Select Committee on Home Affairs Written Evidence

15.  Memorandum submitted by Gregory Smith

  This is a submission in response to the Committee's Notice of the 25 November 2005 with respect to the most recent request for further comment Notice 11 January 2006 relating to mobile telephones evidence. This submission is intended to provide general and technical observations.


  It is intended that this submission will inform the Committee about mobile telephones evidence in order to aid interpolation of witnesses from the various agencies, ministries and any other witnesses that may be called to this Enquiry. This is with particular regard to timescales, resources and the practicalities involved with disclosure.

  For the avoidance of doubt, this submission neither argues for or against the detention period currently being considered by the Committee.


  Principal of Trew & Co, consulting forensic engineer (18 years) and Chief Training Officer Trew MTE.


  When generally referring to mobile telephone it is in fact reference to a mobile station (MS) that actually comprises two devices, a mobile telephone and a smart card.

Mobile Telephones (Wireless devices)

  A mobile telephone first and foremost is a digital wireless data device in its own right. It has been suggested a mobile telephone is first and foremost a computer, which is misleading, not only from the point it usurps the laws of physics, but legally as well. Mobile telephones are recognised in European Directives (Telecommunications Terminal Equipment Directive 91/263/EEC, particularly the provisions of Article 4, and the Radio and Telecommunications Terminal Equipment (RTTE) Directive 99/5/EC). The provisions of European Directives applied for recognition of the technology, harmonisation and removal of trade barriers and other requirements. National laws (Communications Act 2003, Telecommunications Act 1984 (parts of which have been repealed) and the Wireless Telegraphy Act 1949 provisions are applied to this technology. There are applicable Statutory Instruments as well. National law are applied to protect sovereignty over the spectrum, permission and purpose of use (the opposite being hijack of the airwaves), protection against interference, law interception and so on.

  Behind, but supporting the aerial and radio circuitry, a mobile telephone has computer architecture in order to action commands and receive response from the radio network and devices connected to it. It also has a memory for the retention of user content. The purchaser owns the handset and there are various makes and models of handset available. There are broadly speaking two categories of mobile telephones separated into two categories:

  The first is a GSM mobile telephone containing a number of user features and functions. The second is a Smart Phone mainly used on GPRS and 3G networks, which is rich in features and functionality. The two categories of devices fall under the above legislation. A third possibility may arise which is a computer data device (PDA or laptop), which is not a handset wireless device, but makes use of the radio network by using a wireless card inserted into it. The wireless card as a device falls under the above legislation. Where the PDA has permanently fixed wireless (GSM/3G) capability the above legislation applies to it.

  Mobile Telephones and Smart Phones are required to have a tamper-proof serial numbers called an IMEI (International Mobile Equipment Identity) numbers, which are electronically embedded into the mobile telephones security. *** It is common to find on mobile telephones and smart phones passwords that users can invoke to prevent unauthorised persons gaining access to particular folders or files. Access codes that simply activate particular programs subscribed to by the handset user may be used in smart phones. Overcoming this form of security entry level may not be possible without co-operation from the user and/or the third party application vendor.***


  The data storage found in a GSM mobile telephone or mid-range smart phone is approximately between 2Mb to 4Mb of data, which can print out to many hundreds of A4 sheets of paper.

Smart Card (SIM and USIM)

  SIM (Subscriber Identity Module) card is a user-friendly title to give provenance to the smart card used for the GSM communications, but SIM does not actually define the device. Technically speaking, a SIM card comprises two parts:

  A physical card, it comes in two sizes, a credit card size and a plug-in card—the size of postage stamp. Both have electronic circuitry, micro-controller and computer operating system and termed an Integrated Circuit Card (ICC), which is assigned a unique Identity (ID), hence ICCID. This identity is a serial number that one might find helpful to think of as a car chassis number. That being the case, it may be equally helpful to think of the user's mobile telephone number as a car vehicle registration plate number.

  The ICCID number is electronically embedded in the card and is recorded externally on the face of a SIM card where it is referred to as the SIM Serial Number (SSN).

  There are important responsibilities attached to the ICCID number. Most importantly, when a SIM Card is supplied to a subscriber in order that the subscriber can make or receive mobile telephone calls using the subscription details recorded in the SIM, the card becomes a Charge Card. A benefit acquired and a detriment incurred by user and network operator by its use. For that purpose the implementation and structure of the ICCID number is recorded in the International Telecommunications Union Telecommunications Recommendation—ITU-TE118 International telecommunication charge card numbering scheme.


  Turning now to SIM which it is entirely different from the ICC. Whereas ICC is considered the physical device, the SIM is a Module, which is programmed onto the card, where user content, services and network data can be recorded and stored. SIM's memory structure is similar to the memory tree one see in Windows Explorer. SIM has a Main Directory, Sub Directories, Folders and Files.

  An example of network data found in SIM, it contains the subscriber's identity called the IMSI (International Mobile Subscriber Identity) which is linked to the user's mobile telephone number. Without the IMSI recorded in the SIM the IMSI would not be transmitted for registration to and validation by the mobile network, thus the user would not be able to make or receive calls. The IMSI is important in criminal investigation as it enables law enforcement to gain access to subscriber details, billing and call records and so on. Another example, but this time about user data found in SIM, are SMS text messages, which may have been either sent or received by the user. These can form an important aspect in a criminal investigation and highlight contacts and communications between parties that may be linked to a crime.

  The data stored in a GSM SIM card be approximately 0.25Mb, which roughly translates to about 100-150 A4 sheets of paper.

  USIM (Universal Subscriber Identity Module) card is the title used to give provenance to the smart card used for 3G communications and, like SIM, the USIM title does not actually define the device. USIM card comprises:

  Universal Integrated Circuit Card (UICC) card is the physical device containing electronic circuitry, micro-controller and computer operating system, and the card follows the principles of International charge card numbering scheme (ITU TE 118). It comes in two sizes, a credit card size and a plug-in card—the size of postage stamp.

  Unlike SIM ICC used for GSM, UICC was designed for use in generic markets such as transport, finance and loyalty, physical access, healthcare, mobile communications and so on. The UICC may be used for one market or for use with several markets. For instance, mobile communications and Banking are two markets that have already attracted market implementation.

  Also UICC was designed to cater for access to more than one digital wireless technology, thus contains the necessary modules for 3G WCDMA mobile network and the 2nd generation mobile technology, GSM module.

  The Data storage in the UICC card is much larger than a SIM card, about 0.5Mb. If one were to print out the quantity of data applicable to UICC, USIM and GSM this can typically run to on average nearly 200-300 A4 sheets of paper. In any criminal investigation, attendance time to deal with this amount of data runs into days.

  The USIM/s module/s, and there can be numerous modules for USIM based upon the number of accounts to which the user subscribers, coupled with a GSM module, means this smart card uses multi-platform data sharing. What this means is that data found in the GSM module might mean the data can used by the USIM/s module/s as well. Consequently, investigation the data residing on the card adds further support for the examination of data running to days, not hours.

  If the above wasn't enough to deal with, UICC has two primary security codes with up to 16 supplementary codes that may be shared between two or more applications or data files. Further complications arises, for example, with Banking where having used the access to code to initiate the Banking application, a further access code (session password) is needed to access the account information which is remotely stored at the Banking website. This access code needs to be transmitted to the mobile network and on to its destination address along with the subscriber profile to be validated and authenticated before access to the remote account will be allowed.

Wireless Networks

  There are currently four generations of digital wireless development used by devices in operation in the UK. GSM (Global Systems for Mobile) communications, a pan-European TDMA (Time Division Multiple Access) digital technology that has been adopted and is used globally. GPRS (General Packet Radio Switching) which is an overlay wireless technology using the GSM network as its backbone, but provides high speed data transport for data-rich content (Internet etc) and adopted by some countries globally. 3G, known as WCDMA (Wideband Code Division Multiple Access) was developed as an International standard. The UK has a separate radio network for GSM and 3G (WCDMA), although this is not discernible by the ordinary user and functions just the same, save that 3G provides for multimedia services and functions from voice calls, text and email to Internet, video, TV and radio. Lastly, WLAN (Wireless Local Area Networks) to enable access to emails, Internet etc in hot spot areas, such as cafes etc.


  The above overview provided, albeit, a brief introduction to mobile telephones and smart cards. What we know is mobile communications has evolved between 1992-2006 but that evolution continued at an alarming rate. This means that examining data in handsets and smart cards is taking longer and overcoming the security access to get to the data inside is getting harder, not easier.

  Moreover, distribution of data is not always via the mobile network but by use of very shortage wireless protocols such as Bluetooth, which operate at up to 10 metres between devices. This means data can be generated in mobile telephones and smart cards and consumes a large amount of attendance time to discover where the data originated. Further complications are mobile communication devices enabled with 4G technology—referred to as WLAN. Smart cards, too, are developing fast with new ways of communicating, such as RFID (Radio Frequency IDentification) for close range toll ticketing (useful for payment scheme suitable for transportation such as Oyster on the London Underground). This adds a further dimension to, and layer of, evidence requiring attention.

  I have outlined below some issues associated with examining devices, security access, data used for criminal investigation, time factors for retrieval, possible conflicts with legislation, and defence issues that I thought the Committee may wish to know. Should the Committee wish to know more or wish me to expand upon the issues in this document then please let me know.

