Keith Borer Consultants celebrated 40 years in business in 2020. With over 35 experts covering all aspects of forensic science and collision investigation, the team can bring a wealth of expertise and experience to your case. The digital forensics team includes specialists in cell site analysis, mobile devices, forensic computing and indecent imagery.
The article’s author, Dr David Schudel, is a Senior Manager at KBC and specialises in cell site analysis, fire investigation and forensic chemistry.
For more details, please visit www.keithborer.co.uk
What is EncroChat?
EncroChat dates to 2015 and is a Dutch company with at least one of its servers based in France. In early 2020, the EncroChat system was infiltrated by the National Gendarmerie and in March 2020 they started to investigate the messages jointly with the Dutch Police. This investigation continued until June 2020 when EncroChat issued a message to its users to say the system had been compromised.
It is not known exactly how the French authorities infiltrated the system, how users/messages were prioritised or how much data was obtained. It is also not known if all messages were gathered or whether the data was subject to any filtering system prior to the data being forwarded to the relevant law enforcement agency. Within the UK, this was the National Crime Agency and the data was collated under “Operation Venetic”. A recent theory is that French authorities managed to infiltrate the system through an update that was issued by EncroChat in April 2021. This allowed them to receive the messages directly from the phones unencrypted. Prosecution experts have agreed that this theory is possible.
How does an EncroChat handset work?
EncroChat predominantly used BQ Aquaris (Android) handsets with the EncroChat operating system (OS) preloaded. The handsets had the microphone, camera and GPS settings disabled or removed for privacy reasons. The handset operated a dual boot system which was designed to hide the illicit operating system. Access to the EncroChat operating system was gained by powering the unit on and holding the volume button. If started normally, the phone would appear to be running as a normal handset.
What information is available to UK law enforcement?
The EncroChat handsets used a KPN (Dutch network) SIM card that could roam onto the British networks; the EncroChat operating system required mobile data to work and the SIM cards only utilised Mobile Data Events (MDE, also called GPRS) within the UK. Therefore, the only billing available to UK law enforcement was mobile data. Once a handset was identified, it was possible to then request the associated Mobile Data Events (GPRS) records from each of the 4 main UK networks.
How do EncroChat users connect with each other?
No conventional mobile telephone number was allocated to the EncroChat user. Users communicated with each other using a “Handle/Username” and invited each other to connect in a similar way to traditional applications like “WhatsApp”.
How do police identify EncroChat users?
Due to there being no traditional user or subscriber details, the EncroChat users are often identified by co-locating the handset with conventional phones being operated by the EncroChat user or through co-location of the EncroChat handset with the user’s vehicles through ANPR or vehicle tracking data. Sometimes, location data is made available from the EncroChat itself.
What legal challenges can be made in EncroChat cases?
Initially, there were questions on how the data had been obtained and the legality under the Investigatory Powers Act 2016.
The main question around this was:
- Were the communications intercepted whilst they were being transmitted or whilst they were being stored in or by the system?
The Court of Appeal set out that it was the latter, subject to some subsidiary arguments, and the evidence was deemed to be admissible.
A recent case in Sweden, where a man had been convicted of unlawful firearm possession, has been overturned by the Swedish Courts. It appears that this case relied heavily on the EncroChat messages.
Within the UK, law enforcement agencies have used the data for initial intelligence gathering to formulate other tactics, such as surveillance and the execution of search warrants, thereby obtaining other, more tangible, evidence.
In some cases, though, the evidence is still primarily based on the use of the EncroChat device and the comparison of the call data obtained from the British networks against known or accepted phones and also the use of ANPR data or vehicle tracking data to suggest that the user of the EncroChat phone was the same person as the user of the conventional accepted phone or vehicle.
EncroChat only used GPRS data, which must be analysed differently from conventional call data records. GPRS call data records do not provide a definitive time stamp but instead record a data session and the phone could have utilised the recorded cell at any point within that session. How this recorded session time is generated differs from network to network. On occasion, the session time can be up to several hours in duration and, if not compared correctly against the call data records for an accepted phone or ANPR data, could lead to the misinterpretation of the data.
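The difference between reading a GPRS record as a timestamp and reading it as a session window can be shown in a few lines. This is an added example, not part of the original article or any KBC tooling; the record layout, cell names, times and the 10-minute tolerance are all constructed assumptions, since real network exports differ from network to network.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data (not from any real case or network).
# GPRS session: (session start, session end, cell recorded for the session)
SESSIONS = [
    ("2020-05-01 09:00", "2020-05-01 09:20", "CELL_A"),
    ("2020-05-01 10:00", "2020-05-01 14:30", "CELL_B"),  # several hours long
]
# Point-in-time events from a comparison source (accepted phone or ANPR read),
# paired with the cell assumed to serve that location.
EVENTS = [
    ("2020-05-01 09:05", "CELL_A"),
    ("2020-05-01 10:02", "CELL_B"),
    ("2020-05-01 13:45", "CELL_B"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def naive_match(event, session, tolerance=timedelta(minutes=10)):
    """Incorrect reading: treats the session start as the moment of cell use."""
    return (event[1] == session[2]
            and abs(parse(event[0]) - parse(session[0])) <= tolerance)

def window_match(event, session):
    """Session-aware reading: the cell may have been used at any point in the session."""
    return (event[1] == session[2]
            and parse(session[0]) <= parse(event[0]) <= parse(session[1]))

def compare(events, sessions):
    """Compare each event with every session on the same cell."""
    rows = []
    for ev in events:
        for s in sessions:
            if ev[1] != s[2]:
                continue
            span = parse(s[1]) - parse(s[0])
            rows.append({
                "event": ev[0], "cell": ev[1],
                "naive": naive_match(ev, s),
                "in_window": window_match(ev, s),
                # How long the phone could have been anywhere in the session
                "uncertainty_min": int(span.total_seconds() // 60),
            })
    return rows

if __name__ == "__main__":
    for row in compare(EVENTS, SESSIONS):
        print(row)
```

The 10:02 event looks like a tight match under the naive reading even though the session leaves a 270-minute window, while the 13:45 event is missed entirely by the naive reading despite falling inside the same session.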
What is the future for EncroChat?
On 12th June 2020, EncroChat sent all its users a message stating that government entities had seized its domain and that all users should power off their devices and physically dispose of them. EncroChat has not operated since this message was sent.
Do you have an EncroChat case?
If you are dealing with an EncroChat case and have any questions or concerns, please get in touch by email or phone with one of our four cell site experts at Keith Borer Consultants, namely Steve (Jack) Frost, Chris Walsh, David Schudel or Thomas Marryat, to see how we may be able to assist.