Elementary S02E13, S02E15

Elementary S02E13 - All in the Family

A mafia member is murdered and Holmes finds interesting documents that explain how the person could have been found. These documents have "unassuming alpha-numeric sequences" that are apparently printed on every document that comes out of "PRISM", an NSA-run surveillance program. Not only did the NSA documents contain correspondence of the murdered person, they also had telephone records and a triangulation of the phone, which ultimately led the murderer to the victim.

The email correspondence with the alpha-numeric sequence on top.
The PRISM surveillance program does indeed exist. It was leaked in 2013 by Snowden. Except for the watermark (the alpha-numeric sequences) the show is relatively realistic with respect to what data the NSA collects (or collected). I don't believe the data is handed out as easily as the show portrays, though. There is a reason that program was hidden for 6 years and was only made public by somebody who worked at the NSA.

Elementary S02E15 - Corpse de Ballet

The police receive a USB drive with a message on it. Detective Bell takes the original USB drive from its evidence bag and inserts it into the computer to play it for Holmes and Watson.
Bell using the original drive (using gloves nonetheless).
This is a big no-no for several reasons:
  • inserting a foreign USB drive into a computer is always dangerous. One should never do this without good precautions. For example, a very simple attack is for the USB key to emulate a keyboard and execute commands as if a human typed them in.
  • accessing the USB drive could accidentally alter it. Just playing the message could, for example, modify the "last accessed" date (which is unlikely to exist, but still). In the worst case, the PC could delete the message. In general, forensic labs take an image of the original drive in such a way that it has the least impact. It is always possible to modify a USB drive so that it is still altered during that process, but that would require some skill (and almost certainly hardware modifications).
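
What "taking an image" looks like in code, as an added example that is not from the show or the original post: the source is opened read-only, hashed before, during and after the copy, and the finished image is re-hashed, so a source that returns different bytes between passes or a corrupted copy is detected. The function names are hypothetical, and the sketch assumes a hardware write blocker sits between the drive and the workstation, since a read-only open does not stop the operating system or the device itself from changing data.

```python
import hashlib
import os
import sys

CHUNK = 1024 * 1024  # read 1 MiB at a time so large drives never sit in memory


def sha256_of(path):
    """Hash a file or device node, opening it strictly read-only."""
    digest = hashlib.sha256()
    with os.fdopen(os.open(path, os.O_RDONLY), "rb", buffering=0) as f:
        while chunk := f.read(CHUNK):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source, image):
    """Copy source to a new image file and report whether the hashes agree."""
    before = sha256_of(source)
    digest = hashlib.sha256()
    src_fd = os.open(source, os.O_RDONLY)  # never ask for write access
    try:
        # O_EXCL refuses to overwrite an existing image; 0o400 leaves it read-only.
        dst_fd = os.open(image, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    except OSError:
        os.close(src_fd)
        raise
    with os.fdopen(src_fd, "rb", buffering=0) as src, os.fdopen(dst_fd, "wb") as dst:
        while chunk := src.read(CHUNK):
            digest.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    copied = digest.hexdigest()
    after = sha256_of(source)
    return {
        "sha256": copied,
        # False means the source returned different bytes on different passes.
        "source_stable": before == copied == after,
        # False means the image on disk is not what was read from the source.
        "image_verified": sha256_of(image) == copied,
    }


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python acquire.py <source> <new-image-file>
    print(acquire(sys.argv[1], sys.argv[2]))
```

All later analysis, including playing the message, is then done on a working copy of the image, and the recorded SHA-256 is what ties that copy back to the original drive.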

Later, Holmes remembers that the phone of the ballerina was hot to the touch. He had learned that some of her conversations were recorded and once the dancer confirms that the battery drains rapidly, he concludes that the phone was infected by spyware. "Unusual heat is an indicator of spyware".
Phones (and notebooks) get hot if the processors in them are used. Generally, the biggest consumers are the screen, the CPU (general purpose computing unit), the GPU (graphics processing unit), and the wireless chips (LTE, Wi-Fi, and Bluetooth).
Spyware that collects information most likely has a tendency to keep the phone awake and to use some of these chips. Spying through the webcam, for example, would definitely have an impact, since it keeps some expensive chips running to compress the data and send it somewhere. Recording audio all the time will also be noticeable. Just sniffing telephone calls may be undetectable.
Given the other hints that Holmes had, his conclusion was reasonable. It got a bit unrealistic when he immediately found the spyware and used the term "cloned the phone".
Holmes investigates the phone.
