
Faraday Protection

Forensication-can-be-fun
(@forensication-can-be-fun)
Eminent Member
Joined: 17 years ago
Posts: 27
Topic starter  

FCBF OVERWRITING OF STORED DATA? TEXT MESSAGES WILL NOT BE OVERWRITTEN AS THEY DON'T ENTER THE HANDSET AS SUCH, THERE IS A MESSAGE DISPLAYED TO TELL YOU THERE ARE MESSAGES WAITING TO BE READ, INDEED IF YOUR INBOX WAS FULL YOUR HANDSET WOULD NOT LET YOU READ THE WAITING MESSAGES UNTIL OTHERS ARE DELETED BY YOU,

Apologies. Overwriting of deleted messages, primarily on the SIM if the "slots" aren't full, and also on the handset.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Overwriting of deleted messages, primarily on the SIM if the "slots" aren't full, and also on the handset.

F-c-b-f if you read the SIM first before handset you wouldn't lose deleted text messages.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

I am new to the phone side of forensics so sorry if this is a stupid question. Completely understand that you would do the SIM card first, but would you not need to check the date and time setting on the phone before removing the card? And this brings us back to the requirement for faraday protection.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

but would you not need to check the date and time setting on the phone before removing the card? And this brings us back to the requirement for faraday protection.

Hi pbeardmore, there is no definite position or mandatory requirement or legal enabler that prescribes that a procedure for radio dampening/barrier measures is to be used or must be used.

No you wouldn't need to check the handset clock first unless the officer/defence solicitor specifically thought it had a bearing on a case. Unlike computer forensics, mobile phone forensics seeks to establish accuracy on timing matters from the clock details recorded in the mobile network records and not the user defined clocks which are invariably inaccurate. The overriding position is to deal with mobile phones on a case by case basis, using methodology best suited to the make/model under examination.

Use of radio dampening fields/barriers are not being used to be able to see the date and time stamp on a mobile phone and you wouldn't use dampening/barriers for that purpose, unless you are thinking about a particular mobile phone that is sync'd to a particular mobile network clock. In which case:

a) as soon as a device is within dampening/barriers causing loss of sync with network what happens to the handset clock?
b) what about business enterprise devices' sync'd clocks with servers, where a break in network connection sync timing could be critical to data being wiped?
c) in the case of mobile phones subscription, how many actually pay for a subscription for their devices to use GSM network clock and in which countries do the operators actually provide the mobile network sync clock service?

None of the above suggests any reason for the promulgated position of blanket approach always use faraday bags/barriers; which is analogous to the notion of suggesting I'll have Ketchup with everything.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

As usual, very useful advice, thanks, trewmte,

must buy you a pint if our paths cross.

PS how are your plans going for running some mobile phone forensic training? I have a grad who would be very interested.


   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

To clarify the Home Office issue, I don't have papers that state specifically YOU MUST RETRIEVE POST SEIZURE MESSAGES.
The Home Office do state that there may be circumstances where the investigator or examiner determines it is appropriate in the specific circumstances of an operation or investigation for the device to remain on and connected to a network, or to be reconnected to a network, or, if having been switched off, to be switched back on and reconnected to a network.
In this way a record may be made of previously undelivered messages and their evidential value considered.???? If you don't know the content how do you value it? Which handsets do I decide to get post seizures from? What if the one I decide NOT to do ends up with the other side and there are messages in there that are incriminatory or exculpatory? Will I be looked at as maybe trying to pervert?? "You do it with one handset but not another, what's your method for choosing, bigjon?"
In circumstances where messages are delivered to the device after it has come into lawful possession of the investigator it is the view of the Home Office and DCG that if the device has been lawfully seized or obtained, and proper consideration has been given to the circumstances of the case, then the receipt of those messages and making record of them will be lawful. There is nothing in UK law that enables a police officer or public authority investigator to stop the delivery of a communication to an intended recipient. Equally it can be technically impossible for a communication service provider to stop the transmission of a communication or recover messages that are awaiting delivery to a device that has either been disconnected from a network or been switched off by the investigator or examiner.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

PS how are your plans going for running some mobile phone forensic training? I have a grad who would be very interested.

Thanks pbeardmore…

There is a course coordination meeting in April and I believe by June a series of courses will be available offering high level skillsets, knowledge and experience.

How to use the mobile telephone standards
GSM SIM - Examination
3G USIM - Examination
Mobile Phones - Examination
Smart Phones - Examination
Call Records Analysis
Cell Site Analysis
Interpretation of Evidence

However, if anyone has a particular subject matter of interest please let me know.


   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

trew, I would also like to be kept informed re the training, thanks.


   
bigjon
(@bigjon)
Estimable Member
Joined: 17 years ago
Posts: 159
 

I would appreciate any views, but I am writing a paper for our department to outline the examination of mobiles guidance.
My method is remove SIM card and read.
Replace SIM in handset and switch on… read.
Take out SIM, re-read to show the differences between reads, whilst making contemporaneous notes and photographing where necessary.
No Faraday bag/box as this alters data on the SIM card which is automated data (i.e. real evidence).
There have been discussions re the Wireless Telegraphy Act prohibiting "interference" and some examiners have placed this at the "jammers" door as the jammers are wireless tools and think it doesn't include Faraday, but my understanding is different, especially when you read heading DELIBERATE INTERFERENCE, it states the use of ANY apparatus whether or not wireless telegraphy apparatus for the purpose of interfering……


   
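One way to record the differences between SIM reads that the post above describes, as an added example that is not part of the thread or any poster's tooling. It assumes each read is a raw dump of the SIM's SMS file (EF_SMS: 176-byte records with the status byte first) and that a free slot whose body is not all 0xFF still holds a deleted message; the two sample reads and helper names are constructed for illustration.

```python
import hashlib

RECORD_LEN = 176  # EF_SMS record: 1 status byte + 175 bytes of message data
USED = {1: "received, read", 3: "received, unread", 5: "sent", 7: "to be sent"}

def parse_ef_sms(dump: bytes):
    """Return (status, holds_deleted_data, body_digest) for every slot."""
    if len(dump) % RECORD_LEN:
        raise ValueError("dump is not a whole number of 176-byte records")
    slots = []
    for off in range(0, len(dump), RECORD_LEN):
        rec = dump[off:off + RECORD_LEN]
        code = rec[0] & 0x07
        status = USED[code] if code & 1 else "free"
        body = rec[1:]
        # Assumption: a free slot whose body is not all 0xFF still carries
        # the remains of a deleted message.
        residue = status == "free" and any(b != 0xFF for b in body)
        slots.append((status, residue, hashlib.sha256(body).hexdigest()))
    return slots

def diff_reads(before: bytes, after: bytes):
    """List the slots whose status or body differs between two SIM reads."""
    first, second = parse_ef_sms(before), parse_ef_sms(after)
    if len(first) != len(second):
        raise ValueError("reads contain a different number of slots")
    changes = []
    for slot, (old, new) in enumerate(zip(first, second), start=1):
        if old != new:
            changes.append({"slot": slot, "before": old[0], "after": new[0],
                            "deleted_data_overwritten": old[1] and old[2] != new[2]})
    return changes

def record(status: int, body: bytes) -> bytes:
    """Build one constructed 176-byte record, padded with 0xFF."""
    return bytes([status]) + body.ljust(RECORD_LEN - 1, b"\xff")

# Constructed sample reads (placeholder bodies, not real SMS TPDUs).
READ_1 = record(0x01, b"MSG-A") + record(0x00, b"DELETED-MSG") + record(0x00, b"")
READ_2 = record(0x01, b"MSG-A") + record(0x03, b"NEW-MSG") + record(0x00, b"")

if __name__ == "__main__":
    for change in diff_reads(READ_1, READ_2):
        print(change)
```

In the constructed reads, slot 2 goes from a free slot holding deleted data to an unread received message, which is the overwriting of deleted messages raised earlier in the thread.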
_nik_
(@_nik_)
Trusted Member
Joined: 19 years ago
Posts: 93
 

Jammers are legal - as long as no signal escapes the faraday cage.

All the PASSIVE enclosures that I have seen do fail under strong signals. I had conducted the testing close to an antenna (it's on top of the building).
None of the ones I could see did work.

Neutrino comes with a faraday bag that is very good - because it is active. In the bag there is a noise generator that will make the bag much more effective.

If you want to see which was the last tower that was connected to the phone, you have to stop it from being on the network.


   