
Hashing call detail records.

hcso1510
(@hcso1510)
Posts: 303
Reputable Member
Topic starter
 

The idea for my question came out of another post concerning authentication of records. Whether or not you refer to CDR's as call or communications detail records I was wondering if anyone was hashing these records when they receive them.

Any ideas or opinions on it?

Thanks!

 
Posted : 17/03/2012 5:23 pm
(@miket065)
Posts: 187
Estimable Member
 

Not exactly, but I do hash all content extracted on cell exams. This could easily be done on cdr's. I use md5deep and a simple batch program I wrote. After I get all the files into one directory, I run the .bat and it calculates md5's on all the files and writes the output to a text file in the same directory.

 
Posted : 17/03/2012 5:56 pm
(@crosser)
Posts: 56
Trusted Member
 

I typically put records like this into a LEF in EnCase where I have them hashed and preserved.

 
Posted : 18/03/2012 4:09 am
(@trewmte)
Posts: 1877
Noble Member
 

Hi Ed

The call records you receive from the operator are not 'the' original records, but copies of them (maybe?). An *assumption* might be the defence may request a copy direct from the operator in order to cross-reference that with the records you worked with and served.

That said, it may have good standing or be good practice to hash the inbound unopened electronic file from an operator (where the file extension is say .txt, .doc, .csv, .xls, .mdb and so on) at the outset if only to protect yourself, should you need to, to be able to provide some comfort to the Court or DA of "..this is the original file containing the copy records…..that I received from the operator….at the [sic] material time….before I started examination and analysis of the file's content….."

From previous experience

1) For an appeal case I was instructed to examine a number of records from an operator's computer. In viewing the records, on first blush, there was 'disparity' and 'inconsistency' between the records served. Unless the operator's staff member randomly made selection and choice of content (fields of data), then the staff member was most likely directed by someone to provide content in the records presented. This led to questioning of 'who' 'what' 'where' and 'why'. This may be relevant to the 'someone' who requests particular data, thus directing the staff member of what s/he wanted and, perhaps with good intention, but had guessed at what the fields of data actually meant and unilaterally decided what s/he thought was not relevant. Hashing a generated file where the content is directed to staff members seems to add little by way of supporting the accuracy of the meaning of the data, but just that data may not have been altered after hashing a received file.

2) A series of .xls spreadsheets served by the pros to the defence some of the spreadsheets contained cells that appeared to contain no data. However, when highlighting each cell call data could be seen in the 'formula bar' in excel relating to mobile calls. Mistakes by someone formatting the spreadsheet can happen, but it caused the defence a huge resource to cross-reference back to the paper records to understand why missing calls were occurring. An impact assessment on the hashing value needs to be considered before and after formatting.

3) An expert's word.doc report requested from the pros was emailed by the police, when it was learned the expert had sent it by email to the police because it was over 200 pages and megabytes in size. When opened, the word.doc displayed a range of corrections to 'words' and 'paragraphs' made by an individual (and not the expert's secretary etc) who was not the expert who produced the report. I sent screen shots to the defence of my findings and the defence checked with their copy of the same file sent to them. I do not know the outcome of that particular matter as my work finished on that particular part of evidence assessment. I suspect a hash value including the material time of receipt and prior to the file being examined might be useful if 'someone' is the person some way down the line.

4) Formatted (or non-formatted) files or content in files can be a pain at times and consideration of the value of obtaining a hash value can mean adopting a policy on a case by case basis. There are discussions here at FF about how certain types of formatting impact on data.

5) Having the original copy remaining intact and hashed and produce two working copies of the original may be useful.

Some other observations. Would you hash winrar, winzip files etc? Would that be for the similar reasons, as above, or would you not hash because compression is involved?

If the records are received in paper form, are you hashing the scan of each page or one hash of the entire scanned pages you generated?

I'm not suggesting your thoughts on hashing are wrong or right, merely I am raising some thoughts you may wish to consider how relevant they might be to your question; on the basis, of course, that you haven't already considered them previously.

Additional details of hashing tool here http://trewmte.blogspot.co.uk/2012/03/hashing-call-records.html

 
Posted : 18/03/2012 12:36 pm
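The two posts above describe hashing every received file into a text listing, keeping the original intact, and working only on copies. The following is an added Python example, not code from any poster in this thread; the file name, directory names and sample CSV content are constructed for illustration. It records a receipt-time manifest (MD5 for comparison with md5deep output, plus SHA-256) and then shows that a working copy re-saved with different line endings no longer matches.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample data, not a real operator export.
SAMPLE_CDR = b"calling,called,start_utc,duration_s\n15550100,15550199,2012-03-01T10:00:00Z,42\n"

def file_digests(path, chunk=1 << 20):
    """MD5 (comparable with md5deep output) and SHA-256, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def build_manifest(received_dir):
    """Hash every file as received, before any application opens it."""
    root = Path(received_dir)
    files = {p.relative_to(root).as_posix(): file_digests(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"hashed_at_utc": datetime.now(timezone.utc).isoformat(), "files": files}

def changed_files(manifest, copy_dir):
    """Names whose copy is missing or no longer matches the receipt hash."""
    root = Path(copy_dir)
    return [name for name, rec in manifest["files"].items()
            if not (root / name).is_file()
            or file_digests(root / name)["sha256"] != rec["sha256"]]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        received = Path(tmp, "received")
        received.mkdir()
        (received / "cdr_export.csv").write_bytes(SAMPLE_CDR)
        manifest = build_manifest(received)
        work_a = shutil.copytree(received, Path(tmp, "working_a"))
        work_b = shutil.copytree(received, Path(tmp, "working_b"))
        # Simulate a re-save that rewrites line endings in one working copy.
        target = Path(work_b, "cdr_export.csv")
        target.write_bytes(target.read_bytes().replace(b"\n", b"\r\n"))
        return manifest, changed_files(manifest, work_a), changed_files(manifest, work_b)

if __name__ == "__main__":
    manifest, intact, altered = demo()
    print(manifest["hashed_at_utc"], manifest["files"])
    print("working_a changed:", intact, "| working_b changed:", altered)
```

Store the manifest outside the hashed directory so that writing it does not change the set of files being listed.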
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
Topic starter
 

I am raising some thoughts you may wish to consider how relevant they might be to your question; on the basis, of course, that you haven't already considered them previously.

Greg,
Believe me, there are plenty of things I've not considered so thanks for the reply. One issue that I could see possibly coming up is whether or not the Telco still had the records they originally provided in the first place. "You can't do a hash comparison on what you don't have."

Here in the US there is currently no Federal Law regarding the retention of records. Now, once the records are provided to law enforcement I wonder how long they save them? It's just a question I've never thought to ask. (putting it on the list right now)

I've called in reference to records that were 2 years old and an analyst was able to pull up the records, but what if the records were 4 or 6 years old? Is there a point when the Telcos purge the archived records from their systems?

Most criminal cases seem to be settled between 1 and 3 years. What about a case that has been cold for about 7 years? Would they save them longer if they were associated with a charge of Murder vs. Harassment?

How is it on your side of the pond? Once the records are provided to law enforcement do the Telcos archive the records for a specific period of time?

 
Posted : 18/03/2012 5:43 pm
(@trewmte)
Posts: 1877
Noble Member
 

In the UK, the operators tend to vary their approach to data retention made available to law enforcement and data subjects running between weeks and a couple of years. However, data retention governed by the Directive and Legislation may go beyond that period, for instance in commercial disputes.

There are many confusing and contradicting issues associated with retention of mobile call information. The legislation appears to create a brickwall blocking unnecessary data retention. Under analysis exclusions or argumentative approaches are revealed that can give the impression that the brickwall has so many holes that it appears to have more holes than a Jeyes Cloth (J-Cloth).

For instance, the operator can give to law enforcement a Gold Copy of the records - a suggestion of the title that it contains everything, but can actually mean it is the only copy remaining. However, given the original raw data may still be with the operator, then what do all these rules really mean?

Law enforcement keep data records for considerably longer than is perceived, but that seems rather obvious when considering 'cold case' reviews.

Solicitors keep records for years in case there is an Appeal/dispute.

Both the Data Protection Act 1998 and 1984 contain requirements associated with 'processed data' and the legal position regarding a processed state and, thus, data retention periods. However, raw data that is untreated is not subject to the DPA in the same way and therefore in a raw data state may remain for many years in an unprocessed state in archive. National Security therefore could have access to archived raw data processed years after the archive was first made, but equally in a processed state data can linger on longer than most specified periods.

Preservation is not new of course and historically some, prior to digital archiving, had their records recorded to microfiche and as banking records were important some used inventive methods to preserve material and purchased old mines and stored their data in microfiche format deep in the vaults of the earth in order to maintain a cold temperature, which if temperature increased (heat) it degraded preservation of the microfiche material. Some figures for storage were 90 years, particularly health and safety records for employees who may have been exposed to working where pervasive toxic conditions existed but weren't fully recognised at the material times.

Digital archiving today uses a range of storage media from optical disks to various data storage containment. It has been said that because of the recording properties of a SIM card data can be retained on a SIM card without degradation for up to 100 years; 50 years may be good though. So SIM may be used under certain conditions for archive.

For mixed principles of data retention timescales the following provides useful guidance

<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>

DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 15 March 2006
on the retention of data generated or processed in connection with the provision of publicly
available electronic communications services or of public communications networks and amending
Directive 2002/58/EC

Article 6
Periods of retention
Member States shall ensure that the categories of data specified in
Article 5 are retained for periods of not less than six months and
not more than two years from the date of the communication.

Download http://tinyurl.com/83mjky9

<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>

Directive 2002/58/EC of the European Parliament and of the Council
of 12 July 2002
concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

(23) Confidentiality of communications should also be ensured in the course of lawful business practice. Where necessary and legally authorised, communications can be recorded for the purpose of providing evidence of a commercial transaction. Directive 95/46/EC applies to such processing. Parties to the communications should be informed prior to the recording about the recording, its purpose and the duration of its storage. The recorded communication should be erased as soon as possible and in any case at the latest by the end of the period during which the transaction can be lawfully challenged.

[Note: retention of data for commercial disputes is considered to be custom and trade, and this can be equivalent to six years]

weblink http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:NOT

<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>

Anti-terrorism, Crime and Security Act 2001
102 to 105 Codes and agreements about the retention of communications data

[Note: allows for retention periods longer than Directive on privacy and electronic communications and the Data Protection Act (http://www.legislation.gov.uk/ukpga/1998/29/contents)]

weblink http://www.legislation.gov.uk/ukpga/2001/24/part/11

 
Posted : 18/03/2012 7:52 pm
(@larrydaniel)
Posts: 229
Reputable Member
 

Here in the US the cellular providers keep their call detail records for varying amounts of time. Unless they receive a preservation letter, they will delete the records based on their retention schedule, whether they were requested at some point by LE or anyone else for that matter.

The retention policies range from a rolling 12 months to about 36 months. This information is readily available.

This is true only for call detail records. SMS content is kept for a very short time. Usually less than 5 days.

 
Posted : 01/04/2012 4:56 am