New Epilog Signature files released

Epilog Signature files allow users to add specific support for new databases they encounter and although they are designed so that Epilog’s users can create their own signatures when the need arises, CCL-Forensics are committed to updating and releasing a sets of signatures, pre-written and ready to use.

In this new release we have had a real focus on smartphones adding support for:
• iOS6
• Android 4.0 (Ice Cream Sandwich)
• Android 4.1 (Jelly Bean)
• Android 3rd Party Applications
• iOS 3rd Party Applications
• Skype

We always welcome suggestions for signatures that you’d like to see added to the signature collection so please get in touch on epilog@ccl-forensics.com

For more information on epilog please visit our website – www.cclgroupltd.com/Buy-Software/

Advertisements

Cell site blog – Never mind the quality, feel the width

Thoughts and observations on how ‘more’ could mean ‘less’ in the presentation of cell site analysis.

By Matthew Tart, Cell Site Analyst

This month – we look at quality over quantity in cell site analysis – with particular emphasis on a recent example where a pile (literally) of maps could easily have left jurors’ heads spinning.  And cost the prosecution a considerable sum.

This month’s topic: Getting the balance right in cell site analysis 

This blog starts with a case we were involved in recently, involving a high profile crime with a number of defendants.  On this occasion we were working for the defence, but this story acts as a useful pointer for the prosecution by illustrating techniques that experts used by the Crown should – and should not – be doing.  We’ll focus on a method used by a large number of cell site analysts (but not ourselves) which is not necessarily robust or stand up to close scrutiny.

Q: What were the details of the case?

A: The prosecution were investigating the probability of a suspect being at a crime scene – a pub in an inner city location.  At the time of the crime, one of the suspects (we were working for that suspect’s defence solicitor in this case) made a phone call.  The call data records showed that this phone call was made on what we’ll call ‘cell A’, which was on a mast near the crime scene – but also near to his home address which was about 500m away.

The suspect’s alibi was that he was at home at the time of the crime and the phone call.

The prosecution’s outsourced expert carried out ‘spot samples’ (i.e. turned up at a location with a piece of equipment) at both the crime scene and the alibi location.  Their report showed a different cell serving at each location.  Cell A was shown as best serving at the crime scene – but not at the alibi location.

Q: So what did we do differently?

A: We carried out a much more extensive survey i.e. a drive survey at the home address and the surrounding area.  This was carried out with regard to the cell of interest (Cell A), and we used multiple pieces of equipment and repeatedly moved in and out of the area.  We found that cell A provided coverage north, south, east and west of both locations (crime and alibi scene), and based upon this, could not distinguish between the mobile phone being at either location.  The evidence was simply not strong enough to suggest one or the other.

Q:  So, were both sides saying something different?

A: Yes and no. Before the court date, the prosecution’s outsourced expert asked for a copy of our defence report, which we provided.  We then discussed the contents with the expert over the phone, who claimed that he wouldn’t expect cell A to provide coverage at the home address.  After looking at our evidence, he admitted that our assertion that the cell served at both addresses was actually the most valid interpretation of the evidence.  This is a worrying admission/u-turn to say the least.  This is despite his evidence not documenting that cell A also serves at that crucial home address.

Q:  The other side claimed that a different cell provided service at the home address.  Did your survey find that cell as well?

A: Yes, but we found four cells which served at the home address.  Cell A, the one the other side claimed – AND two others.

Q: How was this data presented by the prosecution’s expert?

A: In a rather cumbersome, and lengthy fashion, to say the least.  There were a number of suspects, and their report showed the same maps over and over – and over – again.  It showed the locations of interest, calls for varying time periods, and whether the cells used actually covered the locations.  This came to more than 100 (one hundred) maps.  All printed on A3 paper and bound into a daunting, unwieldy piece of physical evidence, which the jury would have to absorb.

I would defy even the most attentive juror to have easily made sense of this massive tome.  Notwithstanding the threatening size of the document, but all the pages were practically the same, or almost identical copies of other similar pages.  You simply wouldn’t be able to take it all in.  Especially as one wouldn’t expect jurors to be familiar with this type of evidence – making it all the more crucial to have it presented in a friendly form.

Q: What would we have done differently?

A: Firstly, not produced a huge weighty un-jury-friendly document. The best way of presenting this evidence (for which we would have had MUCH more survey data, having done more than carry out simple spot samples) would have been a series of two or three detailed maps which can be presented interactively at court with the relevant points being highlighted by the expert in the course of presenting the evidence.  These maps would have covered specifically the period of interest – and would have a secondary, financial, benefit.

By not producing hundreds of maps, we would have saved a considerable amount of time – and therefore cost.  We would estimate that producing this unmanageable number of maps and documents would have potentially cost tens of thousands of pounds. Our approach would almost certainly have been cheaper AND more robust.

