±Forensic Focus Partners
|New Today: 1||Overall: 35880|
|New Yesterday: 7||Visitors: 136|
Part 1Back to top Back to main Skip to menu
Evaluating Mobile Telephone Connection Behaviour - Part 1
|Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.|
Examining Mobile Equipment – Ensuring Accuracy
In general, all modern mobile telephones contain call information and SMS message storage which may be used as evidence. There may also be a wealth of other evidence available including browser history, sat nav usage etc. However, for the purposes of this article I am interested in discussing the accuracy and evaluation of telephone connection behaviour and hence I shall concentrate only on these two important sources of evidence.
There are various types of examinations conducted on mobile telephones to extract the call information and SMS messages (collectively I shall refer to these as connection information). The examination of a SIM card is a fairly ‘trivial’ process with a well-defined extraction procedure. However, handset examinations may be much trickier. For standard handset examinations (those that generally only extract the information live on the handset) there is no one product that can extract all of the connection information available for all handsets. Hence, when examining handsets, it is important as a first step to ensure the accuracy of the evidence you are presenting.
When presenting your evidence it may be worthwhile considering the measures you implement to be able to ascertain both the accuracy and meaning of information you present to ascertain that:
1. The extracted information is accurate and correctly attributed. For example, that a reported SMS message has the correct content and is appropriately stated as a sent, draft or a received SMS message.
2. The information is complete and where it is not, the omissions are known (and clearly declared in the report) or manually obtained.
3. The information is unambiguously reported.
These may sound like obvious points, however, in my experience sometimes failures are found in all three areas which then lead to issues when the evidence is used to ascertain the connection behaviour of a telephone. As a mobile telephone examiner, it is important to establish appropriate procedures and to report the limitations of the data you are presenting otherwise at a later stage they may be open to misinterpretation. Omissions are particularly important since information such as duration of calls and times of calls may become crucial to resolving what occurred so it is important to make your reader aware what information may be present but remains unextracted.
To provide a level of confidence in the accuracy of the extracted connection information, it may be necessary to perform manual checks to ensure the software report correlates with the information stored on the equipment. When performing a manual examination (effectively examining the telephone via its menu system), it may be useful to video the process. This serves two purposes: firstly you can ascertain (and verify) that your examination has not caused any changes to the information and if changes have occurred you have recorded the sequence of events. Secondly, it allows you to manually transcribe information easier and to potentially revisit your examination at a later time without having to re-examine the handset.
Manual checks may be performed to either completely or partially verify the connection information stored. These may include:
1. Devising a method where all information extracted is manually checked.
2. Performing spot data checks where certain messages and call entries are selected at random and manually compared for accuracy or utilising an approach of always checking the connections that are known to be of particular interest in a case.
3. Ensuring the quantities in the listings correlate correctly. For example, totalling up the number of missed call entries manually and checking that the number extracted correlates with those on the handset.
The latter two are less time consuming but ultimately less complete, hence they may in isolation or combination not identify all of the errors that may be present.
Another method may be to use several software products to determine if they provide the same output. However, when performing validation via other products it is important to note that specific extraction weaknesses may be found in more than one package and hence the same issues may be present. Similarly, you could perform documented testing on your current product with a test handset (of the same type as that being examined). This may then allow you target any identified weaknesses via your manual examination.
So, we have extracted and verified to a certain degree the accuracy of the presented information – what’s next?
Interpreting the Information to assist with Connection Charting
The evidence in mobile examination reports is sometimes used to determine connection behaviour or associations between parties of interest in a case. This information may be interpreted and compiled by the mobile examiner or, most often in the UK in my experience, this task is performed by a data analyst/intelligence personnel (or even the lawyer themselves!)
Charting the chronological connection behaviour of telephones from extracted information may be useful when gathering patterns, however, in general, this evidence suffers from a number of possible limitations. This means it is very important mobile telephone examination reports present the meaning of the evidence as clearly as possible including that:
1. The date and time stamps of connection information (except received SMS messages) will generally reflect the date and time of the handset and hence may not accurately reflect when the connections occurred (since a user may be able to change this information).
2. Information may have been deleted either automatically by the handset or via interaction by the user, making any chart compiled potentially incomplete.
3. The meaning of the data in each of the call listings will depend on the functionality of the handset. For example,
- What does it mean when information in relation to a call is present in the received calls register? Does this mean that the handset received and answered the call? (not necessarily – some handsets place calls which have been cancelled by the telephone into the received calls register and some place them into the missed calls list).
- If a single call is in the call listing, how many calls/attempted calls occurred? You are unlikely to be able to answer this question using just the handset evidence since entries may have been deleted by a user or due to the behaviour of the telephone’s call listings (for example, only storing a predefined number of entries for each telephone number).
- Dialled numbers are often stored regardless of a connection with the recipient telephone. Some handsets may assist in resolving this by providing duration information. However, this still does not imply the call has been answered by the recipient telephone since it could have been forwarded to another number (including answerphone).
In my experience of evaluating the accuracy of compiled connection charts, the first point, although simple, is often overlooked by those embarking on connection charting. If not considered, it makes compiling connection charts somewhat meaningless unless the time accuracy for each of the telephones is established and all of the information is presented in the same timeframe. Overlooking this ‘minor’ limitation may mean the resulting connection chart contains duplications and/or contradicting information (e.g. where one telephone makes a call at time A but this connection is recorded in the recipient telephone as being received at time B).
It may be also worthwhile for a mobile telephone examiner to note other areas that may be open to misinterpretation and explain them carefully to prevent them propagating through a case as an assumed fact. In my experience, the last dialled numbers of a SIM card is a good example of where people may interpret this lists to mean the erm….last dialled numbers. Of course the last dialled numbers of the SIM card may not reflect the last dialled numbers of the SIM card!
Part two to follow next month...
Click here to discuss this article.
Read Sam's previous columns
Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services, training and IT security consultancy.
Sam specialises in the evaluation of digital evidence from the analysis of telephones to determining the functionality of software systems (and almost anything in-between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies particularly due to digital devices. Sam can be contact direct on +44 (0)1429 820131, [email protected] or http://www.raincock.co.uk.