
Mobile Telephone & Communication Evidence



Tracking mobile phones to identify their position and movement is known as 'Cell Site Analysis'. It allows an investigator to establish the geographical location of a handset when calls, SMS messages or downloads were sent/received. This evidence can be used to tie a suspect to the scene of a crime and may be presented in court by an Expert Witness.

Published in: Technology

Mobile Telephone & Communication Evidence

  1. 1. Communication Evidence AFENTIS FORENSICS Computer & Communication Analysts - A Powerful Weapon -
  2. 2. Communication Evidence Ross Patel BSc(Hons),MCSE,CISSP,MCP CCNA,CISA,CHFI,CISM,ACFE,ISEB [email_address] - A Powerful Weapon -
  3. 3. Briefing Structure R v STEELE Primer Q & A Defence Evidence Communication Evidence Sources of Digital Evidence Defence Perspectives & Challenging Evidence Discussion of future trends Golden Copy & Mappings Cell Site analysis and the evolution
  4. 4. Rettendon Murders
       • December 1995
           • Murder of three persons
           • Farmyard lane in Essex
       • Phone Records
           • Activity pre-murder
       • Cell Site Analysis
           • BT engineer provides assistance
           • Considers masts used by phones
       • Trial Proceedings
           • Maps and schedules evidenced
           • ‘State of the art’ investigation
  5. 7. Relevant Legislation
       • Computer Misuse Act 1990
       • Telecommunication Act 1984
       • Data Protection Act 1988
       • Regulation of Inv. Powers Act 2000
       • Anti-Terror, Crime & Security Act 2001
       • EU Data Retention Directive 2006
           • [Article 6] Member States to ensure that communications providers retain, for a period of no less than 6 months and no more than 2 years, all relevant data.
  6. 8. Data Retention
       • Home Office agreement
           • Voluntary arrangement
           • Approx 12 months archived data
       • EU Data Retention Legislation
           • Home Office Final Phase Consultation
           • Based on ‘02 UK’ processes
           • 12 month minimum archival
       • Anti-Terror, Crime Security Act XXXX
           • Purpose of retention arguments
       • Regulation Inv’ Powers Act 2000
           • Forcible disclosure keys (Part III)
  7. 9. SIM Card
       • Subscriber Identity Module
           • Account detail tied to phone number
           • Approx 128kb memory
       • Stored Data
           • Unique serial number (IMSI)
           • Last dialled entries
           • Calls last received
           • SMS (text) content
           • Preferences & settings
       • Security Features
           • PIN code to lock access
           • Over-ride using PUK
  8. 10. Telephone Handset
       • Mobile Handset
           • Default storage location for data
           • Approx 128mb memory
           • Volatile memory!
       • Stored Data
           • Unique serial number (IMEI)
           • Last dialled entries
           • Calls last received
           • SMS (text) & Multimedia content (e.g. photo)
           • Alarms, Tasks & Calendar entries
           • Preferences & settings
       • Security Features
           • PIN code to lock access
           • Bypass using direct memory access
  9. 11. Network Records
       • Billing Records
           • As per monthly statements
           • Contact form, recipient, duration, cost
       • Call Data Records (CDRs)
           • Date, Time, Type (voice/data)
           • Duration (mins)
           • A number (originator)
           • B number (recipient)
       • Extended CDRs
           • Cell references (ID or Hex)
           • SMS Mobile Switching Centre (MSCs)
           • Network specific data
  10. 12. Data Mining
       • Volume of exhibits
           • Thousands of pages (billing records)
           • Production of indexed DVD
       • Empirical Data
           • Overall contact levels
           • % of contact vs co-conspirators
           • Text / Voice / Data volumes
       • Mapping of contact
           • Spider diagrams
           • Time delimited charts
           • Time / Event overlays
  11. 13. Attribution
  12. 14. Cell Site Analysis
       • Geographic positioning of ‘sessions’
           • Location of cell handling communication session
           • Appreciation of coverage and range
       • Live Assessment
           • ‘Active trace’ during real-time investigation
       • Post-mortem Assessment
           • Historical records and archived network data
       • Value in criminal investigations
           • Ties individual to location at specific time
           • Relative to scene of crime?
  13. 15. Cell Site Analysis: Circular Assessment
       • Peer Review of prosecution submissions, statements and technical evidence
       • Field Assessment of key locations, specific cell sites, and regions relating to scene of crime
       • Historical Analysis using archived telecommunication records and related signal/network data
  14. 16. ACPO Guide Principles
       • No action by law enforcement should change data held upon a computer or storage media;
       • Forensic evaluations must be performed by someone competent to undertake such assessments;
       • An audit trail and record of performed actions must be made;
       • The person in charge of the investigation has ultimate responsibility for ensuring the law and these principles are adhered to;
  15. 17. Roles & Concepts (ACPO v3 & Home Office CoP)
       • DESIGNATED PERSON: investigator or agent seeking access to privileged data or communication records
       • GOLDEN COPY: permanently preserved data in tamper resistant form (R v SAYER, 2001)
       • SINGLE POINT OF CONTACT: identification of relevant material, application proportionality, case support
  16. 18. Golden Copy Records
       • Extended CDRs
           • Date, Time, Type (voice/data)
           • Duration (mins)
           • Tariff & Contract Rate
           • A & B numbers (orig vs. recipient)
           • Cell references (ID or Hex)
           • SMS Mobile Switching Centre (MSCs)
           • Network specific data
       • R v SAYER [2001]
           • Permanently preserved / tamper resistant
           • Underpin attribution, schedules, and cell site
           • Absence = no independent agreement
  17. 19. Cell Site Sectors
  18. 20. Start vs End Cells
  19. 21. R v GUNN – Cell Sites
  20. 22. Position Attribution
  21. 23. Radio Spectrum
       • Signal strengths dBm - ‘02 UK’, ‘Orange’, ‘Vodafone’, & ‘T-Mobile’
       • Note: RED / BLUE cells not available for public use
       • GREEN cells provide service for GSM voice & data (SMS)
  22. 24. Non-Dominance
  23. 25. Cell Foot-printing
  24. 26. Cell Foot-printing
  25. 27. Cell Foot-printing
  26. 28. Key Considerations
       • Topics: GSM Spec’, Repeaters, Layers, Exchanges, Coverage / Topology
       • Operational coverage vs expected range. Natural & man-made obstacles
       • Handover / termination of communication services
       • Tiers of coverage – picocells and upper/lower layering
       • Moving beyond ‘line of sight’ and standard propagation range
       • Interpretation of standards and protocols for operation
  27. 29. Handovers & Termination
       • GSM Standard 04.08
           • Cause 0 – Normal event
           • Cause 1 – Abnormal release
           • Cause 5 – Released for priority
           • Cause 8 – Handover impossible
       • GSM Standard 04.08 Annex G
           • Cause 4 – IMSI unknown
           • Cause 13 – Roaming not allowed
           • Cause 17 – Network failure
           • Cause 22 – Congestion limited
  28. 30. Cell Layering
  29. 31. Repeaters & Propagation
       • Enhancing Coverage
           • Relay or bounce signal coverage
           • Low cost technical solution
           • Based on feasibility & service economics
       • Beyond ‘line of sight’
           • Force signal beyond standard range
           • Overcome topology black-spots
           • Coverage skew and focus
       • Indoor / underground coverage
           • Fibre optic cabling
           • Shopping precincts and tunnels
           • Misinterpret cell location and range
  30. 32. Future Trends
       • Topics: Active, Convergence, Counter, Magic Bullet, Civil
       • Counter-forensic techniques and greater criminal appreciation of capability
       • Real-time tracing of signals/suspects
       • Mobile & static computing/communication devices
       • Managing expectations
       • CSA techniques in civil proceedings
  31. 33. Thank You ! AFENTIS FORENSICS Computer & Communication Analysts
  32. 34. Find out more… afentis AFENTIS FORENSICS Digital Evidence Experts, specialists in complex fraud and high technology crime WWW Guides exclusively for Advocates Additional forensic reports and reference materials are available online at: eMail Register today for early notification on future CPD briefings and seminars: [email_address]
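
An added example, not part of the original slides: computing the Data Mining slide's contact levels, share of contact with named associates and text/voice/data volumes from extended CDRs carrying the fields listed on the Network Records slide, and flagging sessions whose start and end cells differ. The CSV layout, column names, phone numbers and cell references are constructed assumptions; real operator extracts vary, and the extract is assumed to be the subject's own records.

```python
import csv
import io
from collections import Counter

# Constructed sample extended CDRs for one subject's handset (not real data).
# Column names and layout are assumptions; real operator extracts differ.
SAMPLE_CDRS = """date,time,type,duration_mins,a_number,b_number,start_cell,end_cell
2006-03-01,17:02,voice,3,07700900001,07700900002,0x1A2B,0x1A2B
2006-03-01,17:40,sms,0,07700900001,07700900003,0x1A2B,0x1A2B
2006-03-01,18:15,voice,6,07700900002,07700900001,0x2C3D,0x2C40
2006-03-01,18:59,voice,1,07700900001,07700900009,0x2C40,0x2C40
2006-03-01,19:20,data,2,07700900001,07700900002,0x2C40,0x3E51
"""


def load_cdrs(text):
    """Parse CSV text into one dict per communication session."""
    return list(csv.DictReader(io.StringIO(text)))


def contact_profile(cdrs, subject, associates):
    """Contact levels, per-type volumes and share of contact with associates."""
    sessions = [r for r in cdrs if subject in (r["a_number"], r["b_number"])]
    by_type = Counter(r["type"] for r in sessions)
    # The other party is the B number on outgoing sessions, the A number on incoming.
    by_party = Counter(
        r["b_number"] if r["a_number"] == subject else r["a_number"]
        for r in sessions
    )
    with_assoc = sum(n for party, n in by_party.items() if party in associates)
    pct = round(100.0 * with_assoc / len(sessions), 1) if sessions else 0.0
    return {"total": len(sessions), "by_type": dict(by_type),
            "by_party": dict(by_party), "pct_associates": pct}


def cell_changes(cdrs, subject):
    """Sessions whose start and end cell differ. A change of serving cell is a
    lead for field assessment, not proof of movement on its own."""
    return [(r["date"], r["time"], r["start_cell"], r["end_cell"])
            for r in cdrs
            if subject in (r["a_number"], r["b_number"])
            and r["start_cell"] != r["end_cell"]]


if __name__ == "__main__":
    rows = load_cdrs(SAMPLE_CDRS)
    print(contact_profile(rows, "07700900001", {"07700900002", "07700900003"}))
    print(cell_changes(rows, "07700900001"))
```

Any figures derived this way should be reproducible from the golden copy records, so that both sides can agree the schedules independently.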