Wednesday, January 19, 2011

Evaluating Mobile Telephone Connection Behaviour - Part 1

by Sam Raincock

Examining Mobile Equipment – Ensuring Accuracy

In general, all modern mobile telephones contain call information and SMS message storage which may be used as evidence. There may also be a wealth of other evidence available including browser history, sat nav usage etc. However, for the purposes of this article I am interested in discussing the accuracy and evaluation of telephone connection behaviour and hence I shall concentrate only on these two important sources of evidence.

There are various types of examinations conducted on mobile telephones to extract the call information and SMS messages (collectively I shall refer to these as connection information). The examination of a SIM card is a fairly ‘trivial’ process with a well-defined extraction procedure. However, handset examinations may be much trickier. For standard handset examinations (those that generally only extract the information live on the handset) there is no one product that can extract all of the connection information available for all handsets. Hence, when examining handsets, it is important as a first step to ensure the accuracy of the evidence you are presenting.

When presenting your evidence, it may be worthwhile considering the measures you implement to establish both the accuracy and the meaning of the information you present, so as to ascertain that:

1. The extracted information is accurate and correctly attributed. For example, that a reported SMS message has the correct content and is appropriately stated as a sent, draft or a received SMS message.

2. The information is complete and where it is not, the omissions are known (and clearly declared in the report) or manually obtained.

3. The information is unambiguously reported.

These may sound like obvious points; however, in my experience failures are sometimes found in all three areas, which then lead to issues when the evidence is used to ascertain the connection behaviour of a telephone. As a mobile telephone examiner, it is important to establish appropriate procedures and to report the limitations of the data you are presenting; otherwise, at a later stage they may be open to misinterpretation. Omissions are particularly important, since information such as the duration and times of calls may become crucial to resolving what occurred, so it is important to make your reader aware of what information may be present but remains unextracted...

Read more at http://www.forensicfocus.com/sam-raincock
