Saturday, July 08, 2017

What's happening with Contemporaneous Notes

Contemporaneous note (CN) taking is an essential process and procedure. The title is often used as a widely applied statement to include other associated processes and procedures, such as Simultaneous Notes (SN), etc.; as some of you know, CN, SN, IN and VN are covered in my training courses for e-Discovery, (forensic) examination and evidence E3.

I have taken the opportunity to bring on board Robert Merriott, Founder of Forensic Notes, to provide an overview of some of the methods and tools out there for preparing and producing Contemporaneous Notes. From Robert's well-informed discussion (below), this clearly is a subject where strong opinions are held and a subject to which we will return in future discussions.

Robert Merriott
Digital Forensic Examination Notes

The purpose of this post isn’t to provide a singular and definitive answer to the question of what ‘examination notes’ should look like. In fact, every country or region will have its own accepted practices, developed to satisfy the laws of the land. Instead, this article discusses the many facets of this important subject to help you find the solution that best meets your needs.
A recent discussion regarding Contemporaneous Notes on Forensic Focus showed that there are differing views on how strict guidelines should be in relation to examination notes. This difference of opinion reveals how much the process of conducting digital forensic examinations can vary from one office to the next.

Importance of Documentation

The importance of documenting your examinations cannot be overstated. Although you may never need to defend your case in court, you should complete every case as if you would be testifying as an expert in the Supreme Court.
Recently, experts and influential leaders in Digital Forensics provided quotes on the Importance of Documentation.
As Greg stated…
“Contemporaneous Notes are unavoidable, thus inescapable, when it comes to examining evidence and are akin to the standard of Ethics.
They hold the examiner to their own account of conduct when no one else is around to witness what is happening.”

Examination Notes – Current Solutions

Investigators dealing with digital evidence will document their examinations in one of several ways:
- Traditional paper notebook and pen
- Word processors such as MS Word or OneNote
- Purpose-built electronic note-taking system
- Scrap pieces of paper
- Do not document!

Paper Notebook and Pen

The classic way of writing contemporaneous notes. 
This form of documentation has been relied upon in law enforcement and scientific labs for decades and has continued to stand up to the scrutiny of the courts when properly completed.

Although widely accepted in courts, writing your notes in a paper notebook can be slow and result in notes that are illegible and incomplete. For many young examiners who can quickly type out long messages on a virtual mobile keyboard, the idea of handwriting notes seems like a step back in productivity.
Attempts to correct spelling and grammatical mistakes only further complicate the process of writing and disclosing notes.

MS Word or OneNote

Electronic documentation is becoming more common even in traditional settings like law enforcement, where previously only paper notebooks and pens were trusted.
Electronic documentation offers many advantages including the ability to edit and modify the content of the notes as required.
Being able to edit the content of an electronic note allows the examiner to correct any spelling, grammatical errors or omissions. As a result, some examiners feel electronic documentation provides a more professional form of their notes as they are able to correct these issues prior to providing them to colleagues or the courts.
But if notes can be changed at a later date with no previous history of the contents originally entered, can they really be considered contemporaneous?
And does this open up Pandora’s Box for defense lawyer questioning? 
If you admit you modified some of your notes for “grammar” and “typos”, will the defense begin to argue you changed other aspects of your notes as well? And what if you did change something else for reasons beyond simple grammar or typos: how will you explain that change in court?
Criminal courts would never allow a law enforcement officer to Wite-Out® portions of his notes in a paper notebook and then overwrite that information with new information. So why should the courts trust electronic notes to be a true representation of your thoughts at the time stated if they can be edited without including the previous entries?
Although many Digital Forensic Examiners are using MS Word and OneNote successfully in courts throughout North America and Europe, we as examiners know that the majority of courts have failed to keep up with the complexities of digital data and how easily files can be manipulated.
Of course, there are ways to make electronic notes immutable with the use of digital signatures and digital timestamps, but few organizations are properly set up to implement this solution.
Will you be able to defend the authenticity of your MS Word or OneNote examination notes in court if questioned?

Electronic Note-Taking Application

Electronic Note-Taking applications offer the best of both worlds if designed and used properly.  But remember, not all applications are created equal.
When deciding on what electronic note-taking application you want to use, you will have to consider your specific needs and requirements not only now, but in the future when your cases finally go to trial.
- Can you easily print notes in sequential order for court?
- Can you edit existing notes while retaining the original note for Full Disclosure?
- Can you arrange your notes in a logical manner during the investigation to keep your information organized?
- Can you search through your notes to find answers quickly?
- Is your information securely saved and encrypted?
- Do audit logs exist allowing you to clearly see who else accessed a particular note or notebook?
- Is the application able to timestamp individual notes from a trusted and independent Timestamping Authority (TSA)?
- Will the courts be able to authenticate your notes if required without calling in another expert?
- Can you access your notes on multiple devices, including mobile, so that you can take notes outside of your office, such as during live analysis at the scene or meetings with other investigators?
- If you include screen captures and images in your notes, will you be able to print the image in a high-quality format at a later date if it becomes a key piece of evidence?
- Are the owners of the application trusted members of the digital forensic community?
When choosing an Electronic Note-Taking Application, you should select an application that works the way you work instead of being forced to work within the constraints the application imposes.

Scrap Pieces of Paper

Although it’s common to use scrap pieces of paper to quickly jot down information, they should not be used as a place to write notes during an examination unless other options discussed above are not available.
If scrap pieces of paper are used to document important information, this should be transcribed into your proper notes as soon as possible. Often, if done in a reasonable time frame, these transcribed notes will be considered contemporaneously written.

Do Not Document Examination

Some examiners do not see a need to document their examinations. This is often a result of poor training, inexperience or laziness. If your examination involves criminal or civil litigation, then it’s imperative that you conduct your examinations in a professional manner. Poorly documented investigations can lead to bad case law that affects us all.

Should Standards Exist for Examination Notes?

Preston Coleman provides a valid and well thought out response to the idea of standards for examination notes.
As Preston points out, if standards were to be created for examination notes, then they should be general in nature to allow for the flexibility needed within most examinations. At a minimum, the following “universal elements should be observed”:
- Contemporaneous Notes: document actions and results sequentially as they occur
- Timestamp Notes: include date and time with every note made
- Immutability: notes should be fixed and non-editable upon completion of the examination
- Available: provide to others, including the courts, if required
Depending on your particular circumstances and the types of files that you are investigating, you may decide on more stringent requirements for your own note taking.

Odds n’ Ends

Now let’s discuss a few more questions regarding examination notes…

Simultaneous Notes

As discussed within the “Forensic Chip Off – Notes in Progress” post, Greg asked the question “how would you keep contemporaneous notes (CN) simultaneously whilst removing a chip?”
If Simultaneous Notes (SN) were required during a technical hands-on examination, then a video of the examination (as shown in the blog post) could be used to allow the examiner to concentrate on the task at hand while still properly documenting the actions being taken. Upon completion, the video file could be hashed with the resulting hash being noted within your Contemporaneous Notes.
A purpose-built forensic Electronic Note-Taking application would allow you to attach the original video to the note and automatically hash and timestamp the video in only a couple of steps.
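The four universal elements listed earlier (contemporaneous, timestamped, immutable, available), together with the hash-and-attach step just described for the chip-off video, can be sketched in code. The following Python notebook is an added example written for this article; it is not Forensic Notes or any other product's implementation. Notes are kept in an append-only list, each carrying a timestamp, the seal of the previous note and its own HMAC seal under an examiner key; corrections are appended as new notes that reference the note they amend, so the original stays on the record, and attachments are stored by SHA-256. The seal key, case identifier and note text are constructed for the example, and the local timestamp stands in for the independent TSA timestamp the checklist asks about, which this example does not implement.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first note in a notebook


def file_hash(data: bytes) -> str:
    """SHA-256 of an attachment (e.g. the chip-off video) recorded beside the note."""
    return hashlib.sha256(data).hexdigest()


class ExaminationNotebook:
    """Append-only examination notes. Each note carries a timestamp, a link to the
    seal of the previous note and its own HMAC seal, so reordering, deletion or
    after-the-fact editing is detectable. Corrections are new notes that reference
    the note they amend; the original stays in place for full disclosure."""

    def __init__(self, case_id: str, seal_key: bytes):
        self.case_id = case_id
        self._key = seal_key   # hypothetical per-examiner secret; a deployment would use
        self.entries = []      # a signing key plus an independent (RFC 3161) TSA timestamp

    def _seal(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "seal"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def add(self, text: str, attachment=None, amends=None, when=None) -> int:
        """Append a note. `attachment` is an optional (name, bytes) pair stored by hash.
        `when` overrides the local UTC timestamp (used to keep the example deterministic)."""
        entry = {
            "case": self.case_id,
            "seq": len(self.entries) + 1,
            "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "text": text,
            "prev": self.entries[-1]["seal"] if self.entries else GENESIS,
            "amends": amends,
        }
        if attachment is not None:
            name, data = attachment
            entry["attachment"] = {"name": name, "size": len(data), "sha256": file_hash(data)}
        entry["seal"] = self._seal(entry)
        self.entries.append(entry)
        return entry["seq"]

    def amend(self, seq: int, text: str, when=None) -> int:
        """Correct an earlier note without touching it: the correction is a new, later note."""
        if not 1 <= seq <= len(self.entries):
            raise ValueError(f"no note with seq {seq}")
        return self.add(text, amends=seq, when=when)

    def history(self, seq: int) -> list:
        """The original note and every amendment to it, in the order they were written."""
        return [e for e in self.entries if e["seq"] == seq or e["amends"] == seq]

    def verify(self) -> bool:
        """Recompute every seal and follow the chain; False on any edit, gap or reorder."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            if e["seq"] != expected_seq or e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["seal"], self._seal(e)):
                return False
            prev = e["seal"]
        return True


if __name__ == "__main__":
    nb = ExaminationNotebook("CASE-0001", b"constructed-example-key")
    nb.add("Exhibit EX1 received; seals intact.")
    nb.add("Chip-off recorded on video.", attachment=("chipoff.mp4", b"constructed video bytes"))
    nb.amend(1, "Correction to note 1: exhibit reference is EX1a.")
    for e in nb.entries:
        print(e["seq"], e["time"], e["text"], e.get("attachment", ""))
    print("chain verifies:", nb.verify())
```

verify() walks the chain and recomputes each seal, so any change to a stored note, any missing note or any reordering makes it return False; history(seq) returns the original note together with its later amendments in order, which is the view that answers the Full Disclosure question in the checklist above.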

Destroy Notes After an Examination Is Complete?

In some American states, it is apparently common practice to destroy both paper and electronic notes once a final examination report has been written.
If the destruction of examination notes is currently allowed where you work, you should ask yourself:
- What happens if the accuracy or credibility of the report is questioned?
- What reasoning will you provide if questioned on why you felt it was necessary to destroy your notes?
  - The opposing party may ask “What were you trying to hide in those notes that it was so important that you destroy them prior to court?”

Restrictive Warrants

In many regions, warrants authorizing forensic examinations are becoming restrictive with respect to the type of data that can be analyzed and included in forensic reports. In practice, you may observe other evidence in plain view (e.g. child abuse material) that does not fit within the restrictions of the warrant.
In that case, it is suggested that you immediately stop your current examination and re-apply for a warrant that includes the evidence you observed in plain view.
If you fail to take proper contemporaneous notes or destroy your notes upon completion of a report, would you be able to properly articulate how you came to observe the images or data that you weren’t authorized to have searched which resulted in a more comprehensive warrant being sought?
If not, you risk having all your evidence excluded from the trial.
Many investigators fail to recognize that obtaining a new warrant is easy in comparison to defending the merits of the new warrant at trial. Are you willing to lose all that hard work due to a lack of proper documentation?


The digital forensic community needs a “Best Practice” guideline in creating contemporaneous notes during an examination. Without a clear guideline, Digital Forensic Examiners are left to rely on potentially false or misleading information from fellow members who do not fully recognize the need or value in creating proper notes during an examination.
At a minimum, all professional Digital Forensic Examiners should use the following list as the current “Best Practice” guideline:
- Contemporaneous Notes
- Timestamp Notes (Date & Time)
- Immutability
- Available
By continuing to discuss this important subject, we as a community can further improve “Best Practice” guidelines that will help ensure existing and new examiners take the necessary steps during digital forensic examinations.
After evaluating the “Best Practice” guidelines, you can make an informed decision on what is the best solution for recording Examination Notes given your particular circumstances and needs.
Will you stick with the classic pen and paper, utilize a word processing application such as MS Word or OneNote or go with a more forensic solution such as a purpose-built electronic note-taking system like Forensic Notes?
About the Author:
Robert Merriott founded TwiceSafe Software Solutions Inc. (Forensic Notes) after realizing the need for a digital note-taking application that would meet the high standards of digital forensic evidence in the courts. Robert has a Degree in Computer Information Systems and obtained both Microsoft MVP and ASPInsider status during the infancy of ASP.Net. He now works as a Digital Forensic Examiner.
DISCLAIMER: This article is not meant to provide legal advice or information. Legal statements made are only provided as guidance for the reader to seek professional legal advice within their jurisdiction. No information contained within this article should be acted upon without discussing the merits of such information with a legal professional. The author of this article is NOT A LAWYER and takes no legal responsibility for the information presented. In addition, the information provided is based on personal beliefs and ideas and does not represent his employer.


Wednesday, June 28, 2017

IM Telegram Replay Attack - Android

Hopefully, readers will have had the opportunity and time to read about WhatsApp here at the trewmte.blogspot:

WhatsApp network forensics -
Whisper Signal WhatsApp -

So it's time to move on to the next instant messaging app, known as Telegram. It is relevant to mention this app at this time as it appears the Russians are targeting this app as well, and the thought must be: what will they discover by way of a flaw or vulnerability, or do they know what they are already?
The IM Telegram Replay Attack - Android was uncovered in the following research, published in Tomáš Sušánka's thesis, which can be found here: .
As a primer, a replay attack is an attack where an attacker sniffs data sent by the application and then resends them at a different time with malicious intent. Unlike WhatsApp, where all accounts are controlled by a single source, Telegram relies upon third-party developers to implement security updates that Telegram has informed them about; if developers don't update after that, many devices using Telegram could be unsafe even today, potentially enabling attacks across networks.
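To make the primer concrete from the defender's side, here is an added example written for this post (not code from the thesis, from Telegram or from any client): a minimal sender/receiver pair in Python in which every message carries an HMAC tag, and a receiver that can be run either with a tag-only check or with freshness checks (a timestamp window plus a cache of seen sender/nonce pairs). The key, field names and message contents are constructed for the example. The point it shows is that authenticity (a valid tag) is not the same as freshness: a captured copy delivered again passes the tag-only receiver, and is rejected only when the receiver also tracks what it has already accepted.

```python
import hashlib
import hmac
import json


def _canonical(sender: str, nonce: int, ts: int, payload: str) -> bytes:
    # Fixed field order so both sides authenticate exactly the same bytes.
    return json.dumps([sender, nonce, ts, payload], separators=(",", ":")).encode()


def make_message(key: bytes, sender: str, nonce: int, ts: int, payload: str) -> dict:
    """Sender side: tag = HMAC-SHA256 over (sender, nonce, timestamp, payload)."""
    tag = hmac.new(key, _canonical(sender, nonce, ts, payload), hashlib.sha256).hexdigest()
    return {"sender": sender, "nonce": nonce, "ts": ts, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side. With replay_protection=False only the tag is checked, which proves a
    key holder produced the message but not that this is its first delivery. With
    replay_protection=True the timestamp must fall inside the acceptance window and the
    (sender, nonce) pair must not have been accepted already within that window."""

    def __init__(self, key: bytes, window: int = 30, replay_protection: bool = True):
        self._key = key
        self.window = window                  # seconds of skew/delay tolerated
        self.replay_protection = replay_protection
        self._seen = {}                       # (sender, nonce) -> ts; pruned past the window

    def accept(self, msg: dict, now: int):
        """Return (accepted, reason). `now` is injected so the example is deterministic."""
        expected = hmac.new(
            self._key,
            _canonical(msg["sender"], msg["nonce"], msg["ts"], msg["payload"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(msg["tag"], expected):
            return False, "bad tag"           # forged, or modified in transit
        if not self.replay_protection:
            return True, "accepted (tag only)"  # a stored copy passes again later
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"             # too old (or too far in the future)
        # Anything older than the window is already rejected as stale, so the cache
        # only needs to remember nonces seen inside the window.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.window}
        key = (msg["sender"], msg["nonce"])
        if key in self._seen:
            return False, "replay"            # same message delivered a second time
        self._seen[key] = msg["ts"]
        return True, "accepted"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    captured = make_message(key, "alice", 1, 1000, "transfer 10")
    print("tag only, first delivery :", Receiver(key, replay_protection=False).accept(captured, 1000))
    strong = Receiver(key)
    print("with freshness, first    :", strong.accept(captured, 1000))
    print("with freshness, resent   :", strong.accept(captured, 1005))
```

The receiver's two failure strings separate the two properties a reviewer should look for in any messaging transport: "bad tag" is an integrity/authenticity failure, "replay" and "stale" are freshness failures, and encrypting the payload on its own addresses neither of the latter.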
Deobfuscator.cpp file
To gain a background understanding of IM and related security issues, the thesis considers other IM apps, including WhatsApp, and notes security issues with them.
One interesting comment in a paragraph of the conclusion reveals the influence that foreign policy exerts on software developers regarding censorship: "We have scrutinized the code base of the official application for Android and concluded that the state of the application is at serious odds with the documentation. This concerns mainly the undocumented obfuscation method Telegram uses. The MTProto traffic is encrypted one more time with the key and IV prepended to the data. This has no effect on the data security and is easily debunked by the deobfuscation program we have implemented. When the Telegram team was confronted with these claims, they noted the method is used to circumvent some of the less sophisticated methods of censorship in certain countries."
The author has published his research relating to the apparent Telegram vulnerability and has also provided his background research, e.g. source code etc. (so you had better get it before it goes):
The CD's directory structure is:
- data
  - Telegram source code
- src
  - Telegram Deobfuscator
  - Telegram Extractor
  - Trudy Go module
  - LaTeX source codes
    - diagrams
    - source codes
    - text
    - appendices
- thesis.pdf
Excellent research and discovery!

U-N-I update on posts

- Diameter - Online Charging Systems (OCS)
- Big / Fresh / Deep - Data : Huawei overview
- Hot technologies to know about
- ARP.pcap
- bgp.pcap
- https.pcap
- ICMP-ARP-OpenFlow1.0.pcap
- Russians target Telegram App
- Wireshark
- Protocols Relevant to U-N-I
- Industrial Networks Hit By WannaCry
- IM Telegram Replay Attack - Android
- Whisper Signal WhatsApp
- Subpico Intelligent Application Layer Software
- Subpico LI with evidential integrity
- TraceWrangler
- old_GUTI_IMSI_Critical_Reject (updated)

Whisper Signal WhatsApp

Following on from the post WhatsApp network forensics (2017/06/whatsapp-network-forensics.html), you may know WhatsApp changed its protocol to Open Whisper Systems' Signal Protocol end-to-end encryption. A useful analysis of "Signal", capturing the “ratcheting” key update structure, can be found here:

A Formal Security Analysis of the Signal Messaging Protocol

Attacks have already started to probe for Signal weaknesses. The "last resort key" looks interesting, as do internal messaging attacks that have produced some results:


WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages

Friday, June 23, 2017

Universal Network Investigations

I have just started a new LinkedIn group called 'Universal Network Investigations (UNI)'. It is a group only for those involved in the wider area of fixed, mobile and large-scale computer networks. The group exists to assist cyber, forensics and fault-finding investigations: to exchange observations and share 'intel' in a closed forum discussing fixed and mobile network investigations, trace data and other forms of evidence (including but not limited to PCAP, CDRs, traffic logs, exchange and switch data, cell details, dumps, etc.). If you are a member of LinkedIn and want to participate in the group, here is the link:

Sunday, June 18, 2017

Mobile Forensic Metamodel

Previous studies have mostly discussed mobile forensics only in data acquisition terms and only in a problem solving scenario, as a subset to computer forensics. These studies did not take mobile forensics beyond the paradigm that is known as computer forensics. Additionally, they have not addressed the elements of MF comprehensively, and the previous research in the MF domain did not focus on modeling the case domain information involved in investigations.

This paper develops a Mobile Forensic Metamodel (MFM) in order to clarify all the necessary activities required by investigators for conducting their task. In addition, it creates a unified view of mobile forensic in the form of a metamodel that can be seen as a language for this domain. A metamodeling approach is applied to ensure that the metamodel which is the outcome is complete and consistent.

A metamodel for mobile forensics investigation domain

Thursday, June 15, 2017

WhatsApp network forensics

With many companies allowing employees to use their own smartphones in the workplace, it has been noted that confidential information may be being unwittingly leaked as users take to using their smartphone cameras to take photos of whiteboard content, potentially risking disclosure (mentioned by the Information Security Community). Smartphones can also scan data, reducing the need for organisations to require whiteboard printouts (thus saving money?). Whilst a user might not intentionally leak information, WhatsApp does provide for the exchange of information during in-party calls, potentially allowing confidential data to be circulated.

However, let us avoid that scare story of sending confidential information and look instead at the situation where a WhatsApp user has called another WhatsApp user and discloses that Global Organisation X is in talks with World Dominant Corp. B to take them over. Both are on the Stock Exchange and both hold worldwide patents used in the medical industry. Such a leak could wrongfully 'influence' the markets. Could a WhatsApp call leak be possible? Maybe, but is that relevant to WhatsApp network forensics and this article? No. Finding out potential avenues where information leakage might take place enables pre-planning, handling risk and helps in designing a rescue plan.

Screen from my desktop using Wireshark

What is relevant is that, for those conducting network forensics, according to F. Karpisek, I. Baggili and F. Breitinger (ISSN 1742-2876), they were able to "...decrypt the network traffic and obtain forensic artifacts that relate to this new calling feature which included the: a) WhatsApp phone numbers, b) WhatsApp server IPs, c) WhatsApp audio codec (Opus), d) WhatsApp call duration, and e) WhatsApp's call termination." From a network investigator's point of view this is essential information, producing evidential artifacts that identify network activity. Taking this further, PenTesters might find this information useful too. Even where security flaws get patched, that doesn't stop modified attacks occurring and creating further vulnerabilities; so learning is the name of the game.
Often we read articles/reports about vulnerabilities etc., but only the content of the articles/reports is available. What is extremely helpful here is that F. Karpisek, I. Baggili and F. Breitinger have made 'trace data' available so that, when combined with the tools referred to in 'WhatsApp network forensics: Decrypting and understanding the WhatsApp call signaling messages', investigators and PenTesters can gain experience and refine testing approaches. Access to the trace information is here: . You may want to get a copy soon, as Dropbox downloads often get deleted by the Dropbox user after a time.

Wednesday, June 14, 2017

iPhone - TDEL034 Tool Testing

Many discussions take place during training which unearth useful guidance for practices and procedures. Tips and tricks are also revealed. The MTEB Tool Testing training paper from 2015, iPhone TDEL034 (test device entry level) strategies and pre-planning, is used to illustrate the potential stages for obtaining images that produce baseline test data, enabling repeated testing to identify possible changes in the working operation of forensic tool suites importing a pre-existing test image.

However, TDEL034 is, as stated above, for strategies and pre-planning. Acquisition tools and analysis (reader/reveal) tools are dealt with later in the training. What is uncovered during discussions are people's perceptions, given their involvement within the examination process.

It is in these sessions during training that the reality dawns as to the time and expense it takes just to deal with one brand-name 'Make' of smartphone, and then adding into the equation the various models that have been created and may be created in the future. If that isn't enough, there are then the various versions of OS implemented in various models (

The discovery doesn't end there. Tasks involving the removal of barriers and revelation may equally have an impact when discussing discovery (

Digital forensics is a reality and not a junk science. This field of endeavour is unlike traditional sciences, including many forensic sciences. How many traditional sciences can you identify that evolve and update as rapidly, e.g. every 6 to 12 months? It is against this backdrop that digital forensics is expected to function and operate across a digital arena of many makes/models of devices and services. Understanding the fantastic job that people working in digital forensics do, battling with constant change, illustrates how digital forensics is highly unique.

Generic standards do not work as well with digital forensics as 'specific' standards would. That is because generic standards are tantamount to informing everyone that this is what has been created and it is your responsibility to make it work. This is analogous to an organisation purchasing a SATNAV and driving route system which, when operational, fails to inform the driver of 'No Entry' roads and dead-end roads, instructs the driver to take an action even when the sign states 'No Left Turn', or uses as-the-crow-flies navigation so the driver is placed at a point, e.g. x miles from the true destination, because the system doesn't understand that vehicles cannot drive through people's houses, gardens or buildings to get to the other side. The organisation then expects the driver to work out the problems so that, on reaching the destination, it looks like the SATNAV and driving route system was working correctly.

This is why training is essential, not just at the tool level but also at the conceptual level, to assist in the design of an examination approach that fits the needs of the device and at the same time relieves the pressure placed on the tools that are expected, alone, to get it right. Having the right digital forensic standard should provide the baseline and should define the process approach to assist in achieving results.

I will return to this subject to offer observations a little later, but for now other matters are pressing and need attention.

Sunday, June 11, 2017

Do Cyber Events Follow A Philosophy

I was intending to raise this point some months back, but due to other pressing issues I had forgotten to do so. It relates to a quote used in a presentation from Nokia, 'The known unknowns of SS7 and beyond: Evolution of Telco Attacks'.

Are cyber events such as DDoS, malware, SS7 attacks, Dirty/Nasty USSD, dirty data_ark and so on following some sort of noble objective, to be comprehended from quotes such as Sun Tzu's philosophy "The supreme art of war is to subdue the enemy without fighting"?

Even if that were correct or true, how does it help define which events are isolated and which events have, or are characterised by, an intended aggregation to bring about a sustained campaign of subjugation?

Tuesday, June 06, 2017

Not Comfortable Fit for Digital Forensics - ISO17025

Within the digital forensics arena there is discomfort amongst labs, academia, businesses and practitioners, the feeling being that ISO/IEC 17025 'General requirements for the competence of testing and calibration laboratories' is not a comfortable fit for digital forensics. Very few digital forensics laboratories and businesses have been accredited so far. To get an understanding of those concerns, drawn from a pretty good base of opinion in replies to the UK ISO 17025 Digital Forensics Survey 4/24/2017 created by Professor Peter Sommer, the results have been published and are available here.

Not to second-guess the Forensic Science Regulator (FSR), there is, of course, the October 2017 deadline looming, and the outcomes of that deadline might impact the way forward. However, I regularly keep an eye on lab accreditation and best practice guides (as you can see from some of the pdf tabs open in the above screenshot) in the context of digital forensics, in order to note the changing approach to digital forensics. The new breeze appears to be blowing digital forensics towards ISO standards, e.g.:

ISO/IEC 27042: 2015. Information Technology - Security Techniques - Guidelines for the Analysis and Interpretation of Digital Evidence.

ISO/IEC 27037: 2012. Information Technology - Security Techniques - Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence.

Currently, but this may change, these standards are not substitutes for accreditation. That does not mean, though, that digital forensics may not branch off and have its own unique accreditation and standards. It may well be that the British Standards Institute (BSI) needs to produce an equivalent standard for the UK based on the example of the old BS5750 approach. BS5750 and ISO9000 do enable the UK Government's requirement to be met for the "inclusion" of single-person organisations and SMEs, so that they can play a part in the economy and not be excluded from it by globalism, restraint of trade practices or over-burdensome control measures.

Previously, I drew attention to how, in the US, Karin Athanas, Program Manager at the American Association for Laboratory Accreditation (A2LA), produced an article titled "Accreditation for the One-Person Organization - The smallest laboratories can teach us the biggest lessons." This article showed that smaller business entities could achieve accreditation to ISO/IEC 17025:

The UK ISO 17025 Digital Forensics Survey 4/24/2017 isn't the first time attention has been drawn to ISO/IEC 17025 and that it should work for all, not the few. If the latter accreditation doesn't work, then maybe another route will need to be found.

Sunday, May 28, 2017

Forensic Chip Off - Notes in Progress

Thanks to those who have taken the Survey for Digital Forensics Tool Testing so far. For those who haven't taken the 4-minute survey, which has only 15 easy-to-read questions to answer, please do so ( digital-forensics-tool-testing.html ). The larger the pool of anonymous answers returned to the Faculty of Computer Science, University of Sunderland, for Dr. Graeme Horsman to analyse, the better the feedback to you and to the digital forensics community as a whole will be when Graeme publishes the findings.

Below are two YouTube videos. Watch them both, as they provide an interesting account of removing iPhone 5 ICs. These are general repair services for iPhones and are not promoted as forensic chip-off. In particular, pay attention to whether there are any good working practices and whether the operator's manner would be acceptable for handling an exhibit.

Three observations I will share are (1) should the operator be wearing anti-static gloves?; (2) how would you keep contemporaneous notes (CN) simultaneously whilst removing a chip?; and (3) should you be testing chip-off tools to understand their limitations before using them for chip removal and chip reading?

Please use weblinks 

Wednesday, May 24, 2017

Survey: Digital Forensics Tool Testing

Following on from the post "Study into Carving Validation", Dr Graeme Horsman from the Faculty of Computer Science, University of Sunderland, has produced a questionnaire designed to acquire industry consensus on the wider vista associated with tool testing in the field of Digital Forensics. Responses are anonymous, and the results will form part of research into the design and implementation of tool testing in the field; they will also be used as part of the production, publication and dissemination of research in this area.

As the survey responses are anonymous, Dr. Horsman requests that any questions or comments you have be posted at the LinkedIn Group "Institute for Digital Forensics", as all questions and comments made are under Chatham House Rules ( )

This survey contains 15 questions. Estimated time to complete - 4 minutes.

Thursday, May 18, 2017

Study into Carving Validation

At the LinkedIn Group "Institute for Digital Forensics" ( ) we are pleased to announce that Dr Graeme Horsman PhD, BSc (Hons), MJur (Dur), PGCertHE, SFHEA from the Faculty of Computer Science, University of Sunderland, has joined the Group and wants to seek assistance from practitioners, in-house test and examination departments and laboratories regarding their thoughts on testing, in terms of the tools that are used. This is in terms of strategies etc., given the importance (albeit it has always been important) of ISO standards etc. Do IDF members have their own "test data and strategy that they roll out on new software/releases"? This relates to the potential value of an automated test data generator for known good content from which to evaluate parsing/carving algorithms. This would be with respect to "carving validation", so test data would be geared towards such algorithms. Dr Horsman would appreciate as much feedback as possible and wants to engage in discussions to facilitate this study.

Access to content and discussions is open to LinkedIn members who request, and are approved for, membership of the Group "Institute for Digital Forensics".

Sunday, May 14, 2017

Contaminating Evidence SIX

The original question (in Part ONE) was, I believe, asked by someone starting out in mobile forensics. I tend to find it easier to start with the 2G technology [SIM Application, CLA 0xA0 / 2G context], which is still predominant in certain countries, although market research shows 2G falling below 30% globally by 2020.

Furthermore, law enforcement and security still seize and find 2G SIM cards (globally speaking) associated with criminal activity (drug dealing, SIMboxing, trafficking, etc.), so any observations that assist examination may help improve outcomes and generate "quality in work" without expending large quantities of capital.

Equally, with 3G and 4G SIM cards the examiner can still SELECT and ReadBinary etc. via GSM access. It is also helpful to let examiners see basic script commands and responses, as the basic commands can still be issued under the USIM Application [CLA 0x00]:

Select 6F07

To make the following a little more interesting than merely showing a screen image of the USIM Application returning the SIM card's IMSI: does the IMSI's home network match the network to which the IMSI was last latched?

For privacy and security purposes the IMSI has been obscured; however, it is confirmed that the IMSI in this discussion belongs to a subscriber on the EE network. As an examiner you may consider looking at the last network and location on which the subscriber was camped.

Select 6F7E (e.g. location area)

Select 6F73 (packet switched location area)

Observations, at first instance: the LOCI and PSLOCI screens reveal that the subscriber's account was last latched to the T-Mobile network, not the EE or Orange network. Who would provide feedback to the investigating officer on what that means? Both screens show "updated" for the location area and routing area, yet the P-TMSI Signature value remains unchanged at FFFFFF. What significance, if any, does that have for interpreting the data?

The key point is that issuing commands and reading the responses can help an examiner refine the searches made of the (U)SIM and the (U)ICC, and also respond to "time-is-of-the-essence" requests where a device is seized at the point a trafficker is stopped and searched. Combining precise information searches helps examiners do this.

Moreover, with enhanced scripting and script variables we can do so much more; that is a matter to be considered in further blog posts soon regarding examination, evidence and validation:

Select 3F00
Select 7F20
Select 6F07
If (GoodStatus = True)
 If (GoodStatus = True)
Select 3F00
Select 7F10
Select 6F3A
Set $recNum = 1
While ($recNum <= $totalRecords)
 ReadRecord $recNum
 Increment $recNum
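As an added example (not from the blog, from Quantaq or from USIM Commander), the Python below decodes constructed EF_LOCI (6F7E) and EF_PSLOCI (6F73) responses of the kind shown in the screens above, flags the FFFFFF P-TMSI signature value the post asks about, checks whether the card last camped on its home PLMN, and emits the READ RECORD APDUs that the While loop above would send to 6F3A. The file layouts follow GSM 11.11 / 3GPP TS 31.102; every byte value, the TMSI, LAC, RAC and PLMN digits are made up and belong to no real subscriber.

```python
# Added example, not from the blog or USIM Commander. Decodes constructed
# EF_LOCI / EF_PSLOCI responses and builds READ RECORD APDUs for the record loop.
# Layouts follow GSM 11.11 and 3GPP TS 31.102; all sample bytes are made up.

LOCATION_UPDATE_STATUS = {0: "updated", 1: "not updated",
                          2: "PLMN not allowed", 3: "Location Area not allowed"}


def decode_plmn(b):
    """3-byte BCD PLMN: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 (nibble 0xF = unused)."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if b[1] >> 4 != 0xF:                  # third MNC digit present
        mnc += f"{b[1] >> 4}"
    return mcc, mnc


def decode_loci(ef):
    """EF_LOCI (11 bytes): TMSI[4] LAI[5] TMSI-TIME/RFU[1] status[1]."""
    mcc, mnc = decode_plmn(ef[4:7])
    return {"tmsi": ef[0:4].hex().upper(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(ef[7:9], "big"),
            "status": LOCATION_UPDATE_STATUS.get(ef[10] & 0x7, "reserved")}


def decode_psloci(ef):
    """EF_PSLOCI (14 bytes): P-TMSI[4] P-TMSI signature[3] RAI[6] status[1]."""
    mcc, mnc = decode_plmn(ef[7:10])
    sig = ef[4:7].hex().upper()
    return {"ptmsi": ef[0:4].hex().upper(), "ptmsi_signature": sig,
            "signature_unset": sig == "FFFFFF",   # the value queried in the post
            "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(ef[10:12], "big"), "rac": ef[12],
            "status": LOCATION_UPDATE_STATUS.get(ef[13] & 0x7, "reserved")}


def camped_on_home_plmn(home_mcc_mnc, loci):
    """Does the last-registered PLMN in LOCI match the IMSI's home MCC/MNC?"""
    return (loci["mcc"], loci["mnc"]) == tuple(home_mcc_mnc)


def read_record_apdus(total_records, record_len, cla=0xA0):
    """READ RECORD, absolute mode (P2=04), for $recNum = 1 .. $totalRecords."""
    return [bytes([cla, 0xB2, rec, 0x04, record_len])
            for rec in range(1, total_records + 1)]


# Constructed responses: MCC 234 with a made-up MNC 30, LAC 0x1234, RAC 0x07.
SAMPLE_LOCI = bytes.fromhex("A1B2C3D4 32F403 1234 FF 00")
SAMPLE_PSLOCI = bytes.fromhex("E5F60718 FFFFFF 32F403 1234 07 00")

if __name__ == "__main__":
    loci = decode_loci(SAMPLE_LOCI)
    print("LOCI:", loci, "home PLMN:", camped_on_home_plmn(("234", "30"), loci))
    print("PSLOCI:", decode_psloci(SAMPLE_PSLOCI))
    for apdu in read_record_apdus(3, 28):   # 28-byte ADN records, made-up count
        print(apdu.hex(" ").upper())
```

The record length and record count would in practice come from the GET RESPONSE after selecting 6F3A; the script sets $totalRecords from that header, which the example takes as a parameter instead.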

The tool USIM Commander is a SIM evaluation and programming tool available from Quantaq Ltd and can be found here:

Hope you find this helpful.

Contaminating Evidence ONE -
Contaminating Evidence TWO -
Contaminating Evidence THREE -
Contaminating Evidence FOUR -
Contaminating Evidence FIVE -

Thursday, May 11, 2017

Contaminating Evidence FIVE

To refresh, these discussions (links at the foot of this article) originated because someone asked a question: should I put a seized, damaged SIM card into a seized mobile phone (handset), where both items have been found placed in the same exhibit bag? The discussions have highlighted helpful observations about what can be involved, and the lesson learned is to keep a damaged SIM card separate from the handset and to conduct tests independently of combined forensic suites; hence the need for a Test A Damaged SIM Card SOP.

Yes, you can run a single test APDU (application protocol data unit) command to select particular data from a SIM card, just as you can run a script containing multiple test APDU commands. For example, what follows is an example of multiple APDU commands to SELECT and GET RESPONSE from the SIM card, requesting the SIM's IMSI (international mobile subscriber identity). Invariably, investigating officers and security may require only that little piece of information, whether extracted and harvested from a working SIM or a damaged SIM. Where a damaged SIM card is involved it won't be clear at the initial examination stage (a) whether the SIM will respond to any test or to a fully-blown image, and (b) if it does, whether there could be only one chance to retrieve any data from the card.

APDU Commands
We know that the standards identify commands as follows, and these would therefore most likely assist the examiner when reading the SOP. Remember that part FOUR said the SOP should assist examiners by identifying the short-form title and clause. So here is one exercise you can do now: go and download ETSI GSM 11.11 (Release R1999) and the latest release of 3GPP TS 31.102, and identify the short-form title and clauses relevant to the APDU commands below:

- Select
- VerifyCHV
- ReadBinary
- ReadRecord
- UpdateBinary
- UpdateRecord
- Status

Test APDU - IMSI Request
The next step is to select the statements needed to issue the commands for the SIM card to reveal the IMSI:

- 2GMode
- Select 3F00
- Select 7F20
- Select 6F07
- ReadBinary

USIM Commander GUI Image

The IMSI has been doctored in the above image for privacy and security reasons. However, the three window panes illustrate how to validate commands issued to a damaged SIM card. The left pane shows the commands; the top right pane shows the status and harvested data for the commands issued; and the bottom right pane confirms the translated APDU trace and the raw APDU trace, thus proving the process and procedure the examiner adopted and applied during testing. This information can then be logged in the examiner's Contemporaneous Notes.

Training and Discovery
Before jumping into conducting the tests, training and exposure to different types of SIM cards and their conditions should be the first priority. Even the best APDU scripters make mistakes. The screen images that follow illustrate a mistake and its correction (can you find the mistake?), followed by the learning curve an examiner needs, which is only possible through discovery using training SIM cards to see what might be revealed.
Examiners need to be encouraged to extend search investigation beyond the template. The images below identify what CHV1 and CHV2 discovery might reveal. This discovery helps examiners find out whether unknown CHV1 and CHV2 values can be revealed.

Contaminating Evidence ONE -
Contaminating Evidence TWO -
Contaminating Evidence THREE -
Contaminating Evidence FOUR -