Saturday, March 19, 2016

Emergency Cases - Smartphone Examination


Capturing a target subject's smartphone activities is not as easy as it is thought to be, as we are all finding out with the current Apple and law enforcement debacle. The Apple case, though, is not the norm, as the two opposing sides are fighting about the "right to access". The public is engaged with a story that continues to unfold as to what "privacy" actually means, whether terrorism should enjoy the comfort of privacy, and so on. However, there is also a sub-text here concerning examination procedures for smartphones and methodology in emergency cases. Having been involved with mobile phone evidence in criminal and civil proceedings for over 30 years, I can tell you it isn't easy at all.

Consider the current Apple case (and the articles still keep coming) and the mistakes that are said to have occurred. Tech Insider reported (http://www.techinsider.io/apple-the-fbi-screwed-up-san-bernardino-investigation-2016-2):

"The fact that the password was reset means that Apple was unable to retrieve info from the iPhone's unencrypted iCloud backup like it has for past investigations, according to reporters Apple spoke with. If the password hadn't somehow been reset while in law enforcement custody, the FBI likely wouldn't need Apple to create a tool that lets it brute force hack the iPhone's lock screen passcode and gain access to the device's encrypted contents."

It is the words "password hadn't somehow" that have significance for me, because those words do not take account of the intense situation people are operating under: the speed of investigative operations, the timescales, the prevention of potential further attacks, the pressure to resolve the case, and so on. So the sub-text here is learning from adverse outcomes in emergency cases. Put on hold the demand for back-door access as the golden cure, because in itself it is not. There can be a plethora of elements that will be sifted, considered and discarded where found not to be relevant. Elements that may be relevant still need to be sifted, considered and conceptualised.

From the range of materials I use in my training courses, I use the following, which I originated back in 2006 (and published in 2010).


Primer

(C now) = Point in time and Space (a constant reference point), in the present tense, at which the examiner is contacted for an investigation, and from which the examiner looks back into the past and forward into the future regarding mobile telephone evidence.

(T) = Time is the timeline, limited by how far the examiner can see into the past and the future based upon discovery.

(S) = Space is the space line used as a constant reference point from which all other events occurring in space can be considered, based upon discovery (seizure of the device, chain of custody of an exhibit, etc.).

(F) = Future relates to things that have yet to happen (future events), based upon things that may be discovered from the time the examiner is contacted.

(F d) = F d represents how far into the future the examiner can identify events, as far as possible and thus not set to a specific period of time, beyond which no further discovery is possible.

(PU usage) = Past User usage (in the diagram, the area below the blue line represents past recorded events, and the area below the red dotted line represents events unfolding during and after the investigation).

(PR usage) = Past Record usage (likewise, below the blue line past recorded events, and below the red dotted line events unfolding during and after the investigation).

The proposition in Smith Diag 1 is intended to represent, by means of visualisation, how mobile telephone usage can be investigated. The diagram tests your powers of observation and, more importantly, your depth of knowledge, so do not be fooled by what you believe to be my poor graphics skills. I deliberately made the (PU usage) area larger than the (PR usage) area to suggest that more data may be found in the mobile telephone than may be obtained from the network records. That is because not all activity on a mobile telephone leads to activity in the radio and fixed mobile network. Network records are not limited to billing records, so issues associated with cell site analysis also need to be considered. It does not automatically follow that there will be parity between the data obtained from the mobile telephone and the network records, or vice versa. The diagram below (Smith Diag 2) represents a number of suggested data elements commonly arising during an investigation.


The third diagram (Smith Diag 3) uses the classic representation of Time (T) and Space (S). Use of a Time line may be obvious, but the Space line may not be. The point of using Space is as a determinant for, e.g., the seized exhibit in the examiner's possession. Let's say the examiner receives the mobile telephone exhibit on 30 March 2008 at 3.00pm, and the exhibit was seized on 10 March 2008 at 11.00am. So the examiner has two facts to work with: (a) the exhibit in the laboratory (in time and space) and (b) the exhibit seized at a location, from premises or from a person (in time and space). At the point the examiner has initial Contact (C now) with the exhibit, past events can start to be determined. By way of illustration, let's say that, following examination, the data recovered from the device reveals activity not connected with the Space where the mobile telephone was seized at (b). Space would then be highly relevant, because the examiner would need (i) to demonstrate that as a fact and (ii) to demonstrate the separation in Space between the locations (a) the laboratory and (b) the seizure, and the intervening factor between (a) and (b). This may be supported, for instance, by the last location and frequency details stored on the SIM card, by GPS data if the handset has it, or by one of the smartphone mapping systems if it is set to automatic logging.


Have a go at designing one of these diagrams and show how you would handle the Apple phone (in this case): the seizure and the examination procedure. Just as a heads up, F d is intended to represent a text message in the future that has been sent but not yet delivered to the target's handset. So how would you know that a text message is pending, and who would you have to cooperate with to get that information (and the text content too)?
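To make the C now / T / S / F d model above concrete, here is an added worked example; it is not part of the original post or its training materials, and it is not the output of any forensic tool. It models a hypothetical exhibit with constructed handset records (PU usage) and constructed network records (PR usage), with every telephone number, cell label and timestamp invented. It reconciles the two sources to show where parity fails, flags activity recorded in a Space other than the seizure cell or the laboratory, and picks out a message the network shows as submitted but not yet delivered at C now, which is the F d case from the exercise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One record from the handset (PU usage) or from the network (PR usage)."""
    when: datetime
    source: str                           # "handset" or "network"
    kind: str                             # e.g. "sms_sent", "call_out", "sms_submitted"
    peer: str = ""                        # counterpart number, if the record has one
    space: str = ""                       # cell or location label, if the record has one
    delivered: Optional[datetime] = None  # sms_submitted only: delivery time, None if pending


@dataclass(frozen=True)
class Exhibit:
    """The two fixed points in time and space the examiner starts from."""
    seized_at: datetime       # (b) the seizure
    seized_space: str
    received_at: datetime     # (a) C now: the examiner's first contact with the exhibit
    lab_space: str


# Constructed sample data for a hypothetical exhibit; every number, cell and time is invented.
EXHIBIT = Exhibit(seized_at=datetime(2008, 3, 10, 11, 0), seized_space="cell-101",
                  received_at=datetime(2008, 3, 30, 15, 0), lab_space="lab")

HANDSET = [  # PU usage: what the handset itself recorded
    Event(datetime(2008, 3, 9, 9, 15), "handset", "sms_sent", "07700900123", "cell-101"),
    Event(datetime(2008, 3, 9, 9, 40), "handset", "call_out", "07700900456", "cell-101"),
    Event(datetime(2008, 3, 9, 13, 5), "handset", "note_created"),                     # never reaches the network
    Event(datetime(2008, 3, 10, 8, 30), "handset", "gps_fix", space="location-Z"),     # away from the seizure cell
    Event(datetime(2008, 3, 10, 10, 55), "handset", "sms_draft", "07700900123"),       # unsent, handset only
]

NETWORK = [  # PR usage: what the operator's records show
    Event(datetime(2008, 3, 9, 9, 15, 30), "network", "sms_sent", "07700900123", "cell-101"),
    Event(datetime(2008, 3, 9, 9, 40, 5), "network", "call_out", "07700900456", "cell-101"),
    Event(datetime(2008, 3, 9, 22, 10), "network", "call_in", "07700900999", "cell-101"),  # no handset trace
    Event(datetime(2008, 3, 28, 10, 0), "network", "sms_submitted", "07700900789"),        # F d: not yet delivered
]


def classify_in_time(ev: Event, c_now: datetime) -> str:
    """Place an event on the T line relative to C now."""
    if ev.kind == "sms_submitted" and (ev.delivered is None or ev.delivered > c_now):
        return "future"   # F d: sent to the target but delivery has yet to happen
    return "past" if ev.when <= c_now else "future"


def reconcile(handset: List[Event], network: List[Event],
              tolerance: timedelta = timedelta(minutes=2)) -> Tuple[list, list, list]:
    """Pair handset events with network records of the same kind and peer within a clock tolerance.
    Returns (matched pairs, handset-only events, network-only events): the two 'only' lists are
    where parity between PU usage and PR usage breaks down."""
    matched, handset_only, network_only = [], [], list(network)
    for h in handset:
        hit = next((n for n in network_only
                    if n.kind == h.kind and n.peer == h.peer
                    and abs(n.when - h.when) <= tolerance), None)
        if hit is None:
            handset_only.append(h)
        else:
            matched.append((h, hit))
            network_only.remove(hit)
    return matched, handset_only, network_only


def pending_messages(network: List[Event], c_now: datetime) -> List[Event]:
    """Messages the operator shows as submitted to the target but undelivered at C now."""
    return [n for n in network
            if n.kind == "sms_submitted" and classify_in_time(n, c_now) == "future"]


def space_anomalies(exhibit: Exhibit, events: List[Event]) -> List[Event]:
    """Events whose recorded Space is neither the seizure location nor the laboratory;
    the examiner must account for each of these separately."""
    known = {exhibit.seized_space, exhibit.lab_space}
    return [e for e in events if e.space and e.space not in known]


def timeline(exhibit: Exhibit, handset: List[Event], network: List[Event]) -> list:
    """Merged T line of both sources, each row tagged past/future relative to C now."""
    rows = [(e.when, e.source, e.kind, classify_in_time(e, exhibit.received_at))
            for e in handset + network]
    return sorted(rows)


if __name__ == "__main__":
    matched, handset_only, network_only = reconcile(HANDSET, NETWORK)
    print(f"matched {len(matched)}, handset-only {len(handset_only)}, network-only {len(network_only)}")
    for when, src, kind, era in timeline(EXHIBIT, HANDSET, NETWORK):
        print(f"{when:%Y-%m-%d %H:%M}  {src:8}  {kind:14}  {era}")
    for p in pending_messages(NETWORK, EXHIBIT.received_at):
        print("pending at C now (F d):", p.peer)   # content and status exist only at the operator
    for a in space_anomalies(EXHIBIT, HANDSET + NETWORK):
        print("activity outside seizure/lab Space:", a.when, a.space)
```

The handset-only set is deliberately larger than the network-only set, mirroring the larger (PU usage) area in the diagram; the pending message, by contrast, cannot be seen in the handset at all, which is the point of the exercise: only the operator holds that record and its content, so it has to be requested from them.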

Hope this helps.
