Friday, January 28, 2011

Interview with Ben Findlay, North Yorkshire Police Hi Tech Crime Unit

"Many people are familiar with the concept and importance of validating and verifying (V&V) results (and the difference between the two), but it would be fantastic if this could be engineered into the software (perhaps through some form of fundamentals or 'first-principles' methodology). I doubt whether V&V can ever be made truly redundant by formal specifications, but the process could certainly be made far easier..."

More here

"I'm here! Now what?"

by Ken Pryor

"Working for a small police department in a rural area, my opportunities to do digital forensic work on real cases are much fewer and farther between than those who work in large departments or in the private sector. Once I had completed computer forensics training and acquired the necessary software, I was ready to go. Now what? There was no existing forensics unit in my department, so there was no caseload to jump into and no one there to work with. How to stay current and confident with my knowledge and skills, as well as my chosen tools?"

More here

Challenges of Smart Phone Forensics

by Rob Adams

"Mobile devices have become an essential component of our daily lives. These devices keep us connected and act as so much more than the cell phones and portable music players of the 1990's. It is common today for a smartphone to act as a mobile office, social tool, and an entertainment center all rolled into one. Many households have one or two computers shared by the inhabitants, but almost everyone over 16 has a cell phone and, since the device is tied more closely to the user, the data is also..."

More here

Tuesday, January 25, 2011

Test Images and Forensic Challenges

A list of sample images and forensic challenges is now available at:

Additions are encouraged and may either be sent through the feedback form or added to this forum topic. Thank you to those who helped compile the current list.

Wednesday, January 19, 2011

Evaluating Mobile Telephone Connection Behaviour - Part 1

by Sam Raincock

Examining Mobile Equipment – Ensuring Accuracy

In general, all modern mobile telephones contain call information and SMS message storage which may be used as evidence. There may also be a wealth of other evidence available including browser history, sat nav usage etc. However, for the purposes of this article I am interested in discussing the accuracy and evaluation of telephone connection behaviour and hence I shall concentrate only on these two important sources of evidence.

There are various types of examinations conducted on mobile telephones to extract the call information and SMS messages (collectively I shall refer to these as connection information). The examination of a SIM card is a fairly ‘trivial’ process with a well-defined extraction procedure. However, handset examinations may be much trickier. For standard handset examinations (those that generally only extract the information live on the handset) there is no one product that can extract all of the connection information available for all handsets. Hence, when examining handsets, it is important as a first step to ensure the accuracy of the evidence you are presenting.

When presenting your evidence, it may be worthwhile considering the measures you implement to establish both the accuracy and the meaning of the information you present, so as to ascertain that:

1. The extracted information is accurate and correctly attributed. For example, that a reported SMS message has the correct content and is appropriately stated as a sent, draft or a received SMS message.

2. The information is complete and where it is not, the omissions are known (and clearly declared in the report) or manually obtained.

3. The information is unambiguously reported.

These may sound like obvious points; however, in my experience failures are sometimes found in all three areas, which then lead to issues when the evidence is used to ascertain the connection behaviour of a telephone. As a mobile telephone examiner, it is important to establish appropriate procedures and to report the limitations of the data you are presenting; otherwise, at a later stage they may be open to misinterpretation. Omissions are particularly important, since information such as the duration and times of calls may become crucial to resolving what occurred, so it is important to make your reader aware of what information may be present but remains unextracted...
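As an added example (not part of Sam Raincock's article), the following Python cross-check applies the three criteria above to two tool extractions of the same handset SMS store and produces the limitation statements a report would carry; the record layout, the tool names and the sample records are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SmsRecord:
    number: str               # counterpart number as the tool reports it
    folder: str               # "sent", "draft" or "inbox" as the tool attributes it
    text: str
    timestamp: Optional[str]  # ISO 8601 string, or None if the tool did not extract it

def _unambiguous(ts: Optional[str]) -> bool:
    """A time is only unambiguous if present and carrying an explicit UTC offset."""
    return ts is not None and re.fullmatch(r".*(Z|[+-]\d{2}:\d{2})", ts) is not None

def cross_check(primary: dict, secondary: dict) -> dict:
    """Compare two extractions keyed by record id. Findings map to the article's
    criteria: content/attribution (1), omissions (2), ambiguous timestamps (3)."""
    f = {"content": [], "attribution": [], "omissions": [], "ambiguous": []}
    for rid in sorted(set(primary) | set(secondary)):
        present = [r for r in (primary.get(rid), secondary.get(rid)) if r is not None]
        if len(present) < 2:
            f["omissions"].append(rid)       # declare it, never silently drop it
        elif present[0].text != present[1].text:
            f["content"].append(rid)
        elif present[0].folder != present[1].folder:
            f["attribution"].append(rid)     # e.g. one tool says sent, the other draft
        if any(not _unambiguous(r.timestamp) for r in present):
            f["ambiguous"].append(rid)
    return f

def limitations(findings: dict) -> list:
    """One sentence per finding for the report's limitations section."""
    labels = {"content": "message content differs between tools",
              "attribution": "sent/draft/received attribution differs between tools",
              "omissions": "extracted by one tool only; treated as unverified",
              "ambiguous": "time missing or lacking a UTC offset; handset clock not relied upon"}
    return [f"{rid}: {labels[k]}" for k, rids in findings.items() for rid in rids]

# Constructed sample: the same handset store as reported by two hypothetical tools.
TOOL_A = {
    "sms-1": SmsRecord("+447700900123", "sent", "meet at 9", "2011-01-15T09:02:00+00:00"),
    "sms-2": SmsRecord("+447700900123", "inbox", "ok", "2011-01-15T09:05:00+00:00"),
    "sms-3": SmsRecord("+447700900456", "draft", "call me", None),
}
TOOL_B = {
    "sms-1": SmsRecord("+447700900123", "draft", "meet at 9", "2011-01-15T09:02:00+00:00"),
    "sms-2": SmsRecord("+447700900123", "inbox", "ok", "2011-01-15 09:05:00"),
}
if __name__ == "__main__":
    print("\n".join(limitations(cross_check(TOOL_A, TOOL_B))))
```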