Continue your professional development with us

There are many ways to grab a few CPD points here and there if you’re a criminal defence lawyer, but all of them take time out of your busy day, and some of them are little more than a box-ticking exercise.

Here at CCL-Forensics we like to spread a little love by offering our own CPD course – free of charge*. You can choose from a one, two, or three-hour course and we’ll come to your premises at a time and date to suit you.

The course aims to improve delegates’ understanding of digital evidence: including things you may not have considered, and a look at what it is possible to extract and use to build a case. Building a full picture of your client’s activities is vital if he or she is to receive a fair trial, and making use of all the evidence available is a key part of that.

It’s a very popular course, and we consistently receive feedback from people who are genuinely surprised at how much they learn. Delegates take information from the course and put it into practice when building defence cases which involve digital evidence.

Take a look at the agenda:

  • Introduction to digital forensics
  • How people communicate electronically
  • What information can be recovered and from where
    • Social media evidence
    • Smart phones and computers
    • Chat and messenger services
    • Real life examples (e.g. the recent riots)
    • Deleted data
  • Indecent images
    • Brief overview of the law
    • Extracting deleted files and internet history
    • Showing intent
  • 20 unlikely places you may find defence evidence
  • Cell site analysis
    • Using phone mast data to analyse your client’s movements
    • How precise can it be?
    • Understanding and challenging the prosecution evidence

Give us a call on 01789 261200 or email and find out how we can help you to make the best of the evidence available to you.

*Subject to a minimum number of attendees.


Digital forensic software – grab it while it’s hot!

CCL-Forensics is offering its software at introductory prices for just one more week, so take a look at what’s on offer and squeeze as much into tight budgets as you can.

The tried-and-tested software, developed by analysts, for analysts, has been used extensively in the field by CCL-Forensics’ own investigators and by many other digital investigators from around the world.

From March 31st, prices will be increasing, so take advantage of the lower rates now.

Leading research and development in digital forensics

CCL-Forensics’ research and development team has produced a series of forensic software tools to aid them in digital investigations.

epilog allows investigators to recover deleted data from the widely-used database format, SQLite. Whatever the type of device – computers, mobile phones, SatNavs or others – epilog can be used to recover information, regardless of the type of data stored.

PIP allows analysts to present often-complex data from XML files quickly and efficiently. The tool also parses data from Apple’s property list (plist) files – both in XML and binary format. It can be used to look at computers, mobile phones and SatNavs.

dunk! can uncover potential new web activity evidence from locally-stored web cookies, putting web evidence into context and adding an extra dimension to investigations. It also parses Google Analytics cookies, showing how often, from where, and how a user arrived at a particular site, as well as presenting any search terms used to find the page.

Find out more

For more information about what CCL-Forensics can offer or to purchase the software tools, please visit our website, call us on 01789 261200 or email

Hidden digital evidence part 4

Welcome to the final instalment of our short blog series on places you may not have thought to look for digital evidence.

  1. Biometric data

The use of fingerprints, retinal scans and facial recognition is no longer the stuff of science fiction. Its use may not be widespread yet, but it is certainly becoming a reality on a number of advanced devices.

Computers, laptops and mobile devices may be protected from unauthorised use by such biometric technology. If the data can be retrieved, it can help significantly with the attribution of that device – especially useful on mobile phones if cell site analysis is being carried out as part of the case.

It’s an emerging technology, so keep an eye on developments over the coming months and years. More and more evidential opportunities will present themselves.

  1. Near-field communications

This refers to technology such as the Oyster Card on London’s transport system, and credit cards are also being equipped with chips, which when waved near to a reader device can perform the same function as when it is inserted into a chip and pin device.

Such technology is also finding its way into mobile phones – the Google Wallet has been in the news recently (for all the wrong reasons – namely security issues). This is an app that enables users to pay for goods using their mobile phone using a near-field communication device.

