11. Memorandum submitted by Mr Vinesh
This report is in response to the Committee's
notice of 25 November 2005. Its purpose is to promote the understanding
of Telecoms forensics and the investigative process thereon.
This report has been produced from a forensic
practitioner's perspective, to promote the understanding of the
forensic data recovery of Mobile Telephones, the subsequent analysis
and the investigative process. It has been compiled with prior
consultation with practitioners in this field inclusive of Mr
Greg Smith of Trew & Co and does not form any opinion for
or against powers of detention. It is intended to remain unbiased
throughout and is based on technical issues. A glossary of terms
is attached as appendix 1 [not printed].
It is up to the committee to draw its own conclusion
from this report with reference to terrorism detention powers.
I specialise in the examination of computer
and mobile telephone equipment for forensic purposes. I have been
involved in this type of work since October 2000 and have conducted
over 3,000 computer and mobile telephone forensic examinations
to date. A full CV is attached as appendix 2 [not printed].
3. THE PRESENT
The technology concerning mobile telephony has
evolved over recent years at an alarming rate. A typical mobile
phone or handheld wireless device is basically a mini computer.
The communication aspects have greatly increased with the advent
of "Smart Phones" and "3G Technology". We
no longer have a simple communication medium; what we do have
are handheld devices which can perform a multitude of tasks at
the touch of a button.
A mobile telephone consists of the following
components or data storage areas:
1. SIM Card (Subscriber Identity Module, 2g)
or USIM (Universal Subscriber Identity Module, 3g) Card
The SIM/USIM is a small printed electronic circuit
board which allows connectivity to a valid service provider. The
SIM/USIM predominantly holds the required network data to allow
connectivity and communication; it also can contain user created
data such as contact names and numbers, text messaging etc.
2. Handset (internal memory)
Advances in technology have allowed greater functionality
of the handset itself. It is now commonplace for almost all devices
to have an array of multimedia capabilities as well as simple
communication purposes. A typical handset can contain a vast amount
of user data.
3. Additional or Expandable Memory
In addition to the handset memory, the most common
devices now incorporate expandable memory via the use of removable
memory cards. Again a memory card can contain a multitude of user
The network or service providers have also increased
the functionality available to their subscribers thus increasing
the type of information available.
4. DATA RECOVERY
5. ISSUES WITH
Present time Scales
On average a complete data recovery and presentation
process for one device can take between four and eight hours; this
is solely dependent on the device in question, and in some cases
this time frame may be doubled or tripled. A number of well established
forensic products exist to deal with the data recovery of SIM
and USIM and the handset memory including memory cards. However,
with the rate of change with such technology these tools become
outdated very quickly, thus the examiner is continually battling
to identify the best suited method in line with best practice
and rules of evidence to recover data; this again adds to the
time scale. Where voicemail is encountered the process of retrieval
is dependent on various factors; the retrieval requires the correct
level of authorisation and limitations exist in terms of voicemail
The state of security or encryption on such
devices is continually evolving. A SIM/USIM card can be PIN protected
(Personal Identification Number); if the PIN is not known the
only method to gain access is via the use of a PUK code (PIN Unblocking
Key) which is available from the relevant service provider. If
this is encountered the time scales will be increased and will
be based upon the time taken to obtain the relevant access code.
This code will only be available with the correct legislative
authority and providing the SIM/USIM in question is genuine and
valid (not a clone or user created). Where a non-UK subscriber
is identified this process is further complicated, thus the time
frame is further increased and in some cases may not be available.
Mobile Handset and Memory Cards
The handset and memory cards are more complex
to deal with. They can also be encrypted or protected via the
use of a security code or password; this security feature in some
devices can also be extended to the user's personal data such
as messaging. If this code is not known it is not possible forensically
to gain access to data. Brute force attacks are possible; however,
this process is labour intensive and may not yield any results.
In some cases the device may be "locked out" if the
incorrect code is applied. There are "flashing/hacking tools"
available which claim to reset or bypass such security features;
this process has its own complications. In terms of best practice
and admissibility of evidence, the use of such tools is not recommended.
If these tools were used it is possible that further legal issues
would materialise. It is possible that the manufacturers have a "back
door" to reset or gain access to the device in question;
it is unlikely that this information would be obtainable. The
recovery of deleted data (Hex Dumps) from the device memory may
be possible to a certain degree and is a relatively new practice;
however, this practice requires further extensive research to ensure
the reliability and validity of such data for it to be evidential.
This process has its own complications and limitations due to
the various makes and models.
6. THE FUTURE
The future of wireless handheld devices is growing
rapidly. Convergence towards 4g technology is in the pipeline
where we will see further capabilities. The list below identifies
possible advances over the next 12-24 months.
Increased security features.
Increased memory: mini hard
More complex operating systems: Windows Mobile, Linux etc.
Increased functionality (Digital
Smaller devices (Wrist phones, wearable
Increased network services.
The list above is not exhaustive but identifies
the possibilities, which in turn will affect the way in which
telecom forensics is undertaken.
This report has provided a brief insight into
aspects surrounding telecom forensics and the future of wireless
mobile devices. It is evident that we will see a rapid increase
in the use of mobile devices as a form of everyday communications.
It is also known that such devices are used frequently to facilitate
criminal activities. As the scope of this technology increases,
so do the complications concerning telecom investigations, principally
the resources needed and time scales required in conducting such
23 January 2006