www.elsevier.com/locate/diin
KEYWORDS: Mobile phones; SIM cards; Cellular telephone network; Forensic investigation
1742-2876/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2004.11.007
[Figure: chart with vertical axis "Million messages" (10 to 60) and a horizontal axis of months from 1998 to 2003; the plotted data did not survive extraction.]
Forensic examination
Mobile phones contain a plethora of information
both in the handset and on the accompanying
Subscriber Identity Module (SIM) card contained
within the handset. The quality of this information
heavily depends on the order and process of data
extraction. An understanding of this process will
aid the successful recovery of relevant data.
The process of data recovery can and does have
a major impact on the information stored on the
phone, particularly that found in the handset. If,
for instance, the battery of a Nokia 3310 is
removed, the date/time stamp information is
immediately lost. For this reason not only the
order but also the method of retrieving the information is vital and must be undertaken in
a carefully controlled manner.
There are three classifications of data that can
be obtained from a mobile phone:
Location information.
Billing information including call logs.
Locally stored handset data.
The first two can only be retrieved through the
airtime provider i.e. Vodafone, O2 etc. but the
B. Mellars
Figure 1 (network diagram; only the box labels survive extraction):
Call received by nearest base station.
Base station controller determines power of transmitters and manages handover of calls made from one cell to the next if you are moving.
Public Telephone Network.
Requests user details from home location register. Tells network where phone is.
Holds all information on every user.
Security checks caller ID on SIM. Generates encryption key for the call.
Requests IMEI from phone and bars call if blacklisted.
Figure 2 (diagram label): Narrow beam provides coverage along roads.
Forensic tools
There are a number of systems for downloading
the SIM data in a forensically sound manner. These
may be divided into three distinct classes:
1. Forensic examination.
2. SIM readers.
3. Manufacturers' tools.
Figure 3
Most analysts choose to use an armoury of software depending on the type of handset under
investigation. All of these systems have limitations.
Oxygen Forensic Manager works only with certain models of Nokia phones but is both robust and
reliable for handset data. A major drawback is the
lack of a single report; the data must be extracted
according to type, i.e. the abbreviated dial numbers will export in a number of formats but the call
Figure 4
Figure 5 (flowchart; the box text survives extraction but the YES/NO branch connections do not):
Data types: SMS messages (opened or unopened); address book/call history details; voicemail.
Do you have the written consent of the owner to examine the phone?
Was the phone on or off when it was seized?
Obtain authority to interfere with property (i.e. the phone) under Part III Police Act 1997 BEFORE examination.
Obtain a directed surveillance authority.
Do you have the written consent of the intended recipient(s), or sender(s) of the SMS?
Seek a Directed Surveillance authority in respect of the other party to the SMS under RIPA.
If criteria are met, consider application for an Interception Warrant (RIPA sect 5).
Outcomes: Examination is lawful; Examination is UNLAWFUL; Examination of the stored SMS is unlawful.
and many more. All are designed to allow users to
backup the data on their cards and do not have any
forensic integrity. The Dekart SIM reader is of
interest in that it uses a memory stick.
Case histories
In addition to the traditional text-based information found on mobile phones, there is now the
facility on many units to take and store images using
integral cameras as well as receive images from
other users. The quality of these images is limited
but is still sufficient to permit clear identification in
many instances. It is not uncommon now to find
units capable of storing hundreds of images, particularly in the units with a removable memory card.
In a recent case a suspect was accused of
possessing and dealing in Class A drugs. Subsequent examination of the handset showed the
suspect preparing packages containing white powder with the additional bonus of clearly showing
a clock and calendar in the background.
Mobile phones have been used in a number of
cases involving children groomed on the Internet
who were subsequently assaulted. Call data showing dates and times, text messages and, on occasions, pictures have all led to convictions.
Another example of the use to which law
enforcement agencies put mobile phone data was
a murder committed outside a nightclub in the UK.
The murder followed an incident in the club and
was committed outside by a number of males who
had been summoned for this purpose using a series
of mobile phones. Examination of the seized
handsets showed a clear pattern of communication
between the accused at the time in question and
was accepted as prima facie evidence of a conspiracy.
In another case involving false accounting and
benefit fraud the data retrieved from the mobile
phones were cross-referenced using specialist
software. The results obtained clearly showed that
the basis of the defence case, that the accused
were not known to each other, was false and that
there was a long-standing association amongst all
the defendants. All defendants were found guilty
and sentenced accordingly.
Process of examination
In addition to the many pitfalls that can await the
mobile phone analyst, there is the onus of ensuring that
all examinations are conducted within the law.
Under UK law seizure of units must fulfil the
criteria laid down under PACE (http://tash.gn.apc.org/pace_act.pdf), there must be appropriate
authorities to examine under the Police Act 1997
(http://www.hmso.gov.uk/acts/acts1997/1997050.htm) and the implications of RIPA 2000
(http://www.hmso.gov.uk/acts/acts2000/20000023.htm) and the Telecommunications Act 1996
(http://www.communicationsbill.gov.uk/legislation/Telecommunications_Act_1984.doc), 2000
(http://www.hmso.gov.uk/acts/acts2000/20000007.htm) have to be fully understood to be
certain that during the examination there is no
breach of current legislation.
The National Specialist Law Enforcement Centre
(NSLEC) (http://www.centrex.police.uk/business/law.html) produces a helpful flowchart (Fig. 5)
which amply illustrates the complexity of this
process.
References
Crownhill Associates: www.crownhill.co.uk.
Envisage Systems Ltd: www.envisagesystems.co.uk.
Vodafone UK: www.crownhill.co.uk.
<http://www.hmso.gov.uk/acts/acts1997/1997050.htm>.
<http://www.hmso.gov.uk/acts/acts2000/20000023.htm>.
<http://www.hmso.gov.uk/acts/acts2000/20000007.htm>.
Paraben: www.paraben.com.
Radio Tactics: www.radio-tactics.com.
Oxygen Software: www.opm-2.com/forensic.