Data may be recorded on the phone – including when it was used, where, and for what purpose. This could be a rich vein of potential evidence, and although its use is not widespread at the moment, it’s certainly worth keeping up with developments.

  1. Games consoles

Games consoles such as Xboxes, Playstations and Wiis now have web browsers as standard. They are much more than just a platform for gaming, with many allowing users to stream music over the internet, rent movies and interact with others online.

External hard drives can also be attached to consoles, enabling people to play music and movies from their collections through the console.

Consoles also enable instant messaging to take place, within games and simply via the messaging function in the console itself.

Use of all these features leaves a digital trail on the hard drive, making such devices a rich source of potential evidence.

  1. Throwaway culture

The focus has been on modern emerging technology, particularly smartphones. But it’s sometimes sensible to consider the other end of the scale: antique technology can also provide interesting evidential opportunities.

Many people tend to upgrade their handsets – and laptops and PCs – and put the old ones in a drawer or box. There they languish, gathering dust, until they’re needed for a criminal case.

It’s entirely possible to extract all sorts of evidence from these older devices, some of which can prove as tricky as the higher-end handsets and computers. Just because a phone or other device looks simple and cheap, the data it may contain could be crucial.

Here’s an example: CCL-Forensics used its web cache toolkit on a six-year-old Nokia 6230i handset and recovered 600 pages of web history – not necessarily the result you’d expect from a modest old device.

  1. With the network provider

A vast quantity of valuable evidence can be gathered from mobile phone network providers using cell site analysis. Network providers keep a variety of information about a phone’s use for a period of time – including the cell masts it used to make and receive calls.

This type of analysis can help to build up a picture of where the phone has been used, and can help in attributing different phones to their users – especially where criminals make use of “clean” and “dirty” phones. (Clean phones are those used for “normal”, everyday activities; dirty phones are those used in the course of crime, and are often thrown away afterwards.)

If a mobile phone has been used in crime, don’t discount the possibility that a wealth of evidence could be gathered using cell site analysis.

Here endeth our list of possible locations for digital forensic evidence – although it is, of course, not exhaustive. As technology advances, more and more types of digital evidence will become available for investigators.

CCL-Forensics’ R&D team keeps pace with new technology, developing tools and techniques for extracting this new data. If you have any questions, they’re always happy to chat. Just drop us a line at

More hiding places for digital evidence

The saga continues… Keep reading for some more ideas as to where you can look for digital evidence.

  1. Deleted data

Just because data has been deleted from a computer or mobile phone, doesn’t mean it’s gone forever.

When a file is deleted, it may remain on the hard drive. What are actually deleted are the instructions for finding the file – the pathway – not the file itself. Only if the data is overwritten by new files will it become irretrievable.

By analysing a device’s hard drive, investigators can recover a wealth of information that is no longer available to a regular user.

  1. Bluetooth/WiFi pairings

Although Bluetooth is less popular than it once was, with WiFi access now widely available, it can be a valuable source of potential evidence. Each Bluetooth device has a unique identifier, which is likely to be recorded when it is paired or connected.

Examining a phone’s Bluetooth history could prove vital in proving association between other exhibits in the case – some of which may be attributed to other relevant individuals.

Analysing the unique identifiers of WiFi networks that a phone device was connected to, can be instrumental in proving a particular device was present or even in use at a certain location.

  1. Cloud computing and sync

Cloud computing – whereby shared resources, software and information are provided to computers and other devices as a utility over a network (typically the internet) – allows users to access software, data management and storage without needing to know the location and other details of the infrastructure.

As the amount of data people and businesses create and use increases, data storage becomes increasingly expensive, so many people and organisations are now choosing to use the cloud to store data, or to make various settings and favourites portable between devices.

This means they can effectively have access to the same data, which can include settings, cookies and preferences, regardless of which device they are using at the time. So, activity may take place on an individual’s computer which is automatically updated on their smartphone via the cloud.

