Evaluating Mobile Telephone Connection Behaviour - Part 1
by Sam Raincock
In general, all modern mobile telephones contain call information and SMS message storage which may be used as evidence. There may also be a wealth of other evidence available including browser history, sat nav usage etc. However, for the purposes of this article I am interested in discussing the accuracy and evaluation of telephone connection behaviour and hence I shall concentrate only on these two important sources of evidence…
Please use this thread for discussion of Sam's latest column.
A good article, looking forward to Part II.
There is, however, one bit that I can't wrap my head around.
Of course the last dialled numbers of the SIM card may not reflect the last dialled numbers of the SIM card!
Umm… what? I am probably just reading that sentence wrong.
Are you referring to the simple fact that those numbers found on there are not necessarily the last ones that were last dialled? Please, explain!
Regards,
Tim
Tim
Thank you for your comment. Part II will be discussing connection records and starting to combine the two sources of connection evidence.
The last dialled numbers I am referring to are the LDN storage on the SIM card. This storage may not reflect the numbers last dialled by the SIM card since some handsets do not utilise this storage space. However, since it is called "last dialled numbers" and may be presented as such in the mobile telephone examination report, those performing connection charting and/or legal persons may assume it means this. I have certainly come across this incorrect assumption in the cases I have worked on. However, what you may find is that the SIM card's LDNs may reflect its last use in a previous handset (or many handsets ago).
Sam
To provide a level of confidence in the accuracy of the extracted connection information, it may be necessary to perform manual checks to ensure the software report correlates with the information stored on the equipment… This serves two purposes: firstly you can ascertain (and verify) that your examination has not caused any changes to the information and if changes have occurred you have recorded the sequence of events.
If I am reading this correctly, you are suggesting that you conduct your manual verification after you have applied your forensic tool of choice to the device? How can this "ascertain that your examination has not caused any changes to the information"? Surely any (potential) changes would have already been made by the software, and you would have no reference data to use as a comparison to tell you otherwise?
Regards.
Unicron
I was referring to the video captured of the manual examination.
When performing a manual examination (effectively examining the telephone via its menu system), it may be useful to video the process. This serves two purposes: firstly you can ascertain (and verify) that your examination has not caused any changes to the information and if changes have occurred you have recorded the sequence of events. Secondly, it allows you to manually transcribe information more easily and to potentially revisit your examination at a later time without having to re-examine the handset.
Examining the video footage of the manual examination assists in verifying that the examiner hasn't accidentally deleted something by pressing the incorrect button etc. This is sometimes a concern when performing manual examinations. Likewise, it allows you to go back and check the manual examination in the event you need to transcribe information or revisit the exam without needing to check the handset again.
Kind regards
Sam Raincock
Many thanks for the clarification, looking forward to part 2!
The date and time stamps of connection information (except received SMS messages) will generally reflect the date and time of the handset and hence may not accurately reflect when the connections occurred (since a user may be able to change this information).
I have found even this is unreliable.
E.g. a message sent to a BlackBerry at 2100 hrs 1/1/2011,
opened the next day (when the phone was switched on at 0730): the inbox will state received at 0730.
The same message sent to a Nokia 8800 (again opened the next day at 0730 hrs):
the inbox will state received at 2100 hrs.
Bigjon
If you examine the standard format of the received message, it should be in a format conforming to the SMS technical specifications (PDU format). This in general is the information that is extracted by most mobile examination software and is what I was referring to in this article. The received date and time stamp as part of the specification is the Service Centre Time Stamp reflecting receipt of the message by the SMSC.
The handset software can of course choose to display the received SMS message information as it wishes to the user. Some handsets do display other dates - such as the date of receipt, date of opening, date of forwarding/replying etc. These additional date and time stamps often require manual transcription but can provide very useful evidence depending on the requirements of the case.
Kind regards
Sam
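To show what the "standard format" timestamp Sam refers to actually contains, and how it differs from the handset's own "received" time in Bigjon's example, here is an added Python example (not from the article, the forum or any examination tool). It walks a constructed SMS-DELIVER PDU to its 7-octet Service Centre Time Stamp and decodes it per 3GPP TS 23.040; the SMSC number, sender number and message body are constructed sample values, and the two-digit year is assumed to mean 20xx.

```python
from datetime import datetime, timedelta, timezone

# Constructed SMS-DELIVER PDU (SMSC prefix included): sample SMSC +31624000000,
# sender +31641600986, body "hellohello", SCTS 2011-01-01 21:00:00 GMT.
SAMPLE_PDU = ("07911326040000F0" "04" "0B911346610089F6" "00" "00"
              "11101012000000" "0A" "E8329BFD4697D9EC37")


def _semi_octet(octet: int) -> int:
    """BCD with the first digit in the LOW nibble (semi-octet representation)."""
    return (octet & 0x0F) * 10 + (octet >> 4)


def decode_scts(scts: bytes) -> datetime:
    """Decode the 7-octet TP-Service-Centre-Time-Stamp (3GPP TS 23.040 9.2.3.11)."""
    if len(scts) != 7:
        raise ValueError("SCTS must be exactly 7 octets")
    yy, mo, dd, hh, mi, ss = (_semi_octet(b) for b in scts[:6])
    tz = scts[6]
    # Time zone: quarter-hours from GMT. The sign is bit 3 of the FIRST
    # semi-octet (the low nibble); the remaining three bits are the tens digit.
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    offset = timedelta(minutes=15 * quarters)
    if tz & 0x08:
        offset = -offset
    # Two-digit year: assumed here to mean 20xx (the spec does not fix the century).
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=timezone(offset))


def scts_from_deliver_pdu(pdu_hex: str) -> datetime:
    """Skip the SMSC info and SMS-DELIVER header fields to reach the SCTS."""
    pdu = bytes.fromhex(pdu_hex)
    i = 1 + pdu[0]                      # SMSC info: length octet + that many octets
    first_octet = pdu[i]
    i += 1
    if first_octet & 0x03 != 0:         # TP-MTI 00 = SMS-DELIVER (mobile terminated)
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = pdu[i]                  # TP-OA length is a count of digits (semi-octets)
    i += 1 + 1 + (oa_digits + 1) // 2   # length octet + type-of-address + packed digits
    i += 2                              # TP-PID and TP-DCS
    return decode_scts(pdu[i:i + 7])


def delivery_delay(pdu_hex: str, handset_received_iso: str) -> timedelta:
    """How much later the handset's own 'received' stamp is than SMSC receipt,
    e.g. a message held at the SMSC overnight while the handset was switched off."""
    return datetime.fromisoformat(handset_received_iso) - scts_from_deliver_pdu(pdu_hex)


if __name__ == "__main__":
    print("SMSC received:", scts_from_deliver_pdu(SAMPLE_PDU).isoformat())
    print("Handset shows 0730 next day; delay:", delivery_delay(SAMPLE_PDU, "2011-01-02T07:30:00+00:00"))
```

The SCTS is the SMSC's receipt time and travels inside the PDU, so it survives even when the handset displays a later "received" time; only the handset-generated stamps depend on the handset clock.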