Cellphone Examination and Myths

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

There are still, surprisingly, many who promulgate myths by unwittingly conducting examinations in a particular way or using a product/device for cellphone examination to combat a particular perceived problem.

I am launching this discussion thread, which will be updated from time to time, to identify cellphone examination myths. In doing so, it is not aimed at criticising an individual, a manufacturer's product or someone selling a service. The point of the discussion is to allow people to make informed decisions as opposed to buying into a particular mythology. Do remember, I am not telling you what you should or should not do; it is your choice. My comments are only intended as helpful observations.

CELLPHONE CLOCKS
There is a claim that the examiner should examine the cellphone first before examining the SIM card. Two myths that are still circulating today are (a) that by removing the SIM card from a phone that is switched OFF the handset clock will be lost, and (b) that using a Faraday shield or RF dampening field can help prevent that. I find it rather surprising that these myths are applied as a reason for creating a universal principle that handsets should be examined first and that Faraday/RF is the optimum choice for containment and examinations. To me these myths are nothing more than over-exaggerated examination procedures. They transfer the skills away from the human to expecting the device and the postulated procedure to be capable of coping with everyday common scenarios.

Most mobile phones today have a memory system with an on-board battery to keep data live for a period of time after the external battery has been removed, or the clock data along with an offset stored in flash to calculate the clock upon power-up and initialisation to give the time. It is true that there are some phones (but not every phone) that can lose the clock setting when the SIM is removed, so the use of a particular examination procedure should be on a case-by-case basis. User-defined clocks can be quite unreliable as well, and in most cases (but not all) the clock setting of the handset does not feature as a prominent piece of evidence.

Additionally, Faraday/RF dampening does not influence the clock at all unless, of course, as is becoming more popular, the user has set the handset to use the mobile network clock, in which case Faraday/RF dampening would have a detrimental effect by losing the clock timing on the handset whilst the handset is in isolation containment.

For any special procedures needed for very serious crime or terrorism, it is understandable that the use of a particular containment field might be needed. The majority of mobile phone seizures and recoveries are pretty bog-standard occasions, so why would anyone leave a mobile phone switched ON in a containment bag where there is a high chance that the bag could be knocked and a key potentially pressed, generating and/or altering data on the phone?

FARADAY/RF DAMPENING - LOSING DATA
For road traffic accidents, using containment bag methodology for seized or recovered switched-ON cellphones can be problematic because location data can be lost by isolation in a containment field, whether that be mobile network data and/or GPS data.

FARADAY/RF DAMPENING - WIPING DATA
Many of the high-end, sophisticated smartphones like BlackBerry may have security policies in place whereby a prolonged absence from the radio network can force a lock and/or data wipe.

FARADAY/RF DAMPENING - IMSI
SIM cards have the ability to store a number of IMSIs, which are commonly used where countries have multiple network operators on a state-by-state basis. Roaming users may have a choice to use one or several IMSIs whilst roaming in another state or country. Activating a particular IMSI can require selection of a profile and pressing the "SEND" key to inform the network of an altered state of subscriber identity; a response from the network can be required for that change to take effect. The protocol in some handsets has been designed to wait for the response from the network to be received before the IMSI change takes place inside the SIM, releasing the profile to the handset. Consequently, revealing data for a particular IMSI profile might not be possible.

FEEDBACK
If anyone wants to contribute to this myths discussion with your observations, or you want to debunk my debunking, then by all means do so; I am always willing to learn.


(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

trewmte,

I have heard that leaving certain mobile devices powered on for an extended period of time inside a shielded container (Faraday/RF) can cause overheating and battery failure. As a result, those responsible for evidence seizure are being instructed to remove the battery before placing a device inside such a container.

Is this battery meltdown possible or based on speculation? Has anyone experienced this? Mobile Myth or Advisable Action?


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

csericks, thanks for your comments.

In response to your question, I haven't heard of the overheating battery meltdown before, but I cannot say it never has happened; it's just that I do not have any personal knowledge of such an event.

The "instruction" about removing the battery appears to be a contradiction in terms of the desire behind the use of isolation/shielding. Isolation containers / shielding bags are promoted on the basis that the mobile phone is left switched ON. If the battery is removed the mobile phone will have no power, so it is not ON, so what is the point of using a shield bag in the first instance at the point of seizure?

I think it is good to discuss these anomalies as hopefully it may lead to you formulating the type of procedure or procedures you consider are suited to the task that is before you. And that is how it should be: you having the knowledge and skills, as opposed to being reliant on and limited to a machine/device making the decisions based upon trying to fit a quart into a pint pot for each case.


(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

I agree that it seems contradictory/illogical to put a powered-off device in a shielded bag. That was why I threw it against the wall in this forum to see if it would stick.

I look forward to reading more in this Mobile Myth thread. I know that my fellow examiners and I have seen demand ramp up for mobile device exams. The diversity of platforms and manufacturers presents quite a challenge to keep up with changes and identify the correct methods for each device. I want to avoid those wild goose chases, as much as possible.

Frequently, an APB will go out via internal email "Anyone ever analyze a <insert device name here> before? What did you do/use to examine it?" It seems that, almost invariably, one of the responses will incorporate a "mythical" practice.

"Grandma always cut off the ends of the ham, before she roasted it." Well, Grandma had a small roasting pot…


(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

US perspective -
Most non-intelligent cell phones (that is, non-PDA, non-Win Mobile, non-crackberry, non-Symbian, etc.) do use network clocks, although the clock continues to function if there is no power interruption.

For example, the Verizon Wireless network in the US by default does not allow clock changes on "dumb" cell phones, and they are synced to the towers. This becomes very evident when crossing time-zone borders.

Shielded bagging may not overheat a cell phone, but will drain the battery very rapidly as the phone continues to expend a huge amount of juice searching for towers.

Shielding as far as GPS data goes - hmm… Again, with dumb phones this is a non-issue since it is most often stored in volatile memory, in my experience.

Data wiping - poison pills can be set up as you describe, and are available on Win Mobile and iPhone too, although it is a rare occasion to auto-wipe on inactivity. (Go to bed at 9pm, wake up late Saturday 9am, find phone wiped?!? lol)

Just my personal experiences with US cell phones.


(@mc02)
Eminent Member
Joined: 20 years ago
Posts: 20
 

My reasoning for leaving cellphones ON and using the Faraday bag is to prevent getting locked out if the user has his PIN code enabled.

My 2 cents.

MC


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

jhup, these are all good observations and important to clarify to keep a balanced view about isolation containment.

My observations

Regarding dumb-type phones, if they are that dumb then why use isolation containment? The idea of the Faraday/RF bag was and is sold (as in principle, not monetary gain or goods) because certain smartphones would reveal important data in RAM, the clock was paramount, etc. That foreseeability at the outset of possible issues has failed to materialise as a common source of important evidential data. Most certainly for dumb phones, and even smartphones, bog-standard seizure has been over-developed by use of psychologically induced fears. The procedure for the officer to record what is on the screen of the handset (including clock setting) and switch OFF provides for a sound procedure.

In many instances, the growth in downloaded third-party apps that support features not included in the model when sold new is a massive market. A conventional view of GPS recorded in non-volatile memory whilst switched ON may not bear fruit, for some third-party GPS apps simply use buffer memory which is regularly refreshed. When the isolation containment is applied the GPS may be lost and the buffer memory refreshed with a null value. The balance is: which cellphones have that third-party app, and how does the seizing officer know this? It is impossible to know every make and model and its features. Examples like this, and there are many, lead to questions such as:

- Does the officer simply switch OFF the mobile?
- Does the seizing officer stand there interrogating the handset before making a decision to put the device into isolation containment?
- Who stands in the witness box and gives evidence about loss or altered data?
- Or, for the UK, is the device evidence even getting to our courts of law to be tested?

As for BlackBerry and Intellisync-supported devices, how does the officer/examiner know what security profile is in operation? Which is a BES device and which is a BIS? If it's BES then the password might not be a problem, but security profiles according to the BlackBerry BES document indicate that loss of communication etc. can lead to lock-out and a validity period for data wipe. Intellisync devices can also implement security policies with similar outcomes. So again, who makes the arbitrary call to use isolation containment? Who is the one who will not take responsibility if it all cocks up?

Playing devil's advocate, the PIN (password) issue raised by mc02 is another good observation. Here again though, in the UK we do have work-arounds:

- PIN/PUK
- SIM/USIM level security access
- handset engineer release codes
- manufacturer access codes
- work-arounds using handset PIN rigs
- removing flash memory chips
- etc

[And credit where it is due, there are a few in law enforcement (the non- glory hunters) who have worked to introduce techniques and share the knowledge. No names, no pack drill, just respect.]

So, here again, whilst you choose what you think is best for you, at what stage does this random and arbitrary decision to use isolation containment come into play?


(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

To answer your question regarding dumb phones and why bag them: although the devices are dumb relative to an iPhone, Windows Mobile or RIM device, they can still have applications on them from the carrier.

For example, some of the US carriers allow a phone book sync to be loaded. It allows syncing the contact list from/to a web site. If the phone is set to sync daily (which by default they tend to be), it is possible to remove or add contacts from the web site and, if the phone is available, duplicate the action.

I hear there are also similar services that do the same with SMS, but I have not run across that.

As to your last question - "at what stage does this random and arbitrary decision come into play to use isolation containment" - if I can prove without much effort to a jury that it is not necessary, I won't use one. If I think it would take some serious technical talk, I use one.

So, when it is technically not necessary, it is really used not because it is necessary, but because it is easier to explain how a Faraday bag works…


(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

mc02
"My reasoning for leaving cellphones ON & using the faraday bag is to prevent getting locked out if user has his PIN code enable"

I am not too familiar with the statutes and rules of your country, so forgive me, but I guess the approach to phone forensics would be "universal" in that:
If one can get information from any device without altering "any" data then this should be done first. If a SIM is P.I.N. protected you can obtain the P.U.K. and also gain a whole host of other information (subscriber details, calls, CDRs etc.), all this without even picking the card up.
Furthermore, I have heard that the Faraday cage method only alters data on some handsets and not others??
I was of the understanding that EVERY MS goes through the same activation method:
SIM passes IMSI and ICCID to MS -
MS to network with IMSI and ICCID -
network back to MS with same plus Ki -
MS to SIM with same -
SIM to MS with this plus signed response, and finally (phew) the network authenticates. How then does this Faraday issue only suffer data loss with some handsets? How do the "ones that get away" authenticate and switch on without the ritual being confused, as there is no communication with the network, so the SIM must overwrite as it's not getting the languaged responses that it's programmed to receive?


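The GSM authentication exchange that the post above sketches, modelled as an added example; this is not code from any poster on this thread. It follows the 3GPP/GSM design, in which the subscriber key Ki is held only by the SIM and by the operator's AuC and never crosses the air interface: the network sends a 128-bit RAND, the SIM computes a 32-bit SRES (and the cipher key Kc) from Ki and RAND, and the handset only relays IMSI, RAND and SRES. The A3/A8 stand-in (HMAC-SHA256 in place of an operator algorithm such as COMP128), the IMSI/ICCID/Ki values and every class and function name are assumptions of this example. The model also covers the shielded case: a handset that finds no cell never asks the SIM to run the algorithm, so the card's stored state (EF_Kc, the run counter) is unchanged.

```python
"""Added example: GSM challenge-response authentication with the values that
actually cross each interface logged, plus the no-service (shielded bag) case.
Assumptions: HMAC-SHA256 stands in for the operator's A3/A8 (e.g. COMP128);
all identifiers, keys and names below are constructed for illustration."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3/A8 (assumption, not COMP128).
    Returns (SRES, Kc): 32-bit signed response and 64-bit cipher key."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


@dataclass
class Sim:
    """Minimal SIM: Ki is private state that is used on-card and never exported."""
    imsi: str
    iccid: str
    _ki: bytes = field(repr=False)
    kc: Optional[bytes] = None   # EF_Kc; only rewritten after RUN GSM ALGORITHM
    run_count: int = 0           # how many times the card was asked to authenticate

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        self.run_count += 1
        return sres


@dataclass
class Network:
    """Operator side: the AuC holds a copy of Ki per IMSI and issues RAND challenges."""
    auc_keys: dict                          # IMSI -> Ki
    air_log: list = field(default_factory=list)  # every message crossing the air interface

    def location_update(self, imsi: str) -> Optional[bytes]:
        """MS -> network: IMSI only. Network -> MS: a fresh 128-bit RAND."""
        self.air_log.append({"dir": "MS->NET", "imsi": imsi})
        if imsi not in self.auc_keys:
            return None
        rand = os.urandom(16)
        self.air_log.append({"dir": "NET->MS", "rand": rand})
        return rand

    def check_response(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        """MS -> network: SRES. The AuC recomputes it from its own Ki and compares."""
        self.air_log.append({"dir": "MS->NET", "sres": sres})
        expected, _kc = a3_a8(self.auc_keys[imsi], rand)
        return hmac.compare_digest(expected, sres)


class MobileStation:
    """Handset: relays IMSI, RAND and SRES. It never sees Ki either."""

    def __init__(self, sim: Sim):
        self.sim = sim
        self.attached = False

    def power_on(self, network: Optional[Network]) -> str:
        """network=None models a shielded (Faraday/RF) bag: no cell is found."""
        if network is None:
            return "no service"          # SIM is never touched on this path
        rand = network.location_update(self.sim.imsi)
        if rand is None:
            return "rejected"            # IMSI unknown to the network
        sres = self.sim.run_gsm_algorithm(rand)
        self.attached = network.check_response(self.sim.imsi, rand, sres)
        return "attached" if self.attached else "auth failed"


def ki_ever_on_air(network: Network, ki: bytes) -> bool:
    """True if the raw Ki appears in any message that crossed the air interface."""
    return any(ki in v for m in network.air_log for v in m.values() if isinstance(v, bytes))


def demo() -> dict:
    """Run three cases: normal attach, shielded handset, and a card with the wrong Ki."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    imsi, iccid = "234150000000001", "8944100000000000001"  # constructed identifiers
    net = Network(auc_keys={imsi: ki})

    normal = MobileStation(Sim(imsi, iccid, ki))
    shielded = MobileStation(Sim(imsi, iccid, ki))
    clone = MobileStation(Sim(imsi, iccid, bytes(16)))       # right IMSI, wrong Ki

    return {
        "normal": normal.power_on(net),
        "shielded": shielded.power_on(None),
        "clone": clone.power_on(net),
        "ki_on_air": ki_ever_on_air(net, ki),
        "sim_runs_normal": normal.sim.run_count,
        "sim_runs_shielded": shielded.sim.run_count,
        "shielded_kc": shielded.sim.kc,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Running `demo()` attaches the normal handset, leaves the shielded one at "no service" with its SIM untouched, and rejects the card whose Ki does not match the AuC copy; the air-interface log contains RAND and SRES but never Ki.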
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

"For example, some of the US carriers allow a phone book sync to be loaded. It allows syncing the contact list from/to a web site. If the phone is set to sync daily (which by default they tend to be), it is possible to remove or add contacts from the web site and, if the phone is available, duplicate the action."

So have I understood correctly, on the basis of your response above, that this is a reason for you to use isolation containment during examination?

Does that cover seizure as well, or are you not at the seizure and get the goods, so to speak, down the line (as most technical support units do in the UK)?

"So, when it is technically not necessary, it really is not used …….."

That is your skill and experience, and it calls for your judgment on a case-by-case basis, so I support that because it advocates the use of a tool in a controlled approach as opposed to using it on every occasion because someone said so, which is a bit like advocating having ketchup with everything.


Page 1 / 5