Greg, can you tell us a little bit about your background and how Trew & Co. came into being?
I had just completed an apprenticeship when I went to a consumer electronics show at the beginning of the 1980s…
At that time in the UK most customers of the GPO (General Post Office), which later went on to become British Telecom, used rotary dial telephones and some push button telephones were available too. On the whole, the supply and choice of phones in the UK was suboptimal in the 80s, with designs and colours that rather gave the impression of being production line manufactured.
Seeing the brilliant new choices for telecommunications devices on exhibitors’ stands I happened to mention, as an off-the-cuff comment, that I was interested in working with telephones. An exhibitor asked me if I could read a circuit diagram which I was able to do fairly easily as I was already required to do that as part of my apprenticeship. I read the circuit diagram and rather surprised the exhibitor, I think, when I observed that one of the diagrams used a spark-quench. I referred to the fact that there were similarities in circuits used on white goods speed modules to drain interference connected with back-emf.From that point on, I started to get part time work in Type Approvals of telecommunications devices in the UK until I could get sufficient work to work full time. The work dealt with telephone handsets at the outset but stretched to other products – cordless and cellular phones, fax machines, payphones and answering machines. Eventually I had a consultant engagement to assist Canon UK with a project to bring the first type approved facsimile machine (Canon 110) with handset to the UK marketplace.
A contract dispute solicitors firm working for Canon UK approached me back in 1987 and asked if I could assist them with a case, related to the lease purchase of fax machines, in which a customer disputed payment due to faulty goods. Discovering that coffee spilt onto the electronic boards at the rear of the machines or poor programming by the users meant the fax failure was customer induced and not due to goods of unmerchantible quality or goods not matching description obviously bode well for my start in forensic evidence!
Successes early on in this area of my work led to me using skills I had learned from Type Approvals for payphones and mobile phones for other legal cases that were offered to me. So I came into the field of forensics and evidence purely by chance and accident. I did not set out to academically build for a career in forensic science and I did not apply to join a forensic science organisation.
Trew & Co. developed in the early 1990s and continues today as the consolidation of a trading name based upon the various forensics and evidential work that I was undertaking. ‘Trew’ is in fact an acronym and stands for ‘Technical Response Expert Witness’.
What does your role involve? Can you describe a typical day?
My role typically involves dealing with the instructing party (solicitors), identifying the case alleged against their client/s and the client/s assertion that there is no case to answer. It equally requires identification of the technical elements in the case that either support or detract from the prosecution’s case. The range of mobile phone evidence covers everything from the seizure procedure right through to the evidential technical bundle containing ‘compilation’ documents the prosecution or their expert have prepared. My job, when it is for the defence, is to request ‘original’ evidence which avoids any issues related to the prosecution’s compilation interpretation of what they think the technical evidence means. When I work for the prosecution it is informing the investigating officer of evidence they can have and must get – something which sometimes leaves the officer totally overwhelmed because he/she had been led to believe none of the evidence existed. The range of data evidence can sometimes extend from SIM/USIM cards and handsets to radio network information and radio test measurements.
What do you feel are the greatest forensic challenges posed by mobile devices? How should these challenges be met?
a) Keeping up with the continual development and product changes, are two major factors that impose challenges.
b) Research is another area that continually pushes the boundaries of understanding in forensics.
c) Developing skillsets in order to understand the important distinction that forensic preparation & procedure and evidence acquisition are supposed to be partners, not competitors.
d) Forensic comprehension and analysis – they should be complementary, but invariably become separated.
I think forums provide very useful support but members can slip into the trap of being too heavily reliant upon them to provide free training; forums should only be the doorway to information dissemination, possibly leading to training, and should not be used as the alternative to proper training. Only this way will the challenges be met because:
i) It is reasonable for examiners not to expect the products they use to manage forensic processes and procedures when that is the responsibility of the examiner to make sure those tasks have been performed.
ii) It is reasonable for examiners not to expect the product manufacturers to tell them what to do when it is the examiner’s duty to understand their science in order to know whether or not a product is to be used and that it will perform the processes and procedures needed for the DUT (device under test) that are required.
iii) It is reasonable for examiners to be able to interpret the data acquired to know whether the data are corrupted or not.
We all face these challenges and we must all meet them head on.
Many members, particularly those in the UK, will have seen you interviewed on the BBC's Panorama program last year – how was that experience?
Unreal, in many ways. The dim light background and the halo of light on the walls behind me looked fairly sinister on television – in fact the lights were simply turned down in the recording cabin, an overhead light was placed above me and the halo of light was a standard lamp set behind Perspex! John Ware, the interviewer, nice guy, sat in darkness when asking questions, yet on the television you see his face and see him asking questions. His viewed questions were in fact re-recorded later on.