A user’s data and preferences basically follow them around, providing evidential opportunities for digital investigators.

  1. Backups

It’s always worth considering that data from a mobile phone may be backed up onto the user’s computer.

Many people use their mobile phones almost as an extra limb (the author is guilty of this particular failing), so it’s a good idea to back up the phone on a regular basis just in case it’s lost, stolen or broken.

The evidence from backup files can be used to link a computer and phone as part of the same case, but there may also be more data on the computer from the phone’s backup than is still stored in the handset itself.

Additionally, many mobile applications (and even operating systems) are configured to sync with computers, leaving a digital trail and data on both devices. Systems such as iTunes and BlackBerry Backup are popular and store a huge amount of data. This can provide a valuable evidential opportunity.

  1. Voicemail

In days of yore, voicemail was stored at the telephone exchange operated by the mobile phone network. Users would call their automated voice mailbox, and listen to messages as part of that call.

Many modern phones are now capable of having those voicemails “pushed” to the handset using an internet connection. They’re then stored on the phone for access anywhere – even if there is no phone signal.

Additionally, many phones have the facility to record voice memos (much like a dictation machine), which again could provide valuable evidence as part of an investigation.

As with any data stored on a digital device, it’s always possible for it to leave a digital trail, which can be recovered using the correct forensic tools and techniques.

The final instalment in this short series of blogs about hidden digital evidence will be posted in a few days. See you then!

More places you may not have looked for digital evidence

As promised, we continue our list of places you may not have looked for digital evidence. It’s not always obvious, and sometimes we have to dig deep to find anything useful. Read on to find out more…

  1. VOIP (Voiceover IP)

VOIP refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over internet protocol (IP) networks.

It’s not new technology, but with many phones now having WiFi connectivity or data bundles included in tariffs as standard, it’s becoming a more popular way of communicating. VOIP replaces “traditional” over-the-network phone calls, enabling users to make calls using a computer (Skype is a well-known example of this type of technology).

The traces left by this activity are just as relevant as traditional call logs, but “calls” made using VOIP do not necessarily leave the same type of information on the phone, or call data records, as a standard call. Instead of being logged at the network provider with IMEI, IMSI and other data, it is just recorded as data transfer. It may not even show in the handset’s call list.

VOIP calls do, however, leave a deeper digital trail within a phone either within the application itself or in other log files. The apps may also have their own phonebooks, where contact details are stored separately from the phone’s standard contact list.

Computers are also used for VOIP communications, which will leave traces within the apps and on the hard drive in a similar way to mobile phones.

  1. Web browsers

Internet browsers – on computers, laptops, tablets and smartphones – contain a wealth of data that could prove vital to a case.

As well as a user’s browsing history, other evidential opportunities can include bookmarks, cache data, downloads, social media history, and more. Together with other forms of digital evidence, such as chat logs and emails, a picture can be built of the user’s behaviour, and may help to prove mens rea – intent to commit a crime – in a case. Conversely, of course, it could help to prove someone’s innocence.

Mobile internet has been around since 1999, but has improved vastly since then. Smartphones are now miniature computers, with full-colour and fully-functional mobile web pages – and mobile web browsers work in much the same way as standard browsers. The same information can be extracted from mobile web browsers, helping to add to the bigger picture.

  1. Dynamic key logger

Smartphones are – as their name suggests – generally pretty smart. Many of them can now “learn” how people use them, recording every key press in a log file. For instance, they will remember people’s names and place names between applications – not just in text message apps (as an example).

Users cannot disable this functionality and will not necessarily be aware of its existence. Dynamic key loggers are a potentially-rich source of evidence: it may be that a text message or email of interest may no longer be present on the device – but its content could exist in one of these log files.

The technology gives investigators another method of extracting data from mobile devices, adding an extra dimension to digital evidence.

  1. Data-hiding applications

If you know what you’re doing, it’s entirely possible to hide data on mobile phones, putting it beyond the reach of typical forensic extraction tools and techniques.

