Thursday, May 14, 2009

Mobile Telephone Examination Procedure

This discussion continues the theme of highlighting, over the last five years, the diminishing quality of knowledge in mobile telephone evidence training and the very poor understanding shown by those giving advice about, or presenting, mobile telephone forensic evidence and opinion.

By way of further illustration of poor understanding, consider the following advice, given in an advice note regarding mobile telephone examination procedure:
(1) Removing the battery of certain makes/models of mobile telephone can lose the date and time stamp and call history, but using a Shielding Room can prevent this because you won’t need to remove the battery.

(1a) The party giving the advice above then went on to suggest that they did not think, by and large, that the above is a better methodology that should be adopted, and went on to advocate the method of producing a clone test SIM (Access Card), which appeared to them to be more appropriate.

A shielding room is used to prevent radio signals from entering the space that the shielding is designed to protect, and also to prevent the mobile telephone from registering to the mobile telephone network. It cannot, though, prevent loss of full call history and date and time stamp, irrespective of whether the mobile telephone is in a shielded room or not. Removing the battery on some older models of mobile telephone can lose the full call history and date and time stamp. To produce a clone test SIM (Access Card), the examiner is required in the first instance to remove the battery to get to the SIM/USIM. So how is their recommendation (in 1a) shown to be any better than the unsuitable Shielding Room scenario (in 1)?

- For the record, the point I am making is not to advocate shielding rooms or Faraday bags; I am just pointing out the absurdity of the advice -

Having noted that using a Shielding Room may not be the best method (thus tacitly negativing its use), the advice then goes on to positively suggest that the examiner wouldn’t need to remove the battery because the mobile telephone is in a shielding room, and that the call history and date and time stamp on the mobile telephone would be secure. They then go on to advocate the removal of the battery, which implicitly also requires taking the SIM out of the handset, for the purposes of producing a clone test SIM (Access Card). Their advice is confusing, as they have already admitted that removing the battery can lose data.

An examiner will naturally have to remove the SIM/USIM from the handset anyway (removing the battery first is one point; another is that removing the SIM/USIM can inevitably cause loss of data in the handset - it can't be helped), because the proper order of examination requires a full examination of the SIM/USIM to get at evidence that is not readily available and obtainable by leaving the SIM/USIM in the handset during examination.

I concluded from reading their advice that it contained so many mixed messages and such conflicting use of methodologies (methods that would usually be used in isolation for the treatment of different issues were now being squeezed together to make them work) that it would leave an examiner following their advice open and vulnerable to potentially discrediting their own evidence.

Moreover, if the advice note was intended to succeed in getting an examiner to use Access Cards over Shielding Rooms, then in my view it failed to convince me to use one and not the other.
