Forensic_Magazine_-_SIM_Forensics_Part_3_-_2015-05-11.pdf


SIM Forensics: Part 3
Published on Forensic Magazine (http://www.forensicmag.com)

John J. Barbara

The system architecture of a GSM cellular network is very complex. It can generally be divided into three broad parts: the Mobile Station (the cell phone and its SIM), the Base Station Subsystem (which is responsible for handling traffic and signaling between the phone and the Network Switching Subsystem), and the Network Switching Subsystem (which performs the switching of calls between the mobile users and the Public Switched Telephone Network). Phones connect to a GSM network by searching for cells within their immediate location. GSM networks have several different cell sizes, and depending upon which is being implemented, the coverage area will vary. Regardless of the coverage, a cell phone's location information could be of significant forensic value.

A. LOCATION INFORMATION

A SIM card contains the LOCI (Location Information) Elementary File, which can be found under the GSM Dedicated File (see the April/May 2011 Digital Forensic Insider column for information regarding the SIM Card File System). This file contains the Temporary Mobile Subscriber Identity (TMSI), TMSI TIME, Location Area Information/Local Area Identifier (LAI), and the Location Update Status.

1. Temporary Mobile Subscriber Identity (TMSI)

In addition to allowing mobile phones to communicate with each other, the Network Switching Subsystem (NSS) also acts somewhat as a telephone exchange. However, it has additional functionality to deal with the roaming ability of cell phones. A key component of the NSS is the Mobile services Switching Center (MSC), which provides functionality such as registration, location updating, and call routing. When a subscriber roams into the jurisdiction of an MSC, information about the cell phone is stored in a temporary database called the Visitor Location Register (VLR). Since each Base Station in the GSM network is served by one VLR, a subscriber cannot be present in more than one VLR at a time. The VLR assigns the TMSI, which ensures privacy since it prohibits tracing of the identity of the subscriber should anyone attempt to intercept the link. The TMSI is assigned for the duration that the subscriber is within the jurisdiction of a particular MSC and, combined with the current location area, allows a subscriber to be uniquely identified.

2. Location Area Information/Local Area Identifier (LAI)

The LAI for voice communications is structured hierarchically and uniquely identifies a Location Area (LA) within a GSM network. It consists of three components:

Mobile Country Code (MCC): consists of three decimal places and is used to identify the country of origin of the SIM card.
Mobile Network Code (MNC): consists of two decimal places and is used in conjunction with the MCC to identify the SIM card's network provider.
Location Area Code (LAC): consists of a maximum of five decimal places.

GSM networks are divided into LAs, which are comprised of one or more radio cells. Each of the LAs is uniquely identified within the network by its Location Area Code (LAC). These numbers are stored on the SIM card, thus providing the handset with its location. This also serves as a unique reference for the location of the subscriber as well, since the LAI is required before the handset can receive an incoming call. When the subscriber roams into a new LA, the handset also stores the new LAI on the SIM card, adding it to a list of the previous LAIs. After being powered off and then powered back on, the handset will search the list of its stored LAIs until it finds the one it is currently located in, thereby allowing service to resume. Analyzing the SIM card can provide the geographical location(s) where the SIM card, the phone, and the owner of the phone (suspect) may have been.
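As an added example (not from the article or any tool it lists), the following Python decodes the LOCI elementary file described above into its TMSI, LAI (MCC, MNC, LAC) and Location Update Status fields, and records a SHA-256 of the raw bytes for integrity. The 11-byte layout and the nibble-swapped BCD coding of MCC/MNC are taken from GSM 11.11 / 3GPP TS 51.011, not from the article; the sample record is constructed.

```python
import hashlib

# Constructed 11-byte EF_LOCI record (layout per GSM 11.11 / 3GPP TS 51.011, not the article):
#   bytes 1-4  TMSI
#   bytes 5-9  LAI = MCC/MNC (3 bytes, nibble-swapped BCD) + LAC (2 bytes, big-endian)
#   byte  10   TMSI TIME (0xFF = no value)
#   byte  11   Location update status (low three bits)
SAMPLE_LOCI = bytes.fromhex("1A2B3C4D" "00F110" "2F5C" "FF" "00")

UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "Location Area not allowed",
}


def parse_loci(rec: bytes) -> dict:
    """Decode one EF_LOCI record into its forensic fields."""
    if len(rec) != 11:
        raise ValueError("EF_LOCI record must be 11 bytes, got %d" % len(rec))
    tmsi = rec[0:4].hex().upper()
    b1, b2, b3 = rec[4], rec[5], rec[6]
    # MCC digits 1..3 live in: b1 low nibble, b1 high nibble, b2 low nibble.
    mcc = "%d%d%d" % (b1 & 0xF, b1 >> 4, b2 & 0xF)
    # MNC digits 1..2 live in b3 (low nibble first); an optional third
    # digit sits in b2's high nibble and is 0xF when the MNC has two digits.
    mnc = "%d%d" % (b3 & 0xF, b3 >> 4)
    third = b2 >> 4
    if third != 0xF:
        mnc += str(third)
    lac = int.from_bytes(rec[7:9], "big")  # fits the "maximum of five decimal places"
    status = rec[10] & 0x07
    return {
        "tmsi": tmsi,
        "mcc": mcc,
        "mnc": mnc,
        "lac": lac,
        "tmsi_time": rec[9],
        "update_status": UPDATE_STATUS.get(status, "reserved"),
        "sha256": hashlib.sha256(rec).hexdigest(),  # for the examiner's integrity log
    }


if __name__ == "__main__":
    for k, v in parse_loci(SAMPLE_LOCI).items():
        print("%-14s %s" % (k, v))
```

The hash of the raw record is what a tool would store alongside the decoded output so the extraction can be re-verified later.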

B. FORENSIC TOOL OVERVIEW

To analyze a SIM card, it is normally removed from the handset and inserted into an appropriate reader. Command directives, called Application Protocol Data Units (APDUs), are sent to the SIM by the tool to extract potential probative evidence that may be present in the SIM file system. The original data on the SIM card is normally preserved by the elimination of write requests to the SIM during its analysis. Extracted data integrity can be maintained by the tool calculating the hash value(s) of the data from the files created and re-verifying as necessary to demonstrate that they remain unchanged. Some SIM tools extract and preserve data better than others. As with any forensic tool, examiners need to thoroughly research those that are available to determine which one(s) meet their needs. Most examiners are aware (or should be) that no one tool will be able to extract all the data from every different type of cell phone or SIM card. Listed below are some tools that examiners commonly use. (Disclaimer: the summarized, edited information is presented alphabetically and should not be interpreted as a competitive ranking. This information was obtained from the cited Web sites and should not be considered as endorsements by Forensic Magazine or the author, nor should it be construed that these are the only tools available):

AccessData Mobile Phone Examiner (MPE) Plus: integrates seamlessly with Forensic Toolkit. Enables advanced reporting to detail phone data [such as] call history, contacts, messages, photos, voice recordings, video files, calendar, tasks, and notes. MPE supports more than 2,500 phones and can be purchased with hardware to include a SIM reader and phone cables. (http://accessdata.com/products/computer-forensics/mobile-phone-examiner [1]).

Cellebrite (UFED): the UFED family of products is able to extract and analyze data from more than 3,000 phones including smartphones and GPS devices. UFED devices have a built-in SIM reader that allows the device to obtain data such as call logs, phonebooks, SMS, IMSI, and the ICCID. SIM card cloning is also supported. (http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg [2]).

EnCase Smartphone Examiner: designed to forensically collect data from smartphone and tablet devices, such as the iPhone and iPad. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM Blackberry OS. Can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic. (http://www.guidancesoftware.com/encase-smartphoneexaminer. htm [3]).

Data Pilot Secure View Kit: provides both a software and hardware solution which [enables] logical data extraction of the content stored in the mobile phone. Kit includes a universal cable set supporting Motorola (including iDen), Nokia, Samsung, LG, Sanyo, Audiovox, and Sony Ericsson phones. Can acquire cell phone data via USB, Bluetooth, IrDA, or a SIM card reader. (http://www.datapilot.com/productdetail/253/supphones/Notempty [4]).

MOBILedit! Forensic: analyzes phones via Bluetooth, IrDA, or cable connection; analyzes SIMs through SIM readers and can read deleted messages from the SIM card. (http://www.mobiledit.com/mef-features.htm [5]).

Paraben's SIM-Card Seizure: can recover deleted SMS/text messages and perform comprehensive analysis of SIM card data. SIM Card Seizure includes the software as well as a Forensic SIM Card Reader. SIM Card Seizure has Unicode support to read multiple languages such as Arabic, Chinese, and Russian. (http://www.paraben.com/sim-card-seizure.html [6]).

pySIM: a SIM card management tool capable of creating, editing, deleting, [and performing] backup and restore operations on the SIM Phonebook and SMS records. (http://simreader.sourceforge.net/ [7]).

SIMBrush: can be used to extract all observable memory (the ones that can be explored by means of standard APIs) from SIM/USIM cards compatible with the T=0 protocol. Capable of acquiring standard and non-standard files present [on] every SIM card. The output of the program is an XML file representing the SIM/USIM card file system. (http://sites.google.com/site/savolabs/Home/tools [8]).

Teel Technologies SIMIS for SIM/USIM/R-UIM: engineered in accordance with ACPO guidelines to ensure that no data on the SIM is modified during the read process. SIMIS reports are digitally signed with both MD5 and SHA-256 hashes to ensure integrity. A full audit trail is included in the analysis. The SIMIS Mobile Handheld Reader enables users to collect data from multiple SIM cards for on-site analysis or later review using SIMIS PC software. (http://teeltech.com/tt3/simis.asp [9]).

SIMQuery: a command line tool that retrieves the ICCID and IMSI from a GSM SIM card. A smart card reader that is compatible with the Windows smart card subsystem is needed, along with a Plug-in (GSM SIM card size) to ID-1 (ordinary smart card size) adapter card so the SIM card fits into the reader. (http://vidstrom.net/otools/simquery/ [10]).

UndeleteSMS: a command line tool that recovers deleted SMS messages from a GSM SIM card; has the same requirements as the SIMQuery tool. (http://vidstrom.net/stools/undeletesms/ [11]).

XRY Logical & Complete Package with SIM id-Cloner: performs both logical and physical extractions from a device [cell phone]. Specifically designed to assist in the forensic recovery of data from GSM SIM Cards and also provide a 100% secure environment. SIM id-Cloner will allow the creation of a replica of the SIM card found within a mobile device so examiners can enable the operating system without the risk of it making a network connection and changing the data held on the device. (http://www.msab.com/xry/what-is-xry [12]).

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the Handbook of Digital & Multimedia Forensic Evidence published by Humana Press. He can be reached at [email protected] [13].

Source URL (retrieved on 01/06/2016 - 8:51am): http://www.forensicmag.com/articles/2011/08/sim-forensics-part-3

Links:
[1] http://accessdata.com/products/computer-forensics/mobile-phone-examiner
[2] http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg
[3] http://www.guidancesoftware.com/encase-smartphoneexaminer. htm
[4] http://www.datapilot.com/productdetail/253/supphones/Notempty
[5] http://www.mobiledit.com/mef-features.htm
[6] http://www.paraben.com/sim-card-seizure.html
[7] http://simreader.sourceforge.net/
[8] http://sites.google.com/site/savolabs/Home/tools
[9] http://teeltech.com/tt3/simis.asp
[10] http://vidstrom.net/otools/simquery/
[11] http://vidstrom.net/stools/undeletesms/
[12] http://www.msab.com/xry/what-is-xry
[13] mailto:[email protected]