There are several apps that can be downloaded to smartphones which can hide data within other applications. This means that, for example, photographs could be hidden within – for example – the stocks and shares app on the phone, but they would only be retrievable using the data-hiding application.

The data remains hidden on the device if the data-hiding app is uninstalled, and can only be retrieved if the app is reinstalled. Valuable evidence may be going unnoticed if the deliberately-hidden data is not located.

CCL-Forensics’ R&D team has developed a technique to analyse the installed apps on a smartphone to identify what that phone is capable of, which enables our analysts to tailor the examination accordingly. How can you analyse a mobile phone unless you know what it can do?

  1. On the circuit board

Just occasionally, a mobile device is so complicated – or the data you’re after is so deeply buried – that the only viable option is interfacing directly with the circuitry.

“Chip off” forensics is nothing new – but removing chips from the circuit board of a device is a destructive process, and one that cannot necessarily be repeated by another qualified expert. Examining the chips in situ is much more desirable.

One such method of doing this is to interface directly with the circuit board. Many phones will have a series of JTAG (Joint Test Action Group) ports, to which connections can be made, and from which data can be retrieved. JTAG is an industry-standard method of carrying out such engineering work, but it is still necessary to interpret the data which is extracted.

CCL-Forensics has spent considerable time researching this. If you require further information about the potential of this technique, please get in touch.

More hints and tips will follow in a few days – stay tuned!

Have you looked everywhere for digital evidence?

Building a good case means gathering as much relevant evidence as possible to build a full picture of the situation.

There are several obvious places to look for evidence: a computer’s hard drive; a flash drive; a SIM card from a mobile phone, for example. But looking down the back of the proverbial sofa can reveal a whole heap of potential evidence you may not have thought of.

Here at CCL-Forensics, we like to be helpful – and we also love a good list. So here, for your delectation, are five places you may not have looked…

  1. Location-based services

SatNav devices are not the only way to stop yourself from getting lost these days. Quite apart from the traditional paper map, most mobile devices now contain built-in GPS which works with applications to provide location-specific data to the user.

A few examples: weather apps showing the local forecast need a GPS fix in order to deliver the correct data; social networking apps such as Facebook and foursquare also use GPS to place the user and their online friends in various locations; and a significant number of devices run GPS in the background without the user even noticing.

All this can leave valuable forensic traces on the device. It’s worth considering whether this data is relevant to your case, and if the geographical location of the person attributed to the phone is important. If so, this data should be requested as part of a handset examination. When combined with, for example, ANPR hits or cell site analysis it could strengthen your case.

  1. Geo-tagged images

Following on from location-based services, it’s now possible to tag photographs and other files with a code from a GPS signal to show where the device was when the file was created.

It’s not just mobile digital devices that do this, either; many digital cameras now use GPS signals to geo-tag their photographs.

This metadata can be used to associate individuals or locations featured in photos with a set of geographic coordinates. It’s potentially valuable data that could go unnoticed using “traditional” forensic tools.

  1. SatNav in your hand

Dedicated SatNav devices are well known among digital forensics investigators, but SatNav apps are becoming increasingly common on mobile devices, with smartphones beginning to replace windscreen-mounted devices. (There are a couple of interesting articles on this subject.)

There is an additional evidential opportunity available on the phones themselves, as there is the potential for them to contain records of directions, searches and other SatNav-based activity. If geographic location is relevant to your case, this opportunity should not be underestimated.

Search terms which coincide with significant locations in your investigation can, for example, show that the user had a specific interest in that location. GPS fixes, where recorded and retrieved, may show that the device had moved to or from that location.

  1. Instant messaging

Instant messaging facilities are now a major part of many computer and phone social media applications – not to mention newer tablet technology.

Using smartphones for instant messaging allows suspected criminals to communicate without details being recorded in text message history or on the billing records. Many tariffs now include data as well as airtime, making IM a much more accessible medium – and it can also be used over WiFi.

