MOBILE FORENSICS AN...
 
Notifications
Clear all

MOBILE FORENSICS AND EVIDENCE DEGREES/CHALLENGE

5 Posts
2 Users
0 Likes
596 Views
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

MOBILE FORENSICS AND EVIDENCE DEGREES BSc, MSc and PhD

The introduction of academic qualifications (at the levels of BSc, MSc and PhD) in the forensic analysis of mobile devices is, in my opinion, long overdue. The issues presented by wireless technologies are sufficiently different from those related to "traditional" computer forensics that I strongly feel the time has come to address them in greater depth than the forensics community has done to date.

A Bit of Background
Mobile telephone forensics and evidence has not developed overnight but has been developing from the earliest building blocks of scientific discovery back in the nineteenth century. Below are some of the historical developments from which mobile communications has roots in scientific history

- 1868 James Clerk Maxwell postulates EM wave phenomenon ethereal wind theory
- 1886 Heinrich Rudolf Hertz establishes proof of EM wave (Hertz cycle)
- 1893 - Gugliemo Marconi first use of wireless and first patent of wireless communications
- 1905 Reginald Fessenden first transmission of speech and music via a wireless link
- 1908 Nathan B. Stubblefield invented and patented the first mobile telephone 100-years ago
etc
etc

Of course, those who see the above as relevant to devices that took advantage of a waveform that is analogue by nature should not overlook mobile telephones' use of digital waveform that has roots, too, in scientific history going back to the early nineteenth century - to the work of French physicist Jean Baptiste Joseph Fourier and the method known as Fourier Synthesis and Measurement that was named after him. His method showed mathematically that “any periodic waveform could be represented as the sum of sine waves with the appropriate maximum amplitudes, frequencies, and phases” (Noll(4)284-ch04). This gave birth to the notion of sine wave being squared off and introduced the notion of Square Wave.


Fourier's Theorem - Image 1

Fourier’s foundation theorem, set out in Fourier series, was a masterpiece of mathematical calculation but contained a small flaw and that was the square was not perfect at the edges - as first observed by Wilbraham in 1848 as “bumps” at the edges creating a square shape with non-uniformity. Albert Michelson (in 1898) built a machine that calculated Fourier’s coefficients and from his re-synthesized results noted “….wiggles around the discontinuities appeared, and even as the number of Fourier coefficients approached infinity, the wiggles never disappeared” (Radaelli-Sanchez; Baraniuk).

In 1899, the phenomenon was first explained by J Willard Gibbs who went on to demonstrate in his mathematical calculations that, in effect, the square wasn’t square at the edges, so to speak, and subsequently his extrapolation of the problem came to be known as Gibbs Phenomenon. The phenomenon can be removed with the Lanczos sigma factor.


Lanczos sigma factor applied Image 2

There is more to the intriguing discovery above, but for now, if you haven’t guessed, the purpose of discussing square wave is that it is the waveform that can be used to represent positive polarity and negative polarity which can be presented in another format called binary ones (1) and zeros (0). Binary is a basic building block which is used in digital signalling and communications. The GSM mobile telephone system is a fully digital mobile communication system. Digital signalling and communications are used in GSM handsets and SIM cards.

So we can see the link between mobile devices having roots in scientific history, but how does that correlate to digital mobile telephone forensics and evidence today? Well, forensically we need to understand digital communications sent by and received at the handset by understanding the ‘radio DNA bracelet’ and any discovery that can be made from it leading to evidence. Of equal importance is how an examiner gets to this information that provides the building blocks of mobile telephone forensic evidence. Furthermore, we need to know how digital communications occur in the handset and SIM card, as well as how to examine the devices to understand the various formats and coding schemes used for data that are stored, in order to appreciate, once decoded or decrypted, what the content yields as evidence.

Policies, practices and procedures combined with examination tools are needed to obtain the evidence above. Some are being developed and some have been developed. I had raised spirits recently when Paul Sanderson of Sanderson Forensics launched his RevEnge and PMExplorer tools, designed to decode and extrapolate the data imaged from particular mobile phones. These tools make the examiner (in an educational way) explore the raw data, define its format and type, and corroborate the information that the data reveals to determine, if the same data were to be read through a mobile phone, would the data be identical?

Those of you who know me know that I worked with Quantaq Solutions' USIM Detective (my details should still be in the help file in USIM Detective) to include forensic aspects to the software and enable analysis of the raw image from GSM and USIM cards, which has proven itself to good effect.