Q:  So the lesson here is…

A: …to think about what you need to achieve, and the best way of doing it.  Don’t be held to ransom by an outsourced experts ‘way of doing something’.  Hopefully this example has shown two things.  One, that carrying out spot samples (as we’ve mentioned in previous blogs) may not be the most appropriate way of surveying.  And secondly, that the end product i.e. what the jury see and have to understand, can be something a little more sophisticated than a batch of similar-looking, repetitive – and quite frankly, uninspiring – maps and tables.  Technology has moved on.  So has cell site analysis.  And so has the presentation of evidence in court.

In terms of maps it is quality not quantity that delivers the most impactive conclusions in relation to the possible locations of a mobile phone.

For more information about this – or any aspect of cell site analysis, please contact Matthew Tart (or any of our other cell site analysts) on 01789 261200 or by emailing cellsite@ccl-forensics.com

New version of PIP (XML and plist parser) coming soon

Our ever-popular XML and plist parsing tool, PIP, is coming of age with a new, improved version.

Currently in beta-test, and with the updated version available free to current PIP users (following its official release, obviously!), we’ll be announcing more details over the coming weeks.

As a teaser, this is what you can expect from the new version (v1.1):

  • Improved GUI – the layout of the application has been updated to improve work-flow
  • New Tree View – view your data graphically to see, at-a-glance, the structure of your data
  • Automatic XPath Building – Now you can use the Tree View to show PIP the data that you are interested in and PIP will generate the XPath automatically. This even works with Apple’s Property List ‘dictionary’ structures.
  • Import/Export Batch Jobs – Set-up a batch job of XPaths for a particular folder structure (iOS Library or Application folders for example) and then export the batch so that you, or anyone else in your lab can re-use it when you next come across the same data
  • Command line version – version 1.1 of PIP comes with the “pipcmd” command-line utility, allowing you to integrate PIP into tool chains and other automated tasks
For more information about XML and plist parsing, please visit http://www.ccl-forensics.com/pip or email us at pip@ccl-forensics.com.

Double accreditation is a forensic first

We’re absolutely delighted to announce something of a ‘forensic first’.

CCL-Forensics has become the first UK digital forensic lab to be accredited to ISO17025 – not just for one part of the business – but for BOTH its computer and mobile phone labs.

It’s taken a long time to get here – and having this standard, cements our position as the UK’s leading supplier of digital investigation services.  It also means clients can have the maximum confidence in the quality of our services – especially if the case goes to court.

ISO17025 is a recommendation of the Home Office Forensics Science Regulator, Andrew Rennison – and all labs handling digital evidence should have it by 2015.  Put simply, it is one of the biggest steps forward the digital forensic industry has ever seen.  We’re already way ahead of the curve!

We’ve had ISO17025 for our phone lab for while now – and were one of only a small number of providers to do so.  The fact that we’ve now been accredited for our PC lab is huge news.

So what does it mean?  To give it its full title, it’s called “the general requirements for the competence of testing and calibration laboratories”.  That means that we are required to have in place an all-encompassing set of detailed standard operating procedures.  These procedures show that we operate a management system, are technically competent, and generate technically valid results.

It’s been the result of a lot of hard work – not only by our dedicated quality department – but by all members of staff who have worked tirelessly to ensure all the procedures are developed to the highest standard.

If you’d like more information about our quality standards, please email Dave Lattimore, Total Quality Manager at info@ccl-forensics.com.

More hiding places for digital evidence

The saga continues… Keep reading for some more ideas as to where you can look for digital evidence.

  1. Deleted data

Just because data has been deleted from a computer or mobile phone, doesn’t mean it’s gone forever.

When a file is deleted, it may remain on the hard drive. What are actually deleted are the instructions for finding the file – the pathway – not the file itself. Only if the data is overwritten by new files will it become irretrievable.

By analysing a device’s hard drive, investigators can recover a wealth of information that is no longer available to a regular user.

  1. Bluetooth/WiFi pairings

Although Bluetooth is less popular than it once was, with WiFi access now widely available, it can be a valuable source of potential evidence. Each Bluetooth device has a unique identifier, which is likely to be recorded when it is paired or connected.

Examining a phone’s Bluetooth history could prove vital in proving association between other exhibits in the case – some of which may be attributed to other relevant individuals.

Analysing the unique identifiers of WiFi networks that a phone device was connected to, can be instrumental in proving a particular device was present or even in use at a certain location.

  1. Cloud computing and sync

Cloud computing – whereby shared resources, software and information are provided to computers and other devices as a utility over a network (typically the internet) – allows users to access software, data management and storage without needing to know the location and other details of the infrastructure.

As the amount of data people and businesses create and use increases, data storage becomes increasingly expensive, so many people and organisations are now choosing to use the cloud to store data, or to make various settings and favourites portable between devices.

