Getting into mobile forensics

13 Posts
6 Users
0 Reactions
944 Views
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
Topic starter  

Hi there. I am currently studying on a computer forensics course and my career aim is to get into the mobile forensics sector, as I have always had a love for computers and electronics, and aspects such as cell site analysis and emerging technologies such as Android phones etc. really intrigue me. But basically my question is: other than applying for a placement in a company that deals in this area, are there any specific topics I should research to broaden my knowledge, which is very, very small on a technical level currently?

Thanks in advance, Tom.


   
Quote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Others may disagree with this but I think that your best option is to consider trying to find work with a company that already does this. While there is a good deal of literature out there regarding cellphone forensics, making it an occupation is a far different beast. For example:

1. There are literally thousands of different cell phone models out there and not all (read "no") cell phone forensic tools can handle every one of them.

2. Aside from a few open source tools such as BitPim, the technology can quickly get to be expensive, especially if you require multiple tools. Unlike computer forensics, where you can get by with one or even no commercial tools, it would be dangerous to do this on a practical level for cellphone forensics. If you want to practice, fine, as long as you don't mind dealing with the possibility that you may brick the device.

3. There is a lot of information out there on how to hack various cellphones for various purposes. Many of these techniques are not forensically sound and could damage or destroy the media. That is not to say that you shouldn't practice, but you should realize that using these techniques may make your work inadmissible as evidence.

I'm not trying to discourage you but I am trying to say that I think that if you want to learn something about the field, buy some used phones on eBay and get an open source tool and hack away to your heart's content. We frequently buy used phones like this to test our tools and get our practitioners experienced before dealing with a specific model which could be used as evidence.

Or, sign up for one or more courses/bootcamps on cellphone forensics and get training from those who are experienced.

There is a great deal that you can teach yourself from what is available in the literature and on the Internet but moving into practice is a different thing and for that, you really want some formal training or experience or at least the watchful eye of someone who has done this, professionally.


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I pretty much go along with the good advice from seanmcl.

Some additional information, which is entirely compatible with seanmcl's comments:

For all the areas of interest you raised above you will need at least 212 (approximately) different GSM Mobile Telephone Standards in addition to manufacturer standards and guidelines, regulatory requirements and legal requirements.

If everyone were faced with that many documents running to tens of thousands of pages no one would even start in mobile telephone examination and evidence.

At a beginner entry level, can I suggest you obtain the GSM standards first. The reason being, if you jumped into using 3G at the outset, when reading those documents you will find the content includes GPRS and GSM technical and technology requirements also. Thus you will have three technologies to learn at the outset - that is not an easy feat by any means and I have yet to find anyone who has mastered it in that way. 23 years on and I still find the more I learn the more I have to learn. Continuous learning is required if you intend to be the best, as opposed to an also-ran.


   
ReplyQuote
TomP
 TomP
(@tomp)
Eminent Member
Joined: 16 years ago
Posts: 36
 

There are a couple of BIG UK firms that you could go to work for. I started with not a great deal of knowledge about mobile phones but an extensive background in computer maintenance and picked things up quickly. I have been in the job for 2 years now and consider myself to be in the top 25% of technically apt people within the 30-analyst-strong mobile telephone lab I work in.

The main pieces of software we use are .XRY, XACT, SIMCon, Oxygen, Aceso and Cellebrite. No tool is perfect, but with that set (there are multiple in-house tools we use for decoding data that is 'flashed' from devices) we can handle most handsets that get thrown up. Another useful site is fonefunshop.co.uk. They sell flash boxes which will allow you to bypass handset locks/perform memory dumps/identify the last SIM details of handsets; however, these are not forensically sound.


   
ReplyQuote
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

however these are not forensically sound.

But are generally accepted techniques because of their wide use (and in the case of LE the case officer has the last say), and it's when the deeper understanding of what you are doing comes into play (and of course notes notes notes notes and also some notes!)


   
ReplyQuote
(@thall)
Trusted Member
Joined: 16 years ago
Posts: 53
Topic starter  

Thanks for all the helpful comments. I am definitely going to take a look into some of the open source software and practice on some cheap market phones to get an idea of the workings behind it all, and study some standards to get a deeper knowledge of it all.


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

however these are not forensically sound.

But are generally accepted techniques because of their wide use (and in the case of LE the case officer has the last say), and it's when the deeper understanding of what you are doing comes into play (and of course notes notes notes notes and also some notes!)

I wanted to share some observations. I do not think the conclusion here is one that would find favour in a court of law.

The so-called "generally accepted techniques" claim is simply incorrect. If those using the techniques decide to use them, that doesn't make them "generally accepted techniques"; it means the examiner is openly admitting s/he is knowingly driving around in a car with no working brakes.

The fact of the matter is none of these products have been peer reviewed or endorsed. Having x number of people using tools, or getting law enforcement to buy the tools and use them, is not tacit authority to use the tool in evidence or claim a waiver "because of their wide use". The question will always arise: have you an independent record that can show what the tool was doing?