Most smartphones will have an inbuilt IM app, or will allow users to download one. Chats are conducted via the internet – but there is the potential to leave a forensic trace behind on the device itself.

This won’t be detailed in a standard examination report containing calls, texts and contact lists – but it’s worth considering whether this type of communication is relevant to your case.

A recent example of how instant messaging can be used extremely effectively in crime is last August’s riots. The BlackBerry Messenger (BBM) service is free and secure, and was used extensively to organise disturbances in the capital, and then throughout the UK. There are plenty of articles documenting how the system works, and how it worked during the riots.

It’s pretty obvious that recovering “fleeting” instant messages can be vital evidence in criminal cases – for the prosecution and for the defence.

  1. Organiser

How much of your life is on your mobile phone? With the widespread rejection of antique items such as paper diaries, smartphone organisers contain a huge amount of information about people’s appointments and movements.

They’re available on computers, smartphones and other mobile devices, and are often synced with other apps via online sites such as Google or Hotmail. It’s not just a diary, either; notes apps and programs are the modern equivalent of scribbling a note on a post-it, and can add a valuable extra dimension to evidence.

The data contained therein can provide a great evidential opportunity, complementing data found elsewhere on the suspect’s device(s).

There are 20 places you could try looking, in all – so stay tuned over the next couple of weeks.

Free Python module for processing plist files – get ’em while they’re hot, they’re lovely!

As anyone who has examined an iOS device (or an OSX device for that matter) will know, property list files are a major source of potential evidence. Being one of the main data storage formats they might contain anything from configuration details to browsing history to chat logs.

We’ve examined property lists in detail previously, covering their file formats and the challenges they might present (you can download the white paper here). We have also released our tool PIP, which can be used to parse data from plists and other XML data in a structured way.

As regular readers might have gathered I’m pretty keen on the Python scripting language and while the built-in libraries do support reading from the XML property list format (available through the plistlib module) there is no support for the binary property list format which is increasingly becoming the standard format.

Recently I had a task where I needed to parse a large number of binary format property list files inside a script I was writing. It was theoretically possible to have the script export them all to a single location and then perhaps run PIP separately but I really wanted to have everything self-contained and besides, I needed to make use of the data extracted from the plist files later on in the script.

One of the beauties of Python is how quickly you can go from concept to “product”, so I decided that rather than waste time finding a work-around I would craft a proper solution. After a few hours’ work I had a fully functioning module for dealing with binary plist files in Python and today we’re excited to be releasing the code so that other practitioners and coders can make use of it.

You can get the source from our Google Code page (while you’re at it you can also download our module for dealing with BlackBerry IPD backup files here.

I designed the module to provide the parsed data in as native a format as possible (see Table 1) so when writing your code you do not have to deviate from the normal Pythonic constructs – the data structure returned contains everyday Python objects. The data structure returned is also vastly interchangeable with that returned by plistlib’s “readPlist” function (the exception being that plistlib wraps “data” fields in a “Data” object rather than giving direct access to the underlying “bytes” object).

Table 1: Converted data types returned by ccl_bplist

The module only has one function that you need to know about in order to use it: “load()”. This function takes a single argument which should be a binary file-like object* and it returns the python representation of the data in the property list.

In addition to the ccl_bplist module, the Google Code repository contains an example of the module in use, parsing the “IconState.plist” from an iOS device auditing the Apps and folders present on the Springboard home screen.

Icon state screenshot

Script results

We really hope that the community will be able to make use of this module and if you have any questions please leave a comment or email us at

*When working from a file on disk you should use the open() function with “b” in the mode string e.g.: open(file_name, “rb”).

There may be other times when the bplist has come from another source, e.g. a BLOB field in a database or even a property list embedded in another’s data field. In these cases you can wrap a bytes object in a BytesIO object found in the “io” module e.g.: io.BytesIO(some_data).