  It has not been possible to cover every issue regarding mobile telephone examination and evidence in this document. For instance, this document has not discussed timescales or delays associated with handling and pre-examination techniques (fingerprinting, DNA, etc) that may need to be dealt with before setting about the task of extracting and harvesting data from the devices.


  Mobile telephone and SIM card examination is not simply about extracting and harvesting data from these devices. The primary concerns about evidence is to ensure integrity of the evidence from start to finish. Evidence said to be obtained for intelligence purposes no longer follows the principle it will not used in criminal proceedings. Any evidence obtained must be safely acquired and stored on the basis that it might be used as evidence, even if it is not used straightaway. In consequence, seizing a mobile telephone and examining it straightaway has a high risk of contamination. Consequently, a number of procedures are required to avoid as best possible contamination of evidence:

    —  Seizure procedure.

    —  Handling and device assessment procedure.

    —  Goods inwards procedure (presented for examination).

    —  Laboratory Environment procedure.

    —  Examination procedure.

    —  Post-examination procedure.

    —  Quarantine procedure.

  There are many subset-procedures to each of the main procedure categories, above.

  The procedures evolved as the number and variety of mobile telephones and SIM cards increased and due to a disparate range of devices connecting to or with mobile telephones and SIM cards, such as flash memory cards, PDAs, laptops etc. Each of the devices has their own memory where user content can be retrieved. ***

  Following examination the harvested data is then examined and analysed to link the data to a particular crime or to discard it. It takes as long to analyse data and to discard it as it does to analyse the data to comprehend its relationship to a crime.


PIN 1 (Personal Identification Number)

  SIM and USIM have the capability to be locked where the user invokes a four-digit code to prevent access to the SIM card content and services. If the user does not volunteer or provides an incorrect PIN 1 preventing access to the device then SIM/USIM needs to be unlocked—PUK 1.

PUK 1 (Personal identification number Unlocking Key)


PIN 2 (Personal Identification Number)

  The user as a further step in security personalisation invokes PIN 2 to be activated as a four-digit code. It is used to bar certain numbers being dialed or only allowing certain numbers to be dialed. If the user does not volunteer or provides an incorrect PIN 2 preventing access to the device then SIM/USIM needs to be unlocked—PUK 2.

PUK 2 (Personal identification number Unlocking Key)


Universal PIN, Global PIN and Local PIN

  These are security access conditions introduced for 3G UICC/USIM. It is not absolutely clear yet whether all smart card manufacturers will introduce all the PINs for their UICC cards. However, as these matters are laid down in the 3G standards unlock procedures are in place ***

Third Party Vendor PINs

  3G USIM PIN codes for Banking applications, payment schemes, access to particular Internet sites etc do require the user to transmit a PIN code and user ID and the user ID and code to be validated and authenticated before gaining access. ***

Handset Passwords

  An alpha-numeric password activated by the handset user and can be applied to entry level to the handset functions and content or can be applied to prevent access to particular content (phonebook, SMS text messages etc). ***

Handset Application Passwords

  This type of user password can be invoked to activate a particular application, where application offers security access conditions. ***


  Below is a general list of data that can be extracted and harvested from smart cards and handsets in criminal investigation:

Smart card

    —  ICCID number/SIM Serial Number

    —  PIN/PUK

    —  IMSI (subscriber identity)

    —  Mobile Telephone Number

    —  Subscriber's Home Network

    —  SIM or USIM Service Table (allocated and activated services)

    —  Roaming Networks

    —  Forbidden Networks

    —  Access to various networks technology

    —  Location data

    —  Broadcast Control Channel data

    —  Service Dialed Numbers

    —  Barred Dialed Numbers

    —  Fixed Dialed Numbers

    —  Last Numbers Dialed

    —  Outgoing Call Indicator (outgoing calls)

    —  Incoming Call Indicating (answered/unanswered calls)

    —  SMS text messages

    —  Deleted text messages

    —  SMS Service Centre number/s

    —  Voicemail platform number/s

    —  Voicemail indicators

    —  Phonebook numbers

    —  Global Phonebook (3G)

    —  Mailbox indicators


    —  IMEI number

    —  Battery Power

    —  Clock settings

    —  Application settings

    —  Applications

    —  Passwords/Keylocks/SIMLock

    —  Phonebook

    —  Last Numbers Dialed

    —  Last Numbers Received

    —  Last Number Missed

    —  SMS text messages/MMS messages

    —  Deleted text messages

    —  Emails

    —  Video/Images

    —  Voice tags

    —  Voice recording/Dictation/Music

    —  lnternet/WAP/GPRS setting

    —  Organiser/Calendar

    —  Extended Memory cards



The average time to extract and harvest data from GSM SIM using forensic tools is approximately 5-10 minutes. To analyse the data can take several hours.