This brings me onto the next matter of "and in the case of LE the case officer has the last say". The case officer is not a waiver of responsibility and is not to blame; you are. That arises because of leading the case officer to believe your claimed status as a "person skilled in the art". There is a case of the skilled soil specialist who was given authority by the case officer to examine the defendant's trainers for soil tests and trainer impressions. The skilled soil specialist then went on to place a trainer into soil from the scene of crime, contaminating the evidence, and reported that the defendant's trainer was at the scene of crime. I am sure you can work out what happened next. Also the defence that the case officer having the last say gave a waiver to responsibility didn't get very far.


   
ReplyQuote
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

however these are not forensically sound.

But are generally accepted techniques because of their wide use (and in the case of LE the case officer has the last say), and it's when the deeper understanding of what you are doing comes into play (and of course notes notes notes notes and also some notes!)

I wanted to share some observations. I do not think the conclusion here is one that would find favour in a court of law.

The so-called "generally accepted techniques" claim is simply incorrect. If those using the techniques decide to use them, that doesn't make them "generally accepted techniques"; it means the examiner is openly admitting s/he is knowingly driving around in a car with no working brakes.

The fact of the matter is none of these products have been peer reviewed or endorsed. Having x number of people using tools, or getting law enforcement to buy the tools and use them, is not tacit authority to use the tool in evidence or claim a waiver "because of their wide use". The question will always arise: have you an independent record that can show what the tool was doing?

This brings me onto the next matter of "and in the case of LE the case officer has the last say". The case officer is not a waiver of responsibility and is not to blame; you are. That arises because of leading the case officer to believe your claimed status as a "person skilled in the art". There is a case of the skilled soil specialist who was given authority by the case officer to examine the defendant's trainers for soil tests and trainer impressions. The skilled soil specialist then went on to place a trainer into soil from the scene of crime, contaminating the evidence, and reported that the defendant's trainer was at the scene of crime. I am sure you can work out what happened next. Also the defence that the case officer having the last say gave a waiver to responsibility didn't get very far.

I think you're taking my case officer comment out of the context in which it was meant (I think that was my fault though, I wasn't clear). What I was referring to in this case wasn't a 'waiver' but simply permission. Of course the weight of responsibility for the use of the tool lies with the examiner, and you are right, to my knowledge, these tools haven't been independently peer reviewed* (but this is something I would gladly welcome, support, be a part of, etc.).

I would hope however that any analyst using these tools would have first conducted their own tests and weren't simply clicking blindly into the abyss!

* As a number of these tools are seen as "generally accepted" it is clear that they are in wide enough use for such a review to take place - so let's do it!


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I think you're taking my case officer comment out of the context in which it was meant (I think that was my fault though, I wasn't clear). What I was referring to in this case wasn't a 'waiver' but simply permission. Of course the weight of responsibility for the use of the tool lies with the examiner, and you are right, to my knowledge, these tools haven't been independently peer reviewed* (but this is something I would gladly welcome, support, be a part of, etc.).

I would hope however that any analyst using these tools would have first conducted their own tests and weren't simply clicking blindly into the abyss!

* As a number of these tools are seen as "generally accepted" it is clear that they are in wide enough use for such a review to take place - so let's do it!

OK, on that basis I had misunderstood what you were saying. Apologies. But am I now right to think the 'permission' issue is in fact a negligible reference in context with TomP's comments, because the use of "not forensically sound" tools has nothing to do with the case officer?

Maybe I am repeating myself, but I do understand we need tools as part of the work we do. I am still not convinced that just because tools are put out to be widely used it is a qualifier for anything, even if I have to stand alone on this point to argue it. I see no qualification in claiming many people use a particular (not forensically sound) tool so you have to accept it whether you like it or not, which is exactly what is proffered at the moment.

Another aspect is the 'stagnation effect'. The suggestion these tools are widely used (having been in circulation for two years or more) has not shown any substantive improvement to make these tools forensically sound. That is, to be able to show traceability as to what the tool has done in programming the device under test (DUT) to which it is connected during examination, and what effect the user operating the tool has had in programming the device under test (DUT) when conducting the examination.

If anyone can demonstrate any of the tools being used having been peer reviewed (and the identity of those that did that) then please publish the list here.

peer reviewed* (but this is something I would gladly, welcome, support, be a part of, etc.).

AlexC there will be the opportunity for this and I would welcome your support to promote this as an absolute requirement.


   
ReplyQuote
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

Another aspect is the 'stagnation effect'. The suggestion these tools are widely used (having been in circulation for two years or more) has not shown any substantive improvement to make these tools forensically sound.

This is an interesting point, because, of course in most cases these devices were never designed with what we do in mind (save for a couple, Qmat/PSAS comes to mind - they tend to be both helpful and open about what is actually going on).

At first I thought it would be fruitless trying to persuade the makers of the "flash boxes" to aim for our market (when the bulk of their sales must come from the unlocking side of things), but perhaps a validated/certificated flash box would be a "must-have" item and boost their sales enough to make it worth their while?


   
ReplyQuote
Page 1 / 2
Share: