New Epilog Signature files released

Epilog Signature files allow users to add specific support for new databases they encounter and although they are designed so that Epilog’s users can create their own signatures when the need arises, CCL-Forensics are committed to updating and releasing a sets of signatures, pre-written and ready to use.

In this new release we have had a real focus on smartphones adding support for:
• iOS6
• Android 4.0 (Ice Cream Sandwich)
• Android 4.1 (Jelly Bean)
• Android 3rd Party Applications
• iOS 3rd Party Applications
• Skype

We always welcome suggestions for signatures that you’d like to see added to the signature collection so please get in touch on epilog@ccl-forensics.com

For more information on epilog please visit our website – www.cclgroupltd.com/Buy-Software/

Advertisements

Cell site blog – Never mind the quality, feel the width

Thoughts and observations on how ‘more’ could mean ‘less’ in the presentation of cell site analysis.

By Matthew Tart, Cell Site Analyst

This month – we look at quality over quantity in cell site analysis – with particular emphasis on a recent example where a pile (literally) of maps could easily have left jurors’ heads spinning.  And cost the prosecution a considerable sum.

This month’s topic: Getting the balance right in cell site analysis 

This blog starts with a case we were involved in recently, involving a high profile crime with a number of defendants.  On this occasion we were working for the defence, but this story acts as a useful pointer for the prosecution by illustrating techniques that experts used by the Crown should – and should not – be doing.  We’ll focus on a method used by a large number of cell site analysts (but not ourselves) which is not necessarily robust or stand up to close scrutiny.

Q: What were the details of the case?

A: The prosecution were investigating the probability of a suspect being at a crime scene – a pub in an inner city location.  At the time of the crime, one of the suspects (we were working for that suspect’s defence solicitor in this case) made a phone call.  The call data records showed that this phone call was made on what we’ll call ‘cell A’, which was on a mast near the crime scene – but also near to his home address which was about 500m away.

The suspect’s alibi was that he was at home at the time of the crime and the phone call.

The prosecution’s outsourced expert carried out ‘spot samples’ (i.e. turned up at a location with a piece of equipment) at both the crime scene and the alibi location.  Their report showed a different cell serving at each location.  Cell A was shown as best serving at the crime scene – but not at the alibi location.

Q: So what did we do differently?

A: We carried out a much more extensive survey i.e. a drive survey at the home address and the surrounding area.  This was carried out with regard to the cell of interest (Cell A), and we used multiple pieces of equipment and repeatedly moved in and out of the area.  We found that cell A provided coverage north, south, east and west of both locations (crime and alibi scene), and based upon this, could not distinguish between the mobile phone being at either location.  The evidence was simply not strong enough to suggest one or the other.

Q:  So, were both sides saying something different?

A: Yes and no. Before the court date, the prosecution’s outsourced expert asked for a copy of our defence report, which we provided.  We then discussed the contents with the expert over the phone, who claimed that he wouldn’t expect cell A to provide coverage at the home address.  After looking at our evidence, he admitted that our assertion that the cell served at both addresses was actually the most valid interpretation of the evidence.  This is a worrying admission/u-turn to say the least.  This is despite his evidence not documenting that cell A also serves at that crucial home address.

Q:  The other side claimed that a different cell provided service at the home address.  Did your survey find that cell as well?

A: Yes, but we found four cells which served at the home address.  Cell A, the one the other side claimed – AND two others.

Q: How was this data presented by the prosecution’s expert?

A: In a rather cumbersome, and lengthy fashion, to say the least.  There were a number of suspects, and their report showed the same maps over and over – and over – again.  It showed the locations of interest, calls for varying time periods, and whether the cells used actually covered the locations.  This came to more than 100 (one hundred) maps.  All printed on A3 paper and bound into a daunting, unwieldy piece of physical evidence, which the jury would have to absorb.

I would defy even the most attentive juror to have easily made sense of this massive tome.  Notwithstanding the threatening size of the document, but all the pages were practically the same, or almost identical copies of other similar pages.  You simply wouldn’t be able to take it all in.  Especially as one wouldn’t expect jurors to be familiar with this type of evidence – making it all the more crucial to have it presented in a friendly form.

Q: What would we have done differently?

A: Firstly, not produced a huge weighty un-jury-friendly document. The best way of presenting this evidence (for which we would have had MUCH more survey data, having done more than carry out simple spot samples) would have been a series of two or three detailed maps which can be presented interactively at court with the relevant points being highlighted by the expert in the course of presenting the evidence.  These maps would have covered specifically the period of interest – and would have a secondary, financial, benefit.

By not producing hundreds of maps, we would have saved a considerable amount of time – and therefore cost.  We would estimate that producing this unmanageable number of maps and documents would have potentially cost tens of thousands of pounds. Our approach would almost certainly have been cheaper AND more robust.

Q:  So the lesson here is…

A: …to think about what you need to achieve, and the best way of doing it.  Don’t be held to ransom by an outsourced experts ‘way of doing something’.  Hopefully this example has shown two things.  One, that carrying out spot samples (as we’ve mentioned in previous blogs) may not be the most appropriate way of surveying.  And secondly, that the end product i.e. what the jury see and have to understand, can be something a little more sophisticated than a batch of similar-looking, repetitive – and quite frankly, uninspiring – maps and tables.  Technology has moved on.  So has cell site analysis.  And so has the presentation of evidence in court.

In terms of maps it is quality not quantity that delivers the most impactive conclusions in relation to the possible locations of a mobile phone.

For more information about this – or any aspect of cell site analysis, please contact Matthew Tart (or any of our other cell site analysts) on 01789 261200 or by emailing cellsite@ccl-forensics.com

Benefits of hindsight: Why ‘nurturing’ data can prove valuable for cell site analysts.

It’s at this time of year, when the sun is shining (well, it IS at the very moment these words are being written), that carrying out an intensive cell site survey seems almost like a perk of the job. But, as everyone involved knows, a cell site expert shouldn’t expect that each assignment should come with such luxuries.  Surveys aren’t always necessary – and even where they are, there could be a smarter solution.  In this month’s cell site ‘blog’, Matthew Tart looks at the possibility of using data from previous cases.

This month’s topic: Use of historic cell site data

Q: First of all, precisely what do we mean by historic cell site data?

A: Simply, it’s data CCL-Forensics has generated from carrying out previous cases, which we have organised and stored in an ever-growing database.  The reason we have this, is because we don’t carry out static surveys as we have found they have limited repeatability and failed validation (this is described in our previous blog here), which I’ll go into in a little more detail later.  So if we’re interested in where a particular cell serves, there is a potential that we’ve already surveyed relevant areas.  We’re not (quite!) up to UK wide coverage yet, but the database is growing rapidly, plus we’re getting additional cell data every time we travel between our offices and the general area of the survey.  

Q: So, how does this actually benefit the case. Surely, all cases are different, and you may still have to do some surveying?

A:  This is not necessarily a replacement for any future survey, it is an enhancement, but it does have some significant advantages.  The first being that it can help us to scope out a case, and therefore produce a more accurate strategy – keeping costs down.  The more CCL-Forensics know about the network infrastructure of the location in question, the more easily we can produce the most cost-effective forensic solution to the problem at hand. It’s also been useful in court, where very specific questions have been raised about the coverage of a cell; if we have relevant data, our expert in the witness box can easily (and with no cost to anyone involved), use that area information – adding value to proceedings.  In short, it means that we simply have more data with which to work – and scientifically, that’s a very good place to be.

Q: But isn’t there a risk that the data may be out of date?

A: The timeliness of data is always a consideration in cell site analysis.  One of the most common concerns tends to surround how the network may have changed in the (often) months between the incident and the survey.  By using data collected in the past, it could be more relevant to the time of the incident.  Additionally further surveys can be undertaken to assess whether that there have been changes in the network over a period of time – and not even the networks themselves can give us information as reliable as that.

Q:  Why aren’t all cell site analysts doing this?

A: I’m not saying it’s only CCL-Forensics who are doing it, but there are analysts who practice certain surveying techniques where keeping a database would not be appropriate.  Earlier, I mentioned the concept of carrying out static surveys.  CCL-Forensics have gone through this at length before, but this just goes to reinforce why turning up at a scene, carrying out a few measurements and then leaving again, is not the strongest piece of science in the world.

Using static surveys each job stands alone and in isolation from any other examination.

Q: It must take up a serious amount of storage space

A: CCL-Forensics had to buy a huge new server to hold this data, but it’s already been worth it.  We’ve saved so much time by having access to this data, and passed on significant cost savings as a result.  It also means that our clients are getting stronger evidence, effectively for free.  It’s stronger because we can more accurately assess service areas, and also get an educated idea of network changes, which can inform expectations at the outset of an investigation and same time during it.

For us, it’s definitely an investment in the future and ideally, we’d like to be a position where we have the whole country mapped, but that’s a little way away at the moment!

To finish with an example: There was an urgent pre case management hearing relating to an incident in a city 150 miles from our base.  We were asked to provide some analysis of call data records on a Wednesday morning, which were needed by the Thursday evening. 

CCL-Forensics checked our database and found extensive surveys in and around the locations of interest, and could make an informed estimate of cell service at those addresses without the disruption, delay and cost of travelling to the area and carrying out a survey.  Basically this would not have been possible, given the time constraint, had we not had the historic data. 

Of course it is not just the survey time that causes delay, it’s the preparation, travelling, data manipulation, analysis and reporting of that data.  But, as we’d already surveyed the area, the client had the report they needed well ahead of the deadline: something which would have been practically impossible otherwise. 

To summarise, every case we do makes CCL-Forensics service stronger.

For more information about historical cell site data usage, or any of the other issues highlighted in this month’s blog, please email Matthew Tart at mtart@ccl-forensics.com or call 01789 261200

 

Mystery box reveals digital secrets

Arun Prasannan, member of CCL-Forensics’ R&D team. 

Every now and again, an unusual device arrives for analysis at CCL-Forensics, which proves interesting – but above all, significant to an investigation.

Earlier this month, a UK law enforcement agency submitted what can only be described as a ‘black box’.  It was plastic, no bigger than a packet of cigarettes, and from the outside, it had only a slot for a SIM card and a socket for power.

Working closely with the investigating agency, a member of CCL-Forensics’ R&D team carried out an in-depth analysis of what was inside the device, and what data it was capable of storing.

It was initially suspected that it was some kind of tracking device, and when disassembled, it was found to contain a battery, and two separate circuit boards, to one of which was attached a mercury switch which detected movement.  One board contained all the circuitry one would normally expect on a mobile phone, and had everything it needed to connect to a GSM network.  When examined VERY closely, it was labelled (in very small print) with an IMEI number.  From this, we could identify the board, and then research all the available documents about that piece of hardware.

Interestingly, it was a widely used GSM module found in many mobile devices such as GPS trackers, Fax machines and even some phones.

The SIM card was analysed separately, and it was strongly suspected that there was additional data on the board itself.

Our analysts procured a test module, and carried out a comprehensive technical analysis to validate what data it could store.  It was found to have the capacity to store call data (made, received, missed), SMS and contacts – as well as some call timers.  It was also determined that SMS messages could be extracted without changing their status. 

Following this comprehensive research, it was found that the suspect device DID contain a number of phone numbers and call times – which were presented back to the investigator in the case.  This was a level of potentially vital evidence which would have been missed without this very low-level investigation of the device and the data it contained.

It also highlights the talents of CCL-ForensicsR&D department, and the value investigators can derive by not simply opting for a ‘plug and play’ forensic examination.

For more information, please contact us at research@ccl-forensics.com

New version of PIP (XML and plist parser) coming soon

Our ever-popular XML and plist parsing tool, PIP, is coming of age with a new, improved version.

Currently in beta-test, and with the updated version available free to current PIP users (following its official release, obviously!), we’ll be announcing more details over the coming weeks.

As a teaser, this is what you can expect from the new version (v1.1):

  • Improved GUI – the layout of the application has been updated to improve work-flow
  • New Tree View – view your data graphically to see, at-a-glance, the structure of your data
  • Automatic XPath Building – Now you can use the Tree View to show PIP the data that you are interested in and PIP will generate the XPath automatically. This even works with Apple’s Property List ‘dictionary’ structures.
  • Import/Export Batch Jobs – Set-up a batch job of XPaths for a particular folder structure (iOS Library or Application folders for example) and then export the batch so that you, or anyone else in your lab can re-use it when you next come across the same data
  • Command line version – version 1.1 of PIP comes with the “pipcmd” command-line utility, allowing you to integrate PIP into tool chains and other automated tasks
For more information about XML and plist parsing, please visit http://www.ccl-forensics.com/pip or email us at pip@ccl-forensics.com.

CCL-Forensics at Criminal Law Conference

CCL-Forensics is pleased to be involved in the annual Law Society Criminal Law Conference this week.

Our Forensics Manager, Mark Larson, will take to the stage to discuss how digital evidence can prove crucial in criminal cases.

It’s happening at Chancery lane in London on Friday, and further details can be found at http://services.lawsociety.org.uk/events/node/54465.

We’ll be presenting alongside our counterparts at Manlove Forensics (http://www.manloveforensics.co.uk/), who will be concentrating on blood pattern analysis, body fluids and DNA profiling.

It’ll be a chance to give criminal law solicitors and others who have an interest in the criminal justice system, the opportunity to see how established, well accredited forensic expert witness companies can enhance criminal cases.

If you are attending this event, please stop by and say hello.  We’ll be handing out our famous stress-toy judges on the day, so don’t miss out!

.

Challenges surrounding the extraction of CCTV evidence

Q: What are the main challenges faced by police when it comes to extracting raw CCTV evidence?

A: Quite simply it’s the multitude of different systems out there, all recording in a myriad of proprietary formats and using different recording methods. There’s no standard way of extracting data. This means that the task of retrieving CCTV evidence is becoming increasingly more complex. Most systems now tend to fall into one of two categories: DVR-based or NVR-based.

DVRs, or digital video recorders, are stand-alone units that are essentially the modern equivalent of the old video cassette recorder (VCR). The CCTV cameras are connected directly to the unit and the DVR digitally compresses the analogue video onto an internal hard drive. They are often found as single units in small business or retail premises, although they’re increasingly to be found in private residences too. However, DVRs can also be cascaded together and networked for use in much larger systems, such as town centre schemes.

NVRs, or network video recorders, differ in that they record video that’s been digitally encoded by the camera and then transmitted over a network. The advantage is that they don’t have to be connected directly to the cameras and can be placed anywhere within an IT network. This in turn means that recordings can be remotely managed and viewed from any location across the network.

However, just to confuse things further, there are also numerous PC-based systems where the CCTV recording and playback is integrated within the computer rather than a standalone DVR/NVR unit.

Q: And within these groups, presumably the devices are all different?

A: Absolutely – there is no real industry standard, and most digital CCTV systems use a proprietary compression format, or codec as it’s known. This means that there is no simple way of extracting viewable video files – and therein lies the problem.

Q: How much of a problem is this?

A: It can be a big one. Many digital CCTV systems have a built in CD/DVD writer or USB port for downloading and archiving data, but this will still be in a proprietary format and needs an associated proprietary player to view the video.

There may also be occasions when the recording unit itself must be removed, but this can have numerous cost and legal implications, particularly in terms of insurance, security, etc.

The solution is that you need a large array of tools to get at this evidence, and then to process it into a form which means you can use it in court without compromising the chain of evidence and losing quality of the footage.

Q: So, what’s the advice for investigators who need to seize CCTV evidence?

A: Most investigators already know that it is preferable to download the data directly from the system rather than remove the device from the premises.

The most important thing is to ensure that the CCTV footage is retrieved in its native format, as this retains image quality and integrity. Ideally the replay software should be downloaded too, or at the very least a note made of the make and model of the system. If you can’t download it at the scene then you’ll need to take the whole recording unit, which will need to be treated like a standard computer exhibit and the hard drive forensically imaged.

It is also important to remember that it’s often impractical to download all the recorded footage, and consideration must be given to the time period of interest and the cameras required.

Whatever you do, don’t just pull out the hard drive! This may seem like an obvious option but it’s fraught with problems. The hard drive from a DVR will rarely be compatible with anything other than the original recorder, and will often not be in a Windows-compatible format. Therefore the video files will not be accessible when connected to a PC.

Q: So if you have the data on disc, what happens next?

A: It tends to fall into three categories:

  1. You have the data in a proprietary format, and it comes with a player application.
  1. You have the proprietary data, but with no player.
  1. The device exports in a format (for example .avi) which can be viewed with, say Windows Media Player. Whichever one you get, you will still have to process this data, and maintain its integrity and quality. This is where you need the vast array of tools mentioned previously, firstly to replay and capture the relevant footage from the player, and then to edit, enhance, and compile it into something court-friendly. You can’t just walk into a pressurised court environment with a collection of discs containing hours of footage and expect to spin through to the points of interest!

Q: …and if you have to image the hard drive in the device?

A: You still have to find a way to extract and convert this raw data into something usable, and that takes time. It should also be noted that a clone may not always be recognised by the host DVR, in which case using the original hard drive may be the only option. Either way, this should only be undertaken by suitably competent technical staff.

Q: When you have extracted and converted the footage, how do you go about editing, compiling and analysing it?

A: Again, this is where the range of tools comes in. Here at CCL-Forensics, we have invested considerably in cutting-edge image processing technologies and have the most powerful forensic video enhancement, editing and analysis systems available today. With this technology there isn’t any sort of CCTV or video footage that we shouldn’t be able to deal with. I’d be more than happy to give anyone a guided tour, to show just what’s possible.

Why not give CCL-Forensics a call on 01789 261200 or info@ccl-forensics.com if you have any queries, or a current case. A no-obligation chat about CCTV is just a phone call away!