Cellphone Examination and Myths

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

MS to network with IMSI and ICCID

It is theoretically possible to send ICCID to network; whether networks call for the serial number may be operator/switch specific. The GSM Standards do not call for the transmission, mandatory or otherwise, of ICCID.

I asked back in 1998 whether transmission of ICCID was possible; most UK operators said they did not do it. Mind you, in those days masked ROM was used for SIM, but as new SIMs/USIMs use flash and the way in which the new silicon has been adapted, OTA (over the air) updates are possible and there is more flexibility to fetch ICCID for transmission. Indeed, with OTA capability it is possible, if an operator implements the technology, to update an IMSI OTA, saving the customer the need to get a new USIM and re-recording Phonebook etc.


   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

trew, my mistake, I meant actually just IMSI. This is what happens when the industry that one is in is teaching you one thing and your own research is actually telling you something else.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

trew, my mistake, I meant actually just IMSI. This is what happens when the industry that one is in is teaching you one thing and your own research is actually telling you something else.

bigjon, I knew you were aware of how the process worked, but I didn't want to edit your post. I wasn't sure when you had time in your busy schedule to get back and make corrections, so I added my comments to help those forum members who are new to mobile forensics and evidence.

Thanks for updating.


   
mc02
(@mc02)
Eminent Member
Joined: 20 years ago
Posts: 20
 

Playing devil's advocate, the PIN (password) issue raised by mc02 is another good observation. Here again though, in the UK we do have work-arounds:

- PIN/PUK
- SIM/USIM level security access
- handset engineer release codes
- manufacturer access codes
- work-arounds using handset PIN rigs
- removing flash memory chips
- etc

===========

Handset engineer release codes, manufacturer access codes, work-arounds using handset PIN rigs... All these are great! Is there a website/forums/whitepapers with this type of information I can look at?

Wonderful discussion.

Mc02


   
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

Using isolation containment is all well and good as long as the time between seizure and analysis does not exceed battery life. If the device is kept on a charger, no worries. But, this is impractical for an evidence vault that might have a few hundred active exhibits on any given day.

I have to note that each and every mobile exhibit I have analyzed has needed a battery charge. I'm wondering if, as mentioned in someone's earlier post, the best method is, indeed, to snap a picture of or manually record the screen data and remove power and the battery at time of seizure. Then, when analysis time comes, use PIN/PUK, other tools, etc. to unlock, if possible.

I can see using isolation containers for those cases in which time from seizure to analysis is short or where devices can be continuously powered/charged. Otherwise, I don't see the point in faraday bagging. (Of course, one would use containment or "airplane" mode during analysis.)

Thanks for all the interesting information and perspective. I enjoy and learn so much from this discourse.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

Playing devil's advocate, the PIN (password) issue raised by mc02 is another good observation. Here again though, in the UK we do have work-arounds:

- PIN/PUK
- SIM/USIM level security access
- handset engineer release codes
- manufacturer access codes
- work-arounds using handset PIN rigs
- removing flash memory chips
- etc

===========

Handset engineer release codes, manufacturer access codes, work-arounds using handset PIN rigs... All these are great! Is there a website/forums/whitepapers with this type of information I can look at?

Wonderful discussion.

Mc02

Handset engineer codes - direct from manufacturer/service repair agents
Manufacturer access codes - direct from handset manufacturer
Handset PIN Rigs - from the hacking forums Nokiafree, IPMart, XDA-developers etc


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

I get the impression from this thread that we are well on our way to creating a procedure for one aspect of seizure procedure.


   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

Using isolation containment is all well and good as long as the time between seizure and analysis does not exceed battery life. If the device is kept on a charger, no worries. But, this is impractical for an evidence vault that might have a few hundred active exhibits on any given day.

csericks,
if the mobile is seized and there is a need to keep the power on then OK; I can see some officers working ports, airports etc. would need the power kept on, as PUK may be impossible from other countries (although notes of exactly where you seized it need to be sorted, as you will lose your LAC; ironically, even if your bag doesn't work correctly you will still lose this particular LAC, as you will update all the way back to the lab).
NO, this is not the issue -
There are some who are receiving the handset into the lab switched off, and when they get around to examination (say two days later) then the handsets are being switched on in the cage to record the time and date??


   
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

bigjon wrote

NO, this is not the issue -
There are some who are receiving the handset into the lab switched off, and when they get around to examination (say two days later) then the handsets are being switched on in the cage to record the time and date??

Thanks for your comment. Please, forgive me. I'm a little confused. Would you be so kind as to re-phrase/re-state?

(BTW, I would be shocked to receive a device within two days of seizure, here.)


   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

CSERICKS,
people have stated that they would put the handset into a Faraday so they could keep the handset on but not allow it to contact the networks, and I thought that was where you were coming from (i.e. you don't think that it's such a bad idea). My point was that we have some examiners that are receiving the handset, switched off (in this state there is potentially a lot of valuable-AUTOMATED-data), then they would switch on the handset, within the Faraday, just to record the time and date stamp.
If the SIM was done first, all the automated data is collected (at the risk sometimes of losing the time and date??)
Of course every case has its own quirks, but securing location based automated real evidence should, except in certain bespoke cases, always be the consideration over the time, which can be altered either maliciously or by some owner with a penchant for just "playing" with his/her phone (I have lost count of the amount of videos I have seen on handsets that are just the living rooms of individuals pointing at the TV or one of their pals watching TV, and it's this almost compulsion with some people that has them constantly messing with the handset).


   