Monday, September 17, 2012

France Car Shootings and Mobile Evidence


It is well known by now that the team investigating the shootings in the French Alps discovered two mobile phones: http://news.sky.com/story/982481/alps-shootings-police-find-two-phones-in-car. The following has nothing to do with the French authorities' investigation and does not seek to speculate on what might be. However, the case is useful in that it provides a practical example for applying a conceptual method of seeking out evidence, originally discussed in my thread back in January 2009: http://www.trewmte.blogspot.co.uk/2009_01_01_archive.html.

The diagrams below illustrate one method of taking a crime scene event and postulating the possibilities of mobile phone evidence and mobile events that might occur prior to and after, e.g., a murder. Yes, it is quite possible that activity on a victim's switched ON mobile phone may still occur after the victim's death. This is in addition to evidence that can accrue when it is switched OFF.

To make this case-scenario discussion a more manageable task, the investigator/examiner can separate the case into four stages, without severing the links between them:

  i) possible evidence before and leading up to the crime
 ii) possible evidence at the approximate time of (a) the shooting, (b) death
iii) possible evidence when attending the scene of crime
 iv) possible evidence that might still be collated post scene of crime

The depth and breadth of mobile evidence has increased substantially given the fast pace of development in mobile technology and services. To try to discuss all of them would over-complicate this discussion, so it will consider the diagram below and highlight possible mobile evidence and events for stage iv).

The previous 2009 discussion (link given above) needs to be read to understand the diagram below, after which an examiner/investigator can begin to recognise where post-crime mobile evidence might be generated or occur and create a checklist of those possibilities.


Using the 'C now' constant, this could represent the position of the investigation in physical space, say where the two mobiles have been recovered but are still at the scene of crime. Time is important, too, and therefore the investigator (hypothetically, of course, for this discussion) records a time one hour after the mobile phones were recovered at the crime location. This is important for the timeline because anything occurring before that time has one set of evidential/event values (prior to the approximate time of death) and evidence/events occurring after have another set of evidential values (post approximate time of death). By way of illustrating the latter, the dead victim won't be operating the handset him/herself, so that fact is important, but it doesn't exclude the possibility of the victim, prior to death, having pre-programmed the handset to do something (e.g. send a birthday text, set an alarm and so on).

The perpetrator/s fled the crime scene and therefore the time delay occurring between that and the discovery of the mobile phones could be minutes/hours/days. The race is on to catch up if the investigation is not to be caught on the tide of diminishing returns.

The use of text messaging is prolific and therefore knowing which material to discard and which is important evidence is not an easy task. Commonly, texting is perceived on the basis that a user:

- sends and receives texts
- known or unknown called/calling party  
- content based upon 'familiarity' of communicating parties

There is a whole host of investigative information that may need to be practically assessed as to the possibility of a text occurring on a mobile phone after a victim's death, such as:

- text generated by a mobile phone as opposed to text generated on a PC and sent via the internet, e.g. check the SMS header details:

Originating Address type: 91
Type of number: International
Numbering plan identifier: E.164
Originating Address: 44798021XXXX

and where you see an 'Originating Address' that does not contain the commonly understood mobile telephone number (E.164) but instead contains a hexadecimal representation, this might indicate that the message originated from the internet. Example:

Originating Address type: 91
Type of number: International
Numbering plan identifier: E.164
Originating Address: 35fac2457c0be2008

To start with, go back to basics (this is necessary due to the requirements of backward compatibility) and check out the GSM standards GSM 03.40, 03.38, 04.11, 09.02, etc.

- text may be generated due to a set calendar event, e.g. check user profiling relevant to the proactive SIM, STKs and the handset calendar

- text may appear as an SMS, but what if it is Wi-Fi direct data? e.g. depending on the make/model of mobile phone, check settings such as 'wireless and network'

What can happen when received text messages arrive later than the date the text was originated and sent? - http://trewmte.blogspot.co.uk/2007/10/conflicts-call-records-sms-delivery.html - Local and roaming issues may be relevant.

Check also the SMS 'validity period' for sent text messages, since messages can be held in 'escrow' by a network operator. See GSM 11.11; 3GPP TS 31.102.

Additional time values for 'Validity Period' can be found in GSM 03.40.
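To make the header fields quoted above concrete, here is an added example (my own illustration, not code from the original post or from any forensic tool) that reads an inbound text in the raw GSM 03.40 SMS-DELIVER PDU form in which handsets and SIMs store it, and prints the same 'Originating Address type / Type of number / Numbering plan identifier / Originating Address' values. The point for the examiner is that the type-of-address octet (0x91 = international number, E.164) is what tells you whether the address field is a phone number at all; an alphanumeric originator (type-of-address 0xD0) is 7-bit packed text, so it has to be unpacked rather than read as BCD digits. The same block decodes the relative TP-VP 'validity period' octet of a sent text into minutes using the GSM 03.40 ranges. Both sample PDUs, the SMSC and subscriber numbers in them, and the 2012 timestamp are constructed for this example; the two-digit year is assumed to mean 20xx, and the 7-bit alphabet mapping covers only the ASCII-overlapping part of the GSM default alphabet.

```python
"""Added example: decode an SMS-DELIVER PDU header and a relative TP-VP octet.
Sample data below is constructed, not taken from any real case."""

# GSM 04.08 / 03.40 type-of-number and numbering-plan values in the TOA octet
TON = {0: "Unknown", 1: "International", 2: "National", 3: "Network specific",
       4: "Subscriber number", 5: "Alphanumeric", 6: "Abbreviated", 7: "Reserved"}
NPI = {0: "Unknown", 1: "E.164", 3: "X.121", 4: "Telex", 8: "National",
       9: "Private", 10: "ERMES"}
# Positions in 0x20-0x7F where the GSM 7-bit default alphabet differs from ASCII
GSM7_DIFF = {0x24: "¤", 0x40: "¡", 0x5B: "Ä", 0x5C: "Ö", 0x5D: "Ñ", 0x5E: "Ü",
             0x5F: "§", 0x60: "¿", 0x7B: "ä", 0x7C: "ö", 0x7D: "ñ", 0x7E: "ü", 0x7F: "à"}


def swap_nibbles(hexstr):
    """BCD digits are stored with each pair reversed ('4497' -> '4479'); strip F filler."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2)).rstrip("Ff")


def gsm7_unpack(octets, septets):
    """Unpack LSB-first 7-bit packed data into text (simplified alphabet mapping)."""
    bits = nbits = 0
    out = []
    for b in octets:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            c = bits & 0x7F
            out.append(GSM7_DIFF.get(c, chr(c) if 0x20 <= c < 0x7F else "?"))
            bits >>= 7
            nbits -= 7
    return "".join(out)


def parse_sms_deliver(pdu):
    """Return the header fields of an SMS-DELIVER PDU given as a hex string."""
    pdu = pdu.upper()
    p = 0
    smsc_len = int(pdu[p:p + 2], 16); p += 2          # octets that follow, TOA included
    smsc = None
    if smsc_len:
        smsc = ("+" if pdu[p:p + 2] == "91" else "") + swap_nibbles(pdu[p + 2:p + 2 * smsc_len])
        p += 2 * smsc_len
    first = int(pdu[p:p + 2], 16); p += 2
    if first & 0x03 != 0:                               # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len = int(pdu[p:p + 2], 16); p += 2             # TP-OA length in semi-octets
    toa = int(pdu[p:p + 2], 16); p += 2                # type-of-address octet (e.g. 0x91)
    ton, npi = (toa >> 4) & 0x07, toa & 0x0F
    n_octets = (oa_len + 1) // 2
    raw_oa = pdu[p:p + 2 * n_octets]; p += 2 * n_octets
    if ton == 5:                                       # alphanumeric sender: 7-bit packed
        oa = gsm7_unpack(bytes.fromhex(raw_oa), n_octets * 8 // 7)
    else:                                              # numeric sender: swapped BCD digits
        oa = ("+" if ton == 1 else "") + swap_nibbles(raw_oa)
    pid = int(pdu[p:p + 2], 16); p += 2
    dcs = int(pdu[p:p + 2], 16); p += 2
    ts = pdu[p:p + 14]; p += 14                         # TP-SCTS, 7 swapped BCD octets
    yy, mo, dd, hh, mi, ss = (swap_nibbles(ts[i:i + 2]) for i in range(0, 12, 2))
    tz_byte = int(ts[12:14], 16)                       # bit 3 of first semi-octet = sign
    quarters = int(swap_nibbles("%02X" % (tz_byte & 0xF7)))
    sign = "-" if tz_byte & 0x08 else "+"
    scts = (f"20{yy}-{mo}-{dd} {hh}:{mi}:{ss} "          # assumption: year 20xx
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")
    udl = int(pdu[p:p + 2], 16); p += 2
    text = gsm7_unpack(bytes.fromhex(pdu[p:]), udl) if dcs == 0 else None
    return {"smsc": smsc, "oa_type": f"{toa:02X}", "ton": TON[ton],
            "npi": NPI.get(npi, "Reserved"), "oa": oa, "raw_oa": raw_oa,
            "pid": pid, "dcs": dcs, "scts": scts, "text": text}


def validity_period_minutes(tp_vp):
    """Relative TP-VP octet (GSM 03.40, 9.2.3.12.1) -> validity period in minutes."""
    if not 0 <= tp_vp <= 255:
        raise ValueError("TP-VP is a single octet")
    if tp_vp <= 143:
        return (tp_vp + 1) * 5                          # 5 min .. 12 h in 5 min steps
    if tp_vp <= 167:
        return 12 * 60 + (tp_vp - 143) * 30             # 12.5 h .. 24 h in 30 min steps
    if tp_vp <= 196:
        return (tp_vp - 166) * 24 * 60                  # 2 .. 30 days
    return (tp_vp - 192) * 7 * 24 * 60                  # 5 .. 63 weeks


# Constructed sample PDUs: SMSC +447802000332, text "Hello", 17 Sep 2012 10:30 +01:00
PDU_E164 = "0791448720003023040C9144970812214300002190710103004005C8329BFD06"
PDU_ALPHA = "0791448720003023040ED049A7F1492D62A900002190710103004005C8329BFD06"

if __name__ == "__main__":
    for pdu in (PDU_E164, PDU_ALPHA):
        h = parse_sms_deliver(pdu)
        print(f"Originating Address type: {h['oa_type']}")
        print(f"Type of number: {h['ton']}")
        print(f"Numbering plan identifier: {h['npi']}")
        print(f"Originating Address: {h['oa']}  (raw {h['raw_oa']})")
        print(f"Service centre time stamp: {h['scts']}   text: {h['text']}\n")
    print("TP-VP 0xA7 =", validity_period_minutes(0xA7) / 60, "hours")
```

The first PDU yields the international E.164 layout quoted in the post (type 91, +447980211234); the second carries an alphanumeric originator, which an examiner would otherwise see only as the hex string 49A7F1492D62A9. The TP-SCTS is the service centre's time, not the handset's, which is what matters when reconciling a text against the 'C now' timeline: a message whose SCTS precedes the recorded recovery time but which was delivered within its validity period afterwards is exactly the late-arrival case discussed above.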
There can be other aspects of post-crime related mobile evidence activity on a victim's mobile phone, such as voicemail. Moreover, cell site analysis can have a role here too for a switched ON mobile phone and post-crime generated evidence.

Determining possible evidence and events on a mobile phone or mobile account, for that matter, which may occur post-crime might be highly beneficial in death, kidnap or missing person cases.
