
Switch On, Update, Lose Evidence

(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Switch On, Update, Lose Evidence

The focus of this article relates to what can happen when switching on a mobile telephone and how data can change on a SIM Card. Essentially how a mobile telephone updates a SIM card relating to location data is down to how each make and model of mobile telephone has been programmed. When dealing with location data in SIM Cards it should not be assumed that every make/model updates location data immediately or within a prescribed period. Certain events trigger location update data and therefore it is important to determine on a case by case basis how a mobile telephone and its SIM card should be examined.

I have received several comments from different sources saying that they found location data was not updated when the mobile telephone was held within a shielded device or bag. This is fine, but it has been found that data can change in such environments and it is not the case that it was only a few times, but the fact that it happened at all can mean unilaterally ignoring that such an event (loss of data) might occur may mean losing vital evidence.

A best practice methodology has been outlined in the article for those that wish to follow it and the justification for using such a stated methodology.

http://trewmte.blogspot.com/2006/11/switch-on-update-lose-evidence.html

If you like these articles and they are of interest to Forensic Focus I have others that are available (below). Just drop a message into this thread at Forensic Focus and I shall post here.

- Master Password for Nokia Mobile Phones
- Deleted SMS Messages
- Cell Site Analysis Pt1

 
Posted : 30/01/2007 1:25 am
(@mindsmith)
Posts: 174
Estimable Member
 

Thanks for the post; I found the paper very interesting and informative.

One question though, as I am new to mobile forensics - is that although the mobile was switched on & location info updated; thereby meaning that the mobile has since changed since it was acquired; as only some data has changed & the rest of the data on SIM and handset has remained the same - what is the likelihood of the evidence obtained still being admissible under UK Law under such circumstances? Are there any precedents on this?

Thanks & Regards,

 
Posted : 30/01/2007 1:50 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

> Thanks for the post; I found the paper very interesting and informative.
>
> One question though, as I am new to mobile forensics - is that although the mobile was switched on & location info updated; thereby meaning that the mobile has since changed since it was acquired; as only some data has changed & the rest of the data on SIM and handset has remained the same - what is the likelihood of the evidence obtained still being admissible under UK Law under such circumstances? Are there any precedents on this?
>
> Thanks & Regards,

You ask a very good question. Under these circumstances a possible important track and trace data for investigation is lost - which was unnecessary at first instance. Evidentially speaking, the data in other elementary files (EF) may not have changed and on that basis the SIM data may be served as evidence. I do take your point the EF files for location data do not materially affect user data in other files in SIM.

The assumption here is the honesty of the examiner to mention up front the changes to location data etc - lest it be picked up by the defence.

The view in other, different cases may consider the location data is unimportant. However, do not think it ends there for whatever case is relevant.

It is likely, anyway, that the examiner's work would be scrutinised even more at court to see whether the examiner can show no other data has changed due to examination methodology. By way of illustration, say at the time not only the EFLOCI and EFBCCH files update, but an SMS text message sent three days before (device seizure) is received at the handset and stored in EFSMS in SIM. As is known the incoming stored message can overwrite previously deleted data, which may have been recoverable and could be vital to the defendant's case. The examiner could bluff and say nothing. However, with GSM there are ways of finding out when a message is received, so it would be better for the examiner to admit also to any SMS messages received during examination.

Finally, serving evidence does not automatically guarantee it is admissible, merely it is served and will be scrutinised. So we can only speculate how the Court might consider the evidence and which argument persuades it most.

Having said all that s133 Criminal Justice Act looks for 'original, part of an original or copy of an original no matter how many times removed' and providing the Court is satisfied by the evidence then the Court may allow its admissibility. Seeking confirmation of the data originality and genuineness (R .v. Robson 1972) is likely to be a pillar of the defence inquiries and to determine whether the handling of evidence caused corruption to evidence due to carelessness (R .v. Mahon 1988) would undermine fairness (s78 Police and Criminal Evidence Act 1984) at trial.

You could of course talk to a lawyer…(which I am not). I am only able to highlight cases etc having spent 20 years (this year 2007) dealing with wireless examination and evidence. I was commissioned back in 1998 by Dr David Bambridge Aston University to write on computer evidence, which resulted in my work "Admissibility of Computer Evidence in Criminal Proceedings". This too helped me get a handle how the law may consider technology evidence.

 
Posted : 30/01/2007 2:56 pm
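As an added illustration of the EFLOCI change discussed in the post above (example code, not part of either poster's message or of the linked article): the sketch decodes the 11-byte EF_LOCI record as laid out in GSM 11.11 and reports which fields differ between two reads of the same SIM, so an examiner can state exactly what changed. The two hex dumps and all function names are constructed for the example.

```python
from dataclasses import dataclass, asdict

# Location update status, bits b3..b1 of byte 11 (GSM 11.11, EF_LOCI)
STATUS = {0: "updated", 1: "not updated",
          2: "PLMN not allowed", 3: "location area not allowed"}

@dataclass(frozen=True)
class Loci:
    tmsi: str        # 4 bytes, shown as hex
    mcc: str         # mobile country code (BCD, nibble-swapped)
    mnc: str         # mobile network code (2 or 3 digits)
    lac: int         # location area code
    tmsi_time: int   # periodic location update timer byte
    status: str

def parse_ef_loci(raw: bytes) -> Loci:
    """Decode one EF_LOCI record: TMSI(4) | LAI(5) | TMSI TIME(1) | status(1)."""
    if len(raw) != 11:
        raise ValueError(f"EF_LOCI must be 11 bytes, got {len(raw)}")
    lai = raw[4:9]
    mcc = f"{lai[0] & 0x0F:X}{lai[0] >> 4:X}{lai[1] & 0x0F:X}"
    mnc = f"{lai[2] & 0x0F:X}{lai[2] >> 4:X}"
    third = lai[1] >> 4              # 0xF means a two-digit MNC
    if third != 0xF:
        mnc += f"{third:X}"
    return Loci(tmsi=raw[:4].hex().upper(), mcc=mcc, mnc=mnc,
                lac=int.from_bytes(lai[3:5], "big"),
                tmsi_time=raw[9],
                status=STATUS.get(raw[10] & 0x07, "reserved"))

def diff_loci(before: bytes, after: bytes) -> dict:
    """Return {field: (before, after)} for every decoded field that changed."""
    a, b = asdict(parse_ef_loci(before)), asdict(parse_ef_loci(after))
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed sample reads: the same SIM before and after an unshielded power-on.
BEFORE = bytes.fromhex("1A2B3C4D32F4510101FF00")
AFTER = bytes.fromhex("5E6F708132F4510202FF00")

if __name__ == "__main__":
    for field, (old, new) in diff_loci(BEFORE, AFTER).items():
        print(f"{field}: {old} -> {new}")
```
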
(@mindsmith)
Posts: 174
Estimable Member
 

Trewmte, excellent. Thanks for sharing your insight & experience on this subject. As in most cases I can see the defense trying to pick 'holes' in the examiner's evidence handling, verification, and chain of custody, before even attempting to try & discredit or dispute the evidence that has been presented.

I guess in view of everything at the very least the mobile should be switched off and only switched on again in a shielded environment, as it would solve any issues relating to some info changing but also; I guess from an anti-forensics perspective; a suspect could get someone (pre-arranged) to bombard their mobile number with a series of 'nonsense' SMS messages once they have been arrested, in an attempt to try to overwrite any previously deleted messages that may be incriminating, just a thought.

Thanks for the very informative matter & responses.

Regards,

 
Posted : 31/01/2007 1:00 pm