Contradictory test results:UFED vs XRY vs SIMcon

(@yunus)
Posts: 178
Estimable Member
Topic starter
 

I had a small test covering common SIM examination tools, UFED, XRY, SIMcon.

The results were more contradictory than expected, sometimes even opposing. The contents, time stamps and status of the SMS messages were different from each other.

See the results at http://www.dijitaldeliller.com/yazilar.html

Click on the link "english version the test report" at the top of the page. The report is a PDF file.

Regards,

 
Posted : 07/05/2013 10:24 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I am not familiar with any of the tools you are looking at.

Tools are only 'quick ways' to get results and can produce false positives - or just incorrect results. The ultimate test is a hex editor and a lot of knowledge. That way you may get faith in a tool, or know its limitations.

 
Posted : 08/05/2013 12:29 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I agree with Michael.

One of the biggest fallacies that I hear on a regular basis is analysts saying that having multiple tools to do the same thing allows you to validate your findings. This is patently incorrect.

If you understand the data structures that you're looking for/at, then you can choose the appropriate tool for the job, and then validate your findings with a hex editor.

The fact is that multiple tools can be "wrong". Some tools are not written by analysts who do the work and understand the need, but are instead written by developers who have little understanding of what's needed and do not do the actual work.

 
Posted : 08/05/2013 5:05 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

So, to expand on that - what does the raw data look like (do not post, just look)?

(A side note - your data is not anonymized sufficiently. ex. line 3 in first table, phone number ends in 55.)

 
Posted : 08/05/2013 8:08 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

You need to anonymise your data - it is trivial to get at the numbers under the white box you have layered.

The first number is +9054?????705 (added ? to protect the guilty/innocent)

 
Posted : 08/05/2013 8:24 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

So, to expand on that - what does the raw data look like (do not post, just look)?

(A side note - your data is not anonymized sufficiently. ex. line 3 in first table, phone number ends in 55.)

Oops cross post - but I would change "anonymized sufficiently" to "anonymized at all".

 
Posted : 08/05/2013 8:25 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I may, and from what I can understand, you all are saying the same thing (including the OP).

No software should be trusted "blindly", but, as I see it, Yunus did a nice job in highlighting a possible "real life" issue.

What is the practical suggestion?

  1. Do not use any third-party software and write your own tool.
  2. Use multiple software tools and delve deeper if there are differences between results.
  3. Test as deeply as you can all available software, then choose one and only that one, because you already know which "quirks" it may produce.
  4. Other (please specify).

If #1, then all software houses could close down, and each forensic examiner will have to write, validate and eventually "defend" in court his/her tool against the findings of the expert witness of the other party, who also wrote his/her own tool and has exactly the same issue.

If #2, then all forensic investigators should test the data/SIM/whatever against *all* available tools, freeware or commercial, and "hope" that no inconsistencies are found (as one of the tools may be "right" in one specific point but "wrong" on another).

If #3, the risk of a peculiar artifact not having been tested, or not tested properly, seems to me rather BIG.

I would say that all three approaches above are either very problematic or very non-productive.

What is option #4?

    jaclaz

 
Posted : 08/05/2013 11:29 pm
(@trewmte)
Posts: 1877
Noble Member
 

Yunus, do you have the message header/s for the original text message/s from the target SIM Card that you can post so that we can start at the beginning.

The GSM standard reference template

Example of output message header data looks like this:

More Messages To Send        No
Status Report Indication     No
Reply Path                   No
Originating Address Length   0C
Originating Address type     91
  Type of number             International
  Numbering plan identifier  E.164
Originating Address          44798021XXXX
Protocol Identifier          Default
Data Coding Scheme           GSM Default Alphabet
SC Timestamp                 10214201358500
  decoded                    01/12/24 10:53:58
  Time Zone                  GMT+0.00H
User Data Length             4C
  decimal                    76

This is an obvious question but worth asking anyway. Can you also confirm whether you used one single test examination computer or whether each SIM card reader was attached to different computers at the time data was 'extracted' and 'harvested' from the target SIM card?

Can you confirm whether the original text message/s were saved directly to the target SIM card or saved in the handset and then later saved to the target SIM card (eg in terms of Message Class 0, 1, 2 and 3)?

 
Posted : 09/05/2013 12:00 am
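The header template above is what a hand decode of the raw SIM record gives you, and that hand decode is also the hex-editor check Michael and Harlan recommend before trusting any one of the three tools. The following is an added example, not part of the original thread and not the code of UFED, XRY or SIMcon: a small Python decoder for one EF_SMS record (3GPP TS 51.011 record layout: status byte, service-centre address, then the TS 23.040 SMS-DELIVER TPDU). The record it parses is constructed for the example: both phone numbers are fictional (UK 07700 900xxx drama range), the service-centre timestamp is the one in the template above (2001-12-24 10:53:58 GMT), and the text is "Hello". It reports the same fields as the template plus the record status byte that decides "read" versus "unread", and it spells out two fields that are easy to misread from hex: TP-MMS is 1 when there are *no* more messages, and the time-zone octet is swapped-nibble BCD in quarter hours with a sign bit.

```python
"""Hand-decode one SIM EF_SMS record (TS 51.011 record layout, TS 23.040
SMS-DELIVER TPDU) so tool output can be checked against the raw bytes."""
from datetime import datetime, timedelta, timezone

# Basic GSM 03.38 default alphabet, index = 7-bit value. Escape-table
# characters (0x1B xx) are left as the ESC placeholder and not expanded.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

# TS 51.011 10.5.3: EF_SMS record status byte, bits 3..1 (bits 4..5 carry
# status-report detail for sent messages and are ignored here).
RECORD_STATUS = {0: "free", 1: "received, read", 3: "received, unread",
                 5: "sent", 7: "to be sent"}
TON = {0: "Unknown", 1: "International", 2: "National", 5: "Alphanumeric"}
NPI = {0: "Unknown", 1: "E.164"}


def semi_octets(data: bytes, ndigits: int) -> str:
    """Swapped-nibble BCD: byte 0x21 encodes the digits '1','2' in that order."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)
    return digits[:ndigits]


def decode_address(data: bytes, pos: int, length_in_digits: bool):
    """Decode an address field; returns (number, ton, npi, next_pos).
    TP-OA counts digits; the EF_SMS SMSC field counts octets after the length."""
    length, toa = data[pos], data[pos + 1]
    ndigits = length if length_in_digits else (length - 1) * 2
    nbytes = (ndigits + 1) // 2
    digits = semi_octets(data[pos + 2:pos + 2 + nbytes], ndigits).rstrip("F")
    ton, npi = (toa >> 4) & 0x07, toa & 0x0F
    number = ("+" if ton == 1 else "") + digits
    return number, TON.get(ton, hex(ton)), NPI.get(npi, hex(npi)), pos + 2 + nbytes


def decode_scts(ts: bytes) -> datetime:
    """TP-SCTS: 7 swapped-nibble octets yy mm dd hh mm ss tz. The zone is in
    quarter hours; bit 3 of the low nibble of the last octet is the sign.
    Two-digit years are assumed to be 2000-2099."""
    yy, mo, dd, hh, mi, ss = (int(semi_octets(ts[i:i + 1], 2)) for i in range(6))
    tz = ts[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = -1 if tz & 0x08 else 1
    return datetime(2000 + yy, mo, dd, hh, mi, ss,
                    tzinfo=timezone(timedelta(minutes=15 * quarters * sign)))


def unpack_7bit(ud: bytes, septets: int) -> str:
    """Unpack GSM 7-bit septets (TS 23.038 6.1.2.1.1); octet 0 holds the LSBs."""
    bits = int.from_bytes(ud, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def parse_ef_sms_record(record: bytes) -> dict:
    """Walk one 176-byte EF_SMS record holding an SMS-DELIVER and decode it."""
    status = record[0] & 0x07
    smsc, _, _, pos = decode_address(record, 1, length_in_digits=False)
    first = record[pos]                                   # TPDU first octet
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU (TP-MTI != 00)")
    oa, ton, npi, pos = decode_address(record, pos + 1, length_in_digits=True)
    pid, dcs = record[pos], record[pos + 1]
    scts = decode_scts(record[pos + 2:pos + 9])
    udl, ud = record[pos + 9], record[pos + 10:]
    alphabet = (dcs >> 2) & 0x03 if dcs < 0x40 else None  # general coding group only
    if alphabet == 0:                                     # GSM default, 7-bit packed
        text = unpack_7bit(ud[:(udl * 7 + 7) // 8], udl)
    elif alphabet == 2:                                   # UCS2
        text = ud[:udl].decode("utf-16-be")
    else:                                                 # 8-bit data or unhandled DCS
        text = ud[:udl].hex()
    return {
        "record_status": RECORD_STATUS.get(status, hex(status)),
        "smsc": smsc,
        "more_messages_to_send": not (first & 0x04),      # TP-MMS = 1 means *no* more
        "status_report_indication": bool(first & 0x20),
        "reply_path": bool(first & 0x80),
        "originating_address": oa, "type_of_number": ton, "numbering_plan": npi,
        "protocol_identifier": pid, "data_coding_scheme": dcs,
        "sc_timestamp": scts, "user_data_length": udl, "text": text,
    }


# Constructed sample record (not from the test report): status 0x03 = received,
# unread; SMSC +447700900000; SMS-DELIVER from +447700900123, service-centre
# time 2001-12-24 10:53:58 GMT, 7-bit text "Hello" (C8329BFD06); 0xFF padding.
SAMPLE_RECORD = bytes.fromhex(
    "03" "07 91 44 77 00 09 00 00"
    "04" "0C 91 44 77 00 09 10 32" "00" "00" "10 21 42 01 35 85 00"
    "05" "C8 32 9B FD 06"
).ljust(176, b"\xff")

if __name__ == "__main__":
    for field, value in parse_ef_sms_record(SAMPLE_RECORD).items():
        print(f"{field:28} {value}")
```

Run it against the bytes a raw EF_SMS dump gives you (record by record, 176 bytes each) and compare field by field with what each tool reports; a disagreement then points at a specific octet rather than at "the tool".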
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

If I may, and from what I can understand, you all are saying the same thing (including the OP).

I have some thoughts that I'd like to share, but I'm going to move this to another thread…

 
Posted : 09/05/2013 9:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have some thoughts that I'd like to share, but I'm going to move this to another thread…

Which is this one
http://www.forensicfocus.com/Forums/viewtopic/t=10579/
(just to keep things as together as possible)

jaclaz

 
Posted : 10/05/2013 2:11 am
Page 1 / 2