Sunday, May 17, 2009

A808 Watch Phone With Bluetooth

The spec for the A808: tri-band (GSM 900 / 1800 / 1900 MHz), GPRS and Bluetooth connectivity, a 1.3 inch touch screen and, interestingly, not only keyboard but handwritten input. Additionally it comes with an MP3 / MP4 multimedia player and FM radio. And it's made in China.

The SIM is underneath the back cover and the cover carries an Apple logo. Has anyone examined this fancy-goods style watch mobile telephone before? If so, can you please send an email to me (to the email address located at the top of my blogspot page) to let me know of any useful programs for downloading data via Bluetooth. Thanks.

Friday, May 15, 2009

Undercover Officer Down, how might SIM Access Control Class help? Part 1

The following is a scenario created to help examiners and experts know more about how to determine what data in SIM/USIM elementary files can mean, and to appreciate what needs to be understood before examining a SIM/USIM and giving evidence. Computer forensics has made a significant contribution to data recovery that can be used for harvesting data from mobile telephones and SIM cards; however, data recovery is only one element of mobile telephone evidence and is not ‘the evidence’ to be considered in isolation from everything else.

Moreover, an examiner and an expert are expected to usefully advise with respect to investigations where data obtained from mobile telephones and SIMs/USIMs are involved, so, here too, this scenario will hopefully open examiners' and experts' eyes to new ways of considering data. What the law of evidence wants to know is, provided the data recovered is not a problem, what the data actually means and how it should be interpreted.

Scenario
An undercover officer has infiltrated a criminal organisation involved in drugs and people trafficking. The undercover officer needs to keep details and seek answers without blowing his cover. The situation is always life threatening. The officer is required to report back by mobile phone to Control every 7-14 days.

PC0001, on patrol in the Shopping Mall, sees a known drug dealer in the doorway of a Supermarket with an unknown IC1 female handing over a package. PC0001 calls and waits for back-up before approaching. A stop and search is then conducted using the appropriate procedures under PACE 1984. A quantity of drugs is found, along with a large bundle of money and two mobile telephones, all of which are subsequently put into evidential containers, and the two individuals are carted off in the wagon to the local nick.

The alleged crime of drug selling (given the quantity seized) is fairly low down the scale; the money found was £1,780.00, which compared with other crimes isn’t high, and so priority won’t be given to this case over other cases in the system. The mobile phones are sent away for examination. The person assigned to deal with the examination of the mobile telephone and SIM card conducts a quick-level examination for subscriber details, mobile telephone number, SIM serial number/ICCID, phonebook and text messages. Before starting to examine the mobile telephone itself the examiner becomes ill and doesn’t complete the work.

The examination would need to be passed to another examiner, who would have to start from scratch, as the next examiner could not possibly give evidence about someone else’s work since he would have no knowledge of the previous examination. By chance the new examiner chosen for the work had just come back from Greg Smith’s TrewMTE SIM Card training course, where he had undergone deep-level training in being a professional examiner and been taught about ethical working practices, understanding the symbiotic relation with other mobile telephone devices and network elements, technical standards, working practices and SIM Card examination and data investigation, etc. (well alright, but it is only a modest promotion about me).

The new examiner conducted a fresh examination, starting with the SIM Card. Having been trained to look for evidence of activity and indicators about the potential user of the SIM card, the new examiner immediately contacted the Senior Officer where PC0001 was stationed. The new examiner, having been trained to identify certain data and corroborate the finding with reference material to ensure the meaning of the data, explained to the Senior Officer that he was examining a mobile telephone SIM Card that may belong to someone in the Security Services, and that if he, at the local level, was examining this SIM, then it could mean there was a man [undercover] down in the field.

Asked why he suspected this, the new examiner referred to his recent training and to a mandatory data file in the SIM Card, the elementary file titled EFACC (Access Control Class). The SIM had recorded Access Class 12, which is referenced as “Security Services”. The examiner also informed the Senior Officer that he had acquired the subscriber details and mobile telephone number from the SIM but was not authorised to access personal details. The examiner also mentioned that, as ex-British Army, he had field experience and, should “intel” suggest there might be a “man down”, he would rely on every effort being made to rescue him; he therefore considered the user of the SIM being examined would equally rely on the same.

The Senior Officer took the details and immediately set in motion a priority search. The details the new examiner had given to the Senior Officer proved correct and were linked to an officer on field ops. It transpired the officer had not been in contact for 14 days. Because of the work involved MI5 were called in for their superior network of intelligence and, given the nature of the criminal organisation, every schoolboy's heroes, the SAS, were sent in to conduct ground surveillance, attack, capture and rescue. The undercover officer was rescued, badly beaten, bleeding and barely alive, but alive nonetheless.

To clear up some loose ends to this scenario: how did the drug dealer come to be in possession of the undercover officer's mobile phone? The undercover officer had been rumbled by the gang and, when running away before the gang captured him, had thrown the phone away, working on the long shot that someone would find it and hand it in. The drug dealer had found it, assumed it had been dropped by a passer-by and considered it could provide anonymity for drug dealing. There is a separate story about other evidence the mobile tied to the drug dealer, but this scenario is about saving an important life.

So what can be learned from the above scenario, and what facts are known:

a) that the examiner, as a matter of fact, needs proper training to know what data can be significant
b) that as a statement of fact there is an elementary file in the SIM called EFACC (Access Control Class)
c) that as a statement of fact the elementary file EFACC (Access Control Class) can be assigned to a User with Access Class 12, assigned to “Security Services”
d) that the examiner should know the limitations of the tools s/he works with before using them
e) that the examiner should have the tools that actually reveal the information that is significant
f) that a proper and full examination of a SIM is an absolute requirement, rather than the examiner merely conducting a dumbed-down check, only looking at certain data sets
g) that checking the findings immediately following a SIM read is essential
h) that the potential for life threatening situations or national security implications should be communicated straight away
i) that a “priority” check means “speed and instantly” and not mañana

Part 2 will identify the full 16 Access Classes and look at the technical elements of Class 12 within Access Control Class: how it works, its uses and its limitations. What will become abundantly clear: if Part 1 and Part 2 deal only with Access Class 12, what can be learned about all the other Access Classes? More importantly, why has proper checking of Access Control Class and the other EFs in SIM Cards not become standard practice?
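As an added example (not code from this blog post or from TrewMTE), the following decodes the two-byte body of EFACC exactly as the examiner in the scenario would need to, so that Access Class 12 is reported as “Security Services” rather than left as an unexplained pair of hex bytes. The bit coding and the names of the special classes 11 to 15 are taken from 3GPP TS 22.011 and TS 51.011 (class 12 = Security Services is the one the post relies on); the file identifier 6F78, the sample records and the reporting format are assumptions for illustration, and the records are constructed, not read from any real SIM.

```python
# Added example: decode a SIM/USIM EF_ACC (Access Control Class) body and
# flag the special access classes.  Class names and bit coding follow
# 3GPP TS 22.011 / TS 51.011; sample records below are constructed.

EF_ACC_FILE_ID = 0x6F78  # EF_ACC under DF_GSM (7F20) on a SIM, ADF_USIM on a USIM

# Special classes 11-15.  Classes 0-9 are the ordinary, randomly allocated
# populations; every subscriber is a member of exactly one of them.
# Class 10 is not used and is reserved.
SPECIAL_CLASSES = {
    11: "For PLMN use",
    12: "Security Services",
    13: "Public Utilities (e.g. water/gas suppliers)",
    14: "Emergency Services",
    15: "PLMN Staff",
}


def parse_ef_acc(raw: bytes) -> set:
    """Return the set of access classes whose bits are set in an EF_ACC body.

    Coding per TS 51.011: byte 1 bit 8 = class 15 down to bit 1 = class 8;
    byte 2 bit 8 = class 7 down to bit 1 = class 0.  Reading the two bytes
    as one big-endian 16-bit integer therefore puts class n at bit n.
    """
    if len(raw) != 2:
        raise ValueError("EF_ACC body must be exactly 2 bytes, got %d" % len(raw))
    value = int.from_bytes(raw, "big")
    return {n for n in range(16) if value & (1 << n)}


def describe_ef_acc(raw: bytes) -> dict:
    """Interpret an EF_ACC body the way an examiner would want it reported.

    Returns the decoded classes plus a list of flags: anomalies in the
    record and any special class that warrants escalation.
    """
    classes = parse_ef_acc(raw)
    ordinary = sorted(c for c in classes if c <= 9)
    special = {c: SPECIAL_CLASSES[c] for c in sorted(classes) if c in SPECIAL_CLASSES}
    flags = []
    if 10 in classes:
        # Bit 10 is reserved; a set bit means the record is not standard-conformant
        flags.append("class 10 bit set: reserved in EF_ACC, record is anomalous")
    if len(ordinary) != 1:
        flags.append("expected exactly one ordinary class 0-9, found %s" % ordinary)
    for c, name in special.items():
        flags.append("special access class %d (%s) present: escalate per local procedure" % (c, name))
    return {
        "hex": raw.hex().upper(),
        "classes": sorted(classes),
        "ordinary": ordinary,
        "special": special,
        "flags": flags,
    }


if __name__ == "__main__":
    # Constructed sample records (not from any real SIM):
    samples = {
        "ordinary subscriber, class 3": bytes.fromhex("0008"),
        "class 3 plus Security Services": bytes.fromhex("1008"),
        "only the reserved bit 10 set": bytes.fromhex("0400"),
    }
    for label, body in samples.items():
        report = describe_ef_acc(body)
        print("%s (%s) -> classes %s" % (label, report["hex"], report["classes"]))
        for flag in report["flags"]:
            print("    !", flag)
```

The point of `describe_ef_acc` is that it checks the record against what the standard says a valid EFACC should look like (exactly one ordinary class, bit 10 clear) before reporting the special classes, which is the “check the findings immediately following a SIM read” step in lesson g) above; a tool that simply prints the raw bytes gives the examiner nothing to act on.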

Thursday, May 14, 2009

Mobile Telephone Examination Procedure

This discussion continues the theme of highlighting the diminishing quality, over the last five years, of knowledge in mobile telephone evidence training, and the very poor understanding shown by those giving advice about, or presenting, mobile telephone forensic evidence and opinion.

By way of further illustration of poor understanding, an advice note regarding mobile telephone examination procedure gave the following advice:

(1) removing the battery of certain makes/models of mobile telephone can lose the date and time stamp and call history, but using a Shielding Room can prevent this because you won’t need to remove the battery.

(1a) the party giving the advice above then went on to suggest that they did not think, by and large, the above was a better methodology that should be adopted, and advocated instead that the method of producing a clone test SIM (Access Card) appeared to them to be more appropriate.

A shielding room is used to prevent radio signals entering the space the shielding is designed to protect, and so prevents the mobile telephone from registering to the mobile telephone network; it cannot, though, prevent loss of the full call history and date and time stamp, which happens irrespective of whether the mobile telephone is in a shielded room or not. Removing the battery on some older models of mobile telephone can lose the full call history and date and time stamp. To produce a clone test SIM (Access Card) the examiner is required in the first instance to remove the battery to get to the SIM/USIM. So how is their recommendation (in 1a) shown to be any better than the unsuitable Shielding Room scenario (in 1)?

- For the record, the point I am making is not to advocate shielding rooms or Faraday bags; I am just pointing out the absurdity of the advice -

Having noted that using a Shielding Room may not be the best method (thus tacitly negating its use), the advice then goes on to positively suggest that the examiner wouldn’t need to remove the battery because the handset is in a shielding room, and that the call history and date and time stamp on the mobile telephone would be secure. They then go on to advocate the removal of the battery, which implicitly requires taking the SIM out of the handset as well for the purposes of producing a clone test SIM (Access Card). Their advice is confusing, as they have already admitted that removing the battery can lose data.

An examiner will naturally have to remove the SIM/USIM from the handset anyway (removing the battery first is one point; another is that removing the SIM/USIM can inevitably cause loss of data in the handset, which can't be helped), because the proper order of examination requires a full examination of the SIM/USIM to get at evidence that is not readily available or obtainable if the SIM/USIM is left in the handset during examination.

I concluded from reading their advice that it contained so many mixed messages and conflicting uses of methodologies, with methods that would usually be used for the treatment of different issues in isolation now being squeezed together to make them work, that it would leave an examiner following their advice open and vulnerable to potentially discrediting their own evidence.

Moreover, if the advice note was intended to succeed in getting an examiner to use Access Cards over Shielding Rooms, then in my view it failed to convince me to use one rather than the other.