Friday, July 10, 2009

Mobile Phone Flash Memory Chip Evidence

Mobile Phone Flash Memory Chip Evidence
.
When recovering data using flasher box devices it may be useful to support the notion of obtaining a detail (IMSI/ICCID/etc) about a previously inserted paricular SIM Card in a particular mobile telephone that the notion about storing such data in memory is:
.
- not new
- not clandestine shady black-box technology
- not a security breach by the handset manufacturer
.
In fact the entire process of maintaining a SIM List in the phone was designed to allow a user with more than one SIM Card to gain access to previously held memory data associated with each particular SIM Card.
.
In order to support that statement it would be helpful to see practitioners using authoratitive statements about the forensic 'reliability' and 'accuracy' of recovered data being obtained using flash reading devices and the evidential 'weight' and 'value' to be given to the data.
.
To assist, here is a statement from a 1996 published Electronic User Guide for the Nokia 2110:
.
SECURITY LEVEL (Menu 5 2) Page 71
"The phone keeps a list of the SIM cards which are used with the phone. This list may contain the information on up to five different SIM cards."
.
However under the same section in the User Guide it states:
.
"Regardless of the selected security level, all temporarily stored phone numbers are erased when a new SIM card is installed. On the other hand, these phone numbers are not erased when a previously used SIM card is inserted, regardless of the selected security level."
.
As a query about forensic reliability and accuracy:
.
- During the acquisition process and the harvesting of the data acquired is there/ has there been anything lost in translation of the data themselves, at first instance? If the IMSI you have recovered from flash memory is presented along with call logs etc, how do you know that those call logs relate to that IMSI and not another IMSI?
.
As a query about evidential weight and value:
.
- What weight can be given to the recovered IMSI being directly associated with those call logs? Moreover, what value is there in using such potentially uncorroborated evidence assigned to the recovered data being presented as evidence?