  The average time to extract and harvest data from 3G USIM using forensic tools is approximately 20-30 minutes. To analyse the data can take five hours to 24 hours or even longer dependent on the data to be assessed.


  The average time to extract and harvest data from a standard GSM mobile telephone using forensic tools is approximately two hours for specific data and four hours for full recovery dependent on quantity of data on handset. To analyse the data can take 15 hours dependent on the data to be assessed.

  The average time to extract and harvest data from a GSM smart mobile telephone using forensic tools is approximately four hours for specific data and eight hours for full recovery dependent on quantity of data on handset. To analyse the data can take 24 hours dependent on the data to be assessed.

  The average time to extract and harvest data from a 3G smart mobile telephone using forensic tools is approximately six hours for specific data and 15 hours for full recovery dependent on quantity of data on handset. To analyse the data can take 48 hours dependent on the data to be assessed.

Handset Application Passwords (Third Party Vendors)

  Standard forensic examination tools do not recognise these types of programs/applications and therefore require manual examination of handsets. ***

Extended memory cards

  The average time to extract and harvest data from a flash card extended memory using forensic tools is approximately two hours for specific data and eight hours for full recovery dependent on quantity of data on 1Mb cards. To analyse the data can take 10 hours dependent on the data to be assessed.

  The average timescales given above are based solely upon examiner set up, device set up, device communication protocols and data output format.


  SIM/USIM PIN locked: UK issued card can take 24 hours to 90 days to obtain PUK code from mobile network operator.


  Handset Passwords: ***

  Handset (no SIMIUSIM card): where handsets are seized with no SIM/USIM card, manufacturer's privacy procedure can be invoked that can either prevent access to handset using normal methods or deletes data in call registers and bars access to phonebook etc. Engineering SIM/USIM required from handset manufacturer. This can take up to 30/60 days to obtain dependent on co-operation from handset manufacturer, particularly foreign manufacturers without an UK base.


Handset Application Passwords (Third Party Vendors)

  Password locked applications can be entirely independent of the handset manufacturer and therefore this can present difficulties in obtaining access codes or they may not be obtained at all.


Application Session Passwords

  Accessing third party vendor applications represent one difficulty and another is a session password required for use with the application in order to gain access to data held remotely at a website. This can cause further delays in obtain the session passwords.

Encoding Schemes


Encrypted Voice Data

  Conversation recordings or dictation facilities on handsets are encrypted by the handset's security for each make and model. It is common to find simply extracting the data file containing this content is difficult to unravel the encryption on a computer, as the computer does not have the same security software and files that reside in the handset. The examination process can be extended by a day, having to use the seized handset and replay and digitally record conversation or dictation stored in the handset.


  It is said there is no substantive evidence of a mobile communication having taken place without corroboration to the mobile network operators billing records, call records and any stored communication data. Obtaining this information from the mobile network operator can take a day to weeks. There can be numerous reasons for this.

Pay As You Go

  These are not subscriber accounts where a bill is sent to the user. The data resides in mobile call records, which needs to be obtained via account details. Where the account has not been used for quite some time, it may be the call records have been deleted after a year.

Communication Data

  Content sent or received, such as voicemail, text, images etc may only be saved by the operator for a short period of time. This can add delays where a mobile telephone and/or SIM/USIM card has multiple communications data stored in it or them.

Inter-Network Records

  As is known 3G operators can run their call traffic over several competitive networks. Hutchinson 3 has used O2 to assist with voice and data calls. ***



  As an observation only, it is a common statement made by solicitors and barristers that they do not understand the complexity of mobile telephone evidence. It is as likely that detained person/s may not understand it either. It appears odd then that there has been no mention of mobile telephones linked to a detained person/s where the telephonic evidence has been independently assessed or challenged. Does this mean where the blind are leading the blinding, either the evidence is being accepted at first instance without independent assessment, or is the evidence being ignored on behalf of the detained person/s?

  As law enforcement has raised the issue of mobile telephone evidence contributing to delays, the Committee may consider it a good idea that a Register be compiled with names of independent mobile telephone experts, like myself (engaged by prosecution and defence over 13 years). The Register can be used by defence solicitors specialising in this area so that they can pro-actively engage experts to give a fair assessment of the technical evidence that is to be used or is being used against the detained person. Firstly, an independent expert could assess the matter and accuracy at first instance. And, or, secondly where reasons being given for delays to a person/s detention, said to be caused by mobile telephone evidence, perhaps the independent expert may indicate whether a more expedient method or path exists to obtain evidence. The Committee may consider that a Court might consider the opinion of the expert as a way of determining between genuine delays and unnecessary delays.

29 January 2006

previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2006
Prepared 3 July 2006