Certified/Validated Mobile Phone Tools

59 Posts
15 Users
0 Reactions
6,333 Views
(@hanbrix)
Active Member
Joined: 17 years ago
Posts: 7
 

Some interesting points of view abound here, now for my misconceived (possibly) angle. I have always believed that Mobile Forensics cannot be made "forensically sound" per se, as to extract the relevant data a certain amount of "touching and button pressing" (ooh err) has, using most of the available tools, to take place.

That brings me neatly onto the realms of flasher boxes. If we are to ever draw a comparison to Computer Forensics, then the Hex download is surely it. HOWEVER try as we might I do not believe a direct comparison can ever be made notwithstanding in some quarters the use of these devices is frowned upon.

Add into the mix for example, a product that states that a certain handset can be handled, (a particularly sticky HTC Tyan 2 springs to mind) then the extraction results in approximately 1/3rd of the total data.

Is it a case then that the product should lose its certification because of this failure, or does the examiner lose his/her validation because the data wasn't extracted?

A very simple example I know, but I don't honestly think that certification of a mobile phone product isn't possible due to the volatile nature of the device, whatever make, firmware, yada yada yada.

What I do believe in is a sound methodology in handling such devices. Also take into account that whatever side is examining, defence or prosecution, we are all in the same boat.

That's around 2p I think.


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

We attach ( as Harlan has stated above ) the label of "Forensically Sound" as a standard that we must attain - it is this that is our "certification standard" - and as this is a moving target

How is a SIM Card a moving target?

Occasionally I get to demonstrate that my ignorance knows no bounds 😉

I would have thought, although I have no knowledge or evidence of the fact, that SIM cards have evolved over time ? I'm certainly aware that my "old" sim cards ( 5+ years ) held less information than my current one ( not that I actually use my current one to hold information ).

Well I never intended you to feel that way. Now I feel embarrassed because my comment above has made you feel that way, because I cannot see how else I could have asked you in the clearest possible terms.

SIM Cards are not an issue. Yes they have moved on but the issue here is not to do with the exhibit itself, but the examination tool, which is under scrutiny.

When I made the statement though, I was actually thinking of phone hardware & software - most specifically my own phone, an iPhone, of which I, in the last 13 months, have had two different physical versions ( a 3G and a 3GS ) and several versions of OS ( currently sitting at 3.1.2, but I remember consciously upgrading to 3.0 with the enhanced functionality of cut and paste -) much overdue ! ) I imagine that, as phones such as the iPhone, the Palm/Symbian range and Google's Android become more prevalent, this sort of range of, and relatively quick, patch/update cycle will make the art of mobile phone forensics more of the "moving target" that I imagine it to be.

Again, with the iPhone, ( and again a chance to demonstrate my ignorance ! ) doesn't forensic examination involve "jailbreaking" the phone in some way to allow access - thus essentially being equivalent to a "live" forensic examination ?

Azrael, my comments are not drawing attention to what you may or may not know and are not intended to embarrass you. My concern here is whether the Poll is being misunderstood. The issue as I see it, again, doesn't relate to the device (in this case a handset) but to a requirement of the human examiner to have "checked first" before (metaphorically speaking) throwing a piece of software/hardware at the exhibit. This could be viewed again as the examiner knowingly driving around in a car known to have faulty brakes. Also it continues to suggest that the whole forensics arena in this field of distinction (quite a nice quote that from an earlier poster) is being wrongly held back due to either misunderstanding or, conversely, it is being held back due to a lack of understanding as to what these mobile phone examination tools are actually doing.

If iPhone jailbreaking (which is used in isolation and not for every brand-name handset) is such a defeating matter for getting Certified/Validated products, why do I hear it rumoured that the producer of a well-known piece of iPhone software is coming to the UK to see the Met (so I am told) this month or next month with revamped software that apparently overcomes difficulties associated with its predecessor?


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

Just as a reminder we are dealing with Certified/Validated mobile phone tools, not human beings being Certified/Validated.


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Well I never intended you to feel that way. Now I feel embarrassed because my comment above has made you feel that way, because I cannot see how else I could have asked you in the clearest possible terms.

Azrael, my comments are not drawing attention to what you may or may not know and are not intended to embarrass you.

Greg, I assure you that there is absolutely no need to apologise - I'm neither embarrassed, nor made to feel inadequate - I'm merely caveating my levels of knowledge and ability to all readers of the forum where it comes to mobile phones. ( Hell, what do I know about forensics ? I work in Security -P ) I am conscious of your personal standing in the industry, but I've never found you to be anything but courteous, polite and very willing to explain to me what I don't get !

Back to topic though 😉

My concern here is whether the Poll is being misunderstood. The issue as I see it, again, doesn't relate to the device (in this case a handset) but to a requirement of the human examiner to have "checked first" before (metaphorically speaking) throwing a piece of software/hardware at the exhibit. This could be viewed again as the examiner knowingly driving around in a car known to have faulty brakes. Also it continues to suggest that the whole forensics arena in this field of distinction (quite a nice quote that from an earlier poster) is being wrongly held back due to either misunderstanding or, conversely, it is being held back due to a lack of understanding as to what these mobile phone examination tools are actually doing.

I feel that we are not debating "validation" or "verification"; these, I hope, have been taken as a given by all. If it's not provable, or demonstrably correct, we have no _right_ to submit to a court as fact, and we'd be acting very unethically to do anything that we didn't have complete faith in. In "computer" forensics this is often clarified by the use of multiple tools, coupled with an understanding of the principles at play, to ensure that these things are true. Again, as I don't do mobile exams at all, I don't know how feasible these things are in the real world - are the details of the way that tools work available for verification ? Are there multiple tools to carry out the same job to support each other ?

Moving away from that we look at the topic of "certification" - my objection to certification is that it would be impossible to keep up with the certification process, as the number and variety of phones is increasing beyond the capabilities of the manufacturer to produce code to keep up. Either that, or we run the risk of the situation whereby examiners will only be willing to use versions that have been certified, regardless of how much they might be missing with newer tools.

The only level of certification that I can envisage seeing would be to have the developer's methodology, verification and testing processes certified to a standard - ISO9001 perhaps or the like - so that there can be faith that these things have been done properly.

If iPhone jailbreaking (which is used in isolation and not for every brand-name handset) is such a defeating matter for getting Certified/Validated products, why do I hear it rumoured that the producer of a well-known piece of iPhone software is coming to the UK to see the Met (so I am told) this month or next month with revamped software that apparently overcomes difficulties associated with its predecessor?

This is beyond my knowledge I'm afraid - although it's very interesting - "live forensics" isn't excluded from court, so I don't see why tools that do make changes should be excluded - provided that such changes are understood, documented, repeatable and verifiable. It just deviates from the traditional definition of "forensically sound" - e.g. no modification to the source.

Again, I'd just like to reiterate that no offence has been caused - I like debating -)

Simon


(@webbo)
Active Member
Joined: 15 years ago
Posts: 10
 

Right, here we go.

The extraction of data from a mobile phone is not the same as taking an image of a hard drive and working from that image using FTK etc. You have no choice but to go through the handset checking what data is or is not stored against the software used to extract it. The software should be write protected, and if it can upload data onto the mobile, don't even bother to use it as this could lead to professional suicide!! Use another software package to check (verify) the data extraction from the first or, simply put, compare it with the visible data stored on the handset. Many companies who offer 3 day courses on mobile phone extraction do not offer the years of experience needed to carry out this work in a forensic manner. Leave it to the professionals who know what they are doing. Validation is not a dirty word….


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

Greg, I assure you that there is absolutely no need to apologise - I'm neither embarrassed, nor made to feel inadequate - I'm merely caveating my levels of knowledge and ability to all readers of the forum where it comes to mobile phones. ( Hell, what do I know about forensics ? I work in Security -P ) I am conscious of your personal standing in the industry, but I've never found you to be anything but courteous, polite and very willing to explain to me what I don't get !

Back to topic though 😉

OK, thanks.

I feel that we are not debating "validation" or "verification"; these, I hope, have been taken as a given by all.

Actually Azrael, oh yes we are, along with other matters, this is exactly an element with which we are dealing.

…are the details of the way that tools work available for verification ?

Well exactly !

Moving away from that we look at the topic of "certification"

Yup, you are on the right track, just wrong set of assessments and standards.

It just deviates from the traditional definition of "forensically sound" - e.g. no modification to the source.

All so-called forensic tools make some changes to source depending on what 'source' is being referred to, don't they? For instance, is it an absolute that computer forensics does not change anything on the target HDD? I raise that observation in light of the fact that we now know that a complete image of all data on the HDD that is said to have been recovered is in fact not strictly true; data (user or otherwise) can still exist in bad sectors and clusters.

Limitation of a forensically sound tool, perhaps?

I think the real issue here is to categorise the principle "forensically sound" in relation to each 'field of distinction' (I do like those words) to which the principle should be applied.


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

Students and others who want to obtain a selection of various articles and presentations etc. on mobile phone evidence should go to E-Evidence. I do like this site http://www.e-evidence.info/cellarticles.html . It takes a lot of work to maintain a good library. The lady (named Christine) behind this site deserves credit for her work.

Here is a report that is worth a read:

http://www.google.co.uk/url?sa=t&source=web&ct=res&cd=1&ved=0CAcQFjAA&url=http%3A%2F%2Fwww.8051projects.net%2Fe107_files%2Fpublic%2F1236046309_9698_FT19075_forensic_analysis_of_mobile_phones.pdf&rct=j&q=1236046309_9698_FT19075_forensic_analysis_of_mobile_phones.pdf&ei=Vat7S56MJqb-0gTeoa3WBQ&usg=AFQjCNHb-kG3qbze1YFs3yXWBa651lcJPw


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I feel that we are not debating "validation" or "verification"; these, I hope, have been taken as a given by all.

Actually Azrael, oh yes we are, along with other matters, this is exactly an element with which we are dealing.

Sorry, I've re-read and I see the distinction that I didn't before.

With regard to what I said above I had assumed "verification" and "validation" to be actions carried out by the examiner, and "certification" something to be carried out by a third party ( hopefully, in the process, both "verifying" and "validating" the tool to their own satisfaction ) before issuing a "statement of compliance" or the like that would be regarded by all as evidence that the tool behaves according to the criteria laid out.

Moving away from that we look at the topic of "certification"

Yup, you are on the right track, just wrong set of assessments and standards.

Bearing in mind what I've said above, which assessments and standards do you think apply ?

It just deviates from the traditional definition of "forensically sound" - e.g. no modification to the source.

All so-called forensic tools make some changes to source depending on what 'source' is being referred to, don't they? For instance, is it an absolute that computer forensics does not change anything on the target HDD? I raise that observation in light of the fact that we now know that a complete image of all data on the HDD that is said to have been recovered is in fact not strictly true; data (user or otherwise) can still exist in bad sectors and clusters.

Please regard the following as a semantic argument, irrelevant to the point …

As always open to debate - I would argue that, whilst it isn't a "true" image, no change has been made to the source, or to the data that has been obtained (writeblocker hardware being a well tried, tested & certified subject). It's like a crime scene photograph - it is a true representation, but you can't see the dust behind the vase on the mantelpiece. (Incidentally, I hear some reports of tools that _can_ obtain these parts - DeepSpar is one.)

This is, however, still distinct from the process discussed by webbo:

You have no choice but to go through the handset …

Limitation of a forensically sound tool, perhaps?

I think the real issue here is to categorise the principle "forensically sound" in relation to each 'field of distinction' (I do like those words) to which the principle should be applied.

Absolutely agree, one works with the processes and tools that are available - ethics, documentation, reasonableness and necessity should negate any potential for argument about "forensically sound". And it is the point of "necessity" that differs from "field of distinction" to "field of distinction". ( I like it too, so I'll get it in twice 😉 )


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

I have got to nip out now as I have some matters to deal with. I will respond to your other points later, but this one I just want to draw attention to:

I think the real issue here is to categorise the principle "forensically sound" in relation to each 'field of distinction' (I do like those words) to which the principle should be applied.

Absolutely agree, one works with the processes and tools that are available - ethics, documentation, reasonableness and necessity should negate any potential for argument about "forensically sound". And it is the point of "necessity" that differs from "field of distinction" to "field of distinction". ( I like it too, so I'll get it in twice 😉 )

Your acknowledgment above really endorses Poll Question 1 and suggests that it is achievable, therefore if most concur with your observations what really lies behind voting for a sit-on-the-fence option, Poll Question 3?

Also relating to necessity regarding verification/validation (thus an element of necessity maybe), I am talking about the tool having the capability to produce, at first instance, identification of what it has done. The human being requirement is a separate matter entirely and really is another matter outside of the scope of the Poll and the thread. If the device doesn't declare openly and honestly what it has done, how would the human being know without breaking into the tool or monitoring it in parallel and conducting the same investigation (try that for regularly getting 20 phones coming through the door) for each and every examination the tool carries out? Surely the process demands the tools play their rightful role as workhorses (another claim underpinning necessity by those saying they need tools to do the job), rather than the human being running around after a machine, so to speak.

Besides, isn't the real issue here that if a tool does not produce traceability of what it has done, maybe that is to avoid accountability?

See you all later.


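Webbo's advice to check one package's extraction against a second one, and trewmte's point that a tool should itself declare what it has done, as an added example that is not part of the thread: the two extraction reports, their record layout and the tool names below are constructed for illustration, not taken from any real product.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample extractions: what two different tools reported for the
# same handset. The record layout is an assumption; in practice each record
# would be parsed from the tool's own export format.
TOOL_A = [
    {"type": "sms", "id": 1, "from": "+447700900001", "body": "meet at 9"},
    {"type": "sms", "id": 2, "from": "+447700900002", "body": "ok"},
    {"type": "contact", "name": "Alice", "number": "+447700900001"},
]
TOOL_B = [
    {"type": "sms", "id": 1, "from": "+447700900001", "body": "meet at 9"},
    {"type": "contact", "name": "Alice", "number": "+447700900001"},
    {"type": "contact", "name": "Bob", "number": "+447700900003"},
]


def canonical(record):
    """Stable serialisation so an identical record hashes the same from both tools."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def record_hash(record):
    return hashlib.sha256(canonical(record).encode()).hexdigest()


def cross_verify(extract_a, extract_b):
    """Compare two extractions of the same exhibit; anything reported by only
    one tool is what the examiner must go back to the handset to resolve."""
    a = {record_hash(r): r for r in extract_a}
    b = {record_hash(r): r for r in extract_b}
    return {
        "agreed": len(a.keys() & b.keys()),
        "only_in_a": [a[h] for h in sorted(a.keys() - b.keys())],
        "only_in_b": [b[h] for h in sorted(b.keys() - a.keys())],
    }


def audit_entry(tool_name, version, extract, command):
    """Traceability record: which tool build was run, how, and a digest of
    exactly what it returned, so the extraction can be re-verified later."""
    digest = hashlib.sha256("\n".join(canonical(r) for r in extract).encode()).hexdigest()
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "tool": tool_name, "version": version, "command": command,
        "record_count": len(extract), "extract_sha256": digest,
    }


if __name__ == "__main__":
    print(json.dumps(cross_verify(TOOL_A, TOOL_B), indent=2))
    print(json.dumps(audit_entry("toolA", "1.0", TOOL_A, "toolA --logical"), indent=2))
```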
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I didn't actually vote, as I don't think that any of the options cover what I believe to be the case, as I _don't_ think that it is achievable. I feel that the following is where my vote lies:

Option 1, but I don't think that it is possible to do it, however if it is possible, it needs to be done in such a way that Option 4 isn't an issue, e.g. that the certification process doesn't cost too much or take too long, or exclude small businesses producing small products, or mean that an examiner who presents his own code in court is discounted because it isn't "certified" software.
