Transcript of Jonathan Clark MBE
FS 74524 ISO 9001
Jonathan Clark MBE
Advanced Cell (Mobile) Phone Forensics
Mobile Phone Forensics
GPS, PDAs & Hi-Tech Devices
Cell Site Analysis & Expert Witness Services
Computer Forensics
Training Services
HEX Extraction & Translation
Agenda
• Services and capability – service enhancements.
• Specialist abilities - updates
• Managing the data
• New for 2008
About F.T.S.
FTS Ltd.:
• Founded in 2000
• 80 Employees
• 12 Cell Site engineers
• 36 Examiners
• 7 R&D Staff
• 5 UK Forensic Labs
• 3 International Offices/Labs
Customers:
• UK Law Enforcement.
• Customs & Excise
• Internal Security
• Legal Services
• Corporate Services
• International Clients.
About F.T.S.
• 6 UK Forensic Labs
• 26,000+ phones per annum
• 200+ cell site analyses per annum
• STA System implemented over the whole UK
• Free advice from experienced ex-investigators with telecoms training, backed by technical resources.
Mobile Phone Forensics
“BASELINE” Evidence
Phone Data, Call Registers & SMS
MSISDN, Make, Model, IMEI, SIM S/N, IMSI
Last Numbers Dialled (handset)
Last numbers Received (handset)
Missed calls (handset)
Phone Book Contact Numbers (handset)
Time & Date of Last Numbers Dialled
Time & Date of Last numbers Received
Time & Date of Missed calls
Text Messages stored on handset
Calendar data stored on handset
Picture messages (SMS)
“Enhanced” Level Evidence
WAP URLs
To do reminders
Audio clips
Voice memos
Images associated with ADNs (Abbreviated Dialling Numbers)
Emails
Word documents
FAX
Pictures and photo messaging (MMS)
Personal information management
Video Clips
Service profiles
Where is the evidence?
• Three memory areas:
• Memory microchip (32MB typical)
• SIM card (64KB typical)
• Memory card (64MB typical)
“Logical” Handset Examination
• We have a SIM with no PIN Lock
• We have a SIM with PUK code from provider.
• There is no Handset PIN lock active.
• The handset is working.
LOGICAL: describes a normal examination. We can extract the data through the phone normally, using a set of various software tools and techniques.
• It is the fastest (cheapest) way to examine a phone.
• It is the best way for 80% - 90% of all examinations
• It will not reveal deleted data.
Smoking Gun Evidence: does not happen often, but is difficult to argue against.
What about the other 10 to 20%?
• What if there is NO SIM at all?
• What if the handset is PIN locked?
• What if the handset is damaged?
• What if you KNOW there is deleted important EVIDENCE?
Before we said:
Logical Examination of Mobile Phone & SIM
SIM Card Reading
2G – 2.5G (Dual Tech) – 3G
Enhanced SIM Reading Technology
SIM Reading & Cloning
• FTS has developed in-house software for SIM reading & cloning.
• The 3rd party readers were not extracting all the data.
• FTS wanted complete forensic evidence including enhanced data.
• SIM cloning is extremely important in phone forensics:
• 1. It replaces jammers and allows radio-dead examinations.
• 2. It gives FTS the unique capability to examine certain locked devices.
Standard vs FTS Enhanced Read

Provided by both the standard read and the FTS enhanced read:
• ICCID [even if PIN locked] & SIM S/N
• Service provider & preferred list [SIM card]
• Last dialled numbers [SIM card]
• Fixed dialled numbers [SIM card]
• Text messages & deleted SMS [SIM card]
• Phone book / speed dials [SIM card]

FTS enhanced read only:
• Phone book - long number support for all fields
• 3G phone book - additional numbers (Home, Mobile, Work etc.) [SIM card]
• 3G phone book - e-mail address and contact categories (Friend / Family / Work) [SIM card]
• Full support of all Unicode characters: Chinese, Japanese, Russian, Polish, Arabic, Greek etc.
• Support for decoding the EURO € symbol and extended character set
• Full LAC (Location Area Code) support - 2G (3G where possible) and GPRS
• Roaming network list - indicates connections to networks outside the USA [SIM card]
• Last IMEI (some SIM cards only)
• SMS text message - validity period (outgoing messages only)
• SMS text message - concatenated message (indicates a long message sent over several texts)
• SMS text message - names in receiver's number area
• Virtual operator indication (Virgin Mobile on the T-Mobile backbone, for example)

Marks on the slide distinguish data currently provided from additional data to be supplied from February 2008.
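The "Text messages & deleted SMS [SIM card]" row above depends on how SMS are stored on a SIM: EF_SMS (file 6F3C) holds fixed 176-byte records, and deleting a message normally only zeroes the status byte, leaving the TPDU bytes in place until the slot is reused. The following is an added example, not FTS's reader software, showing a "standard" read that skips status-0x00 records beside an "enhanced" read that decodes them; the three records are constructed (UK drama-range numbers), laid out per 3GPP TS 51.011 (EF_SMS) and TS 23.040 (SMS-DELIVER TPDU), and the GSM 7-bit alphabet table is partial.

```python
"""Parse SIM EF_SMS (6F3C) records, including slots whose status byte was
zeroed by a delete but whose TPDU bytes remain.  Added example, not FTS code;
the records below are constructed."""

RECORD_LEN = 176
STATUS = {0x00: "free/deleted", 0x01: "received, read", 0x03: "received, unread",
          0x05: "sent", 0x07: "to be sent"}


def _record(status: int, tpdu_hex: str) -> bytes:
    body = bytes.fromhex(tpdu_hex)
    return bytes([status]) + body + b"\xff" * (RECORD_LEN - 1 - len(body))


EF_SMS = (
    # record 1: read message, SMSC +447700900123, from +447700900456, "hellohello"
    _record(0x01, "0791447700091032" "04" "0C91447700094065" "0000"
                  "80204190035100" "0A" "E8329BFD4697D9EC37"),
    # record 2: status zeroed by a delete, TPDU bytes left in place, "Call me"
    _record(0x00, "0791447700091032" "04" "0C91447700097098" "0000"
                  "80205181502400" "07" "C3309B0D6A9701"),
    # record 3: genuinely empty slot (all 0xFF)
    _record(0x00, ""),
)

# Partial GSM 03.38 default alphabet: positions that differ from ASCII.
GSM7_SPECIAL = {0x00: "@", 0x01: "£", 0x02: "$", 0x03: "¥", 0x11: "_", 0x24: "¤",
                0x40: "¡", 0x5B: "Ä", 0x5C: "Ö", 0x5D: "Ñ", 0x5E: "Ü", 0x5F: "§",
                0x60: "¿", 0x7B: "ä", 0x7C: "ö", 0x7D: "ñ", 0x7E: "ü", 0x7F: "à"}


def swap_bcd(raw: bytes) -> str:
    """Nibble-swapped BCD digits; 'F' is padding."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).replace("F", "")


def decode_address(buf: bytes, pos: int, length_in_digits: bool):
    """TP-OA (length = digit count) or SMSC (length = bytes incl. TOA) field."""
    n = buf[pos]
    if not length_in_digits and n == 0:         # no SMSC address present
        return "", pos + 1
    toa = buf[pos + 1]
    nbytes = (n + 1) // 2 if length_in_digits else n - 1
    digits = swap_bcd(buf[pos + 2:pos + 2 + nbytes])
    if length_in_digits:
        digits = digits[:n]
    if toa & 0x70 == 0x10:                      # type of number: international
        digits = "+" + digits
    return digits, pos + 2 + nbytes


def decode_scts(raw: bytes) -> str:
    """TP-SCTS: YY MM DD hh mm ss tz, each swapped BCD; tz in quarter hours."""
    y, mo, d, h, mi, s = (int(f"{b & 0x0F}{b >> 4}") for b in raw[:6])
    tz = raw[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = "-" if tz & 0x08 else "+"
    return (f"20{y:02d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d} "
            f"{sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}")


def unpack_7bit(data: bytes, septets: int) -> list:
    """Unpack GSM 7-bit septets packed LSB-first across octets."""
    out, bits, nbits = [], 0, 0
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
        if len(out) == septets:
            break
    return out


def gsm7_to_text(septets) -> str:
    return "".join(GSM7_SPECIAL.get(s, chr(s) if 0x20 <= s <= 0x7A or s in (0x0A, 0x0D) else "?")
                   for s in septets)


def parse_record(rec: bytes):
    """Decode one EF_SMS record as SMS-DELIVER; None if the slot holds no TPDU."""
    status, tpdu = rec[0], rec[1:]
    if tpdu[0] == 0xFF:
        return None
    smsc, pos = decode_address(tpdu, 0, length_in_digits=False)
    first = tpdu[pos]
    pos += 1
    if first & 0x03 != 0x00:                    # TP-MTI other than SMS-DELIVER
        return {"status": STATUS.get(status, hex(status)), "deleted": status == 0x00,
                "note": "not an SMS-DELIVER TPDU"}
    sender, pos = decode_address(tpdu, pos, length_in_digits=True)
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2
    when = decode_scts(tpdu[pos:pos + 7])
    pos += 7
    udl = tpdu[pos]
    pos += 1
    if dcs & 0x0C == 0x00:                      # GSM 7-bit default alphabet
        text = gsm7_to_text(unpack_7bit(tpdu[pos:], udl))
    elif dcs & 0x0C == 0x08:                    # UCS-2
        text = tpdu[pos:pos + udl].decode("utf-16-be")
    else:                                       # 8-bit data: leave as hex
        text = tpdu[pos:pos + udl].hex()
    return {"status": STATUS.get(status, hex(status)), "deleted": status == 0x00,
            "smsc": smsc, "sender": sender, "timestamp": when, "text": text}


def read_ef_sms(records, include_deleted: bool) -> list:
    """Standard read skips status 0x00 slots; enhanced read decodes them too."""
    out = []
    for n, rec in enumerate(records, 1):
        if rec[0] == 0x00 and not include_deleted:
            continue
        msg = parse_record(rec)
        if msg is not None:
            msg["record"] = n
            out.append(msg)
    return out


if __name__ == "__main__":
    for msg in read_ef_sms(EF_SMS, include_deleted=True):
        print(msg)
```

The empty third slot shows the caveat: a status of 0x00 only means "free", so the enhanced read must still check for a real TPDU rather than report every zeroed slot as a recovered message.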
SIM Card Cloning
Full SIM Imaging read.
Full data clone with Radio Data removed.
SIM Cloning
• NIST recommends the use of Cloned SIMs to deny the device access to network during
examination.
• SIM Clones represent the most robust way to ensure denial of service, but you have to do
them well.
Making sure a clone is a clone…
• FTS supports 2 types of SIM reading:
• Evidential read, which extracts specific fields.
• Clone read, which extracts almost everything!
• The clone read includes null data files in case they are read by the handset.
• A clone read also represents a full forensic image and is used when a long-term record is required.
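The SIM reading and cloning slides above describe copying the identity data a handset expects to find while stripping the radio state. The following is an added example, not FTS's in-house software, that decodes the elementary files a reader pulls (EF_ICCID, EF_IMSI, EF_LOCI) and derives the file set for such a clone. The EF contents are constructed and laid out per 3GPP TS 51.011; what "radio data removed" means in practice is an assumption stated in the code (TMSI and location-update status reset, home PLMN written to the forbidden-PLMN list). Ki is never readable from a SIM, so a clone cannot pass network authentication regardless.

```python
"""Decode SIM elementary files and derive a radio-dead clone file set.
Added example, not FTS code; EF contents are constructed."""

# Constructed EF contents (hex).  A real reader fetches these with SELECT /
# READ BINARY APDUs over a PC/SC smart-card interface.
EF_ICCID = bytes.fromhex("984411002143658709f1")    # 2FE2: 10 bytes, swapped BCD
EF_IMSI = bytes.fromhex("082943512143658709")       # 6F07: length byte + 8 bytes
EF_LOCI = bytes.fromhex("1234567832f4511a2bff00")   # 6F7E: TMSI|LAI|TMSI TIME|status
SIM_FILES = {"EF_ICCID": EF_ICCID, "EF_IMSI": EF_IMSI, "EF_LOCI": EF_LOCI}

LU_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
             3: "location area not allowed"}


def swap_bcd(raw: bytes) -> str:
    """Nibble-swapped BCD: low nibble is the first digit; 'F' pads unused nibbles."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).replace("F", "")


def decode_iccid(ef: bytes) -> str:
    return swap_bcd(ef)


def decode_imsi(ef: bytes) -> str:
    """Byte 1 = length; then TS 24.008 mobile identity: parity nibble + digits."""
    body = ef[1:1 + ef[0]]
    odd = bool(body[0] & 0x08)          # bit 4 of the first byte: odd digit count
    digits = f"{body[0] >> 4:X}" + swap_bcd(body[1:])
    if (len(digits) % 2 == 1) != odd:
        raise ValueError("IMSI parity bit disagrees with digit count")
    return digits


def decode_loci(ef: bytes) -> dict:
    """TMSI (4) | LAI: MCC/MNC (3) + LAC (2) | TMSI TIME (1) | LU status (1)."""
    lai = ef[4:9]
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    if lai[1] >> 4 != 0xF:              # three-digit MNC
        mnc += str(lai[1] >> 4)
    return {
        "tmsi": ef[0:4].hex().upper(),
        "mcc": mcc,
        "mnc": mnc,
        "lac": int.from_bytes(lai[3:5], "big"),
        "status": LU_STATUS.get(ef[10] & 0x07, "reserved"),
    }


def make_clone(files: dict) -> dict:
    """Assumed clone recipe: identity files copied verbatim so the handset
    accepts the card as its own; TMSI and location-update status reset; home
    PLMN written to EF_FPLMN (6F7B, forbidden PLMN list, 4 slots of 3 bytes)
    so the handset does not attempt to register on it."""
    clone = dict(files)
    loci = bytearray(files["EF_LOCI"])
    loci[0:4] = b"\xff\xff\xff\xff"     # TMSI erased
    loci[9] = 0xFF                      # TMSI TIME
    loci[10] = 0x01                     # location update status: not updated
    clone["EF_LOCI"] = bytes(loci)
    home_plmn = files["EF_LOCI"][4:7]   # MCC/MNC bytes of the stored LAI
    clone["EF_FPLMN"] = home_plmn + b"\xff" * 9
    return clone


if __name__ == "__main__":
    print("ICCID", decode_iccid(EF_ICCID))
    print("IMSI ", decode_imsi(EF_IMSI))
    print("LOCI ", decode_loci(EF_LOCI))
    print("clone LOCI", decode_loci(make_clone(SIM_FILES)["EF_LOCI"]))
```

A clone read in the slides' sense would copy every readable file, including empty ones; this example only shows the handful whose encoding an examiner most often has to interpret by hand.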
HEX Data Translation.
Not a LOGICAL Mobile Phone Examination
When To Use FTS Hex?
It works where other techniques fail:
• Phones with PIN-locked SIM cards
• Phones with the security lock set
• Phones without a SIM card (inserting a different SIM may cause loss of data)
• On damaged or broken phones (by smashing, water or fire)
• To recover deleted evidence
• Where SIM cards have been swapped
What Evidence Can Be Recovered?
• Phonebook
• Call register
• Handset locks
• IMSI/SIM serial numbers
• SMS
• Pictures
• Video & audio
• Calendar entries
• To-do list
• Other data e.g. email
In most cases… ALL of these data types can be recovered if deleted.
BASELINE DATA and IMAGES…
[Diagram: Handset Memory Extraction - HEX dump. Chip → Software → Binary File → Interpreter → Report, shown alongside the Logical route.]
How do Criminals Damage Phones?
• Burning
• Water: saltwater, freshwater
• Chemicals
• Mud
• Physical: snapping the phone in half, smashing, breaking the SIM
• Accidental
Is HEX Translation Successful?
• YES
• We have designed dedicated readers for Motorola & Samsung as well as using other readers.
• We are adding 10 to 30 phones to our supported phone list every 3 months.
• This evidence is being used to prosecute criminals and elicits regular guilty pleas (the cheapest type of prosecution).
The final resort…
• When a logical examination is not possible…
• When the phone cannot be HEX read.
• When the phone is so damaged the PCB is broken.
• Then we remove the MEMORY CHIP!
• We read the CHIP directly & translate.
Removal of Memory Chips
[Image: BGA chip, ~1 mm]
• We have developed the facilities to remove and read Ball Grid Array (BGA) memory chips from mobile phones.
• BGA is a very small package technology used in the manufacture of mobile phones and electronics.
• This is the latest development in mobile phone forensic technology.
Is CHIP reading successful?
• Mainly… YES!
• We are researching how to repair the chip connectors to increase readability.
• If we can make a connection we can read the chip.
• If we read the chip then we can nearly always provide some evidence.
• It is expensive and only used in extreme cases: Terrorism, Multiple Murder, Drugs & Cartels
Do we only examine Mobiles?
PDA BlackBerry
GPS (TomTom)
Hi-Tech Devices
PDA & BLACKBERRY
Main use is e-mail & organisation:
• Use complex operating system.
• Combine internal & high capacity external RAM
• Mobile Phone capability varies.
• Require Hybrid techniques to extract data.
• 1st Computer Forensic Techniques
• 2nd Mobile Phone Techniques
• 3rd Direct Memory Reads
GPS Systems
New area of Forensics – very few tools
• > 2 million units per year
• Market is growing 50 to 100% / year
• Individuals – tracking movement boats / cars
• Smuggling – complex routes on sea & land
• Fleet & asset management – Illegal use / theft
Allows the tracking of crime between different areas of the UK
FTS is developing direct reading techniques to allow detailed data extraction from GPS devices & receivers.
Managing the Data - Casework
[Diagram: Casework. Inputs from 3rd party media tools, 3rd party handset tools, FTS tools and HEX tools feed an Interpreter, which produces FTS RAW data in a standardized reporting format (HTML/XML) for case work and management. Exhibits handling and continuity, and examination timing & turnaround, sit alongside the flow.]
Managing the Data – Analytical Tool
• Casework creates a standard data format.
• Very few complex cases involve only one phone.
• One principal use is association / attribution.
• The Analytical Tool collates multiple exhibit data sets and automatically shows associations and linked data between exhibits.
Solution – Benefits
• Automated process (time efficient)
• Consistent and reliable
• Reveals links between data items
• Searchable for specific data e.g. phone numbers
• Capable of handling high data volumes
FTS Analysis – Stage 1
• Database files are imported from multiple cases.
FTS Analysis – Stage 2
• Data displayed in tabular format
FTS Analysis – Stage 3
• Links checked across all exhibits
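The three analysis stages above (import per-exhibit data, tabulate, check links across exhibits) come down to normalising phone numbers and indexing where each one appears. The following is an added example, not FTS's Analytical Tool, that does the association and attribution step on three constructed exhibits (exhibit references, names and UK drama-range numbers are all invented); the UK country-code default in normalise() is an assumption.

```python
"""Collate extractions from several exhibits and surface the numbers that
link them.  Added example, not FTS code; exhibit data is constructed."""
from collections import defaultdict
import re

EXHIBITS = {
    "JC/1": {"phonebook": {"Dave": "07700 900123", "Mum": "07700 900999"},
             "calls": ["+447700900123", "07700 900456"],
             "sms": ["+447700900456"]},
    "JC/2": {"phonebook": {"D": "+44 7700 900123"},
             "calls": ["07700 900789"],
             "sms": []},
    "JC/3": {"phonebook": {},
             "calls": ["0044 7700 900789", "07700 900456"],
             "sms": []},
}


def normalise(number: str, default_cc: str = "44") -> str:
    """Reduce '07700 900123', '+447700900123' and '0044 ...' to one digit string.
    default_cc is an assumption (UK casework)."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return digits


def build_index(exhibits: dict) -> dict:
    """number -> exhibit -> set of places the number was found."""
    index = defaultdict(lambda: defaultdict(set))
    for ex, data in exhibits.items():
        for name, num in data["phonebook"].items():
            index[normalise(num)][ex].add(f"phonebook:{name}")
        for num in data["calls"]:
            index[normalise(num)][ex].add("call register")
        for num in data["sms"]:
            index[normalise(num)][ex].add("sms")
    return index


def find_links(exhibits: dict) -> dict:
    """Numbers present in two or more exhibits, with where each was found."""
    return {num: {ex: sorted(src) for ex, src in hits.items()}
            for num, hits in build_index(exhibits).items() if len(hits) >= 2}


def exhibit_graph(exhibits: dict) -> dict:
    """Exhibit pairs joined by at least one common number (edges of the link chart)."""
    edges = defaultdict(set)
    for num, hits in find_links(exhibits).items():
        exs = sorted(hits)
        for i, a in enumerate(exs):
            for b in exs[i + 1:]:
                edges[(a, b)].add(num)
    return {pair: sorted(nums) for pair, nums in edges.items()}


def attribute(exhibits: dict, number: str) -> dict:
    """Every exhibit a number appears in, plus any name a phonebook gave it."""
    hits = build_index(exhibits).get(normalise(number), {})
    return {ex: sorted(src) for ex, src in hits.items()}


if __name__ == "__main__":
    for num, hits in find_links(EXHIBITS).items():
        print(num, hits)
    print(exhibit_graph(EXHIBITS))
```

Attribution follows from the index: a number that only ever appears as a bare call-register entry on one exhibit may be named in the phonebook of another, which is the link an examiner wants surfaced automatically rather than found by eye across several reports.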
FTS in the USA
Coming to America…
• On 1st January FTS USA will be officially open.
• It will be based in Tulsa, OK.
• It will provide the full service range of cell phone forensics.
• Staffed by FTS-trained US citizens.
Transferring our experience…
• Investigators currently being trained in the UK
• Experienced UK phone examiners will be based at the US laboratory for support and peer review where needed.
• Working closely with Federal Agencies to ensure standards and external auditing of examination & evidential Best Practice.
Any questions?