Friday 13 September 2013

Telephone Record Evidence

‘Telecommunication evidence’ is the broad term used to describe any data or information retained by, or otherwise available from, a communication service provider (CSP, such as ‘T-Mobile’ or ‘Orange’) that has probative value for investigative or legal purposes.
‘Call Data Records’ (CDRs), sometimes referred to as ‘Call Detail Records’, are statements that describe a specific user’s usage of the telecommunication services provided by a given operator.
The following information would typically be created and retained by the telecommunications operator during the normal course of business:
o    Called telephone number or numbers;
o    Name(s) and address(es) of the subscriber(s) or registered user(s);
o    Date and time of the start and end of the communication;
o    Telephone service used, e.g. voice, conference call, ‘Short Message Service’ (SMS), ‘Enhanced Messaging Service’ (EMS) or ‘Multimedia Messaging Service’ (MMS);
o    ‘International Mobile Subscriber Identity’ (IMSI) of the calling and called party;
o    ‘International Mobile Equipment Identity’ (IMEI) of the calling and called party;
o    Location label (Cell ID) at the start and end of the communication;
o    Data mapping between Cell IDs and their geographical location at the start and end of the communication.
The information detailed above may be available for disclosure only following due authorisation by the relevant ‘POLICE & INTELLIGENCE LIAISON OFFICER’ at the telecommunication operator and/or in response to an Order of the Court.
The information detailed above will typically be retained for twelve (12) months following point of creation, to facilitate billing and comply with regulatory requirements.
The ‘EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE’ (ETSI) specification for GSM event and call data provides detailed definitions for a variety of records needed in the administration of subscriber related event and call data.
‘Call Data Records’ (CDRs) can be analysed for a variety of purposes and can provide considerable assistance to investigators and defence specialists. For instance, a service provider may use them to understand the calling patterns of its subscribers and the performance of the network.
In the context of an investigation, assessment of CDRs can be used to identify contact and communication between given individuals, potentially evidencing relationships and/or involvement in a conspiracy. CDRs are also used in the first stage of ‘cell site analysis’: identifying the specific cell (base station and sector) that handled a communication session.
That information can then be translated into the geographical locations of the cells involved in the communication sessions, which in turn indicates the general locale from which calls were made or received. Note that this locale is the coverage area of the cell, which may span several square kilometres, not a precise position.
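The two uses of CDRs described above (contact between individuals, and the first stage of cell site analysis) can be shown on a small constructed data set. The following is an added example, not code from the original page: the records, telephone numbers, Cell IDs and the Cell ID to site mapping are all constructed for illustration, and real CSP exports differ in layout and field names from operator to operator. The example assumes that the cells recorded against an event are those serving the calling handset.

```python
# Added example (not from the original page): basic CDR analysis.
# The records, numbers and Cell ID lookup below are constructed for illustration;
# real CSP exports differ in layout and field names from operator to operator.
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed CDR export. Each row is one event; cell_start/cell_end are taken here
# to be the cells serving the *calling* handset at the start and end of the event.
CDR_CSV = """calling,called,service,start,end,cell_start,cell_end
07700900001,07700900002,voice,2013-09-01 09:02:10,2013-09-01 09:05:44,23410-1A,23410-1A
07700900002,07700900003,sms,2013-09-01 09:10:00,2013-09-01 09:10:00,23410-1B,23410-1B
07700900001,07700900002,voice,2013-09-01 12:30:05,2013-09-01 12:31:00,23410-2C,23410-2C
07700900003,07700900001,voice,2013-09-01 12:31:30,2013-09-01 12:40:00,23410-2C,23410-2C
07700900002,07700900001,sms,2013-09-02 18:00:00,2013-09-02 18:00:00,23410-1A,23410-1A
"""

# Constructed Cell ID -> site mapping (the 'data mapping between Cell IDs and their
# geographical location' that the CSP supplies alongside the records).
CELL_SITES = {
    "23410-1A": "High Street mast, sector A (town centre, facing north)",
    "23410-1B": "High Street mast, sector B (town centre, facing south-east)",
    "23410-2C": "Station Road mast, sector C (railway station)",
}


def parse_cdrs(text):
    """Parse the CSV export into dicts with real datetime fields."""
    fmt = "%Y-%m-%d %H:%M:%S"
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "calling": row["calling"],
            "called": row["called"],
            "service": row["service"],
            "start": datetime.strptime(row["start"], fmt),
            "end": datetime.strptime(row["end"], fmt),
            "cell_start": row["cell_start"],
            "cell_end": row["cell_end"],
        })
    return records


def contact_summary(records):
    """Count events between each unordered pair of numbers: who contacted whom, how often."""
    counts = Counter()
    for r in records:
        counts[frozenset((r["calling"], r["called"]))] += 1
    return counts


def cell_trail(records, number):
    """Time-ordered (start, cell_id, site description) for events this number originated."""
    trail = []
    for r in sorted(records, key=lambda r: r["start"]):
        if r["calling"] == number:
            trail.append((r["start"], r["cell_start"],
                          CELL_SITES.get(r["cell_start"], "unmapped cell")))
    return trail


def co_located(records, window=timedelta(minutes=15)):
    """Pairs of different handsets that originated events from the same cell within `window`.
    Same cell means the same coverage area (possibly square kilometres), not the same place."""
    by_cell = defaultdict(list)
    for r in records:
        by_cell[r["cell_start"]].append(r)
    hits = []
    for cell, rs in by_cell.items():
        rs.sort(key=lambda r: r["start"])
        for i, a in enumerate(rs):
            for b in rs[i + 1:]:
                if b["start"] - a["start"] > window:
                    break  # rs is sorted, so later rows are further away still
                if a["calling"] != b["calling"]:
                    hits.append((a["calling"], b["calling"], cell, a["start"], b["start"]))
    return hits


if __name__ == "__main__":
    recs = parse_cdrs(CDR_CSV)
    for pair, n in contact_summary(recs).most_common():
        print(f"{' <-> '.join(sorted(pair))}: {n} event(s)")
    for when, cell, site in cell_trail(recs, "07700900001"):
        print(f"{when}  {cell}  {site}")
    for a, b, cell, ta, tb in co_located(recs):
        print(f"{a} and {b} both used {cell} ({CELL_SITES[cell]}) at {ta} / {tb}")
```

The co-location check deliberately keys on the Cell ID rather than on a computed distance: two handsets served by the same sector within a few minutes were in the same coverage area, and that is all a CDR can support on its own. Turning a sector into a map area is the second stage of cell site analysis and needs the operator's site data and a survey.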


ACPO Guide Electronic evidence

The fragile nature of digital evidence, coupled with the complexity and skill required to conduct an assessment that will bear the scrutiny of a court of law, makes it important to independently validate and verify the findings of the forensic assessor.
One of the fundamental tenets of ‘Best Practice’ for the evaluation of electronic evidence – including telecommunication data – is that assessments are made on forensically sound, verified bit-for-bit copies of the original media.
This ensures that the target media cannot be tainted or corrupted, and that the original material is retained as Best Evidence for record, independent verification, and presentation in Court.
The first European-based body dedicated to electronic evidence was the ‘FORENSIC COMPUTING GROUP’, formed in 1997 in the United Kingdom. It comprised various investigative agencies and forensic science units involved in digital evidence, and also had representation from the ‘ASSOCIATION OF CHIEF POLICE OFFICERS’ (ACPO) ‘COMPUTER CRIME WORKING GROUP’.
In 1999 the ACPO Computer Crime Working Group became the first body to draft Good Practice “guidelines” for the search, seizure and examination of electronic evidence. In particular, these guidelines define minimum standards for the preservation and analysis of electronic evidence exhibits.
The guideline documents (ACPO Guide Electronic Evidence) have been refined and expanded since they were first drafted, with the current version released in 2010; the same core set of principles has, however, remained consistent throughout.
The UK authorities, in consultation with industry experts, have created a ‘GUIDE FOR COMPUTER BASED EVIDENCE’ which defines minimum standards for the preservation and analysis of electronic evidence exhibits. The ACPO Guide Electronic Evidence is built upon four (4) main principles:
o    PRINCIPLE 1: No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court;

o    PRINCIPLE 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions;

o    PRINCIPLE 3: An audit trail or other record of all processes applied to computer based evidence should be created and preserved. An independent third party should be able to examine those processes, assess an exhibit, and achieve the same result;

o    PRINCIPLE 4: The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of and access to, information contained in a computer.

Whilst the ACPO Guide Electronic Evidence was originally drafted to assist in the investigation of computer-based crime, it is widely acknowledged in the forensic community that its principles apply to all assessments involving digital material, in whatever form, including telecommunication records and evidence.
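Principles 1 and 3 above are usually put into practice by hashing: the original is hashed, the copy is hashed, the two must match, and the hashes and every subsequent action are written to an audit trail so that a second examiner can repeat the check. The following is an added example of that workflow, not code from the ACPO guide or from the original page; the exhibit bytes, exhibit reference, examiner and tool name are constructed, and the imaging step is stood in for by a plain copy (a real acquisition goes through a write-blocker and an imaging tool).

```python
# Added example (not from the ACPO guide or the original page): hash verification of a
# forensic copy plus a contemporaneous audit trail. Exhibit bytes, exhibit reference and
# tool name are constructed; a real acquisition uses a write-blocker and an imaging tool.
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data, chunk=1 << 20):
    """Hash in chunks so the same routine works for large images read from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_copy(original, copy):
    """Principle 1 check: a forensically sound copy must hash identically to the original."""
    ho, hc = sha256_hex(original), sha256_hex(copy)
    return ho == hc, ho, hc


class AuditTrail:
    """Principle 3: a record of every process applied, enough for a third party to repeat it."""

    def __init__(self):
        self.entries = []

    def record(self, exhibit, action, operator, tool, result, **detail):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "exhibit": exhibit,
                 "action": action, "operator": operator, "tool": tool, "result": result}
        entry.update(detail)
        self.entries.append(entry)
        return entry

    def to_jsonl(self):
        """One JSON object per line, sorted keys, so the log itself can be hashed and diffed."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def acquire_and_verify(exhibit, original, operator, trail, tool="example-imager (hypothetical)"):
    """Image the exhibit, verify the image against the original, and log the outcome."""
    copy = bytes(original)  # stand-in for the imaging step: a bit-for-bit read of the original
    ok, ho, hc = verify_copy(original, copy)
    trail.record(exhibit, "acquire-image", operator, tool, "verified" if ok else "MISMATCH",
                 size_bytes=len(original), sha256_original=ho, sha256_copy=hc)
    return copy if ok else None


def independent_reverify(copy, entry):
    """What a second examiner does with the working copy and the audit entry: recompute, compare."""
    return sha256_hex(copy) == entry["sha256_original"]


if __name__ == "__main__":
    exhibit = b"constructed exhibit contents " * 1000  # constructed stand-in for a disk image
    trail = AuditTrail()
    working = acquire_and_verify("EX/01", exhibit, "examiner A", trail)
    print(trail.to_jsonl())
    tampered = working[:-1] + b"!"
    print("re-verify working copy:", independent_reverify(working, trail.entries[-1]))
    print("re-verify tampered copy:", independent_reverify(tampered, trail.entries[-1]))
```

The point of `independent_reverify` is that it needs nothing from the first examiner except the working copy and the logged hash: if a single byte of the copy has changed since acquisition, the check fails, which is exactly the property Principle 3 asks for.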


Regulation of investigatory powers act 2000

An investigation into people trafficking across European borders, a requirement to tap and listen in on the conversations of a known drug baron, intercepting emails within a paedophile ring, attempting to crack a terrorist’s encrypted drive containing plans for attacks. What does each of these scenarios have in common?

They all require the support of a legislative tool known as the Regulation of Investigatory Powers Act (RIPA).

The RIP Act, commonly referred to as RIPA, was introduced in 2000 to establish much-needed rules governing communications data. The Act covers the interception, acquisition and disclosure of communications data, surveillance and covert human intelligence sources, as well as the investigation of electronic data protected by encryption. From a digital investigator’s point of view, the most relevant of these topics are encryption and the acquisition/disclosure of communications data.

Obtaining Communications Data

Under section 22, a designated person within a public authority may, with due authorisation or by serving a notice on the provider, obtain communications data from a Communications Service Provider (CSP) such as T-Mobile or AOL. The definition of a public authority covers government bodies and the police, as well as local councils and enforcement departments such as Trading Standards.

Communications data may be requested by a public authority on several grounds. The most immediate of these are national security, public health, preventing death or injury (or damage to a person’s mental or physical health) and preventing or detecting crime. However, the RIP Act also covers less serious circumstances, such as assessing or collecting charges, taxes and levies payable to government, and matters relating to the economic well-being of the United Kingdom. An authorisation is valid for one month; no further data can lawfully be collected after that period without a fresh authorisation.

Collection and Investigation of Encrypted Data

Encrypted data can be a significant hurdle to a digital forensic examination and can bring an investigation to a complete standstill. Where encrypted documents, drives, e-mail, conversation logs or other electronic media are discovered, the procedures set out in Part III of RIPA must be followed.
Under section 49, an authorised person may impose a disclosure requirement (a ‘section 49 notice’) where suitable grounds are met. In the case of encrypted information, a disclosure requirement may be served where there is reasonable belief or evidence that a person has the key needed to decrypt the protected material, and where requiring disclosure is necessary and proportionate. Again, threats to national security and the prevention or detection of crime are the principal grounds for requiring that protected information be made intelligible.

A disclosure notice must describe the protected data to which it relates, the grounds on which it has been issued, the time allowed to comply, and the authorised person giving the notice. A notice may also include a secrecy requirement under section 54 of the RIP Act, in which case the existence and contents of the notice must be kept secret; any ‘tipping off’ in breach of that requirement can result in imprisonment or a fine.
If a person knowingly fails to comply with a disclosure requirement and does not provide the authority with the key to the encrypted data, that person may be liable under section 53 of RIPA to imprisonment for up to two years (five years where national security is engaged) or a fine. This is a well-known difficulty in digital evidence: a suspect whose encrypted material would attract a sentence longer than two years has an incentive to accept the section 53 penalty rather than surrender the key. Those who do not comply with the RIP Act when intercepting, obtaining or otherwise dealing with evidence will themselves be liable to criminal or civil proceedings.

Facebook Evidence

Facebook™ is a social networking service that allows users to interact with other Internet users, sharing media and messages.

A user contacts other individuals by adding them to their ‘friends list’, which allows them to write on those friends’ walls (a space for public commentary) and to tag them in photographs. Users can also communicate by instant (chat) messages, which may sometimes be cached on the user’s own machine, and by private messages similar to email.

The owner of the account can adjust privacy settings to restrict what information is publicly accessible and what may be viewed only by friends. Much like conventional email correspondence, sent and received messages cannot be edited and are stored on the Facebook™ servers in their original form until deleted by the account holder. This material is the basis for Facebook evidence.

Correspondence made via Facebook™, including media files uploaded to or shared on the website, is retained on the respective account indefinitely unless deleted.

The user must manually select items of correspondence or specific files for deletion in order to have them removed from the account. Alternatively, a user may close the entire account in order to have all correspondence and media files erased. Deleted files or accounts are no longer available to members of the public, online friends or the original account owner; however, all of this content remains archived by Facebook™ for a period of ninety (90) days.

Facebook™ recommends that investigators contact the organisation as soon as a requirement for account information is known. This way current accounts or erased content can be preserved for a further ninety (90) days, allowing adequate time for service of legal applications.

The Facebook™ unit responsible for managing requests for account information and related Facebook evidence is titled the ‘Security Department and Custodian of Records’:

FACEBOOK™ INC
SECURITY DEPARTMENT / CUSTODIAN OF RECORDS
1601 CALIFORNIA AVENUE
PALO ALTO, CA 94304

FAX: (650) 644 3229
EMAIL: SUBPOENA@FACEBOOK.COM

The following three types of requests can be made:

•             Preservation Requests
Following notification of a specific User ID, Username or e-mail address, existing account records and erased archive material will be preserved for ninety (90) days.

•             Formal Legal Requests
Records will be provided pursuant to formal compulsory legal process issued under US law.

•             Emergency Requests
Where there is a credible risk of bodily harm or death, immediate assistance will be provided to investigating authorities, even in the absence of legal process or court orders.

It should be noted that whilst the above states that formal legal requests for Facebook evidence are “issued under US law”, in the experience of the author the Facebook™ organisation will readily assist any request for information from any lawful authority or country, as long as it is supported by that country’s legal process.

Whilst internal procedures vary between Police forces, this position may be verified by contacting the relevant Hi-Tech Crime Unit (HTCU) and/or Single Point of Contact (SPoC) for clarification of their approach to securing disclosure of Facebook evidence, account information and related records. Subject to receiving a lawful request for information, Facebook™ can provide the following records:

•             Basic Subscriber Information
Previously referred to as ‘neoselect’, these records include the User Identification Number, the account email address, the time/date of account creation, associated telephone number(s), and the time/date of logins for the past 72 hours.

•             Expanded Subscriber Content
Previously referred to as ‘neoprint’, these records include all profile contact information, status updates, files/photographs that have been shared, messages posted on other individuals’ walls, lists of friends and group memberships, and event reminders.

•             User Photographs
Previously referred to as ‘photoprint’, this will include all photographic media uploaded by the account holder as well as photographs from third parties which have been tagged as featuring the account holder.

•             Messaging Correspondence
Incoming (received), outgoing (sent) and draft messages, the equivalent of email correspondence.

•             Internet Logs
Commonly referred to as ‘IP’ logs, this content records the time/date at which the user account was accessed and the IP address from which the access was made. An IP address alone does not identify a physical address: a further lawful request to the Internet service provider that allocated the address at that time is needed to resolve it to the subscriber connection (and so, often, the premises) used to access the account.


The above Facebook evidence records are generally served by email as Adobe Portable Document Format (PDF) files, a form that is harder to alter casually than plain text. On receipt the files should be hashed and the hashes recorded in the audit trail, in line with the ACPO principles described above.

Wednesday 11 September 2013

An introduction to Cell Site Analysis

The Soham murders of Jessica Chapman and Holly Wells were one of the most high-profile cases reported and documented in the last ten years. Cell site analysis played a critical part in the investigation throughout and ultimately helped to convict Ian Huntley of murder.
Cell site analysis aims to determine the geographical location of a mobile phone through analysis of data records, the base stations (cell sites) that transmit to and receive from the handset, and the signal strength observed in a specific area. Although not an exact science, it is a technique that expert witnesses can apply to help defend or prosecute a suspect in a case relying on mobile phone evidence.
Statistics show that in December 2008 over 75 million mobile phones were active in the United Kingdom alone, more than the country’s estimated population of 62,041,708. It is therefore no surprise that Cell Site Analysis (CSA) is an increasingly important forensic and investigative technique in the UK today.
During the Soham investigation, Police questioned all local males about their whereabouts at the time of Holly and Jessica’s disappearance and asked each for a contact mobile number. Ian Huntley initially insisted that he had been out of Soham at the time the girls disappeared. However, phone records and cell site analysis suggested that Huntley’s phone had been used in the vicinity of his home, and that one of the girls’ phones had been switched off in the same area around the time of the disappearance. This evidence, combined with conventional police work, eventually led to the conviction and sentencing of Ian Huntley.
Cell sites are mounted on tall buildings or on purpose-built masts in order to achieve the best coverage possible. Some sites carry antennas covering three sectors (together giving a full 360 degrees), whilst others may transmit in only one direction and provide limited, directional coverage. The cell site analysis expert must therefore determine what type of site and antenna was in use in order to obtain the most reliable results. Each antenna (sector) in use at a cell site has a unique reference that is recorded in the mobile phone data records (with the exception of the network O2, which references cell sites but not individual antennas). These references form the basis of cell site analysis and confirm which mast, and which sector of it, was serving a suspect’s mobile phone and when.

Although cell sites can transmit over large distances, signal quality can be degraded or blocked entirely by tall buildings, dense structures and other obstructions. Users in these ‘black spots’ may experience reduced call quality or a complete loss of service. In these instances a mobile phone may instead connect to another large cell site with better coverage, or to smaller cells known as picocells, microcells and femtocells where one is available. These small cells are placed in black spots and other difficult areas (such as railway stations) to provide the service that a large cell site cannot. Although each provides a slightly different type of service, all of them support basic mobile phone communication such as voice calls and short message service (SMS) messages. For the same reason, the serving cell is not necessarily the nearest one: the handset selects the strongest usable signal, which is why a survey of the area is needed before a recorded cell is translated into a location.
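The difference between an omni-directional antenna and a sectored one, and why an expert needs to know which was in use, can be made concrete with a small coverage model. The following is an added example and not code from the original page: it models each antenna by its position, azimuth, beamwidth and a nominal range, and asks which antennas could plausibly have served a given point. The site positions, azimuths, beamwidths and ranges are constructed values; in real cell site analysis they are replaced by the operator’s site data and by measured signal surveys, and nominal range is only a first cut because, as the text notes, the handset takes the strongest usable signal rather than the nearest mast.

```python
# Added example (not from the original page): modelling omni-directional and sectored
# cell-site coverage to ask which antennas could plausibly have served a given location.
# Site positions, azimuths, beamwidths and ranges are constructed; real analysis replaces
# these nominal values with the operator's site data and on-site signal surveys.
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial bearing from point 1 to point 2, 0..360 degrees clockwise from north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return (math.degrees(math.atan2(y, x)) + 360.0) % 360.0


def angle_diff_deg(a, b):
    """Smallest angle between two bearings (handles the 359/1 wrap-around)."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


class Antenna:
    def __init__(self, name, lat, lon, azimuth_deg, beamwidth_deg, nominal_range_m):
        self.name, self.lat, self.lon = name, lat, lon
        self.azimuth, self.beamwidth, self.range = azimuth_deg, beamwidth_deg, nominal_range_m

    def covers(self, lat, lon):
        """True if the point lies within nominal range and inside the antenna's sector.
        A beamwidth of 360 models an omni-directional antenna (e.g. a microcell or femtocell)."""
        if haversine_m(self.lat, self.lon, lat, lon) > self.range:
            return False
        if self.beamwidth >= 360:
            return True
        return angle_diff_deg(bearing_deg(self.lat, self.lon, lat, lon),
                              self.azimuth) <= self.beamwidth / 2


# Constructed network: one tri-sector macro mast and one omni-directional microcell at a station.
ANTENNAS = [
    Antenna("Mast1/A", 52.3300, -0.0800, azimuth_deg=0, beamwidth_deg=120, nominal_range_m=3000),
    Antenna("Mast1/B", 52.3300, -0.0800, azimuth_deg=120, beamwidth_deg=120, nominal_range_m=3000),
    Antenna("Mast1/C", 52.3300, -0.0800, azimuth_deg=240, beamwidth_deg=120, nominal_range_m=3000),
    Antenna("Station/omni", 52.3350, -0.0700, azimuth_deg=0, beamwidth_deg=360, nominal_range_m=500),
]


def candidate_antennas(antennas, lat, lon):
    """Names of antennas whose nominal coverage includes the point. Several candidates is the
    normal case: the handset picks the best signal, which a geometric model cannot predict."""
    return [a.name for a in antennas if a.covers(lat, lon)]


if __name__ == "__main__":
    places = {"1 km north of mast": (52.3390, -0.0800),
              "at the station": (52.3350, -0.0700),
              "5 km north": (52.3750, -0.0800)}
    for label, (lat, lon) in places.items():
        print(f"{label}: {candidate_antennas(ANTENNAS, lat, lon)}")
```

Reading the output the way an analyst would: a record showing Mast1/A is consistent with both the point north of the mast and the station forecourt, so on its own it cannot distinguish them; a record showing Station/omni narrows the handset to a few hundred metres; and a point outside every nominal range is a prompt to check the site data, not proof the handset was elsewhere.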