This means they can effectively have access to the same data, which can include settings, cookies and preferences, regardless of which device they are using at the time. So, activity may take place on an individual’s computer which is automatically updated on their smartphone via the cloud.

A user’s data and preferences basically follow them around, providing evidential opportunities for digital investigators.

  1. Backups

It’s always worth considering that data from a mobile phone may be backed up onto the user’s computer.

Many people use their mobile phones almost as an extra limb (the author is guilty of this particular failing), so it’s a good idea to back up the phone on a regular basis just in case it’s lost, stolen or broken.

The evidence from backup files can be used to link a computer and phone as part of the same case, but there may also be more data on the computer from the phone’s backup than is still stored in the handset itself.

Additionally, many mobile applications (and even operating systems) are configured to sync with computers, leaving a digital trail and data on both devices. Systems such as iTunes and BlackBerry Backup are popular and store a huge amount of data. This can provide a valuable evidential opportunity.

  1. Voicemail

In days of yore, voicemail was stored at the telephone exchange operated by the mobile phone network. Users would call their automated voice mailbox, and listen to messages as part of that call.

Many modern phones are now capable of having those voicemails “pushed” to the handset using an internet connection. They’re then stored on the phone for access anywhere – even if there is no phone signal.

Additionally, many phones have the facility to record voice memos (much like a dictation machine), which again could provide valuable evidence as part of an investigation.

As with any data stored on a digital device, it’s always possible for it to leave a digital trail, which can be recovered using the correct forensic tools and techniques.

The final instalment in this short series of blogs about hidden digital evidence will be posted in a few days. See you then!

More places you may not have looked for digital evidence

As promised, we continue our list of places you may not have looked for digital evidence. It’s not always obvious, and sometimes we have to dig deep to find anything useful. Read on to find out more…

  1. VOIP (Voiceover IP)

VOIP refers to the communication protocols, technologies, methodologies and transmission techniques involved in the delivery of voice communications and multimedia sessions over internet protocol (IP) networks.

It’s not new technology, but with many phones now having WiFi connectivity or data bundles included in tariffs as standard, it’s becoming a more popular way of communicating. VOIP replaces “traditional” over-the-network phone calls, enabling users to make calls using a computer (Skype is a well-known example of this type of technology).

The traces left by this activity are just as relevant as traditional call logs, but “calls” made using VOIP do not necessarily leave the same type of information on the phone, or call data records, as a standard call. Instead of being logged at the network provider with IMEI, IMSI and other data, it is just recorded as data transfer. It may not even show in the handset’s call list.

VOIP calls do, however, leave a deeper digital trail within a phone either within the application itself or in other log files. The apps may also have their own phonebooks, where contact details are stored separately from the phone’s standard contact list.

Computers are also used for VOIP communications, which will leave traces within the apps and on the hard drive in a similar way to mobile phones.

  1. Web browsers

Internet browsers – on computers, laptops, tablets and smartphones – contain a wealth of data that could prove vital to a case.

As well as a user’s browsing history, other evidential opportunities can include bookmarks, cache data, downloads, social media history, and more. Together with other forms of digital evidence, such as chat logs and emails, a picture can be built of the user’s behaviour, and may help to prove mens rea – intent to commit a crime – in a case. Conversely, of course, it could help to prove someone’s innocence.

Mobile internet has been around since 1999, but has improved vastly since then. Smartphones are now miniature computers, with full-colour and fully-functional mobile web pages – and mobile web browsers work in much the same way as standard browsers. The same information can be extracted from mobile web browsers, helping to add to the bigger picture.

  1. Dynamic key logger

Smartphones are – as their name suggests – generally pretty smart. Many of them can now “learn” how people use them, recording every key press in a log file. For instance, they will remember people’s names and place names between applications – not just in text message apps (as an example).

Users cannot disable this functionality and will not necessarily be aware of its existence. Dynamic key loggers are a potentially-rich source of evidence: it may be that a text message or email of interest may no longer be present on the device – but its content could exist in one of these log files.

The technology gives investigators another method of extracting data from mobile devices, adding an extra dimension to digital evidence.

  1. Data-hiding applications

If you know what you’re doing, it’s entirely possible to hide data on mobile phones, putting it beyond the reach of typical forensic extraction tools and techniques.

There are several apps that can be downloaded to smartphones which can hide data within other applications. This means that, for example, photographs could be hidden within – for example – the stocks and shares app on the phone, but they would only be retrievable using the data-hiding application.

The data remains hidden on the device if the data-hiding app is uninstalled, and can only be retrieved if the app is reinstalled. Valuable evidence may be going unnoticed if the deliberately-hidden data is not located.

