Friday, January 28, 2011
"Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?"
"Mobile devices have become an essential component of our daily lives. These devices keep us connected and act as so much more than the cell phones and portable music players of the 1990s. It is common today for a smartphone to act as a mobile office, social tool, and an entertainment center all rolled into one. Many households have one or two computers shared by the inhabitants, but almost everyone over 16 has a cell phone and, since the device is tied more closely to the user, the data is also..."
Tuesday, January 25, 2011
Additions are encouraged and may either be sent through the feedback form or added to this forum topic. Thank you to those who helped compile the current list.
Wednesday, January 19, 2011
Examining Mobile Equipment – Ensuring Accuracy
In general, all modern mobile telephones contain call information and SMS message storage which may be used as evidence. There may also be a wealth of other evidence available including browser history, sat nav usage etc. However, for the purposes of this article I am interested in discussing the accuracy and evaluation of telephone connection behaviour and hence I shall concentrate only on these two important sources of evidence.
There are various types of examinations conducted on mobile telephones to extract the call information and SMS messages (collectively I shall refer to these as connection information). The examination of a SIM card is a fairly ‘trivial’ process with a well-defined extraction procedure. However, handset examinations may be much trickier. For standard handset examinations (those that generally only extract the information live on the handset) there is no one product that can extract all of the connection information available for all handsets. Hence, when examining handsets, it is important as a first step to ensure the accuracy of the evidence you are presenting.
When presenting your evidence, it may be worthwhile considering the measures you implement to establish both the accuracy and the meaning of the information you present, so that:
1. The extracted information is accurate and correctly attributed. For example, that a reported SMS message has the correct content and is appropriately stated as a sent, draft or a received SMS message.
2. The information is complete and where it is not, the omissions are known (and clearly declared in the report) or manually obtained.
3. The information is unambiguously reported.
These may sound like obvious points; however, in my experience, failures are sometimes found in all three areas, which then lead to issues when the evidence is used to ascertain the connection behaviour of a telephone. As a mobile telephone examiner, it is important to establish appropriate procedures and to report the limitations of the data you are presenting; otherwise, at a later stage, they may be open to misinterpretation. Omissions are particularly important, since information such as duration of calls and times of calls may become crucial to resolving what occurred, so it is important to make your reader aware of what information may be present but remains unextracted...
Read more at http://www.forensicfocus.com/sam-raincock
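One way to apply the three checks listed above to a tool's output before reporting it, as an added example that is not from the original article. The record layout, the status values, the rule that a timestamp needs a UTC offset, and the sample data are all assumptions made for illustration.

```python
from datetime import datetime

# Field names and status values are assumptions for this example,
# not the schema of any particular extraction tool.
REQUIRED = {
    "sms": ("number", "timestamp", "status", "content"),
    "call": ("number", "timestamp", "status", "duration"),
}
VALID_STATUS = {
    "sms": {"sent", "draft", "received"},
    "call": {"dialled", "received", "missed"},
}

def audit(extracted, manual, declared_omissions):
    """Return (record id, check, detail) findings; manual = values read off the handset."""
    findings = []
    for rid, rec in sorted(extracted.items()):
        kind = rec["kind"]
        # Point 1: attribution is valid and agrees with the manual reading.
        if rec.get("status") not in VALID_STATUS[kind]:
            findings.append((rid, "attribution", f"status={rec.get('status')!r}"))
        for field, seen in manual.get(rid, {}).items():
            if rec.get(field) not in (None, seen):
                findings.append((rid, "accuracy", f"{field} differs from handset"))
        # Point 2: every missing field is either declared in the report or flagged.
        for field in REQUIRED[kind]:
            if rec.get(field) is None and (kind, field) not in declared_omissions:
                findings.append((rid, "undeclared omission", field))
        # Point 3: a timestamp without a UTC offset is ambiguous (assumed rule).
        ts = rec.get("timestamp")
        if ts and datetime.fromisoformat(ts).tzinfo is None:
            findings.append((rid, "ambiguous", "timestamp has no UTC offset"))
    # Records seen on the handset but absent from the tool output.
    for rid in sorted(set(manual) - set(extracted)):
        findings.append((rid, "undeclared omission", "record not extracted"))
    return findings

# Constructed sample data (numbers and contents are invented).
EXTRACTED = {
    "sms-1": {"kind": "sms", "number": "+447700900001", "timestamp": "2011-01-19T10:15:00+00:00", "status": "sent", "content": "On my way"},
    "sms-2": {"kind": "sms", "number": "+447700900002", "timestamp": "2011-01-19T10:20:00", "status": "inbox", "content": "Call me"},
    "call-1": {"kind": "call", "number": "+447700900001", "timestamp": "2011-01-19T11:00:00+00:00", "status": "dialled", "duration": None},
}
MANUAL = {"sms-1": {"status": "draft"}, "call-2": {"status": "missed"}}

if __name__ == "__main__":
    for finding in audit(EXTRACTED, MANUAL, declared_omissions=set()):
        print(finding)
```

Passing `{("call", "duration")}` as `declared_omissions` models a report that already states call durations were not extracted, so that gap is no longer flagged.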