The increasing use of Mobile phones,
prepaid cell phones as
well as post paid,
by the population as a
personal means of communication has made Mobile Phones an important piece of
evidence in many legal cases. In the coming days, Mobiles will be used for
e-commerce and the relevance of Mobile Evidence will assume greater importance.
Since Mobile phone is an electronic device there are several
aspects of ITA-2000 that apply to the Mobile phone transactions.
These are early days of using of Mobile evidence and there is
a very high possibility that an imperfect understanding of the technology by the
Police, the Lawyers and the Judges may lead to wrong judicial decisions.
In view of the importance of the Mobile devices as Cyber
Evidence we shall discuss some key elements of Mobile evidence for academic
understanding and debate.
The important aspects for which Mobile evidence is being
presently used are
a) To find out the numbers to which calls have been made from
a given mobile with date and time
b) To find out the numbers from which the calls have been
received in a given mobile with date and time
c) To know the contacts through the Phone book.
d) To know the details of recent SMS messages received
e) To know the details of SMS templates
f) To know the Ring tones and Games stored in the instrument
g) To know the Pictures and video clips stored in the mobile
either on the SIM card or a flash memory card.
Of these, a) and b) are also available at the service
provider's level. Also while the number of entries available on the instrument
may be limited by the memory, the service provider has a more detailed and
reliable data with timing for the purpose of billing.
What the service provider's data may provide is however the
information as recorded at their system based on the SIM card recognized by the
system.
If the data at the service provider's systems match the data
of recently called and received numbers as found on the instrument, it could
mean that the SIM card presently on the instrument has data matching with what
is available at the service provider's level.
If the two data does not match it means that the SIM card
data has been manipulated.
Manipulating SIM card data on the instrument is a very easy
process and hence the data on the SIM card can only be taken as only an
indicating evidence and has to be properly certified to be of any use in a court
of law.
If the data on the SIM card is extracted from the Mobile
after the mobile has been in the custody of the Police for some time, it is
possible for the defense to take a stand that the data has been manipulated.
On the other hand the data at the service provider's level
cannot be manipulated except with the connivance of the service provider or
hacking into their system. Again here the data as found visible on the computers
of the service provider can be taken as prima-facie evidence but if it has to be
relied upon, there has to be a corroborative certification that the data is
apparently not altered.
Since mobile conversations are not presently recorded
by the service provider and they are not normally available for any evidence.
If the conversation is hacked and recorded, then it will be a
case of illegal tapping and the quality of the evidence needs to be evaluated by
other parameters including a voice recognition.
The phone book details only provides information about the
persons whom the mobile owner has been in contact and nothing more.
A few of the incoming SMS messages are normally stored on the
mobile and along with time data corroborated with the service provider's
information, may be evidence of an incoming message. Templates may indicate the
likely outgoing information and if it contains any spam or obscene message, may
indicate the intention of the mobile user and nothing more.
Ring tones and Games may be relevant from the point of view
of copyright violations.
Details of pictures and video clippings on an accompanying
memory card indicates the intentions of the mobile user and if they can be
matched with any outgoing data packets, may be used as evidence for the likely
outgoing message. These can be of use in case of any obscene pictures being
transmitted from the mobile.
However linking the stored data to a sent message requires
certain Forensic testing and it is doubtful if such capabilities exist with the
Indian Police as of date.
Identification of Mobile
Essentially there are two identification aspects of a mobile
device. Firstly the SIM card identity which allows the transactions of a mobile
to be recorded in the service provider's records.
The second is the IMEI (International Mobile Equipment
Identifier) which is associated with the hardware.
Some service providers monitor IMEI numbers with call data.
In such cases if a mobile is stolen and a new SIM card is being used, it would
be possible to run IMEI filters to block the stolen numbers.
Spoofing:
It must be remembered that spoofing of SMS messages as well
as voice messages is not impossible on a mobile.
Firstly it is possible to send SMS messages from a computing
device with a false "Sender's Mobile Number".
Secondly, it is possible to pick a hand set and alter the SIM
card data to make it look like a different SIM card and use it for sending
offending messages or making calls which can be attributed to the original owner
of the SIM Card.
For example a card belonging to Mr Fraud can be altered to
match the SIM card of Mr Innocent and used for making calls to Targets 1 and 2 .
Then if this SIM card is presented as evidence with or without the hand set of
Mr Innocent, it is possible to create an evidence which appears as if Mr
Innocent has made calls to Mr Targets 1 and 2.
Acceptance of SIM card data as evidence is therefore required
to be accompanied by several collaborative Forensic certifications that
eliminate the possibilities of such manipulation.
Even though the IMEI number is considered a good
identification of the hardware, it is said that in India the existence
of sets with duplicate IMEI numbers is wide spread and hence the service
providers have been reluctant to use IMEI blocking as a solution to immobilize
stolen mobiles.
[P.S: In CDMA phones the identification is through what is
called ESN-(Electronic Security Number) numbers.]
Further both IMEI numbers and ESN numbers can be modified
with the use of right equipments and such practices are being regularly practiced by those who
deal in stolen mobiles.
It must therefore be considered possible to clone a mobile if
the person so charged is shown to have sufficient resources and access to
technology.
Future of Mobile Evidence
The first impact of the recognition that Mobile Evidence can
be modified, will be felt by the law enforcement authorities since evidence
gathered by them in many cases will be questioned in the courts of law.
Just when the judiciary in India is grappling with
understanding the evidentiary aspects of Computer records, the focus being
generated on the Mobile Evidence will be a further challenge to the Indian
judiciary.
The undersigned is in the process of developing a Check
list and Guidance Note to suggest the preferred procedure for Mobile Evidence
Seizure, Preservation and Presentation as part of its activity to contribute to
the "Mobile Forensics".
(Comments Welcome)
Naavi
November 22, 2004
Related Article:
BJP’s Naroda MLA says she wasn’t at riot site, cell phone records say she was
there
Mobile
phones - the new fingerprints