CCL-Forensics’ R&D team has developed a technique to analyse the installed apps on a smartphone to identify what that phone is capable of, which enables our analysts to tailor the examination accordingly. How can you analyse a mobile phone unless you know what it can do?

  1. On the circuit board

Just occasionally, a mobile device is so complicated – or the data you’re after is so deeply buried – that the only viable option is interfacing directly with the circuitry.

“Chip off” forensics is nothing new – but removing chips from the circuit board of a device is a destructive process, and one that cannot necessarily be repeated by another qualified expert. Examining the chips in situ is much more desirable.

One such method of doing this is to interface directly with the circuit board. Many phones will have a series of JTAG (Joint Test Action Group) ports, to which connections can be made, and from which data can be retrieved. JTAG is an industry-standard method of carrying out such engineering work, but it is still necessary to interpret the data which is extracted.

CCL-Forensics has spent considerable time researching this. If you require further information about the potential of this technique, please get in touch.

More hints and tips will follow in a few days – stay tuned!

Have you looked everywhere for digital evidence?

Building a good case means gathering as much relevant evidence as possible to build a full picture of the situation.

There are several obvious places to look for evidence: a computer’s hard drive; a flash drive; a SIM card from a mobile phone, for example. But looking down the back of the proverbial sofa can reveal a whole heap of potential evidence you may not have thought of.

Here at CCL-Forensics, we like to be helpful – and we also love a good list. So here, for your delectation, are five places you may not have looked…

  1. Location-based services

SatNav devices are not the only way to stop yourself from getting lost these days. Quite apart from the traditional paper map, most mobile devices now contain built-in GPS which works with applications to provide location-specific data to the user.

A few examples: weather apps showing the local forecast need a GPS fix in order to deliver the correct data; social networking apps such as Facebook and foursquare also use GPS to place the user and their online friends in various locations; and a significant number of devices run GPS in the background without the user even noticing.

All this can leave valuable forensic traces on the device. It’s worth considering whether this data is relevant to your case, and if the geographical location of the person attributed to the phone is important. If so, this data should be requested as part of a handset examination. When combined with, for example, ANPR hits or cell site analysis it could strengthen your case.

  1. Geo-tagged images

Following on from location-based services, it’s now possible to tag photographs and other files with a code from a GPS signal to show where the device was when the file was created.

It’s not just mobile digital devices that do this, either; many digital cameras now use GPS signals to geo-tag their photographs.

This metadata can be used to associate individuals or locations featured in photos with a set of geographic coordinates. It’s potentially valuable data that could go unnoticed using “traditional” forensic tools.

  1. SatNav in your hand

Dedicated SatNav devices are well known among digital forensics investigators, but SatNav apps are becoming increasingly common on mobile devices, with smartphones beginning to replace windscreen-mounted devices. (There are a couple of interesting articles on this subject.)

There is an additional evidential opportunity available on the phones themselves, as there is the potential for them to contain records of directions, searches and other SatNav-based activity. If geographic location is relevant to your case, this opportunity should not be underestimated.

Search terms which coincide with significant locations in your investigation can, for example, show that the user had a specific interest in that location. GPS fixes, where recorded and retrieved, may show that the device had moved to or from that location.

  1. Instant messaging

Instant messaging facilities are now a major part of many computer and phone social media applications – not to mention newer tablet technology.

Using smartphones for instant messaging allows suspected criminals to communicate without details being recorded in text message history or on the billing records. Many tariffs now include data as well as airtime, making IM a much more accessible medium – and it can also be used over WiFi.

Most smartphones will have an inbuilt IM app, or will allow users to download one. Chats are conducted via the internet – but there is the potential to leave a forensic trace behind on the device itself.

This won’t be detailed in a standard examination report containing calls, texts and contact lists – but it’s worth considering whether this type of communication is relevant to your case.

A recent example of how instant messaging can be used extremely effectively in crime is last August’s riots. The BlackBerry Messenger (BBM) service is free and secure, and was used extensively to organise disturbances in the capital, and then throughout the UK. There are plenty of articles documenting how the system works, and how it worked during the riots.

It’s pretty obvious that recovering “fleeting” instant messages can be vital evidence in criminal cases – for the prosecution and for the defence.

  1. Organiser

How much of your life is on your mobile phone? With the widespread rejection of antique items such as paper diaries, smartphone organisers contain a huge amount of information about people’s appointments and movements.

They’re available on computers, smartphones and other mobile devices, and are often synced with other apps via online sites such as Google or Hotmail. It’s not just a diary, either; notes apps and programs are the modern equivalent of scribbling a note on a post-it, and can add a valuable extra dimension to evidence.

The data contained therein can provide a great evidential opportunity, complementing data found elsewhere on the suspect’s device(s).

There are 20 places you could try looking, in all – so stay tuned over the next couple of weeks.