Mobile Telephone & Communication Evidence


Tracking mobile phones to identify their position and movement is known as 'Cell Site Analysis'. It allows an investigator to establish the geographical location of a handset when calls, SMS messages or downloads were sent/received. This evidence can be used to tie a suspect to the scene of a crime and may be presented in court by an Expert Witness.


Transcript

  • 1. Communication Evidence AFENTIS FORENSICS Computer & Communication Analysts www.afentis.com - A Powerful Weapon -
  • 2. Communication Evidence Ross Patel BSc(Hons),MCSE,CISSP,MCP CCNA,CISA,CHFI,CISM,ACFE,ISEB [email_address] - A Powerful Weapon -
  • 3. Briefing Structure R v STEELE Primer Q & A Defence Evidence Communication Evidence Sources of Digital Evidence Defence Perspectives & Challenging Evidence Discussion of future trends Golden Copy & Mappings Cell Site analysis and the evolution
  • 4. Rettendon Murders
    • December 1995
      • Murder of three persons
      • Farmyard lane in Essex
    • Phone Records
      • Activity pre-murder
    • Cell Site Analysis
      • BT engineer provides assistance
      • Considers masts used by phones
    • Trial Proceedings
      • Maps and schedules evidenced
      • ‘State of the art’ investigation
  • 5.  
  • 6.  
  • 7. Relevant Legislation
    • Computer Misuse Act 1990
    • Telecommunication Act 1984
    • Data Protection Act 1988
    • Regulation of Inv. Powers Act 2000
    • Anti-Terror, Crime & Security Act 2001
    • EU Data Retention Directive 2006
      • [Article 6] Member States to ensure that communications providers retain, for a period of no less than 6 months and no more than 2 years, all relevant data.
  • 8. Data Retention
    • Home Office agreement
      • Voluntary arrangement
      • Approx 12 months archived data
    • EU Data Retention Legislation
      • Home Office Final Phase Consultation
      • Based on ‘O2 UK’ processes
      • 12 month minimum archival
    • Anti-Terror, Crime Security Act XXXX
      • Purpose of retention arguments
    • Regulation Inv’ Powers Act 2000
      • Forcible disclosure keys (Part III)
  • 9.
    • Subscriber Identity Module
      • Account detail tied to phone number
      • Approx 128kb memory
    • Stored Data
      • Unique serial number (IMSI)
      • Last dialled entries
      • Calls last received
      • SMS (text) content
      • Preferences & settings
    • Security Features
      • PIN code to lock access
      • Over-ride using PUK
    SIM Card
  • 10.
    • Mobile Handset
      • Default storage location for data
      • Approx 128mb memory
      • Volatile memory!
    • Stored Data
      • Unique serial number (IMEI)
      • Last dialled entries
      • Calls last received
      • SMS (text) & Multimedia content (e.g. photo)
      • Alarms, Tasks & Calendar entries
      • Preferences & settings
    • Security Features
      • PIN code to lock access
      • Bypass using direct memory access
    Telephone Handset
  • 11.
    • Billing Records
      • As per monthly statements
      • Contact form, recipient, duration, cost
    • Call Data Records (CDRs)
      • Date, Time, Type (voice/data)
      • Duration (mins)
      • A number (originator)
      • B number (recipient)
    • Extended CDRs
      • Cell references (ID or Hex)
      • SMS Mobile Switching Centre (MSCs)
      • Network specific data
    Network Records
  • 12.
    • Volume of exhibits
      • Thousands of pages (billing records)
      • Production of indexed DVD
    • Empirical Data
      • Overall contact levels
      • % of contact vs co-conspirators
      • Text / Voice / Data volumes
    • Mapping of contact
      • Spider diagrams
      • Time delimited charts
      • Time / Event overlays
    Data Mining
  • 13. Attribution
  • 14.
    • Geographic positioning of ‘sessions’
      • Location of cell handling communication session
      • Appreciation of coverage and range
    • Live Assessment
      • ‘Active trace’ during real-time investigation
    • Post-mortem Assessment
      • Historical records and archived network data
    • Value in criminal investigations
      • Ties individual to location at specific time
      • Relative to scene of crime?
    Cell Site Analysis
  • 15. Circular Assessment Cell Site Analysis
    • Peer Review of prosecution submissions, statements and technical evidence
    • Field Assessment of key locations, specific cell sites, and regions relating to scene of crime
    • Historical Analysis using archived telecommunication records and related signal/network data
  • 16.
    • No action by law enforcement should change data held upon a computer or storage media;
    • Forensic evaluations must be performed by someone competent to undertake such assessments;
    • An audit trail and record of performed actions must be made;
    • The person in charge of the investigation has ultimate responsibility for ensuring the law and these principles are adhered to;
    ACPO Guide Principles
  • 17. Roles & Concepts: ACPO v3 & Home Office CoP
    • DESIGNATED PERSON: investigator or agent seeking access to privileged data or communication records
    • GOLDEN COPY: permanently preserved data in tamper resistant form (R v SAYER, 2001)
    • SINGLE POINT OF CONTACT: identification of relevant material, application proportionality, case support
  • 18.
    • Extended CDRs
      • Date, Time, Type (voice/data)
      • Duration (mins)
      • Tariff & Contract Rate
      • A & B numbers (orig vs. recipient)
      • Cell references (ID or Hex)
      • SMS Mobile Switching Centre (MSCs)
      • Network specific data
    • R v SAYER [2001]
      • Permanently preserved / tamper resistant
      • Underpin attribution, schedules, and cell site
      • Absence = no independent agreement
    Golden Copy Records
  • 19. Cell Site Sectors
  • 20. Start vs End Cells
  • 21. R v GUNN – Cell Sites
  • 22. Position Attribution
  • 23. Radio Spectrum
    • Signal strengths dBm - ‘O2 UK’, ‘Orange’, ‘Vodafone’, & ‘T-Mobile’
    • Note: RED / BLUE cells not available for public use
    • GREEN cells provide service for GSM voice & data (SMS)
  • 24. Non-Dominance
  • 25. Cell Foot-printing
  • 26. Cell Foot-printing
  • 27. Cell Foot-printing
  • 28. Key Considerations GSM Spec’ Repeaters Layers Exchanges Coverage / Topology
    • Operational coverage vs expected range. Natural & man-made obstacles
    • Handover / termination of communication services
    • Tiers of coverage – picocells and upper/lower layering
    • Moving beyond ‘line of sight’ and standard propagation range
    • Interpretation of standards and protocols for operation
  • 29. Handovers & Termination
    • GSM Standard 04.08
      • Cause 0 – Normal event
      • Cause 1 – Abnormal release
      • Cause 5 – Released for priority
      • Cause 8 – Handover impossible
    • GSM Standard 04.08 Annex G
      • Cause 4 – IMSI unknown
      • Cause 13 – Roaming not allowed
      • Cause 17 – Network failure
      • Cause 22 – Congestion limited
  • 30. Cell Layering
  • 31. Repeaters & Propagation
    • Enhancing Coverage
      • Relay or bounce signal coverage
      • Low cost technical solution
      • Based on feasibility & service economics
    • Beyond ‘line of sight’
      • Force signal beyond standard range
      • Overcome topology black-spots
      • Coverage skew and focus
    • Indoor / underground coverage
      • Fibre optic cabling
      • Shopping precincts and tunnels
      • Misinterpret cell location and range
  • 32. Future Trends
    • Counter: Counter-forensic techniques and greater criminal appreciation of capability
    • Active: Real-time tracing of signals/suspects
    • Convergence: Mobile & static computing/communication devices
    • Magic Bullet: Managing expectations
    • Civil: CSA techniques in civil proceedings
  • 33. Thank You ! AFENTIS FORENSICS Computer & Communication Analysts www.afentis.com
  • 34. Find out more… afentis AFENTIS FORENSICS Digital Evidence Experts, specialists in complex fraud and high technology crime WWW Guides exclusively for Advocates Additional forensic reports and reference materials are available online at: www.afentis.com/legal eMail Register today for early notification on future CPD briefings and seminars: [email_address]
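
The empirical measures listed on slide 12 (overall contact levels, percentage of contact with co-conspirators, text/voice/data volumes, time-delimited counts), computed over the CDR fields named on slides 11 and 18. This is an added example, not part of the original presentation; the CSV layout, column names, phone numbers and records are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed records for illustration only; the numbers sit in Ofcom's reserved drama range.
# Column names are assumptions modelled on the CDR fields listed on the slides.
SAMPLE_CDRS = """\
date,time,type,duration_mins,a_number,b_number,cell_ref
2005-01-10,17:02,voice,3,07700900001,07700900002,1A2F
2005-01-10,17:40,sms,0,07700900002,07700900001,1A2F
2005-01-10,18:05,voice,1,07700900001,07700900003,1A30
2005-01-10,18:06,voice,7,07700900001,07700900002,1A30
2005-01-10,21:15,data,12,07700900001,,0B11
2005-01-11,09:30,voice,2,07700900004,07700900001,0B11
2005-01-11,09:31,sms,0,07700900009,07700900008,0C00
"""

def parse_cdrs(text):
    """Read CDR rows; duration becomes an int and the hex cell reference is upper-cased."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["duration_mins"] = int(row["duration_mins"])
        row["cell_ref"] = row["cell_ref"].upper()
        rows.append(row)
    return rows

def contact_summary(rows, subject, associates):
    """Summarise one subject number: contact levels, share with associates, volumes."""
    per_party, per_type, per_hour = Counter(), Counter(), Counter()
    for r in rows:
        if subject not in (r["a_number"], r["b_number"]):
            continue  # session does not involve the subject number
        per_type[r["type"]] += 1
        per_hour[(r["date"], r["time"][:2])] += 1  # hourly buckets for a time chart
        other = r["b_number"] if r["a_number"] == subject else r["a_number"]
        if other:  # data sessions carry no B number
            per_party[other] += 1
    person_contacts = sum(per_party.values())
    with_associates = sum(n for num, n in per_party.items() if num in associates)
    pct = round(100 * with_associates / person_contacts, 1) if person_contacts else 0.0
    return {"sessions": sum(per_type.values()), "per_party": dict(per_party),
            "pct_with_associates": pct, "per_type": dict(per_type),
            "per_hour": dict(per_hour)}

if __name__ == "__main__":
    summary = contact_summary(parse_cdrs(SAMPLE_CDRS), "07700900001", {"07700900002"})
    for key, value in summary.items():
        print(key, value)
```

The per-party counts feed a spider diagram and the hourly buckets feed a time-delimited chart; the percentage is taken over person-to-person contacts only, so data sessions do not dilute it.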