Saturday, September 22, 2012

Threats and Forcing SMS delay

Following my article France Car Shootings and Mobile Evidence http://www.trewmte.blogspot.co.uk/2012/09/france-car-shootings-and-mobile-evidence.html an investigator, previously working with a well-known cellular and fixed network manufacturer, confirmed to me the results of an internal forensics investigation which he conducted.


An employee had made threats to a Director. The employee had been found to use a 'prepaid SIM' card to send threat messages but added a delay period of 2 hours for the sent messages. The employee then switched OFF the handset and inserted the company SIM card into the same handset which had previously held the prepaid SIM that had sent the threat messages. The handset with the company SIM card in it was then switched ON; the employee claimed not to have been responsible for the threats sent from a different IMSI (SIM card). The intention of the employee was to mask any connection with the threats. However, tracing the IMSIs of the prepaid SIM card and the company SIM card found both to have been operating in the same handset (IMEI). Such tracing can be done through enquiries of network databases such as BTS, HLR etc. Moreover, with the high levels of text messaging sent and received whilst roaming, tracing can also be done by interrogating CAMEL.
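The IMSI-to-IMEI correlation described above can be sketched as follows. This is an added example, not the investigator's tooling; the record layout, event names and all identifier values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real data. Assumed layout:
# (timestamp, event, IMSI, IMEI)
RECORDS = [
    ("2012-09-20T09:00:00", "attach",      "001010000000001", "350000000000017"),
    ("2012-09-20T09:05:00", "sms_submit",  "001010000000001", "350000000000017"),
    ("2012-09-20T09:06:00", "detach",      "001010000000001", "350000000000017"),
    ("2012-09-20T09:10:00", "attach",      "001010000000002", "350000000000017"),
    # Constructed: a network-side record that carries no IMEI.
    ("2012-09-20T11:05:00", "sms_deliver", "001010000000001", ""),
    ("2012-09-20T09:30:00", "attach",      "001010000000003", "350000000000025"),
]

def shared_handsets(records):
    """Return {imei: [(imsi, first_seen, last_seen), ...]} for every IMEI
    that was observed with more than one IMSI, ordered by first sighting."""
    seen = defaultdict(dict)
    for ts, _event, imsi, imei in records:
        if not imei:  # cannot tie this record to a handset
            continue
        t = datetime.fromisoformat(ts)
        first, last = seen[imei].get(imsi, (t, t))
        seen[imei][imsi] = (min(first, t), max(last, t))
    result = {}
    for imei, imsis in seen.items():
        if len(imsis) > 1:
            rows = [(i, f, l) for i, (f, l) in imsis.items()]
            result[imei] = sorted(rows, key=lambda r: r[1])
    return result

def swap_gaps(usage):
    """Minutes between one IMSI's last sighting and the next IMSI's first
    sighting in the same handset; a short gap suggests a SIM swap."""
    return [(a[0], b[0], (b[1] - a[2]).total_seconds() / 60)
            for a, b in zip(usage, usage[1:])]

if __name__ == "__main__":
    for imei, usage in shared_handsets(RECORDS).items():
        print("IMEI", imei, "used by", [u[0] for u in usage])
        for old, new, minutes in swap_gaps(usage):
            print(f"  {old} -> {new} after {minutes:.0f} min")
```
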

There is also useful data that can be obtained for linking with cell site analysis (CSA), which is a bonus, although there appears to be some confusion occurring in the US at the moment as to the value of CSA evidence http://www.forensicfocus.com/Forums/viewtopic/t=9679/ and how the material may be applied on a case by case basis. I am not convinced that licensed operators with cellular networks as highly developed as they are in the US simply could not/would not have sufficient call record/cell data available to know what is happening when an MS has been active in their networks, about the arrangement at a particular mast (cell tower) as used by an MS, the configuration of the radio network operating at the time an MS has been used and so on.
