New Epilog Signature files released

Epilog Signature files allow users to add specific support for new databases they encounter. Although they are designed so that Epilog’s users can create their own signatures when the need arises, CCL-Forensics are committed to updating and releasing sets of signatures, pre-written and ready to use.

In this new release we have focused on smartphones, adding support for:
• iOS6
• Android 4.0 (Ice Cream Sandwich)
• Android 4.1 (Jelly Bean)
• Android 3rd Party Applications
• iOS 3rd Party Applications
• Skype

We always welcome suggestions for signatures that you’d like to see added to the signature collection, so please get in touch at epilog@ccl-forensics.com

For more information on epilog please visit our website – www.cclgroupltd.com/Buy-Software/

Double accreditation is a forensic first

We’re absolutely delighted to announce something of a ‘forensic first’.

CCL-Forensics has become the first UK digital forensic lab to be accredited to ISO17025 – not just for one part of the business – but for BOTH its computer and mobile phone labs.

It’s taken a long time to get here – and having this standard cements our position as the UK’s leading supplier of digital investigation services. It also means clients can have the maximum confidence in the quality of our services – especially if the case goes to court.

ISO17025 is a recommendation of the Home Office Forensic Science Regulator, Andrew Rennison – and all labs handling digital evidence should have it by 2015. Put simply, it is one of the biggest steps forward the digital forensic industry has ever seen. We’re already way ahead of the curve!

We’ve had ISO17025 for our phone lab for a while now – and were one of only a small number of providers to have it. The fact that we’ve now been accredited for our PC lab is huge news.

So what does it mean?  To give it its full title, it’s called “the general requirements for the competence of testing and calibration laboratories”.  That means that we are required to have in place an all-encompassing set of detailed standard operating procedures.  These procedures show that we operate a management system, are technically competent, and generate technically valid results.

It’s been the result of a lot of hard work – not only by our dedicated quality department – but by all members of staff who have worked tirelessly to ensure all the procedures are developed to the highest standard.

If you’d like more information about our quality standards, please email Dave Lattimore, Total Quality Manager at info@ccl-forensics.com.

Continue your professional development with us

There are many ways to grab a few CPD points here and there if you’re a criminal defence lawyer, but all of them take time out of your busy day, and some of them are little more than a box-ticking exercise.

Here at CCL-Forensics we like to spread a little love by offering our own CPD course – free of charge*. You can choose from a one, two, or three-hour course and we’ll come to your premises at a time and date to suit you.

The course aims to improve delegates’ understanding of digital evidence: including things you may not have considered, and a look at what it is possible to extract and use to build a case. Building a full picture of your client’s activities is vital if he or she is to receive a fair trial, and making use of all the evidence available is a key part of that.

It’s a very popular course, and we consistently receive feedback from people who are genuinely surprised at how much they learn. Delegates take information from the course and put it into practice when building defence cases which involve digital evidence.

Take a look at the agenda:

  • Introduction to digital forensics
  • How people communicate electronically
  • What information can be recovered and from where
    • Social media evidence
    • Smart phones and computers
    • Chat and messenger services
    • Real life examples (e.g. the recent riots)
    • Deleted data
  • Indecent images
    • Brief overview of the law
    • Extracting deleted files and internet history
    • Showing intent
  • 20 unlikely places you may find defence evidence
  • Cell site analysis
    • Using phone mast data to analyse your client’s movements
    • How precise can it be?
    • Understanding and challenging the prosecution evidence

Give us a call on 01789 261200 or email info@ccl-forensics.com and find out how we can help you to make the best of the evidence available to you.

*Subject to a minimum number of attendees.

Hidden digital evidence part 4

Welcome to the final instalment of our short blog series on places you may not have thought to look for digital evidence.

  1. Biometric data

The use of fingerprints, retinal scans and facial recognition is no longer the stuff of science fiction. Its use may not be widespread yet, but it is certainly becoming a reality on a number of advanced devices.

Computers, laptops and mobile devices may be protected from unauthorised use by such biometric technology. If the data can be retrieved, it can help significantly with the attribution of that device – especially useful on mobile phones if cell site analysis is being carried out as part of the case.

It’s an emerging technology, so keep an eye on developments over the coming months and years. More and more evidential opportunities will present themselves.

  2. Near-field communications

This refers to technology such as the Oyster Card on London’s transport system. Credit cards are also being equipped with chips which, when waved near a reader device, perform the same function as inserting the card into a chip and PIN device.

Such technology is also finding its way into mobile phones – the Google Wallet has been in the news recently (for all the wrong reasons – namely security issues). This is an app that enables users to pay for goods with their mobile phone via near-field communication.

Data may be recorded on the phone – including when it was used, where, and for what purpose. This could be a rich vein of potential evidence, and although its use is not widespread at the moment, it’s certainly worth keeping up with developments.

  3. Games consoles

Games consoles such as Xboxes, Playstations and Wiis now have web browsers as standard. They are much more than just a platform for gaming, with many allowing users to stream music over the internet, rent movies and interact with others online.

External hard drives can also be attached to consoles, enabling people to play music and movies from their collections through the console.

Consoles also enable instant messaging to take place, within games and simply via the messaging function in the console itself.

Use of all these features leaves a digital trail on the hard drive, making such devices a rich source of potential evidence.

  4. Throwaway culture

The focus has been on modern emerging technology, particularly smartphones. But it’s sometimes sensible to consider the other end of the scale: antique technology can also provide interesting evidential opportunities.

Many people tend to upgrade their handsets – and laptops and PCs – and put the old ones in a drawer or box. There they languish, gathering dust, until they’re needed for a criminal case.

It’s entirely possible to extract all sorts of evidence from these older devices, some of which can prove as tricky as the higher-end handsets and computers. A phone or other device may look simple and cheap, but the data it contains could be crucial.

Here’s an example: CCL-Forensics used its web cache toolkit on a six-year-old Nokia 6230i handset and recovered 600 pages of web history – not necessarily the result you’d expect from a modest old device.

  5. With the network provider

A vast quantity of valuable evidence can be gathered from mobile phone network providers using cell site analysis. Network providers keep a variety of information about a phone’s use for a period of time – including the cell masts it used to make and receive calls.

This type of analysis can help to build up a picture of where the phone has been used, and can help in attributing different phones to their users – especially where criminals make use of “clean” and “dirty” phones. (Clean phones are those used for “normal”, everyday activities; dirty phones are those used in the course of crime, and are often thrown away afterwards.)

If a mobile phone has been used in crime, don’t discount the possibility that a wealth of evidence could be gathered using cell site analysis.

Here endeth our list of possible locations for digital forensic evidence – although it is, of course, not exhaustive. As technology advances, more and more types of digital evidence will become available for investigators.

CCL-Forensics’ R&D team keeps pace with new technology, developing tools and techniques for extracting this new data. If you have any questions, they’re always happy to chat. Just drop us a line at research@ccl-forensics.com.

More places you may not have looked for digital evidence

As promised, we continue our list of places you may not have looked for digital evidence. It’s not always obvious, and sometimes we have to dig deep to find anything useful. Read on to find out more…

  1. VOIP (Voice over IP)

VOIP refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over internet protocol (IP) networks.

It’s not new technology, but with many phones now having WiFi connectivity or data bundles included in tariffs as standard, it’s becoming a more popular way of communicating. VOIP replaces “traditional” over-the-network phone calls, enabling users to make calls using a computer (Skype is a well-known example of this type of technology).

The traces left by this activity are just as relevant as traditional call logs, but “calls” made using VOIP do not necessarily leave the same type of information on the phone, or call data records, as a standard call. Instead of being logged at the network provider with IMEI, IMSI and other data, it is just recorded as data transfer. It may not even show in the handset’s call list.

VOIP calls do, however, leave a deeper digital trail within a phone either within the application itself or in other log files. The apps may also have their own phonebooks, where contact details are stored separately from the phone’s standard contact list.

Computers are also used for VOIP communications, which will leave traces within the apps and on the hard drive in a similar way to mobile phones.

  2. Web browsers

Internet browsers – on computers, laptops, tablets and smartphones – contain a wealth of data that could prove vital to a case.

As well as a user’s browsing history, other evidential opportunities can include bookmarks, cache data, downloads, social media history, and more. Together with other forms of digital evidence, such as chat logs and emails, a picture can be built of the user’s behaviour, and may help to prove mens rea – intent to commit a crime – in a case. Conversely, of course, it could help to prove someone’s innocence.

Mobile internet has been around since 1999, but has improved vastly since then. Smartphones are now miniature computers, with full-colour and fully-functional mobile web pages – and mobile web browsers work in much the same way as standard browsers. The same information can be extracted from mobile web browsers, helping to add to the bigger picture.

  3. Dynamic key logger

Smartphones are – as their name suggests – generally pretty smart. Many of them can now “learn” how people use them, recording every key press in a log file. For instance, they will remember people’s names and place names across applications – not just in, say, text message apps.

Users cannot disable this functionality and will not necessarily be aware of its existence. Dynamic key loggers are a potentially-rich source of evidence: a text message or email of interest may no longer be present on the device – but its content could exist in one of these log files.

The technology gives investigators another method of extracting data from mobile devices, adding an extra dimension to digital evidence.

  4. Data-hiding applications

If you know what you’re doing, it’s entirely possible to hide data on mobile phones, putting it beyond the reach of typical forensic extraction tools and techniques.

There are several apps that can be downloaded to smartphones which can hide data within other applications. This means that photographs could be hidden within – for example – the stocks and shares app on the phone, but they would only be retrievable using the data-hiding application.

The data remains hidden on the device if the data-hiding app is uninstalled, and can only be retrieved if the app is reinstalled. Valuable evidence may be going unnoticed if the deliberately-hidden data is not located.

CCL-Forensics’ R&D team has developed a technique to analyse the installed apps on a smartphone to identify what that phone is capable of, which enables our analysts to tailor the examination accordingly. How can you analyse a mobile phone unless you know what it can do?

  5. On the circuit board

Just occasionally, a mobile device is so complicated – or the data you’re after is so deeply buried – that the only viable option is interfacing directly with the circuitry.

“Chip off” forensics is nothing new – but removing chips from the circuit board of a device is a destructive process, and one that cannot necessarily be repeated by another qualified expert. Examining the chips in situ is much more desirable.

One such method of doing this is to interface directly with the circuit board. Many phones will have a series of JTAG (Joint Test Action Group) ports, to which connections can be made, and from which data can be retrieved. JTAG is an industry-standard method of carrying out such engineering work, but it is still necessary to interpret the data which is extracted.

CCL-Forensics has spent considerable time researching this. If you require further information about the potential of this technique, please get in touch.

More hints and tips will follow in a few days – stay tuned!

Have you looked everywhere for digital evidence?

Building a good case means gathering as much relevant evidence as possible to build a full picture of the situation.

There are several obvious places to look for evidence: a computer’s hard drive; a flash drive; a SIM card from a mobile phone, for example. But looking down the back of the proverbial sofa can reveal a whole heap of potential evidence you may not have thought of.

Here at CCL-Forensics, we like to be helpful – and we also love a good list. So here, for your delectation, are five places you may not have looked…

  1. Location-based services

SatNav devices are not the only way to stop yourself from getting lost these days. Quite apart from the traditional paper map, most mobile devices now contain built-in GPS which works with applications to provide location-specific data to the user.

A few examples: weather apps showing the local forecast need a GPS fix in order to deliver the correct data; social networking apps such as Facebook and foursquare also use GPS to place the user and their online friends in various locations; and a significant number of devices run GPS in the background without the user even noticing.

All this can leave valuable forensic traces on the device. It’s worth considering whether this data is relevant to your case, and if the geographical location of the person attributed to the phone is important. If so, this data should be requested as part of a handset examination. When combined with, for example, ANPR hits or cell site analysis it could strengthen your case.

  2. Geo-tagged images

Following on from location-based services, it’s now possible to tag photographs and other files with a code from a GPS signal to show where the device was when the file was created.

It’s not just mobile digital devices that do this, either; many digital cameras now use GPS signals to geo-tag their photographs.

This metadata can be used to associate individuals or locations featured in photos with a set of geographic coordinates. It’s potentially valuable data that could go unnoticed using “traditional” forensic tools.

  3. SatNav in your hand

Dedicated SatNav devices are well known among digital forensics investigators, but SatNav apps are becoming increasingly common on mobile devices, with smartphones beginning to replace windscreen-mounted devices. (There are a couple of interesting articles on this subject.)

There is an additional evidential opportunity available on the phones themselves, as there is the potential for them to contain records of directions, searches and other SatNav-based activity. If geographic location is relevant to your case, this opportunity should not be underestimated.

Search terms which coincide with significant locations in your investigation can, for example, show that the user had a specific interest in that location. GPS fixes, where recorded and retrieved, may show that the device had moved to or from that location.

  4. Instant messaging

Instant messaging facilities are now a major part of many computer and phone social media applications – not to mention newer tablet technology.

Using smartphones for instant messaging allows suspected criminals to communicate without details being recorded in text message history or on the billing records. Many tariffs now include data as well as airtime, making IM a much more accessible medium – and it can also be used over WiFi.

Most smartphones will have an inbuilt IM app, or will allow users to download one. Chats are conducted via the internet – but there is the potential to leave a forensic trace behind on the device itself.

This won’t be detailed in a standard examination report containing calls, texts and contact lists – but it’s worth considering whether this type of communication is relevant to your case.

A recent example of how instant messaging can be used extremely effectively in crime is last August’s riots. The BlackBerry Messenger (BBM) service is free and secure, and was used extensively to organise disturbances in the capital, and then throughout the UK. There are plenty of articles documenting how the system works, and how it worked during the riots.

It’s pretty obvious that recovering “fleeting” instant messages can be vital evidence in criminal cases – for the prosecution and for the defence.

  5. Organiser

How much of your life is on your mobile phone? With the widespread rejection of antique items such as paper diaries, smartphone organisers contain a huge amount of information about people’s appointments and movements.

They’re available on computers, smartphones and other mobile devices, and are often synced with other apps via online sites such as Google or Hotmail. It’s not just a diary, either; notes apps and programs are the modern equivalent of scribbling a note on a post-it, and can add a valuable extra dimension to evidence.

The data contained therein can provide a great evidential opportunity, complementing data found elsewhere on the suspect’s device(s).

There are 20 places you could try looking, in all – so stay tuned over the next couple of weeks.

Forensic software tools – get ‘em while they’re hot, they’re lovely!

The R&D team at CCL-Forensics are a busy bunch. Over the past couple of years, they’ve developed a number of forensic software tools to examine the evidence that standard tools can’t reach.

Here’s a quick overview of what’s on offer. Follow the links to find out more, or give us a shout by phone (01789 261200) or email (info@ccl-forensics.com) – we’re always happy to talk geek with like-minded practitioners.

epilog allows investigators to recover deleted data from SQLite databases, a widely-used format in many devices (including mobile phones, computers and SatNavs). Many off-the-shelf tools will only allow you to view live records.
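Why a deleted SQLite record can outlive its DELETE, shown as an added example (this is not epilog's code or method): a row is deleted from a constructed database, then the free space of each table-leaf page is read straight from the file. The table name, messages and function names are assumptions made for the illustration, and the carver only pulls printable strings; it does not rebuild full records.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Constructed sample data (not from any real case).
DELETED = "meet at the old warehouse 9pm"
LIVE = ["running late, see you soon", "thanks for lunch today"]
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

def build_sample_db(path):
    """Create a small database, delete one row, return the rows still live."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")  # freed cells are not zeroed
    conn.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO msgs (body) VALUES (?)",
                     [(LIVE[0],), (DELETED,), (LIVE[1],)])
    conn.commit()
    conn.execute("DELETE FROM msgs WHERE body = ?", (DELETED,))
    conn.commit()
    live = [row[0] for row in conn.execute("SELECT body FROM msgs ORDER BY id")]
    conn.close()
    return live

def free_regions(page, hdr):
    """Yield the parts of a table-leaf page that hold no live cell."""
    first_free, ncells, content = struct.unpack_from(">HHH", page, hdr + 1)
    content = content or 65536                 # 0 encodes 65536
    yield page[hdr + 8 + 2 * ncells:content]   # gap after the cell pointers
    off = first_free
    while off and off + 4 <= len(page):        # walk the freeblock chain
        nxt, size = struct.unpack_from(">HH", page, off)
        yield page[off + 4:off + size]         # skip the 4-byte freeblock header
        if nxt <= off:                         # chain ends at 0 and must ascend
            break
        off = nxt

def carve_deleted_strings(raw):
    """Return printable strings found in free space of table-leaf pages."""
    page_size = struct.unpack_from(">H", raw, 16)[0]
    page_size = 65536 if page_size == 1 else page_size
    found = []
    for n in range(len(raw) // page_size):
        page = raw[n * page_size:(n + 1) * page_size]
        hdr = 100 if n == 0 else 0             # page 1 starts with the file header
        if page[hdr] != 0x0D:                  # 0x0D = table b-tree leaf
            continue
        for region in free_regions(page, hdr):
            found += [m.decode("ascii") for m in PRINTABLE.findall(region)]
    return found

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        live = build_sample_db(path)
        with open(path, "rb") as fh:
            raw = fh.read()
    return live, carve_deleted_strings(raw)

if __name__ == "__main__":
    print(demo())
```

The carved string may carry one extra leading character: it is the record's serial-type byte, which survives next to the text when the cell is turned into a freeblock.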

PIP is our XML and plist parsing tool. It allows investigators to present often-complex data from XML files quickly, efficiently, and in a user-friendly format. Apple’s property list files – both XML and binary formats – present no obstacle to PIP at all.

dunk! is a splendidly-named tool for digging around in cookies. Unlike standard tools, it analyses known cookie types to uncover potential new evidence and help give context to other browser artefacts. This includes showing the path the user took to arrive at a particular webpage by parsing Google Analytics cookies, revealing a wealth of information previously unavailable to practitioners.
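What parsing a Google Analytics cookie can yield, as an added example (not dunk!'s code): it decodes the legacy ga.js `__utma` and `__utmz` cookies into visit times and the traffic source that brought the user to the site. The field layout is the publicly known legacy format rather than something stated on this page, and the cookie values and function names are constructed for the illustration.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed cookie values in the legacy Google Analytics (ga.js) layout.
SAMPLE_UTMA = "173272373.1283912345.1330000000.1330500000.1330600000.3"
SAMPLE_UTMZ = ("173272373.1330600000.3.2.utmcsr=google|utmccn=(organic)"
               "|utmcmd=organic|utmctr=sqlite%20deleted%20records")

def _utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)

def parse_utma(value):
    """__utma: domain hash, visitor id, first/previous/current visit, sessions."""
    parts = value.split(".")
    if len(parts) != 6:
        raise ValueError("unexpected __utma layout: %r" % value)
    return {
        "domain_hash": parts[0],
        "visitor_id": parts[1],
        "first_visit": _utc(parts[2]),
        "previous_visit": _utc(parts[3]),
        "current_visit": _utc(parts[4]),
        "sessions": int(parts[5]),
    }

def parse_utmz(value):
    """__utmz: domain hash, time set, session and campaign counts, source."""
    parts = value.split(".", 4)        # the source field may itself contain dots
    if len(parts) != 5:
        raise ValueError("unexpected __utmz layout: %r" % value)
    pairs = (item.split("=", 1) for item in parts[4].split("|") if "=" in item)
    src = {key: unquote(val) for key, val in pairs}
    return {
        "domain_hash": parts[0],
        "set_at": _utc(parts[1]),
        "sessions": int(parts[2]),
        "campaigns": int(parts[3]),
        "source": src.get("utmcsr"),         # e.g. search engine or referring site
        "campaign": src.get("utmccn"),
        "medium": src.get("utmcmd"),         # organic, referral, cpc, ...
        "keyword": src.get("utmctr"),        # search term, when recorded
        "referral_path": src.get("utmcct"),
    }

def arrival_summary(utma, utmz):
    """Combine both cookies into one line an examiner can put in a timeline."""
    a, z = parse_utma(utma), parse_utmz(utmz)
    if a["domain_hash"] != z["domain_hash"]:
        raise ValueError("cookies were set for different sites")
    keyword = ' searching "%s"' % z["keyword"] if z["keyword"] else ""
    return "session %d: arrived from %s (%s)%s; first visit %s" % (
        a["sessions"], z["source"], z["medium"], keyword,
        a["first_visit"].isoformat())

if __name__ == "__main__":
    print(arrival_summary(SAMPLE_UTMA, SAMPLE_UTMZ))
```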

rubus is FREE! We like to give a little love back to the community, so with this in mind, we made our BlackBerry backup deconstruction tool available. Not having found a tool that would do the job, we made our own – enabling analysts to reverse engineer BlackBerry backup data stored in .ipd files.

The tools all went through beta-testing first, and were pronounced ready to unleash upon the world. Since then, they’ve been subject to an introductory pricing period, and have been bought and used successfully around the world.

Now that we’re confident in the tools we’ve developed, we’re also confident in their value to our customers. So with that in mind, if you haven’t bought the tools already, you may want to think about doing so! The introductory pricing period finishes at the end of March – and although they’ll still be extremely good value for money, they will be a little more expensive.

We’ve had useful feedback from our customers in the past, which has helped us to further develop our tools, and we always welcome comments and suggestions on our software. Feel free to comment below, or get in touch with us in more traditional ways!