Monday, May 30, 2011

iOS 4.3.3 deletion of Location Cache

Apple responded in April 2011 to concerns in the marketplace about location data that enables a user to be tracked without their knowledge or without knowing such a mechanism existed in the iPhone:

http://www.apple.com/pr/library/2011/04/27location_qa.html

By 3rd May 2011 it was being suggested that an early fix would be available, pending the outcome of beta tests, and that the fix would deal with location backups to iTunes when Location Services was switched OFF.

On 5th May the promised iOS patch to resolve the iPhone location tracking went live and reduced the size of the cache of information that had been backed up. Noticeably, the cache file is now considerably smaller; however, the update needed to achieve that was over 650 megabytes.


Loss of evidence in the cache is one observation; another is that, with Location Services switched OFF on the handset, this may impact historical and current Cell Site Analysis investigations.

Sunday, May 08, 2011

Requesting Cell Site Data

Engaging with defence solicitors or law enforcement with respect to seeking cell site evidence can be a tricky business. Invariably the request for data is largely governed by the type of case and the instruction of work. Problematic with the latter point is that there may be an assumption that the person instructing actually has sufficient technical knowledge and understanding to comprehend the technical details to be analysed and the types of detail the CSA expert will need.

A mistake in common practice that I have noted with examiners and experts is to assume the CDR contains the complete cell site details, and clearly that cannot be the case. The structure and content of CDR and TAP files are different and serve different purposes, but neither is generated for the purpose of including cell site details. I have seen some company websites identifying themselves as experts and suggesting cell site details are found in extended CDRs. I do not agree, as cell site details have absolutely nothing to do with a generated per-call CDR, or indeed a TAP file for that matter. There are minimal references to cell sites by way of cell ID (start/end) and a few other bits and pieces, but nothing more would be generated by the mobile phone, radio network, the switch or data capture machine for inclusion in a CDR/TAP file.

Another matter I have noted, when dealing with expert and examiner cell site reports and those conducting radio test measurements, is the vague suggestion, alluding to an implicit fact, that because the examiner took GPS measurements when conducting tests this somehow establishes that the cellular radio coverage is corroborated, or that the movements of the handset user are somehow tracked this way. There appears, on the face of it at least, to be confusion between GPS and the mobile network. Neither GSM nor WCDMA propagates GPS signals; they merely take data output, in the form of a packet of data from a GPS module/unit, and forward that packet through the device/network to the terminal that will make use of the data. If I need support for that fact then I find it, in the first instance, in the radio frequencies adopted for GSM and WCDMA, from which all else follows when dealing with cellular radio propagation and communications.

So what are the data field elements that the examiner/expert might seek in the first instance? Clearly there needs to be corroboration of a GSM originated/terminated mobile communication and of its start and/or end. The list below is not related to data (email/internet/download etc) communications.

----------------------------------------
Date ?
Time ?
Calling party ?
Called party ?
Type of call ?
Duration ?
Registration (ringing time before answer) ?


Mast location Details for start of call
---------------------------------------
[Start of call] Site ID number?
[Start of call] Site Name?
[Start of call] Site Address?
[Start of call] Site Post code?
[Start of call] Type of transmission 3G WCDMA site or GSM site?
[Start of call] Frequency Range?
[Start of call] Macrocell or Microcell?
[Start of call] Height of Antennas?
[Start of call] Is this an omni-directional site?
[Start of call] How many sectors at site (e.g. 3, 6 etc)?
[Start of call] Easting and Northing?
[Start of call] Longitude and Latitude?
[Start of call] Cell ID (hex)?
[Start of call] Cell ID (dec)?
[Start of call] Cell ID (last digit as sector)?
[Start of call] Broadcast Control Channel (BCCH) number?
[Start of call] Azimuth (bearing of coverage)?


Mast location Details for end of call
-------------------------------------
[End of call] Site ID number?
[End of call] Site Name?
[End of call] Site Address?
[End of call] Site Post code?
[End of call] Type of transmission 3G WCDMA site or GSM site?
[End of call] Frequency Range?
[End of call] Macrocell or Microcell?
[End of call] Height of Antennas?
[End of call] Is this an omni-directional site?
[End of call] How many sectors at site (e.g. 3, 6 etc)?
[End of call] Easting and Northing?
[End of call] Longitude and Latitude?
[End of call] Cell ID (hex)?
[End of call] Cell ID (dec)?
[End of call] Cell ID (last digit as sector)?
[End of call] Broadcast Control Channel (BCCH) number?
[End of call] Azimuth (bearing of coverage)?

The cell site details should relate at minimum to the material time of the mobile communications, and at least up to the date the request for information is being made, in order to comprehend any changes at the Masts, for both the Mast that handled the start of the call and the Mast that handled the end of the call.

Request notification of any Mast alterations
-----------------------------------------
[Any change to Mast] Decommissioned?
[Any change to Mast] Height of Antenna altered?
[Any change to Mast] Azimuth Bearing of coverage?
[Any change to Mast] Mechanical or electrical tilt changes and to what degree?
[Any change to Mast] Licenced Power or Transmission power?
[Any change to Mast] Type of transmission from 2G GSM to 3G WCDMA or vice versa?

It is quite possible to seek considerably more about the arrangements at each Mast, but that often means dealing with each operator's specific matters on a case by case basis. These elements are not included here.

Saturday, May 07, 2011

Blackberry Forensic Analysis

GSM Radio DNA Bracelet - RACH (Random Access Channel)

The logical channels set out at http://cellsiteanalysis.blogspot.com/2011/01/gsm-radio-dna-bracelet.html each provide useful information for cell site analysis (CSA). A common misunderstanding that arises with CSA is that it has been used in evidence in such a way that only a minutiae of information is considered. This in turn has led some to believe that CSA can be defined by a limited selection of elements. The world of CSA is far, far larger in rich content than those limited elements. An examiner only comes to know about the rich content having first applied him/herself to learning the symbiotic co-partnership between science & technology and examination & forensic procedure, leading to evidence & opinion.

For instance, let us accept that RACH is a GSM uplink common control channel. In that little nugget of information there is firstly the science and technology. The technology is Global System for Mobile (communications), a digital cellular radio system. The GSM system manipulates (modulates) the physical radio signals such that the signals, whilst analogue in nature, hold a secret inside that is revealed when de-modulated: the important (digital) data. Moreover, the term 'uplink' is relevant to note, as is 'common control channel' (CCCH). There are four logical control channels assigned to the CCCH: Paging Channel (PCH), Access Grant Channel (AGCH), Notification Channel (NCH) and, of course, RACH. The term 'common' needs clarification, too, because it identifies that the channels are common to all users (mobile users) in a geographical radio area via their handsets. 'Uplink' defines the direction in which the control channel data are transmitted, from the mobile to the network.

In combination, the examination of transmitted data becomes highly significant, for it represents an action by the user's mobile phone creating the 'first' step in radio DNA evidence. A Layer 3 trace (example below), and when we say Layer 3 we are talking about RR (radio resources), identifies the access request RACH message sent to the network and the network's response to it. The example below has been extrapolated (and thus goes beyond) what would normally be seen from the raw data. The network and handset are programmed to understand each other and do not need man's convoluted and verbose explanations; should the machinery, so to speak, need such explanation, god help us, for access to the GSM radio network would probably take three months just to camp on the network without using further resources.


Equally, for cell site analysis we need to know what information can be gleaned from RACH. The image below shows a screen from an Ericsson handset with TEMS Pocket (a radio diagnostic tool) in active mode. I will deal with the paging details in another discussion thread.

We first see the string '0 1 4 1 0E'. The point to note is that it only contains basic GSM info and not GPRS. Had it included GPRS info the string would consist of seven separate elements instead of five. So how do we understand the order in which the data appear?

First element '0':  refers to Cell Barred (0: No, 1: Yes)
Second element '1': refers to Call Re-establishment (0: Allowed, 1: Not allowed)
Third element '4': refers to Max number of retransmissions (1, 2, 4, 7)
Fourth element '1': refers to Number of RACH bursts sent for the last connection (1–7)
Fifth element '0E': refers to Establishment Cause / Random Reference used in the latest RACH burst (00–FF)

The fifth element is, as referred to above, the 'first' step in radio DNA evidence. As this is generated by the user's handset it is of particular interest: it shows that the examiner understands how to seek out evidence from the science and technology under test, and that the data should be obtained using forensic methodology to secure unaltered data. Importantly, it illustrates to the examiner how to start to establish a link within the chain of data created by a mobile phone from when it is first switched ON, through its use of resources, until it is switched OFF.

The actual RACH access request generated is no more than 8 bits in length. The GSM standard TS 04.08 defines the message content format as seen below:


How to interpret the access request message content for establishment cause can be found in TS 04.08:


And when the mobile is answering paging for radio resource connection establishment:
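As an added example (not the post's own code) of reading the TEMS string discussed above and the 8-bit access request it ends with, the parser below takes the five elements in the order the post gives and splits the fifth into establishment cause and random reference. The cause patterns are my transcription of part of the TS 04.08 CHANNEL REQUEST table and assume the network sets NECI=1; treat them as an assumption to be checked against the spec.

```python
"""Decode a TEMS Pocket RACH line such as '0 1 4 1 0E' (the five GSM-only
elements the post lists) and the single-octet CHANNEL REQUEST in its fifth
element.  Added example, not the blog's own code: the cause patterns are my
transcription of part of the TS 04.08 CHANNEL REQUEST table (assumed NECI=1)."""

# (value, mask, cause, random-reference bit width): an octet matches when
# (ra & mask) == value; the bits outside the mask are the random reference.
CAUSES = [
    (0xA0, 0xE0, "Emergency call", 5),
    (0xC0, 0xE0, "Call re-establishment (TCH/F was in use)", 5),
    (0xE0, 0xE0, "Originating call (TCH/F needed or NECI=0)", 5),
    (0x80, 0xE0, "Answer to paging (any channel)", 5),
    (0x20, 0xF0, "Answer to paging (TCH/F)", 4),
    (0x30, 0xF0, "Answer to paging (TCH/F or TCH/H)", 4),
    (0x10, 0xF0, "Answer to paging (SDCCH) / other SDCCH procedure", 4),
    (0x00, 0xF0, "Location updating", 4),
]

def decode_channel_request(ra):
    """Split an 8-bit CHANNEL REQUEST into (establishment cause, random ref)."""
    if not 0 <= ra <= 0xFF:
        raise ValueError("CHANNEL REQUEST is a single octet")
    for value, mask, cause, ref_bits in CAUSES:
        if ra & mask == value:
            return cause, ra & ((1 << ref_bits) - 1)
    return "Unlisted/reserved establishment cause", ra

def parse_tems_rach(line):
    """Parse the five GSM elements; a GPRS line carries seven, so reject it."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 GSM elements, got {len(fields)}")
    barred, reest, max_retrans, bursts, ra_hex = fields
    cause, random_ref = decode_channel_request(int(ra_hex, 16))
    return {
        "cell_barred": barred == "1",                  # 0: No, 1: Yes
        "call_reestablishment_allowed": reest == "0",  # 0: Allowed
        "max_retransmissions": int(max_retrans),       # 1, 2, 4 or 7
        "rach_bursts_last_connection": int(bursts),    # 1-7
        "establishment_cause": cause,
        "random_reference": random_ref,
    }

if __name__ == "__main__":
    # Constructed input: the string shown in the post's TEMS screenshot.
    for key, val in parse_tems_rach("0 1 4 1 0E").items():
        print(f"{key}: {val}")
```

For the post's '0E' the octet is 0000 1110, which falls under the location-updating pattern with a random reference of 14, which is what a forensic reading of that TEMS line should record.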

There is so much detail associated with RACH that it would be possible to write a book solely on this single subject. I do not have the time or the luxury to put all that detail here, but I hope to have given you a flavour of how the radio DNA evidence in the bracelet contains a gold mine of evidential information that is largely and randomly ignored, and apparently seen by some as not being relevant. I wonder, with the little I have mentioned above, whether you would think the same?

In the next RACH discussion I shall open up to you more and give insight into RACH and some evidential possibilities.