I have been quietly partnering with radio test measurement manufacturer Anite (UK division), who produce Nemo Handy, with the specific aims and objectives to produce a 'de facto' standard for cell site analysis. That is because mobile telephones are predominantly wireless telecommunication devices and covered by primary legislation in the UK (e.g. Wireless Telegraphy Act, Telecommunications Act, Communications Act etc). Indeed wireless devices also come under Regulations such as, Telecommunications Terminal Equipment (TTE) Regulations and Radio and Telecommunications Terminal Equipment (R&TTE) Regulations etc. And as important are the technical standards containing mandatory requirements.

So where is this taking all of us in our branch of forensic science? It is taking us towards what I believe are needed and that is BSc, MSc and PhD degrees in Mobile Forensics and Evidence. We should have had these four years ago but have been held back, but the time is now right for degrees specific to our area of work. Importantly, those who have completed modules in Computer Forensic (BSc and MSc) degrees can use those module passes as credits towards one of these Mobile Forensics and Evidence degrees. The feedback from several Universities I have spoken to so far, in the UK, has been positive. It is appreciated QAA will be required for the degrees, showing that the foundation is right and that the Universities can deliver the training.

TEST YOUR SKILLS
Do you think you could have sufficient knowledge and experience to undertake a degree in this area? To see whether you think you could undertake a Mobile Forensics and Evidence degree at BSc level have a look at the diagram below. It provides a representation of a model about establishing not only past mobile telephone usage but also looking to determine, as far as possible (in time and space), what evidence can be determined about future usage too.

Primer
(C now) = Point in time and Space (which is a constant reference point) in the present tense when the examiner is contacted for an investigation and which the examiner uses to look back at the past and into the future regarding mobile telephone evidence.

(T) = Time is the timeline, limited by how far the examiner can see into the past and future based upon discovery.

(S) = Space is the space line that is used as a constant reference point from which all other events occurring in space can be considered based upon discovery (seizure of device, chain of custody of an exhibit etc)

(F) = Future relates to things that have yet to happen (future events). This is based upon things that may be discovered from the time the examiner is contacted

(F d) = F d represents, as far as possible, thus not set to a specific period of time, how far into the future the examiner can identify events beyond which no further discovery is possible.

(PU usage) = Past User usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)

(PR usage) = Past Record usage (below Blue line represents past recorded events, and below the red dotted line events unfolding during and after investigation)


Smith Diag 1

The proposition in the diagram above (Smith Diag 1) is intended to represent by use of visualization how mobile telephone usage can be investigated. The diagram tests your powers of observation and, more importantly, your depth of knowledge. Do not be fooled by what you believe to be my poor graphics skills! I deliberately intended that (PU usage) area to be shown larger than the (PR usage) area in order to suggest more data may be found in the mobile telephone than may be obtained from the network records. That is because not all activity on a mobile telephone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records therefore issues associated with cell site analysis also need to be considered. It does not automatically follow there will be parity between data obtained from the mobile telephone and the network records and vice versa. The diagram below (Smith Diag 2) represents a number of data elements commonly considered during an investigation.


Smith Diag 2

The third diagram (Smith Diag 3) uses the classic representation of Time (T) and Space (S). Use of a Time line may be obvious but the Space line may not be so obvious. The point of using Space is as a determinate for e.g. the seized exhibit in the examiner's possession. Let's say the examiner receives the mobile telephone exhibit on the 30th March 2008 at 3.00pm. The exhibit was seized 10th March 2008 at 11.00am. So, the examiner has two facts to work with (a) the exhibit in the laboratory (in time and space) and (b) the exhibit seized at a location from premises or person (in time and space).

So at the point the examiner has initial Contact (C now) with the exhibit, which is a constant reference point, past events can now start to be determined. By way of illustration, following examination let’s say the examiner finds that the data recovered from the device reveals activity not connected with Space where the mobile telephone was seized at (b). Space would therefore be highly relevant, because (i) the examiner would need to demonstrate that as a fact and (ii) to demonstrate the separation in Space between each of the locations (a) laboratory, (b) the seizure, and the intervening factor between (a) and (b). This may be supported, for instance, by the last location and frequency details stored on the SIM card or maybe the handset has GPS or one of the newer mapping systems (Nokia Maps etc) that might be set to automatic logging.


Smith Diag 3

A visualization of this discussion is represented in the diagram above. To distinguish the two events Space lines have been added representing seizure (dashed Black line) and intervening event (dashed Orange line), to the already existing (C now) constant Space line.

So the general discussion above should assist in understanding how the model works with past events. But what may be possible to determine in the future, as far as possible, in Time and Space, has not been discussed at all. That question is for the Test that has been set at the end of this discussion.

