Select Committee on Home Affairs Written Evidence

11.  Memorandum submitted by Mr Vinesh Parmar

  This report is in response to the Committee's notice of 25 November 2005. Its purpose is to promote the understanding of Telecoms forensics and the investigative process thereon.


  This report has been produced from a forensic practitioner's perspective, to promote the understanding of the forensic data recovery of Mobile Telephones, the subsequent analysis and the investigative process. It has been compiled with prior consultation with practitioners in this field inclusive of Mr Greg Smith of Trew & Co and does not form any opinion for or against powers of detention. It is intended to remain unbiased throughout and is based on technical issues. A glossary of terms is attached as appendix 1 [not printed].

  It is up to the committee to draw its own conclusion from this report with reference to terrorism detention powers.


  I specialise in the examination of computer and mobile telephone equipment for forensic purposes. I have been involved in this type of work since October 2000 and have conducted over 3,000 computer and mobile telephone forensic examinations to date. A full CV is attached as appendix 2 [not printed].


  The technology concerning mobile telephony has evolved over recent years at an alarming rate. A typical mobile phone or handheld wireless device is basically a mini computer. The communication aspects have greatly increased with the advent of "Smart Phones" and "3G Technology". We no longer have a simple communication medium, what we do have are handheld devices which can perform a multitude of tasks at a touch of a button.

  A mobile telephone consists of the following components or data storage areas:

    1.  SIM Card (Subscriber Identity Module—2g) or USIM (Universal Subscriber Identity Module—3g) Card

    The SIM/USIM is small printed electronic circuit board which allows connectivity to a valid service provider. The SIM/USIM predominantly holds the required network data to allow connectivity and communication; it also can contain user created data such as contact names and numbers, text messaging etc.

    2.   Handset (internal memory)

    Advances in technology have allowed greater functionality of the handset itself. It is now common place for almost all devices to have an array of multi media capabilities as well as simple communication purposes. A typical handset can contain a vast amount of user data.

    3.   Additional or Expandable Memory—Memory Cards

    In addition to the handset memory, the most common devices now incorporate expandable memory via the use of removable memory cards. Again a memory card can contain multitude of user data.

    4.   Network services

    The network or service providers have also increased the functionality available to its subscribers thus increasing the type of information available.




Present time Scales

  On average a complete data recovery and presentation process for one device can take between four-eight hours, this is solely dependant on the device in questions and in some cases this time frame may be doubled or tripled. A number of well established forensic products exist to deal with the data recovery of SIM and USIM and the handset memory including memory cards. However with the rate of change with such technology these tools become outdated very quickly, thus the examiner is continually battling to identify the best suited method in line with best practice and rules of evidence to recover data, this again adds to the time scale. Where voicemail is encountered the process of retrieval is dependant on various factors, the retrieval requires the correct level of authorisation and limitations exist in terms of voicemail retention.


  The state of security or encryption on such devices is continually evolving. A SIM/USIM card can be PIN protected (Personal Identification Number), if the PIN is not known the only method to gain access is via the use of a PUK code (PIN Unblocking key) which is available from the relevant service provider. If this is encountered the time scales will be increased and will be based upon the time taken to obtain the relevant access code. This code will only be available with the correct legislative authority and providing the SIM/USIM in question is genuine and valid (not a clone or user created). Where a non UK subscriber is identified this process is further complicated thus the time frame is further increased and is some cases may not be available.

Mobile Handset and Memory Cards

  The handset and memory cards are more complex to deal with. They can also be encrypted or protected via the use of a security code or password, this security feature in some devices can also be extended to the user's personal data such as messaging. If this code is not known it is not possible forensically to gain access to data. Brute force attacks are possible, however this process is labour intensive and may not yield any results. In some cases the device may be "locked out" if the incorrect code is applied. There are "flashing/hacking tools" available which claim to reset or bypass such security features, this process has its own complications. In terms of best practice and admissibility of evidence. The use of such tools is not recommended. If these tools were used it is possible that further legal issues materialise. It is possible that the manufacturers have a "back door" to reset or gain access to the device in question, it is unlikely that this information would be obtainable. The recovery of deleted data (Hex Dumps) from the device memory may be possible to a certain degree and is relatively a new practice, however this practice requires further extensive research to ensure the reliability and validity of such data for it to be evidential, this process has its own complications and limitations due to the various makes and models.

Investigative Process



  The future of wireless handheld devices is growing rapidly. Convergence towards 4g technology is in the pipeline where we will see further capabilities. The list below identifies possible advances over the next 12-24 months.

    —  Increased security features.

    —  Increased memory—mini hard disks.

    —  More complex operating systems—Windows Mobile, Linux etc.

    —  Increased functionality (Digital TV/Satellite etc).

    —  Smaller devices (Wrist phones, wearable technology).

    —  Increased network services.

    —  Disposable devices.

  The list above is not exhaustive but identifies the possibilities, which in turn will affect the way in which telecom forensics is undertaken.


  This report has provided a brief insight into aspects surrounding telecom forensics and the future of wireless mobile devices. It is evident that we will see a rapid increase in the use of mobile devices as a form of every day communications. It is also known that such devices are used frequently to facilitate criminal activities. As the scope of this technology increases so do the complications concerning telecom investigations principally the resources needed and time scales required in conducting such investigations.

23 January 2006

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2006
Prepared 3 July 2006