During my research, I did uncover aspects about GSM that I hadn’t appreciated before (when considering interception) – that discussion of a man-in-the-middle attack isn’t just about whether a fake base station is used for an attack. More importantly the capability for a man-in-the-middle attack to happen occurs because there is no requirement within the Standards mandating a mobile phone to authenticate that the Mast from which it receives or sends communications actually belongs to the operator. Apart from the network broadcast radio identities, there is no hard coded identity recorded into a mobile phone’s lookup table to specifically enable the mobile to corroborate that a particular Mast with which it is in communication is in fact a Mast that belongs to the subscriber’s network. Indeed, the network also does not broadcast an integer of information that a mobile phone could use to assess against a look up table regarding the physical Mast itself.
The above largely re-enforces my belief about GSM, and 3G for that matter, and that is the more you know the more you need to know. It is simply not enough to acquire data; you have to know what it is, why it is there and what it means.
I made it clear from the outset that my conclusions for the Panorama opinion were derived from documents and standards available in the public domain going back to 1993 and I gave my opinion, based upon those documents and standards I had read and my technical understanding of GSM, as to what all that information combined together meant to me in aggregate. It is important to stick with what you know and understand. Do not speculate. I think that is good advice, because as is known, a Government Inquiry took place following the programme and the conclusion from the Commissioner supported what I had stated about GSM and the possibility to intercept communications in 1998.
Over the past few years we've seen an increase in software solutions for mobile device forensics (either as part of an existing suite or as standalone packages). How do you rate the current offerings?
Comparing today’s software with the programs available in the 1990s and early 2000s, there has been a substantial improvement. I do think though that there is a tendency to add features that are superficial and time-limited, whereas other features that would be standard do not appear in some products.
For instance, some programs having read file headers for SMS text messages don’t distinguish between a message sent from a mobile phone and a message sent via the Internet. Or a status notification is not given to the examiner that they are about to acquire an unread SMS text message from the phone. But these issues are not the problem of the product manufacturers, in my view I think they have done quite to bring stability to retrieving data from mobile handset. The SIM/USIM software producers have equally done well.
However, the decision to implement some of the requested superficial features and the absence of features that are actually needed reflects the confused state of thinking in mobile telephone forensics and evidence today. I strongly believe that attending a training course with people who know what they are talking about is the only way to address these types of problems and properly prepare those wanting a career and vocation in this incredible branch of the forensic sciences.
As someone who is called upon to give evidence in court, how knowledgeable do you find both jurors and legal professionals with regard to computer forensics, and in particular mobile device forensics?
I think in this country we treat our Juries quite badly and do not give them the praise they deserve. I do not support the idea of losing our Juries. I must therefore qualify the former point with an illustration. In a criminal case I gave my evidence for the defence responding to the prosecution evidence. I was not there for the prosecution expert testimony and I hadn’t seen all the material given in the Jury bundle; a jury member asked a question. It was “could the mobile phone still handle mobile calls when it was locked?” After establishing that “locked” meant “key locked” I informed the court I had two responses to the question, which was No and Yes. You can imagine the look the Judge gave me!
A mobile phone that is key locked is designed that way to stop accidental calls, so answering ‘No’ was one limb of my reply. The second limb, ‘Yes’, was that it is equally possible, dependent upon make and model, for a user to receive a call and answer it with the key lock still on. So Juries, whilst they may not want to delve too deeply into the laws of physics, they do comprehend very well many issues which involve mobile phones. However, they do equally expect that the factual technical basis of the evidence should have already been corroborated in the material served to court. The latter point gives rise as why there can be so many challenges on the evidence at court.
With the legal profession it varies, not so much about the understanding of pushing keys on mobile telephones, but they are also exposed to the technical law of physics nitty-gritty as well. If a legal professional has had prior exposure to this s/he knows what to expect and can stockpile Gaviscon and Paracetamol for the onslaught ahead. As for the uninitiated legal professional? Well, it is all rather a bit of a shock, as you can imagine, when they find out the full colour report that looks like Vogue magazine that they have been given doesn’t equal accuracy. A picture may paint a thousands words, but if the painted words are not the right words in the first place, what’s the point?
On the whole I think the legal profession gets to grips with the technical side and do very well considering that in the same case they may have to also understand and deal with DNA, blood samples, footprints, fingerprints, weapons evidence etc.
A controversial question this one! How knowledgeable do you find "traditional" computer forensics practitioners when it comes to mobile forensics (e.g. mobile phone examination, cell site analysis, etc.)?