Some points to remember. Not all activity on a mobile phone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records therefore cell site analysis should not be excluded when you are considering this model. It does not automatically follow there will be parity between data obtained from the mobile telephone and the network records and vice versa. Do remember a mobile telephone is a common term; Mobile Station (MS) is the correct term, meaning a GSM mobile equipment (ME) and SIM card operating together or 3G* Universal Equipment (UE) and USIM card operating together. *In some countries 3G means that the UE and USIM card, as WCDMA devices, may be profiled also with a chipset/module to work in a GSM radio environment.

Finally, do remember to look carefully at the diagram as your powers of observation are also being tested.

The Test
This test is open to individuals, companies, forensic firms and University students.

Discuss, supported by equations if necessary, to either prove or disprove whether the model is correct at first instance.

If you do not believe the Diagram is correct then submit a diagram that you have designed to represent past and future mobile telephone usage.

Identify, using the above diagram, what events in Time and Space you think an examiner might be able to determine about future usage of a handset and SIM card following examination of them. It may assist if I provide some clues when discussing future events.

- Remember that radio signals travel at the speed of light and you may wish to consider whether a 2W mobile telephone or less than 2W could generate radio signals propagated at that speed
- International time zones vis-à-vis international boundaries
- Proactive SIM
- Calendar/Alarm
- Battery
- Subscription
- Also, think along the lines of kidnap cases and death cases

The correct responses that have been emailed to me in acrobat .pdf format will be published at my blog and at Forensic Focus. Please remember to identify who you are in your document so that the author gets recognition for their work. The Test closes soon. From your submitted paper to me, which will be reviewed by a Board of Assessors, you will be able to know from your marked paper whether you have a sufficient skillset to undertake a BSc Mobile Forensics and Evidence degree.

Good luck.

 
Posted : 18/01/2009 8:00 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

I have received a question about the Degrees and whether there is sufficient educational material for them.

Q Is there 10 years worth of educational material for a Degree?

A Yes, I have been dealing with GSM for over 15 years and I have reference material and standards going back to 1991 and books that discuss GSM going back to 1988. There are, at mimimum, 100 academic books on GSM. If a starting point for the Degrees were needed then I would probably suggest 1992 as the best reference point to start.

With reference to GSM Standards, there are over a million pages of standards. For instance for GSM there are standards that originate from GSM Phase 1 (1991-1995), GSM Phase 2 (1995 onwards), GSM Phase 2+ (known as Releases R96, R97, R98 etc). To give an illustration how GSM is still going strong, the latest GSM 11.11 standard for SIM cards was published in June 2007.

 
Posted : 20/01/2009 3:47 pm
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

Pleaes note The Test closes 27th March 2009.

 
Posted : 19/02/2009 8:35 pm
(@ivalen)
Posts: 30
Eminent Member
 

Er great wall of text? I'm sure I can learn in a week everything I need to know about the practical side of mobile phone forensics. Everything else comes from experience. Not sure of the value of an entire degree on the forensic analysis of mobile phones; not all electronic devices, but just phones, and then not how phones are made, but the forensic analysis of it.

How long does the degree last? Why does everything have to have a theoretical model behind it?

 
Posted : 23/02/2009 4:34 am
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

I'm sure I can learn in a week everything I need to know about the practical side of mobile phone forensics.

Ivalen, I am saying this with good intentions.

That is a very bold statement you have made. How courageous. I admire your confidence. I am not convinced though you could learn "everything I need to know" in the time frame you specify. For instance, the SIM PIN challenge which had been running for 6 weeks and has a fair degree of practical associated with it.

http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3349

You could have picked up the standards and conducted practical SIM tests by now. What did you learn from that?

What about the various mobile phone power supplies (batteries, chargers, connectors etc) - I assume you already know that using a power supply wasn't just about buying one off the shelf and plugging it in?

What about 5-volt, 3-volt or 1.8-volt SIM Card technology and their practical application and uses?

So just three issues out of the many you need to know….

Why does everything have to have a theoretical model behind it?

Not everything has a theoretical model behind it with mobile telephone forensics and evidence. Theoretical models are used from time to time to test your analytical and practical skillsets that you would need to put into practise/practice in order to provide the responses to the Test. I am not testing you, it is you, the reader, testing yourself. And what better motivation could you have. The work you do and submit can assist others to form a view that someone may lose their liberty, home, marriage and children. I am sure a shivver must run down your spine if you thought poor forensic standards and evidence helped bang up your mum or dad, brother, sister, wife or partner, your child.

The model used here is so that you can show your skillsets to an audience Worldwide looking at Forensic Focus.

 
Posted : 23/02/2009 3:40 pm
Share: