SIM cards from UK “virtual networks” like Lebara and Lyca Mobile are becoming increasingly common. From a forensic examiner’s standpoint, it’s hard to keep track of which network is which (and which infrastructure network they are “piggy-backing” on). We’ve recently updated our list of IMSI and ICCID prefixes to include a number of these Mobile Virtual Network Operators to help make this clearer.
Control-F recently ran a Phone Forensics Deconstructed training course which was attended by members of Avon & Somerset Constabulary’s High Tech Crime Unit. One of the delegates was able to apply what he’d learned on the course on his very next day in the office, and to great effect:
“On returning from the Phone Forensics Deconstructed course a member of my staff was able to use one of the techniques taught by Kevin in relation to the reconstruction of a partial 3GP video. The item was recovered and is now a key piece of evidence in a significant sexual offence. This is a real example of the benefits of the course and Kevin’s experience” – DS Tim Beer, Avon and Somerset HTCU
If you’d like to learn more about how Control-F training can help you recover more evidence in less time, don’t hesitate to contact us.
Control-F Managing Director Kevin Mansell gave a presentation on recovering internet artefacts from mobile phones at the International Communications Data & Digital Forensics Seminar 2011 (ICDDF) at Heathrow on March 28th 2011. Kevin explained to the audience how traces of Internet browsing can be recovered from mobile phones but are easily (and commonly) overlooked. The presentation included practical tips and tool recommendations for phone examiners to increase their chances of finding and interpreting web cache, bookmarks, history and cookies, regardless of the phone make and model.
Control-F offers training in recovering Internet artefacts from mobile phones as part of our 3-day training course Phone Forensics Deconstructed.
Are you using flasher boxes to remove handset security codes or to perform ‘hex dumps’ of handsets which aren’t supported by commercial forensic tools?
If you are, you are one of a growing number of phone forensic examiners who are using flasher boxes to help gain access to “troublesome devices”. However, it may be that you’re less than 100% confident in using tools where there is little in the way of formal training available. If you’re not currently using flasher boxes, you’re missing out on a technology which would allow you to recover more evidence from more devices than you can today.
Knowing which boxes to buy, and how to set them up and use them safely, is something of a minefield. We would like to guide you through that minefield to ensure that you can safely retrieve more evidence from more devices than you can today with our new 3-day Flasher Box Forensics training course.
Control-F Managing Director Kevin Mansell is delighted to have been invited to give a guest lecture at Coventry University on Tuesday 8th February to students on its B.Sc. Forensic & Investigative Studies. His talk will look at the compelling nature of digital evidence as well as the current and future challenges presented by mobile devices.
The way in which country and service provider information is defined in the ICCID and IMSI identifiers found on SIM cards can be confusing and hard to remember. We’ve put together a list to help you (and us!) quickly confirm the “prefixes” used by different service providers in both types of number.
In response to a question we’re commonly asked, we’ve published a handy list of the default SIM PIN codes used by communications service providers. We’ve started with the UK service providers but will add those for other countries on request. Remember, there are 3 attempts to enter the SIM PIN before the card becomes “blocked” and the PUK has to be entered.
To coincide with Managing Director Kevin Mansell’s presentation at the 2010 F3 Conference on the same topic, we have published a Mobile Phone Video White Paper for free download. The white paper, developed jointly with CCL-Forensics, provides an insight into the underlying structure of 3GP and MP4 video files commonly found on mobile phone handsets. The paper goes on to show that through greater understanding of the file formats, a more intelligent approach to finding and recovering deleted video can be applied.
When you’re searching for anything (and let’s face it, it’s normally a set of keys, isn’t it?!), it always helps to know what you’re looking for. That sounds pretty obvious but it’s very relevant for forensic examiners searching large volumes of data. For example, finding SMS messages in a hex dump of some Samsung handsets is a whole lot easier once you know that the keyword “DEADBEEF” appears within the memory dump in between SMS messages. Suddenly, finding deleted text messages gets much more manageable!
One question which often crops up during training courses and conference presentations is, “Where can I go to find out what these search terms and keywords are?”. Up until now, there hasn’t been a good answer to that question which is why we are now providing a page on the Control-F website to help people like yourselves find evidence more quickly.
The new page provides information on key types of data that you might want to search a memory dump for (e.g. ICCIDs, MMS messages etc.) along with different encoding schemes that we’ve encountered and search terms or regular expressions to save you time.
We hope that you find it useful and would love to hear your feedback (and receive contributions!). We use Gary Kessler’s file signature page all of the time and if this page becomes half as useful, we’ll be delighted.
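The kind of search described above, as an added example that is not taken from the Control-F page: Python code that scans a dump for UK ICCIDs (prefix 8944) stored either as ASCII digits or as nibble-swapped BCD, using the Luhn check digit to discard false hits. The dump, the ICCID and the function names are constructed for illustration, and 19- or 20-digit ICCIDs are assumed.

```python
import re

# Constructed sample data, not taken from a real SIM or handset.
ICCID = "8944123456789012348"                  # 19 digits, valid Luhn check digit
BCD = bytes.fromhex("984421436587092143f8")    # same ICCID, nibble-swapped BCD, F-padded
SAMPLE_DUMP = (b"\x00" * 7 + b"ICCID=" + ICCID.encode() + b"\xff" * 5
               + BCD + b"\xff" * 4
               + b"8944123456789012340" + b"\x00"   # ASCII, wrong check digit
               + b"\x98\x44" + b"\xab" * 8)         # BCD prefix followed by non-digits


def luhn_ok(digits):
    """True if the digit string ends in a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_swapped_bcd(raw):
    """Each byte holds two digits, low nibble first; trailing 0xF nibbles are padding."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw).rstrip("f")


def find_iccids(dump, prefix="8944"):
    """Return sorted (offset, encoding, iccid) hits; prefix must have an even length."""
    hits = []
    for m in re.finditer(prefix.encode() + rb"\d{15,16}", dump):
        for n in (20, 19):      # try the longer form first
            cand = m.group()[:n].decode()
            if len(cand) == n and luhn_ok(cand):
                hits.append((m.start(), "ascii", cand))
                break
    # "8944" is stored on the card as bytes 98 44, so search for the swapped prefix.
    needle = bytes.fromhex("".join(prefix[i + 1] + prefix[i]
                                   for i in range(0, len(prefix), 2)))
    pos = dump.find(needle)
    while pos != -1:
        cand = decode_swapped_bcd(dump[pos:pos + 10])
        if len(cand) in (19, 20) and cand.isdigit() and luhn_ok(cand):
            hits.append((pos, "bcd", cand))
        pos = dump.find(needle, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    for offset, encoding, iccid in find_iccids(SAMPLE_DUMP):
        print(f"0x{offset:04x}  {encoding:5}  {iccid}")
```

The two deliberately corrupted candidates in the sample are rejected: one fails the Luhn check, the other decodes to non-decimal nibbles.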
TURN DATA INTO EVIDENCE
This 3-day ‘next level’ mobile phone forensics course is designed to give phone examiners a greater understanding of the data they already retrieve, coupled with the skills to find and recover traces of the ever-increasing Internet browsing, social networking and satnav usage with mobile phones.