What an outrageous question, Jamie! Computer forensics has played a significant part and made a significant contribution to data recovery in the mobile phone evidence field. That contribution should not be undervalued. What we have to realise though is that having achieved, with great accomplishment, the recovery of the data, the task with mobile phone evidence doesn’t stop there but requires interpretation and opinion about the data. Some in the computer forensics arena seem to believe that a general guess as to the meaning of the data is acceptable. It is at this point where the cool, safe surroundings of the lab have to be disregarded by the computer forensics examiner, the reading devices get put away and the examiner now has to stand up and demonstrate what knowledge, skill and experience s/he really has when dealing with the meaning of mobile telephone data.
To illustrate the point, the computer examiner goes to court, her/his report already served. The question gets asked – you are an expert are you not in mobile telephone evidence? Two events usually take place:
y) The computer examiner states – No, I am not an expert in mobile telephone evidence, I specialise in data recovery in computer forensics, mobile devices have a computer and memory storage.
y1) Kerr-ching! Opens the door to questioning him/her, why then did the computer examiner state an opinion about the meaning of the mobile telephone data? Opinion evidence is for experts, not examiners.
z) Yes, I am an expert in mobile telephone evidence.
z1) Kerr-ching! Oh good, well perhaps you could help the court here by bringing your considerable experience to bear upon this matter and tell the court why you arrived at the opinion that the text message at Index Number 110 in the bundle was, according to you, “received on such and such a date sent from party B’s mobile number.”? Before you answer, would it also interest you to know I have a witness statement here from the person who actually sent the text message and he did not send it from the mobile phone number – it was spoofed and sent from a spoofing website by way of the Internet?
Importantly, recovered data is just one contributing technical element in the chain of elements used in convictions or acquittals that involves mobile telephone evidence, along with call records etc. It is though the interpretation of the data overall, once it is known that the data was acquired safely, that the court and jury are really seeking to know and the prime reason for being stood in the witness box.
Is the analysis of mobile devices a viable career in itself? What advice would you give to someone wishing to specialise in this field?
Yes, it is viable. Where it becomes non-viable is where people over-stretch themselves.
Get training first. Make sure those offering training are from a very experienced background. Make sure the training (which can be graduated in knowledge and skill over a number of modules or courses) actually gives you a strong foundation across all areas. If you are not sure about someone or a company offering training for mobile telephone evidence, then ask here at the Forensic Focus forum.
The training should also give you the foundation knowledge to know which products will give you the data you are seeking. None of the product manufacturers and/or their software promise to do everything for you. They rely on you to know what you want and what you are doing. Remember the old saying, “a bad craftsman always blames his tools”.
Understand what your obligations are to the client for whom you are undertaking the work. What rules/regulations govern the work that you are about to undertake? Know the standards and understand the requirements that influence or mandate how the mobile phone works, the evidence it produces, how it should be handled, how the data can be read or interpreted. Have good business terms and conditions. Also do not be pressurised into cutting your prices, because that leads to compromise in workmanship/workwomanship for time/materials.
What would you most like to see changed or improved in the field of mobile forensics?
Changed, I would like to see stopped the totally unnecessary dumbing-down of mobile phone evidence. Improved, I would like to see reports and statements that use less or remove completely the use of psychological babble to suggest accuracy and far more substantive technical evidence underpinned with reference to the Standards and Requirements, shown in reports/statements.
What is the most rewarding part of your job? What aspect do you find most challenging?
The most rewarding aspect for me is seeing my work achieve the right result, where it matters most, at court. Also, if my work can be useful for other examiners to follow then that is a good thing. I genuinely like to hear or read about other experts or examiners who have used the mobile phone standards or developed a methodology that worked in a case and shared the results. Equally, those who come to the mobile telephone forum here at Forensic Focus and show what they have discovered. I do learn from my professional colleagues, which is rewarding.
Challenging is keeping up with constant changes in technology and standards.
What are your plans for the future, both personally and professionally?
Becoming a millionaire by winning the big one on the lottery will do me fine! Other than that finalising the Mobile Telephone Forensic and Evidence degrees I’ve been creating; develop products that I think the forensic community would enjoy using; write a series of books extensively dealing with mobile telephone evidence.
What do you do to relax and unwind?
When I am not working or researching, my family are obviously important to me and are my main relaxing time. We get to see my grandson every week and spend lots of time together, which is brilliant. I am a footie fan and have supported Crystal Palace (Eagles) since 1968. Music I find very relaxing, closely followed by a good measure of Irish whiskey and a Cigar (from time to time).
Greg can be reached as follows: