Watching the Detectives: Spotting Stingray and Digital Surveillance. Andrew Northrup (Assistant Public Defender, Forensics) and Chris Soghoian (Principal Technologist).


1 Watching the Detectives: Spotting Stingray and Digital Surveillance. Andrew Northrup, Assistant Public Defender, Forensics Division, Maryland OPD; Chris Soghoian, Principal Technologist, American Civil Liberties Union.

2 Today’s Agenda: 1. Location Data (a. Historical Cell Site Data; b. Real Time Data) 2. IMSI Catchers 3. Social Media 4. Malware 5. Encryption

3 Location Data: Historical Cell Site Data. Records maintained by the phone company: Subscriber Information; Call Detail Records (time and date of call/text, number called/texted, duration of call, 1st tower used (sometimes last tower used) (usually sector of tower used)); Tower List.

4 Historical Cell Site Data

5

6 Beware of Overinterpretation. PCMD and RTT data: Sprint’s Per Call Measurement Data (PCMD) and Verizon’s Round Trip Time (RTT). Both measure the time it takes for radio waves to reach the phone and return. This information is used by engineers to maintain and optimize the cellular network. The FBI attempts to use this data to narrow down a phone’s location.

7 Historical Cell Site Data

8

9 Beware of Overinterpretation

10 Problems with Relying on this Data: 1. Does not account for multipathing.

11 Beware of Overinterpretation. Problems with Relying on this Data: 2. Does not account for “soft handoffs.”

12 Beware of Overinterpretation. Problems with Relying on this Data: 3. Incomplete Data – Networks may get overloaded. If the data is incomplete or inaccurate, this will not be reflected in the paperwork.

13 Beware of Overinterpretation. Problems with Relying on this Data: 3. Repeaters – Outlying stations linked via wire to cell sites. Phones communicating with repeaters will reflect distance to the repeater, BUT there is no way of knowing where or if there is a repeater.

14 Beware of Overinterpretation. Problems with Relying on this Data: What do the providers themselves say about this data? Verizon’s Disclaimer: “The latitude and longitude measurements on the Real Time Tool “RTT” report are derived solely from the Round Trip Delay measurement. They are best estimates and are not related to any GPS measurement. Measurements with a high confidence factor may be more accurate than measurements with a low confidence factor, but all measurements contained on this report are the best estimates available rather than precise location.”

15 Beware of Overinterpretation. Problems with Relying on this Data: What do the providers themselves say about this data? Sprint’s Disclaimer: PCMD- (Per Call Measurement Data) takes RF (Radio Frequency) measurements during a call. This is how the Distance in miles, Latitude and Longitude are determined. This is the estimated location of the mobile device when the RTD (Round Trip Delay) was taken during the connection. There are many variables that can affect the accuracy of these measurements. Multipath of the radio wave to or from the mobile device may affect the accuracy. Sprint mobile devices may be in a one way connection or multiple hand-off connection with different sectors on the same cell site or different sectors on different cell sites when the measurements were taken which can affect the accuracy. Sprint has repeaters deployed throughout the network. If a repeater was being used when the measurements were taken, the accuracy will be affected. Sprint Nextel will not guarantee the accuracy of the location information.
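The distance estimates discussed on slides 6 to 15, as an added Python sketch that is not part of the original presentation: it converts a round-trip delay into the ring radius an analyst would plot around the tower, then measures how far that ring sits from the phone's true distance under multipath and when a repeater is in use. The coordinates, the 400 m of extra reflected path and the repeater position are constructed values, and the repeater case assumes, as slide 13 states, that the measurement reflects distance to the repeater.

```python
import math

C_M_PER_US = 299.792458  # metres a radio wave travels per microsecond


def ring_radius_m(rtd_us):
    """Radius plotted around the tower from a round-trip delay, assuming a
    straight line-of-sight path and no extra delay anywhere in the chain."""
    return rtd_us * C_M_PER_US / 2.0


def rtd_direct_us(tower, phone, excess_path_m=0.0):
    """Round-trip delay for a phone served directly by the tower.
    excess_path_m is extra one-way travel caused by reflections (multipath)."""
    one_way_m = math.dist(tower, phone) + excess_path_m
    return 2.0 * one_way_m / C_M_PER_US


def rtd_via_repeater_us(repeater, phone):
    """Assumption taken from slide 13: with a repeater in use, the recorded
    delay reflects the phone's distance to the repeater, not to the tower."""
    return 2.0 * math.dist(repeater, phone) / C_M_PER_US


def ring_error_m(tower, phone, rtd_us):
    """Plotted ring radius minus the phone's true distance from the tower."""
    return ring_radius_m(rtd_us) - math.dist(tower, phone)


# Constructed geometry, in metres on a flat plane.
TOWER = (0.0, 0.0)
PHONE = (1500.0, 0.0)
REPEATER = (1200.0, 0.0)


def scenarios():
    """Error of the plotted ring for three causes the record does not flag."""
    return {
        "line of sight": ring_error_m(
            TOWER, PHONE, rtd_direct_us(TOWER, PHONE)),
        "multipath (+400 m reflected path)": ring_error_m(
            TOWER, PHONE, rtd_direct_us(TOWER, PHONE, excess_path_m=400.0)),
        "repeater in use": ring_error_m(
            TOWER, PHONE, rtd_via_repeater_us(REPEATER, PHONE)),
    }


if __name__ == "__main__":
    for name, err in scenarios().items():
        print(f"{name:36s} ring error {err:+8.1f} m")
```

The delay value alone does not say which of the three cases produced it, which is why the discovery requests on slide 19 ask for published margins of error.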

16 Beware of Overinterpretation. Drive Time Analysis: FBI Cellular Analysis Surveillance Team conducts drive tests to evaluate coverage. Shrinks area of location of phone. No margin of error measured. Cannot recreate conditions of date of incident. State v. Phillips opinion.

17 REOP in Historical Cell Site Data? This is an area of law that is in flux. Federal: In re Application of the United States for Historical Cell Site Data, 724 F.3d 600 (5th Cir. 2013); U.S. v. Graham, 796 F.3d 332 (4th Cir. 2015) (rehearing en banc held 3/23/16). Look to State Level Decisions.

18 Discovery Requests: 1. Call Detail Records for relevant time period. 2. Cell Tower lists (locations and azimuths) for time of incident and time of request. 3. Subscriber Information.

19 Discovery Requests. If they are using Drive Testing or PCMD data: 1. Any and all published and peer reviewed scientific studies establishing margins of error for these techniques. 2. SOPs and manuals for any and all equipment.

20 Questions?

21 Real Time Data: 1. E911 Data 2. IMSI Catchers

22 E911 Data. Enhanced 911 Data: FCC requires that all cellphones have the capability of being located in case of emergency calls. The location is transmitted through: 1. Radiolocation 2. GPS-based technology. E911 data is prospective, not retrospective.

23 E911 Data Radiolocation: Uses multiple towers to find location

24 E911 Data Global Positioning System: Uses handset GPS information. More commonly used on newer phones. Often used in conjunction with radio location.

25 E911 Data Does 911 need to be called in order for this to be activated? Of course not. Don’t be ridiculous!

26 E911 Data So how do the police use E911 data to track people?

27 E911 Data Here is how it works…

28 E911 Data. Typically, the Police get an Order/Warrant for a target phone number. (This may vary by jurisdiction and age of case.) The Police then fax this Order/Warrant to the phone company to get one or all of the following: 1. Subscriber Information 2. Call Detail Records 3. Activation of E911

29 E911 Data Once the phone company flips the switch, law enforcement gets: 1. Emails every 15 minutes with location updates. 2. Emails every time target phone is involved in a calling or text event.

30 E911 Data How they manifest themselves

31 E911 Data

32

33 Police plot this data, and then go out with “the Finisher”

34 E911 Data Clues that this is in use: Slip-ups. Is phone using more battery than normal?

35 E911 Data Discovery: All court orders and applications for court orders. All communications with the phone company. All emails to and from the phone company including E911, text and phone alerts in Native File Format. Any reports.

36 Questions?

37 The Finisher

38 Cell site simulator/IMSI catcher. Brand Names: Triggerfish (Passive), Stingray (2G), Hailstorm (3G/4G)

39 IMSI Catchers International Mobile Subscriber Identity (IMSI) catchers. Briefcase size device. Looks for IMSI number assigned to target phone. Can also search for IMEI (International Mobile Equipment Identity) which is assigned to the handset rather than the subscriber.

40 IMSI Catchers How it works: 1. Mimics Cell tower. 2. Forces Phones in the area to connect to it in a search for the target phone. 3. Can act as a specific carrier tower or general tower. 4. Can gather information about every phone contacted. 5. Disrupts service, but cannot interrupt calls.

41 IMSI Catchers. Once the IMSI catcher locates a phone, the device indicates: 1. How far away the phone is. 2. In what direction the phone is. 3. Police drive around until they determine where the phone is. 4. When they get close enough, they will call the phone to see if it rings.

42 IMSI Catchers What do they do with the data from innocent people in the area? According to them, they delete it, unless they are canvassing.

43 IMSI Catchers. Canvassing: If they do not know the number of a suspect, they develop this through a “canvass.” Think Season 3 of The Wire.

44 IMSI Catchers. Can this device… 1. Act as a pen register? 2. Monitor phone calls or texts? 3. Take data off of your phone?

45 IMSI Catchers The answer is…. Who knows? Even if we did know, the answer may change next week. It may also vary depending on with whom you are dealing.

46 IMSI Catchers Harris Corporation is very secretive about the capabilities of their machine. From the NDA with the BPD:

47 IMSI Catchers Harris Corporation is very secretive about the capabilities of their machine. From their NDA with the BPD:

48 IMSI Catchers

49 Discovery Request: See EFF Model Discovery Request dealing with the equipment. In addition, ask for: 1. After Action Reports. 2. Any Maps or printouts generated.

50 IMSI Catchers. What to look for: 1. Where is your client arrested? 2. Did they call the phone? 3. Was phone acting strange before? A. Losing power quickly. B. Dropping calls or trouble getting signal.

51 IMSI Catchers. Legal landscape is developing: U.S. v. Rigmaiden, 844 F. Supp. 2d 982 (2012). Government conceded 4th Amendment implications, but with proper warrants, government not required to divulge device information.

52 IMSI Catchers. Legal landscape is developing: State of Maryland v. Andrews, 2016 WL 1254567. 1. Expectation of privacy in real time cell location information. 2. Third party doctrine does not apply, because there is no “voluntarily sharing of location information.” 3. Non-disclosure agreements, “inimical to the constitutional principles we revere.” 4. Trap and trace orders insufficient to authorize use of device.

53 IMSI Catchers. Legal landscape is developing: State of Maryland v. Andrews, 2016 WL 1254567. Still a COSA Opinion. May be appealed or curtailed by decision with better facts for the State. This is a very fluid area.

54 Questions?

55 Social Media

56 Malware

57 Encryption

58 Questions? Andrew Northrup, Assistant Public Defender, Forensics Division, 6 Saint Paul, 14th Floor, Baltimore MD 21202, (410) 767-8542, anorthrup@opd.state.md.us

