Friday, May 15, 2009

Undercover Officer Down, how might SIM Access Control Class help? Part 1

PART 1: Undercover Officer Down, how might SIM Access Control Class help?
.
The following is a scenario created to help examiners and experts learn more about how to determine what the data in SIM/USIM elementary files can mean, and to appreciate what needs to be understood before examining a SIM/USIM and giving evidence. Computer forensics has made a significant contribution to data recovery, and its techniques are used to harvest data from mobile telephones and SIM cards; however, data recovery is only one element of mobile telephone evidence and is not ‘the evidence’ to be considered in isolation from everything else.
.
Moreover, an examiner and an expert are expected to give useful advice on investigations where data obtained from mobile telephones and SIMs/USIMs are involved, so here too this scenario will hopefully open examiners' and experts' eyes to new ways of considering data. What the law of evidence wants to know is, provided the recovery of the data is not in question, what the data actually means and how it should be interpreted.
.
Scenario
An undercover officer has infiltrated a criminal organisation involved in drugs and people trafficking. The undercover officer needs to keep details and seek answers without blowing his cover. The situation is always life-threatening. The officer is required to report back to Control by mobile phone every 7-14 days.
.
PC0001, on patrol in the shopping mall, sees a known drug dealer in the doorway of a supermarket with an unknown IC1 female handing over a package. PC0001 calls for back-up and waits for it before approaching. A stop and search is then conducted using the appropriate procedures under PACE 1984. A quantity of drugs is found, along with a large bundle of money and two mobile telephones, all of which are put into evidential containers, and the two individuals are carted off in the wagon to the local nick.
.
The alleged crime of drug selling (given the quantity seized) is fairly low down the scale, and the £1,780.00 found, compared with other crimes, wasn’t a high sum, so priority won’t be given to this case over other cases in the system. The mobile phones are sent away for examination. The person assigned to examine the mobile telephone and SIM card conducts a quick, low-level examination for subscriber details, mobile telephone number, SIM serial number/ICCID, phonebook and text messages. Before starting on the mobile telephone itself, the examiner becomes ill and doesn’t complete the work.
.
The examination would need to be passed to another examiner, who would have to start from scratch: the next examiner could not possibly give evidence about someone else’s work, having no knowledge of the previous examination. By chance, the new examiner chosen for the work had just come back from Greg Smith’s TrewMTE SIM Card training course, where he had undergone deep-level training in being a professional examiner and had been taught about ethical working practices, the symbiotic relationship between the SIM and other mobile telephone devices and network elements, technical standards, working practices, SIM card examination and data investigation, etc. (well, alright, but it is only a modest promotion about me).
.
The new examiner conducted a fresh examination, starting with the SIM card. Having been trained to look for evidence of activity and for indicators about the potential user of the SIM card, the new examiner immediately contacted the Senior Officer where PC0001 was stationed. The new examiner, having been trained to identify certain data and to corroborate a finding against reference material to confirm the meaning of the data, explained to the Senior Officer that he was examining a mobile telephone SIM card that might belong to someone in the Security Services, and that if he, at the local level, was examining this SIM, it could mean there was a man [undercover] down in the field.
.
Asked why he suspected this, the new examiner referred to his recent training: among the mandatory data files in the SIM card he had identified an elementary file titled EFACC (Access Control Class). The SIM recorded Access Class 12, which the standard references as “Security Services”. The examiner also informed the Senior Officer that he had acquired the subscriber details and mobile telephone number from the SIM but was not authorised to access personal details. The examiner also mentioned that, as ex-British Army, he had field experience and that, should “intel” suggest there might be a “man down”, he would rely on every effort being made to rescue him; he therefore considered that the user of the SIM being examined would equally rely on the same.
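.
As an added worked example (not part of the original post), here is how an examiner could decode the two bytes read from EFACC into the access classes they represent, so that a finding like Access Class 12 is checked against the coding rule rather than taken on trust from a tool. The bit layout is the one in the GSM/3GPP SIM specification (GSM 11.11 / 3GPP TS 51.011: file 6F78, byte 1 bit 8 = class 15 down to byte 2 bit 1 = class 0) and the class names are those of 3GPP TS 22.011. The sample byte strings are constructed for the example and are not taken from any real SIM, the handling of class 10 (not allocated to subscribers) is my own flag, and the wording of the notes is my suggestion, not a standard’s.

```python
"""Decode the SIM/USIM elementary file EF_ACC (Access Control Class).

Constructed example for this article; not code from the original post.
Layout per GSM 11.11 / 3GPP TS 51.011 (EF_ACC, file ID 6F78): two bytes,
one bit per access class.  Byte 1 bit 8 is class 15 down to bit 1 = class 8;
byte 2 bit 8 is class 7 down to bit 1 = class 0.
Class names per 3GPP TS 22.011.
"""
from typing import Dict, List

EF_ACC_FILE_ID = 0x6F78

# Meaning of each access class (3GPP TS 22.011).  Classes 0-9 are the
# ordinary population, one of which is allocated to every subscriber;
# 11-15 are the special categories an operator may additionally grant.
# Class 10 is not allocated to subscribers, so a set bit is flagged below.
ACCESS_CLASS_NAMES: Dict[int, str] = {
    **{n: "Normal subscriber population" for n in range(10)},
    10: "Not allocated to subscribers",
    11: "For PLMN use",
    12: "Security Services",
    13: "Public Utilities (e.g. water/gas suppliers)",
    14: "Emergency Services",
    15: "PLMN Staff",
}

SPECIAL_CLASSES = range(11, 16)


def decode_ef_acc(raw: bytes) -> List[int]:
    """Return the access classes whose bit is set in a 2-byte EF_ACC record.

    Raises ValueError if the record is not exactly two bytes long.
    """
    if len(raw) != 2:
        raise ValueError(f"EF_ACC must be 2 bytes, got {len(raw)}")
    # Read as a big-endian 16-bit value: bit 15 (MSB of byte 1) is class 15,
    # bit 0 (LSB of byte 2) is class 0, exactly matching the spec layout.
    value = int.from_bytes(raw, "big")
    return [cls for cls in range(16) if value & (1 << cls)]


def describe_ef_acc(raw: bytes) -> Dict[str, object]:
    """Summarise an EF_ACC record the way an examiner might report it."""
    classes = decode_ef_acc(raw)
    special = [c for c in classes if c in SPECIAL_CLASSES]
    normal = [c for c in classes if c < 10]
    notes: List[str] = []
    if not normal:
        notes.append("no class 0-9 bit set: unusual, every subscriber holds one")
    if len(normal) > 1:
        notes.append("more than one class 0-9 bit set: unusual, re-check the read")
    if 10 in classes:
        notes.append("class 10 bit set: not expected in EF_ACC")
    if 12 in classes:
        notes.append("Access Class 12 (Security Services): escalate immediately")
    return {
        "raw_hex": raw.hex().upper(),
        "classes": classes,
        "labels": {c: ACCESS_CLASS_NAMES[c] for c in classes},
        "special": special,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed sample reads (not real SIM data).  "10 08" is what the
    # scenario's SIM would hold: class 12 (byte 1, bit 5) plus ordinary
    # class 3 (byte 2, bit 4).  "00 40" is a plain subscriber in class 6.
    for sample in (bytes.fromhex("1008"), bytes.fromhex("0040")):
        report = describe_ef_acc(sample)
        print(report["raw_hex"], report["classes"], report["notes"])
```

Run as a script, the constructed sample “10 08” reports classes 3 and 12 and flags Access Class 12 for escalation, while “00 40” reports only class 6 with no notes. The decoder reports only what the operator provisioned in the file; it cannot say who is currently using the handset, which is why the scenario has the examiner pass the finding and the subscriber details to the Senior Officer for checking rather than act on the bit alone.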
.
The Senior Officer took the details and immediately set in motion a priority search. The details the new examiner had given the Senior Officer proved correct and were linked to an officer on field ops. It transpired the officer had not been in contact for 14 days. Because of the work involved, MI5 were called in for their superior intelligence network and, given the nature of the criminal organisation, every schoolboy’s heroes, the SAS, were sent in to conduct ground surveillance, attack, capture and rescue. The undercover officer was rescued, badly beaten, bleeding and barely alive, but alive nonetheless.
.
To clear up some loose ends in this scenario: how did the drug dealer come to be in possession of the undercover officer's mobile phone? The undercover officer had been rumbled by the gang and, while running away, before the gang captured him, he had thrown it away and, working on the long shot, hoped that someone would find it and hand it in. The drug dealer had found it, assumed it had been dropped by a passer-by and considered it could provide anonymity for drug dealing. There is a separate story about other evidence on the mobile tied to the drug dealer, but this scenario is about saving an important life.
.
So what can be learned from the above scenario, and what facts are known:
.
a) that, as a matter of fact, the examiner needs proper training to know what data can be significant
b) that, as a statement of fact, there is an elementary file in the SIM called EFACC (Access Control Class)
c) that, as a statement of fact, the elementary file EFACC (Access Control Class) can record for a user Access Class 12, which is assigned to “Security Services”
d) that the examiner should know the limitations of the tools s/he works with before using them
e) that the examiner should have tools that actually reveal the information that is significant
f) that a proper and full examination of a SIM is an absolute requirement, rather than the examiner merely conducting a dumbed-down check that looks only at certain data sets
g) that checking the findings immediately following a SIM read is essential
h) that the potential for a life-threatening situation or a national security issue must be communicated straight away
i) that a “priority” check means “speed and instantly”, not mañana
.
Part 2 will identify the full 16 Access Classes, look at the technical elements of Access Class 12 within Access Control Class, how it works, its uses and its limitations. What will become abundantly clear is this: if Part 1 and Part 2 deal only with Access Class 12, how much more is there to learn about all the other Access Classes? More importantly, why has proper checking of Access Control Class and other EFs in SIM cards not become standard practice?