read Access :CHV (PIN) 15
Write Access :CHV (PIN) 11
Increase Access :CHV (PIN) 15
Rehabilitate :CHV (PIN) 15
Invalidate Access :CHV (PIN) 15
File Status :Not Invalidated
--------------------------------------------------------------------------------
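As an added example (editor's code, not the tool that produced the dumps above), the following decodes the raw "Response:" lines according to the SELECT response layout in GSM 11.11 section 9.2.1, which is the part of the standard the challenge points readers at, and also builds the VERIFY CHV APDU quoted from the presentation. Byte offsets, the CHV status coding and the access-condition table are the editor's reading of the standard, to be verified against it; note that the tool's "CHV (PIN) 15" and "CHV (PIN) 10" lines are the raw access-condition nibble, which the table below names.

```python
"""GSM 11.11 SELECT response decoder for the raw dumps in the challenge above.

Layout (section 9.2.1, editor's reading; verify against the standard):
  MF/DF: bytes 3-4 memory not allocated, 5-6 file ID, 7 type of file,
         14 file characteristics (b8 = 1: CHV1 disabled), 15 no. of DFs,
         16 no. of EFs, 17 no. of CHVs, 19-22 status of CHV1, UNBLOCK CHV1,
         CHV2, UNBLOCK CHV2 (b8 = initialised, b4..b1 = tries remaining).
  EF:    bytes 3-4 file size, 5-6 file ID, 7 type of file, 9-11 access
         conditions as nibbles (READ|UPDATE, INCREASE|RFU,
         REHABILITATE|INVALIDATE), 12 file status (b1 = 0: invalidated),
         14 structure of EF.
"""

ACCESS = {0x0: "ALW", 0x1: "CHV1", 0x2: "CHV2", 0x3: "RFU", 0xF: "NEV"}
FILE_TYPE = {0x01: "MF", 0x02: "DF", 0x04: "EF"}
STRUCTURE = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}

# Raw "Response:" lines copied from the dumps above.
PHASE1_MF = ("00 00 1A 47 3F 00 00 00 F1 F4 44 13 15 83 02 03 04 00 82 8A "
             "00 00 00 00 00 00 00 00 00 00 00 00 00 00")
PHASE2_MF = "00 00 63 9C 3F 00 01 FF FF FF FF 01 0E 93 02 07 02 00 83 8A 00 00 00 00 83 00 FF"
PHASE2_EF = "00 00 00 12 00 00 04 00 FA FF FF 01 02 00 00"
PHASE3_EF = "00 00 00 17 00 00 04 00 FB FF FF 01 02 00 00"


def access_name(nibble):
    """Access condition levels; values 4..14 are all administrative (ADM)."""
    return ACCESS.get(nibble, "ADM")


def chv_status(byte):
    """b8 = secret code initialised, b4..b1 = false presentations remaining."""
    return {"initialised": bool(byte & 0x80), "tries_left": byte & 0x0F}


def parse_select_response(hexline):
    data = bytes.fromhex(hexline)
    file_id = data[4:6].hex().upper()
    ftype = FILE_TYPE.get(data[6])
    if ftype is None:
        # The Phase 1 card leaves byte 7 as 00 (RFU), so fall back on the file ID.
        ftype = "MF" if file_id == "3F00" else "EF"
    info = {"file_id": file_id, "type": ftype}
    if ftype in ("MF", "DF"):
        info["free_memory"] = int.from_bytes(data[2:4], "big")
        info["chv1_disabled"] = bool(data[13] & 0x80)
        info["dfs"], info["efs"], info["chvs"] = data[14], data[15], data[16]
        info["chv1"] = chv_status(data[18])
        info["unblock_chv1"] = chv_status(data[19])
        info["chv2"] = chv_status(data[20])
        info["unblock_chv2"] = chv_status(data[21])
    else:
        info["size"] = int.from_bytes(data[2:4], "big")
        info["read"] = access_name(data[8] >> 4)
        info["update"] = access_name(data[8] & 0x0F)
        info["increase"] = access_name(data[9] >> 4)
        info["rehabilitate"] = access_name(data[10] >> 4)
        info["invalidate"] = access_name(data[10] & 0x0F)
        info["invalidated"] = not (data[11] & 0x01)
        info["structure"] = STRUCTURE.get(data[13], "RFU")
    return info


def build_verify_chv(chv_number, pin):
    """VERIFY CHV APDU as quoted above: A0 20 00 CHVNum 08 + PIN padded with FF."""
    if chv_number not in (1, 2) or not (4 <= len(pin) <= 8) or not pin.isdigit():
        raise ValueError("CHV number must be 1 or 2 and the PIN 4 to 8 digits")
    return bytes([0xA0, 0x20, 0x00, chv_number, 0x08]) + pin.encode("ascii").ljust(8, b"\xff")


if __name__ == "__main__":
    for label, line in (("Phase 2 MF", PHASE2_MF), ("Phase 2 EF 0000", PHASE2_EF)):
        print(label, parse_select_response(line))
    print(build_verify_chv(1, "1111").hex().upper())  # A02000010831313131FFFFFFFF
```

Parsing PHASE2_EF reports read access "NEV" and update access "ADM", which is what the tool printed as "CHV (PIN) 15" and "CHV (PIN) 10".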