
Advice needed on Flasher Boxes!

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Slightly off topic included in this thread, but the observations raised are intended to be helpful.

When recovering data using flasher box devices it may be useful to support the notion of obtaining a detail (IMSI/ICCID/etc) about a previously inserted particular SIM Card in a particular mobile telephone that the notion about storing such data in memory is:

- not new
- not clandestine shady black-box technology
- not a security breach by the handset manufacturer

In fact the entire process of maintaining a SIM List in the phone was designed to allow a user with more than one SIM Card to gain access to previously held memory data associated with each particular SIM Card.

In order to support that statement it would be helpful to see practitioners using authoritative statements about the forensic 'reliability' and 'accuracy' of recovered data being obtained using flash reading devices and the evidential 'weight' and 'value' to be given to the data.

To assist, here is a statement from a 1996 published Electronic User Guide for the Nokia 2110

SECURITY LEVEL (Menu 5 2) Page 71
"The phone keeps a list of the SIM cards which are used with the phone. This list may contain the information on up to five different SIM cards."

However under the same section in the User Guide it states

"Regardless of the selected security level, all temporarily stored phone numbers are erased when a new SIM card is installed. On the other hand, these phone numbers are not erased when a previously used SIM card is inserted, regardless of the selected security level."

As a query about forensic reliability and accuracy

- During the acquisition process and the harvesting of the data acquired is there/ has there been anything lost in translation of the data themselves, at first instance? If the IMSI you have recovered from flash memory is presented along with call logs etc, how do you know that those call logs relate to that IMSI and not another IMSI?

As a query about evidential weight and value

- What weight can be given to the recovered IMSI being directly associated with those call logs? Moreover, what value is there in using such potentially uncorroborated evidence assigned to the recovered data being presented as evidence?


   
(@burratha)
Eminent Member
Joined: 18 years ago
Posts: 43
 

Greg,

When I was in the job, information such as this was always submitted to the enquiry officer as intelligence (i.e. not hard-fast reliable evidence) and had careful wording attached to any report, which would allow the officer to submit appropriate forms to the service providers for evidential output.

I don't know if things have changed since, however.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Steve

I think those are fair points you raise. My comments arise from seeing evidence submitted in the form of a witness statement containing alleged deleted data from an exhibit handset and submitted with no qualification about uncertainty or questioning accuracy of the data.

IMSI that relates to mobile calls over two years ago when no call records exist is one worrying aspect but evidence is being generated just because a record of the IMSI may still be retained by the operator and deleted call logs recovered from unallocated shareable memory in the flash.

If those concerns were set aside and a guide produced identifying those data that can be established, then this gives a basis to the procedure being credible evidentially.

This is why I am endeavouring to make helpful observations.

The point this morning is that there is a history to certain data being found in non-user accessible memory - that to me seems a positive point. The fact that the IMSI can be established at first instance with respect to its structure and format and then established by issue of it by a particular operator are further positive points.

Historically, dealing with deleted or permanent data in memory that is not accessible by the user is not new either. Below is an image from my training courses for the police in 2001. To avoid using data from a genuine exhibit, simulated material was used but based upon data found in images. The trainees were asked to analyse the simulated material and identify any flaws. How to look at formatting, reverse nibble for security reasons, bit, nibble, byte and so on. Even to the extent of making deliberate mistakes in translating the data.

Back then people were more comfortably dealing with saved user accessible data on SIMs and handsets, aim for a water-tight examination procedure and having someone tell them how the machinery worked and provide interpretation of data and the evidence. We have moved on today and the challenges of today require re-establishing all those boundaries that have largely been left without any reinforcement and are or have fallen over.

Image/hex dump is being used as part of the examination process and therefore it is not unreasonable to expect to see a guide on it that has been tested by the examination community as a whole.


   
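Added example, not part of any post in this thread: a structure-and-format check for a recovered IMSI of the kind the post above describes, including the reverse-nibble step and what a translation mistake looks like. It assumes the 9-byte EF_IMSI layout used on the SIM (3GPP TS 31.102 / TS 51.011); handset flash layouts vary by model, and the sample bytes and function names are constructed for illustration.

```python
# Constructed sample: EF_IMSI-style record for IMSI 001010123456789 (test MCC 001).
SAMPLE = bytes.fromhex("080910101032547698")

def swap_nibbles(data: bytes) -> str:
    """Hex string with each byte's low nibble emitted before its high nibble."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)

def decode_ef_imsi(raw: bytes) -> str:
    """Decode and structurally validate the record; raise ValueError if malformed."""
    if len(raw) != 9:
        raise ValueError("EF_IMSI record must be 9 bytes")
    length = raw[0]                      # number of identity bytes that follow
    if not 1 <= length <= 8:
        raise ValueError(f"implausible length byte 0x{length:02x}")
    nibbles = swap_nibbles(raw[1:1 + length])
    flag, digits = int(nibbles[0], 16), nibbles[1:]
    if flag & 0x7 != 0x1:                # low three bits 001 = identity type IMSI
        raise ValueError("identity type bits do not mark an IMSI")
    if not flag & 0x8:                   # parity bit clear = even digit count
        if not digits.endswith("f"):
            raise ValueError("even-length IMSI lacks the 0xF filler nibble")
        digits = digits[:-1]
    if not digits.isdigit() or not 6 <= len(digits) <= 15:
        raise ValueError(f"not a decimal IMSI: {digits!r}")
    return digits

def naive_read(raw: bytes) -> str:
    """The translation mistake: reading the stored bytes without the nibble swap."""
    return raw[1:].hex()

def split_mcc(imsi: str) -> tuple[str, str]:
    """MCC is always 3 digits; MNC length (2 or 3) cannot be told from the IMSI alone."""
    return imsi[:3], imsi[3:]

if __name__ == "__main__":
    imsi = decode_ef_imsi(SAMPLE)
    print("decoded :", imsi, "MCC/rest:", split_mcc(imsi))
    print("unswapped:", naive_read(SAMPLE))
```

A record that passes this check is only well formed; attributing it to an operator or to particular call logs still needs corroboration from outside the dump.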
(@webbo)
Active Member
Joined: 15 years ago
Posts: 10
 

Yes, it is possible to extract the handset lock, previous SIM cards used in the device (model permitting) and historic data, which can be, and is, used as fully validated evidence in court.


   
Forensication-can-be-fun
(@forensication-can-be-fun)
Eminent Member
Joined: 17 years ago
Posts: 27
 

Good Afternoon,
I am trying to find the location of the security code to see whether it's encrypted in the physical memory tables of a Nokia 5800d. Anyone have any experience with PM?

FcbF


   
sideshow018
(@sideshow018)
Trusted Member
Joined: 19 years ago
Posts: 84
 

I have a white paper that is associated to the training I do that may point you in the right direction, feel free to contact me via PM if that is of interest to you. Most GSM/CDMA phones can be accessed with flasher boxes if they are password protected. There are some exceptions.

Bob


   